Fixes

General Fixes

OKTA-394045

The End-User Dashboard wasn't aligned correctly when viewed on mobile browsers.

OKTA-460054

Office 365 nested security groups sometimes failed to synchronize correctly from Okta.

OKTA-522922

Not all users deactivated in an Org2Org spoke tenant were deprovisioned in the hub tenant.

OKTA-534291

Samanage/SolarWinds schema discovery didn't display custom attributes.

OKTA-544943

When a user was deactivated in Okta, the Okta Workflows and Okta Workflows OAuth app integrations weren't removed from the user's assigned app integrations.

OKTA-547756

An incorrect error message was displayed during self-service registration when an email address that exceeded the maximum length allowed was entered.

OKTA-547978

If an admin account was deleted, certificate authorities uploaded by the admin account didn't load on the Device Integrations page.

OKTA-548390

Enabling Agentless DSSO didn't create a default routing rule if no routing rules existed.

OKTA-549213

User's weren't able to activate Windows Hello after enrolling in Okta Verify for Microsoft Windows.

OKTA-550739

Users could request that one-time passwords for SMS, Voice, and Email activation be resent more times than allowed by the rate limit.

OKTA-556056

Group claims failed if a user who belonged to more than 100 groups appeared in the group claims expression results.

OKTA-558840

Some users were unable to complete self-service password resets and received an error.

OKTA-561264

Admins received an error when they used an internal URL to configure user help for device assurance policies.

OKTA-564242

Access tokens for some users didn't match the lifetime specified in the access policy rule.

OKTA-565041

Group filtering failed when more than 100 groups appeared in the list of results.

OKTA-565899

An incorrect error message appeared when users saved an empty Website URL field in their on the fly app settings.

OKTA-566372

Users were sometimes unable to sign in to several Office 365 apps from Okta.

OKTA-567711

In some orgs, Email Change Confirmed Notification emails were sent unexpectedly. Admins should verify that the recipients lists audience settings are accurate for Change Email Confirmation and Email Change Confirmed Notification.

OKTA-567970

When users were created using the API (/users/${userId}/factors/questions), a null custom security question and answer were included in the response.

Applications

New Integrations

Content Security Policy enhancements

Over the next few months we are gradually releasing enhancements to our Content Security Policy (CSP) headers. During this time you may notice an increase in header sizes.

Fixes

General Fixes

OKTA-532840

Users created using Just-In-Time provisioning weren't assigned to a group when a group rule existed.

OKTA-537944

AD-sourced users received an error when resetting passwords while an Okta session was active in the browser.

OKTA-545918

Admin roles that were granted to a user through group membership sometimes didn't appear on the user's People Admin roles tab.

OKTA-551921

When a large number of profile mappings were associated with a user type, updates to the user type could time out.

OKTA-552273

Users who signed in to the End User Dashboard using a federated sign-in flow without a factor verification were shown an incorrect last sign-in time.

OKTA-552566

Users were sometimes asked to re-authenticate during an active session even though the authentication policy re-authentication frequency was set to Never re-authenticate if the session is active.

OKTA-553201

Users who scanned a Google Authenticator one-time passcode with Okta Verify received an error message and couldn't enroll in the authenticator.

OKTA-554013

Batch federation of multiple Microsoft Azure domains failed if the batch contained any child domains.

OKTA-557337

Users with apps provisioned with password sync enabled weren't challenged for multifactor authentication when they signed in from new IP addresses or a new city even though the Global Session Policy required re-authentication under those conditions.

OKTA-559661

Some org upgrades failed when a single sign-on factor was required for Admin Dashboard access and only the YubiKey, Duo Security, and Symantec VIP MFA factors were enabled but not recognized for migration.

OKTA-564420

Users couldn't sign in to their org subdomain from okta.com if Captcha was enabled.

OKTA-566285

A threading issue caused directory imports to fail intermittently.

OKTA-566682

When an admin configured an IdP routing rule that allowed users to access certain apps, the list of available apps was blank.

OKTA-566824

Sometimes super admins encountered a timeout when listing admin users on the Administrators page in the Admin Console.

OKTA-567707

A security issue is fixed, which requires RADIUS agent version 2.18.0.

OKTA-567972

An unclear error message was returned when a group rules API call (create, update, or activate) was made to assign users to read-only groups (for example, Everyone ).

OKTA-567979

Last update information was displayed for API Service Apps and OIDC clients.

OKTA-571393

Users couldn't enroll YubiKeys with the FIDO2 (WebAuthn) authenticator and received an error message on Firefox and Embedded Edge browsers.

Applications

New Integrations

Fixes

General Fixes

OKTA-537710

Users on M1 MacBooks were unable to sign in to organizations provisioned with an OS-specific workflow.

OKTA-550348

Device authorization returned an error if the authentication policy had a condition for registered devices.

OKTA-552996

If JIT provisioning wasn't enabled for a SAML IdP, users who tried to sign in received an error message instead of being redirected to the Okta sign-in page.

OKTA-556133

End users received email notifications of new sign-on events even though such notifications were disabled in the org security settings.

OKTA-561269

The YubiKey Report wasn't generated when certain report filters were applied.

OKTA-564518

The ordering of authenticators on the Verify with something else page of the Sign-In Widget sometimes changed when the page was accessed again.

OKTA-565300

Accessibility issues on the password verification page of the End-User Dashboard prevented screenreaders from reading the text.

OKTA-565984

Case sensitivity caused usernames sent in SAML 2.0 IdP assertions not to match usernames in the destination org if a custom IdP factor was used and the name ID format was unspecified.

OKTA-566892

Sometimes MFA prompts overlapped portions of the browser sign-in pages.

OKTA-567776

Super admins weren't able to access the profile of deactivated users in some Preview environments.

OKTA-572091

Some QR codes for Okta Verify enrollment weren't scannable by iOS devices.

OKTA-572416

The Help Center link on the Resources menu directed users to the wrong URL.

OKTA-574624

In Administrators Roles, the Org Admin description was incorrect.

App Integration Fixes

Applications

New Integrations

Fixes

General Fixes

App Integration Fixes

Applications

New Integrations

Fixes

OKTA-401654

Users were able to perform an unlimited number of Security Question authentication attempts.

OKTA-464288

SMS customization wasn't restricted in free developer orgs.

OKTA-544970

When orgs used email template injection, some internal class information was visible in the message.

OKTA-551444

Device EDR rules that used Okta Expression Language were ignored if EDR signals weren't collected.

OKTA-562755

On the Admin Dashboard, the Total admins and Individually assigned counts were incorrect.

OKTA-565487

After an org was upgraded to Identity Engine, email was auto-enrolled as an authenticator for deactivated users.

OKTA-567399

A deactivated Identity Provider couldn't be reactivated.

OKTA-567906

Admins were able to configure an authenticator enrollment policy that allowed the Okta Verify Push mode but didn't allow the one-time password mode.

OKTA-570664

BambooHR reported an error when Okta attempted to update a value using the value of a custom attribute.

OKTA-576483

Admins weren't able to add a network zone with the name BlockedIPZone.

OKTA-578561

Enrollment policy rules weren't applied when the user enrolled an authenticator from the End User Settings page.

OKTA-578983

During self-service registration, users who didn't complete enrollment of optional authenticators were blocked from signing in to their apps.

OKTA-584624

Some orgs with custom domains were unable to upgrade to Identity Engine.

OKTA-585688

The client-initiated backchannel authentication flow didn't appear as a grant type option for OIDC native app integrations.

OKTA-585800

Some Cornerstone profiles failed to import due to missing information.

OKTA-589114

When orgs used daylight savings time, the Admin Dashboard and the System Log events timestamps were one hour behind.

Applications

New Integrations

App Integration Fixes

Fixes

OKTA-503099

Admins were able to modify the auth_time claim for an access token using a token inline hook.

OKTA-535435

During password resets, some text strings in the Sign-In Widget weren't translated.

OKTA-545664

Active Directory Single Sign-On couldn't be completed in iFrames.

OKTA-565953

After iPhone users signed in to a SAML app through Okta, the app opened in a browser window instead of the native app window.

OKTA-566659

DocuSign group pushes failed when removing users from a group.

OKTA-568170

Some orgs couldn't disable the New Sign-On Notifications email.

OKTA-568376

Users couldn't enroll an IdP as an authentication factor if their username didn't match the case of the username in their IdP profile.

OKTA-579088

In AgentsOn-premise, the Description link next to each of the agents was incorrect.

OKTA-584216

A suffix was added to the application label for new Onspring instances.

OKTA-587063

An older version of the OAuth library was included in the Okta Provisioning agent. The issue is fixed in Okta Provisioning agent 2.0.14.

OKTA-588262

The favicons for the Admin Console and End-User Dashboard were misaligned.

Applications

New Integrations

App Integration Fix

Fixes

OKTA-573597

In Identity Engine orgs that were upgraded from Classic Engine, authentication policy rules that included groups and users weren't applied correctly.

OKTA-576159

On the IdP configuration page, searching for groups under JIT Settings sometimes returned an error.

OKTA-581158

System Log events for manual imports showed that the import was scheduled by Okta.

OKTA-582181

When a user requested a password reset and user enumeration prevention was enabled, the password reset error was incorrect.

OKTA-585107

The hidden permissions count on the Edit role page was incorrect.

OKTA-585478

App sign-on events with usernames that exceeded 100 characters weren't always added to the System Log.

OKTA-587347

On mobile devices, users with long email addresses couldn't see all the options in their settings dropdown menu.

OKTA-588528

When users attempted to connect to a remote server using an Okta Verify Push prompt and Number Matching Challenge wasn't enabled, an error occurred.

OKTA-592074

Screen readers read apps on the End-User Dashboard as buttons instead of links.

Applications

New Integrations

Fixes

Applications

New Integrations

App Integration Fix

Okta Verify for Windows EXE bundle

On the Admin Console Downloads page, the Okta Verify for Windows app is now available as a single EXE bundle that includes MSI files. A separate MSI file is no longer available for this app. See Deploy Okta Verify to Windows devices.

Fixes

Applications

New Integrations

App Integration Fix

Fixes

• OKTA-570851

  Some app provisioning error strings weren't translated.

• OKTA-578140

  End users could delete all of their enrolled factors.

• OKTA-587935

  If a new user abandoned and then resumed an activation flow, they received an activation email with the ${oneTimePassword} macro visible.

• OKTA-588661

  When users clicked expired email sign-in tokens, they received incorrect error messages.

• OKTA-591232

  Logos weren't correctly displayed on email templates.

• OKTA-597761

  Some unsupported apps were included in the authentication policy mapping count.

• OKTA-599684

  When Active Directory users were added through an import or JIT provisioning, their application groups were retrieved from an incorrect domain. This caused an internal error that prevented users from signing in to Okta.

• OKTA-601320

  When an OpenID Connect authorization request included an empty IdP query parameter, users were sent to a blank sign-in page.

• OKTA-604536

  An older library was being used by the toolkit used by Okta Confluence Authenticator and Okta Jira Authenticator. The issue is fixed in version 3.2.2 of the toolkit.

• OKTA-607199

  ThreatInsight temporarily prevented non-malicious users from accessing Okta.

Applications

New Integrations

Fixes

• OKTA-542869

  Users were prompted to set up voice call authentication even though SMS authentication was already set up in the Phone authenticator.

• OKTA-570696

  Some placeholder values in the Password Changed email template weren't translated.

• OKTA-588667

  After creating accounts, some users weren't able to complete the sign-in process.

• OKTA-596446

  Error summary messages weren't written to the System Log when custom errors occurred during an import inline hook operation.

• OKTA-597490

  The LDAP interface didn't return any result for a deactivated user when the cn value was combined with other filters.

• OKTA-597959

  Okta users authenticating through Agentless Desktop SSO (ADSSO) were sometimes incorrectly shown a migration-check error message.

• OKTA-601618

  Email change confirmation notices came from an Okta test account rather than a brand-specific sender.

• OKTA-603731

  Macros in email subjects weren't processed correctly for some email templates.

• OKTA-604404

  Imports performed during UltiPro maintenance resulted in inconsistent data being returned.

• OKTA-604914

  When the redesigned resource editor feature was enabled, admins couldn't add individual applications to their resource sets.

• OKTA-609336

  Incorrect descriptions were displayed on the AgentsOn-premise tab.

Applications

New Integrations

Fixes

• OKTA-414791

  LDAP requests resulted in an error if the memberOf filter didn't include a Group DN.

• OKTA-423781

  The Privacy link on the Okta dashboard wasn't translated.

• OKTA-585123

  When the Full Featured Code Editor was enabled, some admins couldn't edit the Sign-In Widget version or their sign-in page draft changes.

• OKTA-591228

  Admins with a custom role couldn't receive user reports of suspicious activity in email notifications.

• OKTA-592530

  A deleted policy rule was still referenced in the System Log when a user signed in to Office 365.

• OKTA-594682

  Sometimes user session IDs weren't unique per session.

• OKTA-595145

  After a user enrolled in Okta Verify, the session displayed inconsistent AMR values.

• OKTA-599276

  SSO on mobile devices where an OIDC token exchange occurred between two apps sometimes failed for the second app.

• OKTA-599817

  Scope grant requests failed if any of the scope names contained periods.

• OKTA-602635

  Some text on the Administrator assignment by role page wasn't translated properly.

• OKTA-602794

  Token inline hooks failed even when a URL claim name was correctly encoded with a JSON pointer.

• OKTA-602932

  FastPass Smart Signal Collection attempted to gather signals from users without Okta Verify.

• OKTA-603996

  WebAuthn enrollment sometimes failed if the authentication policy enforced hardware-protected possession constraints.

• OKTA-604825

  When an admin added the Manage users permission to a role, any existing permission conditions were removed. Also, admins with restricted profile attributes could edit those attributes on their own profile.

• OKTA-609070

  Some users couldn't unlock their accounts if they had multiple Okta Verify and phone authenticator enrollments.

• OKTA-613226

  Some of the new Okta branding changes weren't displayed in the Admin Console.

Applications

New Integrations

Fixes

• OKTA-516583

  The application logo wasn't displayed on the Groups page for some groups.

• OKTA-554024

  Some users received a Bad Request message after successfully unlocking their accounts.

• OKTA-566503

  When no tokens were listed on the API Tokens page, the displayed message wasn't translated.

• OKTA-572820

  Deleting large numbers of IdP routing rules with API calls caused System Log discrepancies.

• OKTA-577794

  The destination in SAML responses sometimes didn't match the Assertion Consumer Service URL in signed authentication requests.

• OKTA-583072

  The System Log showed that an MFA reset notification email was sent when that notification option was disabled and no email was sent.

• OKTA-595603

  The Forgot Password link didn't work unless orgs enabled User Enumeration Prevention and disabled Profile Enrollment.

• OKTA-597009

  The Microsoft Team Exploratory licenses weren't imported correctly into Okta, which prevented users from provisioning the correct licenses.

• OKTA-599540

  HTTP replies to SP-initated SAML requests contained two session IDs, which sometimes caused user sessions to expire unexpectedly.

• OKTA-599994

  The Honor Force Authentication SAML setting didn't work with Agentless Desktop Single Sign-on (ADSSO).

• OKTA-602946

  On password hash import, users couldn't change their passwords even after the minimum password age setting period.

• OKTA-604985

  Approvers received duplicate task approval requests when users requested an app from the End-User Dashboard.

• OKTA-605016

  In the Add Dynamic Zone dialog, the Bagmati region of Nepal was missing from the State/Region dropdown menu.

• OKTA-605955

  Users were prompted for Okta FastPass or WebAuthn after they'd satisfied the possession requirements of an authentication policy.

• OKTA-606914

  Some orgs weren't migrated to newly deployed default app versions.

• OKTA-607167

  The search bar in the Groups tab on the user profile page didn't display the placeholder text correctly.

• OKTA-610185

  When the Conditions for Admin Access feature was enabled, restricted profile attributes were visible in User > Profile for imported users.

• OKTA-611235

  After upgrading to Identity Engine, some orgs experienced undesired behavior with apps that shared authentication policies.

• OKTA-611867

  The Active User Statuses field didn't appear in some configurations.

• OKTA-612177

  Some users in China didn't receive one-time passwords through SMS.

• OKTA-612312

  Admins couldn't delete a custom email domain if it was used by multiple orgs.

• OKTA-612972

  When the redesigned resource editor feature was enabled, large sets of resources were displayed outside of the Add Resource dialog, and the tooltip didn't specify the resource limit.

• OKTA-613226

  Some of the Okta branding changes weren't displayed in the Admin Console.

• OKTA-613979

  The Microsoft Office 365 Sign On tab displayed incorrect information in the Metadata details section.

Applications

New Integrations

Sign-In Widget, version 7.7.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

Applications

New Integrations

Fixes

• OKTA-564847

  Sign-out errors sometimes appeared as raw JSON text rather than triggering an Okta error page.

• OKTA-579735

  When a user account was unenrolled in Okta Verify, the linked device remained active.

• OKTA-581496

  Some apps that had provisioning enabled appeared on the Provisioning Capable Apps reports.

• OKTA-588414

  Users who were removed from an Okta group using an API call were added back to the group because of the group rules.

• OKTA-588559

  The max_age=0 property wasn't treated the same as prompt=login for OAuth 2.0 /authorize requests.

• OKTA-602343

  The System Log didn't display client details for user_claim_evaluation_failure events if a token inline hook was enabled.

• OKTA-602566

  Apps using a custom identity source displayed user and group assignments in the General tab.

• OKTA-603563

  Custom authenticator allowed multiple enrollments on the same device for the same user.

• OKTA-604491

  Users were sometimes unable to display authorization server access policies in the Admin Console.

• OKTA-612193

  The System Log for Okta FastPass didn't include authNRequestId.

• OKTA-613164

  Some admins could access IdP configuration editing pages without sufficient permissions.

• OKTA-617952

  When the Redesigned Resource Editor feature was enabled, super admins couldn't preview the resource set assignments for the access requests and access certifications admin roles.

• OKTA-619651

  My Okta didn't load when the Enable Sync Account Information setting wasn't selected.

• OKTA-621542

  For SAML IdP configurations, searches for a user group to assign to the app sometimes failed to stop.

• OKTA-627295

  NetSuite couldn't be provisioned to new users.

Applications

New Integrations

App Integration Fixes

Applications

New Integrations

Sign-In Widget, version 7.8.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

Applications

New Integrations

App Integration Fixes

Fixes

• OKTA-619028

  Read-only admins received user reports of suspicious activity email notifications in error.

• OKTA-624193

  The Access Testing Tool results showed an incorrect value for the profile enrollment self-service registration option.

• OKTA-627533

  Removing the emailAuthenticationLink variable from the email template didn't update the Sign-In Widget.

• OKTA-631142

  Orgs using a custom client_id in their OAuth2 client apps were unable to delete enrolled users.

• OKTA-632131

  OpenID Connect /token requests using the SAML 2.0 Assertion grant type flow failed if the SAML assertion expiry was greater than 30 days.

• OKTA-632850

  Slack provisioning didn't automatically retry after exceeding rate limits.

• OKTA-633585

  The on-demand auto-update banners for the Active Directory agent displayed updates in a random order.

• OKTA-634923

  Users weren't present in the import queue after being unassigned from an app.

• OKTA-635579

  When a super admin went to the Groups Admin Roles tab, the Edit group assignments button was mislabeled.

• OKTA-636652

  The Administrators page wasn't translated to Japanese.

Applications

New Integrations

Fixes

• OKTA-601623

  When configuring an API Service Integration (either through the Admin Console or using APIs), admins could set a JWKS URL using HTTP instead of HTTPS.

• OKTA-620953

  When user enumeration prevention wasn't enabled, the UserId and user profile were visible in the network response prior to authentication.

• OKTA-621214

  Long custom label text was sometimes truncated on the Sign-In Widget during enrollment.

• OKTA-621253

  Email Change Confirmed Notification messages weren't sent if the audience was set to Admin only.

• OKTA-627175

  Some tasks displayed a greater-than sign (>) instead of the date.

• OKTA-630368

  RADIUS logs showed multiple, repetitious Invalid cookie header warning messages.

• OKTA-634010

  Users who were locked out of Okta but not Active Directory could receive Okta Verify push prompts and sign in to Okta.

• OKTA-637641

  Some users received a Bad Request error when they signed in with Okta FastPass.

• OKTA-639427

  When admins added a new user in Preview orgs, the Realm attribute appeared on the dialog.

Applications

Fixes

• OKTA-620655

  When an error occurred during Identity Engine upgrades, a Customer Config Required message appeared instead of an Okta Assistance Required message.

• OKTA-622753

  The Access Testing Tool allowed access to applications even though authenticator enrollment was denied.

• OKTA-641043

  Admins could select values from disabled dropdown menus.

Applications

Sign-In Widget, version 7.10.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Content security policy enforcement extended for custom domains

Content Security Policy is now enforced for all non-customizable pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for all non-customizable pages in orgs with custom domains will become stricter than this first release. This feature will be gradually made available to all orgs.

Enhanced Okta LDAP integrations with Universal Directory

Okta LDAP integrations now feature custom mapping, schema discovery, and a fully extensible attribute schema that allows you to import or update any attribute stored in LDAP. With these enhancements, Okta LDAP matches the schema functionality already available to Active Directory integrations. See Profile Editor. This feature is being re-released. This feature will be gradually made available to all orgs.

Fixes

• OKTA-595549

  IdP users were redirected to an unbranded sign-in page after SSO failure.

• OKTA-609243

  The Admin Console referred to the phone authenticator's 5-digit OTP for SMS or voice as 6-digit.

• OKTA-614488

  Admins could view only 50 applications in the Default application for the Sign-In Widget dropdown menu when configuring a custom sign-in page.

• OKTA-619163

  When the Universal Distribution List group was pushed to Active Directory, some users' group memberships didn't sync.

• OKTA-621695

  Possession factor constraints settings weren't preserved when switching from advanced to basic mode in an authentication policy rule.

• OKTA-627119

  Some users encountered a 400 HTTP error when authenticating through a service provider.

• OKTA-627660

  Users whose admin permissions were revoked continued to receive emails with an Admin only audience setting.

• OKTA-628227

  Some SAML-linked accounts in DocuSign couldn't use SWA.

• OKTA-629263

  Email change confirmation notices came from an Okta test account rather than a brand-specific sender.

• OKTA-637801

  Admins without permission to manage apps saw an Edit button for the app's VPN Notification settings.

• OKTA-638911

  The RSA Authenticator used the old SamAccountName of AD-sourced users after it was changed.

• OKTA-639465

  The LDAP Agent Update service used an unquoted path, which could allow arbitrary code execution. For more information, see the Okta security advisory.

• OKTA-641892

  Labels were incorrect for the Enrollment by Authenticator Type chart in the MFA Enrollment by User report.

• OKTA-647842

  Okta displayed two different titles for the End-User Dashboard to users whose locale was set to Vietnamese.

Okta Integration Network

App updates

• The Amazon Business SAML app now has a configurable SAML issuer.
• The Amazon Business SCIM app now has a configurable SCIM base URL and Authorize endpoint.
• Application profile and mapping has been updated for the Jostle SCIM app.
• The mobile.dev SAML app has been rebranded as Maestro Cloud.

New Okta Verified app integrations

• Base-B (SAML)
• Base-B (SCIM)
• Comprehensive (OIDC)
• Palo Alto Networks Cloud Identity Engine (API service)
• Palo Alto Networks Cloud Identity Engine (Application-enabled) (API service)
• Rezonate Security (API service)
• supervisor.com (OIDC)
• WorkSchedule.Net (OIDC)

App integration fixes

• American Express Online by Concur (OKTA-642832)

Fixes

• OKTA-619723

  When the Conditions for admin access feature was enabled, admins who were restricted from viewing certain profile attributes couldn't access the GroupsGroup page.

• OKTA-623635

  Group mappings were unexpectedly pushed to downstream apps after the corresponding app instances were deleted.

• OKTA-627290

  Okta didn't record a System Log entry when admins deleted all the users or groups that were associated with an active authentication policy rule.

• OKTA-627805

  The unsuccessful attempt number counter for Security Question didn't reset after a successful sign-in.

• OKTA-627862

  Incorrect values for group metrics, such as the number of groups added and updated, were displayed on the Import Monitoring page.

• OKTA-633507

  The pagination cursor was ignored when requests to the Groups API (api/v1/groups) included the ID of the All Admin group.

• OKTA-639397

  The Okta Verify MFA prompt didn't appear when users tried to access the AWS Okta CLI after their Okta session expired.

• OKTA-641112

  System Log events weren't generated when Active Directory and LDAP users were deactivated during sign-in.

• OKTA-641457

  When self-service password recovery was disabled, AD users received the Forgot Password Denied email template instead of Active Directory Password Reset Denied.

• OKTA-643204

  Active Directory and LDAP users weren't unassigned from applications when they were deactivated during sign-in.

• OKTA-643499

  Sometimes the processing of group rules for smaller groups took longer than expected when other large operations were in progress.

• OKTA-648750

  SP-initiated SSO flows without a session didn't correctly populate the context.session object for SAML inline hooks.

Okta Integration Network

App updates

• The Experience.com OIDC app now has additional redirect URIs.

• The Planview Admin SAML app now has the Audience ID variable.

New Okta Verified app integrations

• Clumio (SCIM)
• Elba (API service)
• innDex (OIDC)
• Sloneek (OIDC)
• Zonka Feedback (SAML)

App integration fixes

• Bloomberg (SWA) (OKTA-642380)
• BlueCross Blueshield of Illinois (SWA) (OKTA-641490)
• Citi Velocity (SWA) (OKTA-637196)
• SAP Concur Solutions (SWA) (OKTA-643965)

Sign-In Widget, version 7.11.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Admin sessions bound to Autonomous System Number (ASN)

When an admin signs in to Okta, their session is now associated with the ASN they are logging in from. If the ASN changes during the session, the admin is signed out of Okta, and an event appears in the System Log.

Fixes

• OKTA-613809

  The System Log displayed incorrect email delivery events if the Registration - Activation template audience was set to Admins only.

• OKTA-632174

  The Edit User Assignment page showed roles that had already been removed by an admin.

• OKTA-636990

  If an admin attempted to cancel or retry the enrollment of the WebAuth authenticator on behalf of a user, the page closed.

• OKTA-638649

  Field validation didn't work for Trusted Origins URLs.

• OKTA-640158

  The Honor Force Authentication SAML setting didn't work with ADSSO.

• OKTA-644143

  Users who were added to a group through group assignments were displayed as manually assigned.

• OKTA-648338

  The Zendesk app integration made API requests using the GET command instead of the POST command.

• OKTA-650249

  In rare cases, a verified push factor could be replaced by an Okta FastPass factor during a session. This required users to re-authenticate with a push factor when signing in to a new app.

• OKTA-653489

  Admins couldn't add custom default Salesforce attributes that had been deleted from the Profile Editor.

• OKTA-657472

  The Add Apps to this Policy page included apps that had already been added to the authentication policy.

Okta Integration Network

App updates

• The Extracker app integration has been rebranded as Clearstory.
• The Inflection app integration has new Assertion Consumer Service (ACS) URLs, and a new URI, logo, and integration guide link.
• The Mapiq app integration has a new logo.

• The People Experience Hub app integration no longer has an Encryption Certificate field.

• The Secure Code Warrior app integration has new SSO URLs and a new Instance Region option.
• The Tableau Online app integration has been rebranded as Tableau Cloud. The app has new application profile, custom patch batch size, and website.

New Okta Verified app integrations

• Badge (OIDC)
• Badge (SAML)
• Cisco Webex Identity SCIM 2.09 (SAML)
• Datawiza Access Management Platform for E-Business Suite (EBS) (OIDC)
• Datawiza Access Management Platform for JD Edwards (JDE) (OIDC)
• Deel HR (SCIM)
• dscout (SAML)
• Fletch (SAML)
• Incode Omni (OIDC)
• Q for Sales (OIDC)
• SpiderSense (SAML)
• Voicenter (OIDC)

App integration fixes

• Tableau Cloud (SCIM) (OKTA-625933)

Sign-In Widget, version 7.11.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

• OKTA-457923

  The browser's back button removed filters set for the MFA Enrollment by User report rather than returning to the Reports page.

• OKTA-559609

  Email notifications for report downloads sometimes didn't refer to the report name correctly.

• OKTA-565078

  A display issue with the certificate's common name was corrected in the Smart Card IdP configuration.

• OKTA-568355

  When trying to launch the SuccessFactors app, credentials weren't automatically filled, which caused the launch to fail.

• OKTA-578997

  Read-only and helpdesk admins were able to incorrectly install and configure new Active Directory, LDAP, IWA Web, and Okta Provisioning agents.

• OKTA-586764

  On Okta-hosted sign-in pages, some fonts weren't loaded or rendered correctly.

• OKTA-597530

  Admins couldn't delete authorization server clients on the Access Policies page.

• OKTA-612507

  Some errors weren't translated.

• OKTA-626459

  When an org attempted to upgrade to Identity Engine, verified event hooks that were subscribed to the system.voice.send_phone_verification_call and system.sms.send_phone_verification_message event types returned warnings or consent requirements.

• OKTA-627678

  An error occurred when the postLogoutReidrectUris value in an OpenID Connect app was more than 65,535 characters.

• OKTA-633831

  Global Session Policies in newly migrated Identity Engine orgs didn't interpret sign-on rules correctly and locked users out.

• OKTA-638799

  Okta System Logs didn't show device.user.remove events.

• OKTA-639311

  When Cloud Identity was selected as the Google Workspace license type, entitlements weren't pushed.

• OKTA-647442

  Sometimes, a search request would fail if it included a recently created user.

• OKTA-649659

  The OTP page displayed an error if users opened a password reset link in a different browser or on a different device.

• OKTA-650304

  AD-sourced users could set a password compliant with the AD password policy even if the Okta password policy was more restrictive. This happens because the Okta password policy doesn't apply to these users.

• OKTA-650571

  Some user agents weren't parsed properly as a macOS X platform.

• OKTA-651062

  Users couldn't enroll duplicate instances of Desktop MFA for multiple platforms.

• OKTA-651722

  Clicking Reapply Mappings set unmapped values to empty in orgs with certain configurations.

• OKTA-653019

  Base attributes of new Slack integrations weren't visible.

• OKTA-654857

  Org navigation elements appeared behind app tiles and other user interface elements for some iOS and macOS users.

• OKTA-658533

  AMR claims weren't accepted when the inbound SAML assertion was encrypted.

• OKTA-659879

  The email challenge validity time wasn't consistently applied.

• OKTA-665293

  When an admin's network location changed, their IdP session wasn't terminated.

Okta Integration Network

App updates

• The Cisco Umbrella User Management app integration has been rebranded as Cisco User Management for Secure Access. The app integration has a new logo, description, and URL.
• The Fullview app integration has a new direct URI and a new initiate login URI.
• The YesWeHack app intergration has a new icon.

New Okta Verified app integrations

• Authentic Web (SAML)
• Extic (SAML)
• GoSearch (SAML)
• Kizen (SAML)
• Kno2fy (SAML)
• LeanIX (API service)
• Proofpoint Security Awareness Training (SCIM)
• Summize (OIDC)
• Swayable (SAML)
• Trint (SAML)
• Trint (SCIM)
• ZAMP (OIDC)

App integration fixes

• Adobe (SWA) (OKTA-647811)
• Algolia (SWA) (OKTA-654566)
• American Express (Business) (SWA) (OKTA-649753)
• Application Bank of America CashPro (SWA) (OKTA-648836)
• i-Ready (SWA) (OKTA-644769)
• IMDB Pro (SWA) (OKTA-653918)
• MIT Technology Review (SWA) (OKTA-656622)
• SuccessFactors (SWA) (OKTA-568355)
• Trend Micro Worry-Free Business Security Services (SWA) (OKTA-648083)
• Twilio (SWA) (OKTA-655486)

Sign-In Widget, version 7.12.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

• OKTA-649293

  Users couldn't be assigned to Box using the Assign Box to People page.

• OKTA-649788

  A tooltip was truncated on the API Tokens page.

• OKTA-651979

  Some custom scopes weren't listed in the search box used for adding scopes to OIDC access policy rules.

• OKTA-653966

  Admins couldn't edit their ThreatInsight settings if the Exempt Zones list included a deleted network zone.

• OKTA-657130

  When admin translations were enabled, some users saw an error when they tried to access an app.

• OKTA-658969

  Attributes defined in Okta for ServiceNow failed to sync by default.

• OKTA-659369

  An Okta FastPass validation workflow failed in Safari for some users.

• OKTA-659568

  After upgrading to Identity Engine, some orgs were prompted for certificates as part of a Device Trust workflow.

• OKTA-661489

  When an app was renamed, all characters that appeared after a symbol character ( &, ", /, \ ) were removed.

• OKTA-661859

  The app count message was inaccurate on the Profile Enrollment Policy page.

• OKTA-661982

  When an import failed for a user, unique attributes for that user were sometimes retained in Okta.

• OKTA-662487

  The Session Management labels on the Global Session Policy rule page were confusing.

• OKTA-663777

  In the Add Resource dialog box, admins couldn't search for apps with special characters.

• OKTA-666323

  When an admin added a SAML app to an existing resource set, users who were assigned the resource set couldn't access the app.

• OKTA-667580

  Users weren't prompted to reauthenticate when they revealed their credentials for personal apps.

Okta Integration Network

New Okta Verified app integrations

• Anzenna (API service)
• businesscards.io (SAML)
• Command Zero (API service)
• Contentstack (SAML)
• CurationHealth (OIDC)
• Datadog (SCIM)
• Datawiza Access Management Platform for Outlook Web Access (OWA) (OIDC)
• Fareharbor (SAML)
• Gem (API service)
• hireEZ (SCIM)
• Justt.ai (OIDC)
• LexPlay (OIDC)
• mula (OIDC)
• Netradyne Driveri (OIDC)
• Opensurvey Dataspace (OIDC)
• Ramp (SCIM)
• Splashtop Secure Workspace (OIDC)
• Splashtop Secure Workspace (SAML)
• Splashtop Secure Workspace (SCIM)
• Standard Metrics (OIDC)
• SVMMARY (SAML)
• XSpecs (SAML)
• Zenlytic (OIDC)

Fixes

• OKTA-607948

  Error messages were unclear when an LDAP query filter was invalid in Active Directory and LDAP integrations.

• OKTA-640503

  Custom admins didn't receive email notifications when the LDAP and Active Directory agent was disconnected or reconnected.

• OKTA-644010

  The System Log didn't log the time when the user was prompted for authenticator enrollment or verification.

• OKTA-662134

  Resetting a user's security question using the API endpoint didn't generate a System Log entry.

• OKTA-663793

  The System Log didn't capture a failed user authentication during LDAP delegated authentication.

• OKTA-667475

  Updated custom schema values weren't imported from Google.

• OKTA-668140

  Users sometimes received an error message when accessing the Profile Editor from the Admin Dashboard.

• OKTA-669824

  When the display language was set to Polish, the Sign-In Widget wasn't translated properly.

• OKTA-669999

  Some users weren't imported after being unassigned from a sourcing app.

Okta Integration Network

App updates

• The Blameless app integration has updated endpoints.

New Okta Verified app integrations

• Built (OIDC)
• Built (SCIM)
• GoSearch (SCIM)
• Jellyfish (SAML)
• LeanIX - SaaS Discovery (API service)
• T3 Connect (SCIM)
• Tackle.io (OIDC)

Admin Console session configuration

Admins can now set the session lifetime and idle time for Admin Console users independently of global session limits. This provides greater security control over the Admin Console.

See Configure Admin Console session lifetime.

Fixes

• OKTA-636560

  When using Okta Expression Language in Identity Engine, the group.profile.name key didn't return exact matches.

• OKTA-646953

  Users couldn't sign in to URLs for custom domains.

• OKTA-651667

  When retrying a batch update of Active Directory agents, agents that had already been updated were marked as updates in progress in the email notification.

• OKTA-657959

  When assigning users to a group using group rules, the group rule evaluation timed out, and users who matched the attributes weren't added to the group.

• OKTA-661907

  Some users on Android 6 devices were erroneously granted access to Okta-protected resources despite the authentication policy rule.

• OKTA-663893

  Users without API access management enabled saw a Create Authorization Server banner on the APIAuthorization Servers page.

• OKTA-668142

  Third-party admin status couldn't be removed from an admin. This occurred when they belonged to a third-party admin group that no longer had admin privileges.

• OKTA-672678

  Sometimes countdown messages weren't displayed when Admin Console sessions were close to expiring.

• OKTA-675063

  RADIUS agent libraries contained internal security issues. Upgrade to version 2.20.0 to correct those issues.

• OKTA-675938

  Google USB-C/NFC Titan Security Key (K52T) enrollment wasn't supported.

• OKTA-679640

  Admins sometimes received an error when trying to access the Admin Console.

Okta Integration Network

App updates

• The CodeSignal SAML app integration has a new description.
• The HackerRank For Work SCIM app integration now supports user deactivation.
• The Perimeter 81 SCIM app integration now supports group push.
• The Symantec Secure Access Cloud app integration has been rebranded as Symantec ZTNA.
• The WorkRamp app integration now supports EU locations.
• The ZAMP OIDC app integration now has IdP-initiated support.

New Okta Verified app integrations

• AgentNex (SAML)
• AuditNex (SAML)
• ChargeDesk (OIDC)
• Collage HR (OIDC)
• Ethos (OIDC)
• Iterate (OIDC)
• Kertos (API service)
• Kluster (OIDC)
• Liquid & Grit (OIDC)
  
• Lookout Secure Access (SAML)
• OneRange (SAML)
• Promethean AI (OIDC)
• Push Security (API service)
• Re-flow (SAML)
• Routespring (SAML)
• Semplates (OIDC)
• Siit (SAML)
• Siit (API service)
• Skippr OIDC for Organizations (OIDC)
• StackAdapt (OIDC)
• Tabulera (SAML)
• Venue (SCIM)