Okta Identity Engine release notes (2023)

January 2023
2023.01.0: Monthly Production release began deployment on January 17
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Improvements to the self-service registration experience
Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user’s email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide. This feature is currently enabled by default for new orgs only.
Revoke user sessions
Admins can end all Okta sessions for an end user when resetting their password. This option protects the user account from unauthorized access. If policy allows, Okta-sourced end users can choose to sign themselves out of all other devices when performing self-service password reset or resetting their passwords in Settings. See Revoke all user sessions. This feature is now enabled by default for all orgs.
Directory Debugger for Okta AD and LDAP agents
Admins can now enable the Directory Debugger to provide Okta Support with access to Okta AD and LDAP agent diagnostic data. This new diagnostic and troubleshooting tool accelerates issue resolution by eliminating delays in collecting data and improves communication between orgs and Okta. See Enable the Directories Debugger. This feature is being re-released.
Non-associated RADIUS agents deprecated
Access for RADIUS agents that have not been associated with an application has now been disabled. See RADIUS integrations.
Unusual telephony requests blocked by machine-learning measures
SMS and voice requests are now blocked if an internal machine-learning-based toll fraud and abuse-detection model considers the requests unusual. Telephony requests that are blocked by the machine-learning model have a DENY status in the System Log.
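As an added example (not Okta's code), the following script triages the DENY outcomes described above over constructed System Log events, grouping blocked telephony requests by client IP. The `system.sms.` and `system.voice.` event-type prefixes and all sample values are assumptions; adjust them to what your org's System Log actually records.

```python
import json
from collections import defaultdict

# Assumption: telephony events use eventType values under these prefixes.
TELEPHONY_PREFIXES = ("system.sms.", "system.voice.")

# Constructed sample events in JSON-lines form (not real log data).
SAMPLE_LOG = "\n".join([
    '{"eventType":"system.sms.send_factor_verify_message","outcome":{"result":"SUCCESS"},'
    '"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7"}}',
    '{"eventType":"system.sms.send_factor_verify_message","outcome":{"result":"DENY"},'
    '"actor":{"alternateId":"user1@example.com"},"client":{"ipAddress":"203.0.113.50"}}',
    '{"eventType":"system.voice.send_mfa_challenge_call","outcome":{"result":"DENY"},'
    '"actor":{"alternateId":"user2@example.com"},"client":{"ipAddress":"203.0.113.50"}}',
    '{"eventType":"system.sms.send_factor_verify_message","outcome":{"result":"DENY"},'
    '"actor":{"alternateId":"user1@example.com"},"client":{"ipAddress":"203.0.113.50"}}',
    '{"eventType":"user.session.start","outcome":{"result":"DENY"},'
    '"actor":{"alternateId":"user1@example.com"},"client":{"ipAddress":"203.0.113.50"}}',
    'truncated-line-not-json',
    '{"eventType":"system.sms.send_factor_verify_message","outcome":{"result":"DENY"},'
    '"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.7"}}',
])


def parse_events(text):
    """Parse JSON-lines text, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate truncated export lines
    return events


def is_telephony(event):
    """True when the event type falls under the assumed telephony prefixes."""
    return str(event.get("eventType", "")).startswith(TELEPHONY_PREFIXES)


def summarize_denied(events):
    """Per client IP: telephony request count, DENY count and affected users."""
    stats = defaultdict(lambda: {"total": 0, "denied": 0, "users": set()})
    for ev in events:
        if not is_telephony(ev):
            continue  # a DENY on a non-telephony event is out of scope here
        ip = (ev.get("client") or {}).get("ipAddress") or "unknown"
        entry = stats[ip]
        entry["total"] += 1
        if (ev.get("outcome") or {}).get("result") == "DENY":
            entry["denied"] += 1
            user = (ev.get("actor") or {}).get("alternateId") or "unknown"
            entry["users"].add(user)
    return {
        ip: {"total": s["total"], "denied": s["denied"], "users": sorted(s["users"])}
        for ip, s in stats.items()
    }


def review_queue(events, min_denied=2):
    """IPs with at least min_denied blocked requests, most blocked first."""
    rows = [
        (ip, s["denied"], s["users"])
        for ip, s in summarize_denied(events).items()
        if s["denied"] >= min_denied
    ]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for ip, denied, users in review_queue(parse_events(SAMPLE_LOG)):
        print(f"{ip}: {denied} blocked telephony requests, users={users}")
```

A single blocked request for a user is often a false positive worth a help-desk follow-up, while many blocked requests from one address across several accounts is the pattern to escalate.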
Enhancements
View last update info for app integrations and AD/LDAP directories
Admins can view the date an app integration was last updated by going to Applications > Applications and selecting the integration. They can view the date an AD/LDAP directory integration was last updated by going to Directory > Directory Integrations and selecting the integration.
Internet Explorer 11 no longer supported
A new banner has been added to the End-User Dashboard to notify Internet Explorer 11 users that the browser is no longer supported.
MFA report column selection
In the MFA Enrollment by User report, you can now choose which columns to hide or show in the data table. See MFA Enrollment by User report.
Early Access Features
Enhancements
AWS region support for EventBridge Log Streaming
EventBridge Log Streaming now supports all commercial AWS regions.
Fixes
General Fixes
OKTA-437264
The HEC Token field wasn't displayed correctly in the Splunk Cloud Log Stream settings.
OKTA-454996
Some users were able to access apps on non-managed devices.
OKTA-519198
Groups and apps counts displayed on the Admin Dashboard weren't always correct.
OKTA-543969
Accented characters were replaced with question marks in log streams to Splunk Cloud.
OKTA-548780
Custom domain settings were deleted during editing if the admin chose the option Bring your own certificate.
OKTA-553006
When authenticated users attempted to access an app they weren’t assigned to, they were redirected to a sign-in page with a permission error.
OKTA-553364
The Custom Authenticator allowed Android users to sign in without biometric verification even though user verification was required.
OKTA-557762
In some cases when Okta Verify wasn’t active, users couldn’t access apps if the authentication policy had OS version conditions for device assurance.
OKTA-559571
The Help link on the Administrators page directed users to the wrong URL.
OKTA-561259
On the Edit role page, the previously selected permission types weren’t retained.
OKTA-561309
A misleading error message appeared when the authentication policy rule’s possession requirements required an unavailable authenticator.
OKTA-564264
Notifications for adding or renewing fingerprint authentication were sometimes not managed correctly.
Applications
Application Update
New GitHub Teams API URL: In response to GitHub's plan to sunset deprecated Teams API endpoints over the coming months, our GitHub integration has been updated to use the new /organizations/:org_id/team/:team_id path. No action needed for Okta admins.
New Integrations
OIDC for the following Okta Verified applications:
- Infra: For configuration information, see Infra Configuration Guide.
- Kanbina AI: For configuration information, see the Kanbina AI Documentation.
- Riot Single Sign-on: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Tracxn: For configuration information, see Configure SSO between Tracxn and Okta.
Weekly Updates

Fixes
General Fixes
OKTA-394045
The End-User Dashboard wasn't aligned correctly when viewed on mobile browsers.
OKTA-460054
Office 365 nested security groups sometimes failed to synchronize correctly from Okta.
OKTA-522922
Not all users deactivated in an Org2Org spoke tenant were deprovisioned in the hub tenant.
OKTA-534291
Samanage/SolarWinds schema discovery didn't display custom attributes.
OKTA-544943
When a user was deactivated in Okta, the Okta Workflows and Okta Workflows OAuth app integrations weren't removed from the user's assigned app integrations.
OKTA-547756
An incorrect error message was displayed during self-service registration when an email address that exceeded the maximum length allowed was entered.
OKTA-547978
If an admin account was deleted, certificate authorities uploaded by the admin account didn’t load on the Device Integrations page.
OKTA-548390
Enabling Agentless DSSO didn't create a default routing rule if no routing rules existed.
OKTA-549213
Users weren't able to activate Windows Hello after enrolling in Okta Verify for Microsoft Windows.
OKTA-550739
Users could request that one-time passwords for SMS, Voice, and Email activation be resent more times than allowed by the rate limit.
OKTA-556056
Group claims failed if a user who belonged to more than 100 groups appeared in the group claims expression results.
OKTA-558840
Some users were unable to complete self-service password resets and received an error.
OKTA-561264
Admins received an error when they used an internal URL to configure user help for device assurance policies.
OKTA-564242
Access tokens for some users didn’t match the lifetime specified in the access policy rule.
OKTA-565041
Group filtering failed when more than 100 groups appeared in the list of results.
OKTA-565899
An incorrect error message appeared when users saved an empty Website URL field in their on-the-fly app settings.
OKTA-566372
Users were sometimes unable to sign in to several Office 365 apps from Okta.
OKTA-567711
In some orgs, Email Change Confirmed Notification emails were sent unexpectedly. Admins should verify that the recipients lists audience settings are accurate for Change Email Confirmation and Email Change Confirmed Notification.
OKTA-567970
When users were created using the API (/users/${userId}/factors/questions), a null custom security question and answer were included in the response.
Applications
New Integrations
New SCIM Integration application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Verona: For configuration information, see Configuring Provisioning for Verona.
SAML for the following Okta Verified applications:
- Alibaba Cloud CloudSSO (OKTA-531834)
- DoControl (OKTA-556624)
- EasyLlama (OKTA-547466)
- Extracker (OKTA-555971)
- Saleo (OKTA-552314)
- Verona (OKTA-551188)
- Viewst (OKTA-555217)
- WOVN.io (OKTA-551752)
OIDC for the following Okta Verified application:
- Sharry: For configuration information, see the Sharry OKTA CONFIGURATION GUIDE.

Generally Available
Content Security Policy enhancements
Over the next few months we are gradually releasing enhancements to our Content Security Policy (CSP) headers. During this time you may notice an increase in header sizes.
Fixes
General Fixes
OKTA-532840
Users created using Just-In-Time provisioning weren't assigned to a group when a group rule existed.
OKTA-537944
AD-sourced users received an error when resetting passwords while an Okta session was active in the browser.
OKTA-545918
Admin roles that were granted to a user through group membership sometimes didn't appear on the user's tab.
OKTA-551921
When a large number of profile mappings were associated with a user type, updates to the user type could time out.
OKTA-552273
Users who signed in to the End User Dashboard using a federated sign-in flow without a factor verification were shown an incorrect last sign-in time.
OKTA-552566
Users were sometimes asked to re-authenticate during an active session even though the authentication policy re-authentication frequency was set to Never re-authenticate if the session is active.
OKTA-553201
Users who scanned a Google Authenticator one-time passcode with Okta Verify received an error message and couldn't enroll in the authenticator.
OKTA-554013
Batch federation of multiple Microsoft Azure domains failed if the batch contained any child domains.
OKTA-557337
Users with apps provisioned with password sync enabled weren't challenged for multifactor authentication when they signed in from new IP addresses or a new city even though the Global Session Policy required re-authentication under those conditions.
OKTA-559661
Some org upgrades failed when a single sign-on factor was required for Admin Dashboard access and only the YubiKey, Duo Security, and Symantec VIP MFA factors were enabled but not recognized for migration.
OKTA-564420
Users couldn’t sign in to their org subdomain from okta.com if Captcha was enabled.
OKTA-566285
A threading issue caused directory imports to fail intermittently.
OKTA-566682
When an admin configured an IdP routing rule that allowed users to access certain apps, the list of available apps was blank.
OKTA-566824
Sometimes super admins encountered a timeout when listing admin users on the Administrators page in the Admin Console.
OKTA-567707
A security issue is fixed, which requires RADIUS agent version 2.18.0.
OKTA-567972
An unclear error message was returned when a group rules API call (create, update, or activate) was made to assign users to read-only groups (for example, Everyone).
OKTA-567979
Last update information was displayed for API Service Apps and OIDC clients.
OKTA-571393
Users couldn’t enroll YubiKeys with the FIDO2 (WebAuthn) authenticator and received an error message on Firefox and Embedded Edge browsers.
Applications
New Integrations
New SCIM Integration application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- BizLibrary: For configuration information, see Configuring SCIM with Okta.
SAML for the following Okta Verified applications:
- Better Stack (OKTA-566261)
- Mist Cloud (OKTA-559122)
- Tower (OKTA-567818)
OIDC for the following Okta Verified application:
- Oyster HR: For configuration information, see Okta configuration guide | Oyster.

February 2023
2023.02.0: Monthly Production release began deployment on February 13
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Agents page removed from the navigation panel
The operational status of org agents moved from the Agent page of the Admin Console to the Status widget of the Admin Dashboard. See View your org agents' status.
Splunk edition support for Log Streaming integrations
The Splunk Cloud Log Streaming integration now supports GCP and GovCloud customers. You can set the Splunk edition parameter (settings.edition) to AWS (aws), GCP (gcp), or AWS GovCloud (aws_govcloud) in your log streaming integration. See Splunk Cloud Settings properties.
Custom links for personal information and password management on End-User Dashboard
If you manage end users' personal information and passwords in an external application, you can configure that application as the User Identity Source in Customizations. Using this setting, you can provide a link to the application in the End-User Dashboard. When end users click the link, they're taken to the third-party page to update their information and password.
This setting is only applicable to the end users whose personal information and password are managed outside of Okta (for example, Active Directory). See Customize personal information and password management.
You must upgrade to Sign-in Widget version 7.3.0 or higher to use this feature. See the Sign-In Widget Release Notes.
Run delegated flows from the Admin Console
With delegated flows, admins can be assigned the ability to run Okta Workflows directly from the Admin Console. Flows that are delegated to an admin appear on the Delegated Flows page where they can be invoked without signing in to the Workflows Console. This gives super admins more granular control over their admin assignments. See Delegated flows.
Full Featured Code Editor for error pages
Full Featured Code Editor integrates the Monaco code editing library into the Admin Console to make editing code for error pages more efficient and less reliant on documentation. Developers can write, test, and publish code faster with better syntax highlighting, autocomplete, autosave, diff view, and a Revert changes button. See Customize the Okta-hosted error pages.
Phishing-resistant authentication
Phishing-resistant authentication detects and prevents the disclosure of sensitive data to fake applications or websites. When users authenticate with Okta FastPass on managed devices, they’re protected from phishing attacks. See About MFA authenticators.
Custom app login
Custom app login is now available to limited customers in Identity Engine. Only orgs that actively used the feature in Classic Engine before they upgraded may continue to do so. Orgs that don't use custom app login should continue to use the Okta-hosted sign-in experience or configure IdP routing rules that redirect users to the appropriate app to sign in. See Custom app login.
New user enumeration prevention options
Okta now allows admins to enable user enumeration prevention for authentication or recovery flows, or both. This enhancement blocks attackers from attempting to identify user accounts and authenticator enrollments in a more granular way. See User enumeration prevention.
Enhancements
Enhanced MFA System Log event
The new user.mfa.factor.activate System Log event for FIDO2 (WebAuthn) enrollments has been enhanced. Whenever a user enrolls in the FIDO2 (WebAuthn) authenticator, Okta now records the credential's AAGUID value, whether the credential can be backed up, and allow-list authenticator group names that include the make and model of the authenticator device that was enrolled.
Log Streaming status messages
Log streaming status messages now include a prefix related to the log streaming operation.
Updated AWS EventBridge supported regions for Log Stream integrations
The list of supported AWS EventBridge regions has been updated based on configurable event sources. See the list of available AWS regions for Log Stream integrations.
Informative error messages for SAML sign-in
Error messages presented during a SAML sign-in flow now provide an informative description of the error along with a link to the sign-in page.
Early Access Features
New Features
Smart Card authenticator available
You can add a new Smart Card authenticator that enables PIV to be used in authentication policies. You can also restrict the authentication policies to use only Smart Card Authenticator as MFA. See Smart Card IdP authenticator.
Device probing enhancement
You can now collect device signals from every authentication with Okta FastPass. By collecting fresh device signals, you enhance the overall security of your org. Note that users might receive additional verification prompts. See About MFA authenticators.
Fixes
General Fixes
OKTA-493073
An authentication policy error message wasn't applicable in some use cases.
OKTA-493531
Users were unable to sign in using passcodes when Permit Automatic Push for Okta Verify Enrolled Users was enabled.
OKTA-501372
The People page used an incorrect field name as the sorting key.
OKTA-540894
Users who attempted to cancel a Sign in with PIV/CAC card request weren't redirected back to the custom domain.
OKTA-544814
Clicking Show More in the tab resulted in an Invalid search criteria error.
OKTA-552341
After users completed an MFA challenge and signed out, their full Okta username appeared on the Sign In page.
OKTA-554006
Clicking Save and Add another to add new attributes on the Profile Editor page didn’t consistently function as expected.
OKTA-555768
Improved New Device Behavior Evaluation incorrectly identified a previously used device as new when the admin accessed the Okta Admin Dashboard.
OKTA-560752
In the Admin Console, the Japanese version of the MFA Enrollment by User report contained some English.
OKTA-566469
The Coupa integration URL displayed under the application Sign On tab was incorrect.
OKTA-567511
Users weren’t assigned to applications through group assignments following an import from AD into Okta.
OKTA-567991
Signing in to the End-User Dashboard through a third-party IdP displayed an incorrect error message if the password had expired.
OKTA-568319
In the End-User Dashboard, the link to access the Okta Browser Plugin installation guide redirected users to a broken page.
OKTA-572600
Sometimes, custom email domain configurations didn’t appear on the Domains page in the Admin Console.
OKTA-572333
After an org upgraded to Identity Engine, some apps with the default app sign-on policy weren’t assigned to the Classic Migrated policy.
OKTA-468178
In the Tasks section of the End-User Dashboard, generic error messages were displayed when validation errors occurred for pending tasks.
App Integration Fixes
The following SWA app was not working correctly and is now fixed:
- Paychex Online (OKTA-573082)
Applications
Application Update
The HubSpot Provisioning integration is updated with a new HubSpot Roles attribute. See Configuring Provisioning for HubSpot.
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Better Stack: For configuration information, see Integrate Okta SSO & SCIM with Better Stack.
- Cafe: For configuration information, see Okta SCIM Configuration Guide.
- Kakao Work: For configuration information, see Kakao Work SCIM Setup.
- Torii: For configuration information, see Torii's SCIM Setup with Okta.
OIDC for the following Okta Verified applications:
- Craftable: For configuration information, see Single Sign On with Okta.
- LeadLander: For configuration information, see the LeadLander Okta configuration guide.
- Loxo: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Mobius Conveyor: For configuration information, see Okta SSO Configuration Guide.
- MyInterskill LMS: For configuration information, see SSO – Okta Configuration Guide.
- ngrok: For configuration information, see Okta SSO (OpenID Connect).
- Paramify: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
Weekly Updates

Fixes
General Fixes
OKTA-537710
Users on M1 MacBooks were unable to sign in to organizations provisioned with an OS-specific workflow.
OKTA-550348
Device authorization returned an error if the authentication policy had a condition for registered devices.
OKTA-552996
If JIT provisioning wasn’t enabled for a SAML IdP, users who tried to sign in received an error message instead of being redirected to the Okta sign-in page.
OKTA-556133
End users received email notifications of new sign-on events even though such notifications were disabled in the org security settings.
OKTA-561269
The YubiKey Report wasn’t generated when certain report filters were applied.
OKTA-564518
The ordering of authenticators on the Verify with something else page of the Sign-In Widget sometimes changed when the page was accessed again.
OKTA-565300
Accessibility issues on the password verification page of the End-User Dashboard prevented screenreaders from reading the text.
OKTA-565984
Case sensitivity caused usernames sent in SAML 2.0 IdP assertions not to match usernames in the destination org if a custom IdP factor was used and the name ID format was unspecified.
OKTA-566892
Sometimes MFA prompts overlapped portions of the browser sign-in pages.
OKTA-567776
Super admins weren't able to access the profile of deactivated users in some Preview environments.
OKTA-572091
Some QR codes for Okta Verify enrollment weren't scannable by iOS devices.
OKTA-572416
The Help Center link on the Resources menu directed users to the wrong URL.
OKTA-574624
In , the Org Admin description was incorrect.
App Integration Fixes
The following SWA apps weren't working correctly and are now fixed:
- Adobe Stock (OKTA-564445)
- Adyen (OKTA-561677)
- Airbnb (OKTA-559114)
- AlertLogic (OKTA-560876)
- American Express @ Work (OKTA-565294)
- BlueCross BlueShield of Texas (OKTA-564224)
- Drilling Info (OKTA-558048)
- Empower (OKTA-552346)
- Endicia (OKTA-557826)
- Glassdoor (OKTA-564363)
- hoovers_level3 (OKTA-562717)
- MailChimp (OKTA-554384)
- MY.MYOB (OKTA-553331)
- myFonts (OKTA-566037)
- OpenAir (OKTA-545505)
- Paychex (OKTA-561268)
- Paychex Online (OKTA-564325)
- Regions OnePass (OKTA-568163)
- Truckstop (OKTA-552741)
- VitaFlex Participan (OKTA-562503)
Applications
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Akamai Enterprise Application Access: For configuration information, see SCIM provisioning with Okta.
- ArmorCode: For configuration information, see SCIM Configuration Guide Instructions.
SAML for the following Okta Verified applications:
- Articulate 360 (OKTA-544737)
- Kakao Work (OKTA-556713)
- Pleo (OKTA-564884)
- Tower (OKTA-567818)

Generally Available
Fixes
General Fixes
OKTA-431900
The People > Enroll FIDO2 Security Key button was visible to admins who didn’t have permission to enroll authentication factors.
OKTA-452990
When a user clicked the Admin button on the End-User Dashboard using a mobile device, Okta didn't check if the user's session was still active.
OKTA-495146
The MFA Usage report and various API responses displayed different authenticator enrollment dates for users.
OKTA-503419
App catalog search results didn't include SCIM functionality labels.
OKTA-516494
Group imports from AD to Okta sometimes failed.
OKTA-558628
Some orgs experienced an error when using legacy endpoints.
OKTA-566637
The agentless DSSO just-in-time provisioning flow imported ineligible AD groups into Okta.
OKTA-566891
Users with multiple Windows Okta Verify enrollments received an error when they attempted to log in with Windows Okta Verify.
OKTA-568575
Orgs couldn’t upgrade to Identity Engine if their app sign-on policy rules contained On Network or Off Network location settings.
OKTA-572089
Browsing the Provisioning tab for an app triggered a System Log update.
OKTA-574711
The sign-in process didn't exit after users selected No, It's Not Me in Okta Verify.
OKTA-574890
When the End-User Dashboard was in grid view, screen readers couldn't recognize apps as clickable links.
OKTA-576067
Custom domains couldn't be validated if there were uppercase characters in a subdomain.
OKTA-578439
Some event hook requests failed to send in Preview orgs.
OKTA-579157
For orgs that were updated to SCIM 2.0, Workplace by Facebook profile pushes that included the manager attribute failed.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Adobe Creative (OKTA-555215)
- Asana (OKTA-566187)
- ManageEngine Support Center Plus (OKTA-529921)
Applications
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Samsung Knox Manage: For configuration information, see Configure Knox Manage SCIM Connector and Okta for automatic user provisioning.
- Shortcut: For configuration information, see Configuring Okta to Manage Shortcut Users with SCIM.
- Ziflow: For configuration information, see SCIM provisioning with Okta.
SAML for the following Okta Verified applications:
- Scalr.io (OKTA-552065)
- Trusaic (OKTA-559106)
OIDC for the following Okta Verified applications:
- Activaire Curator: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Arrivy: For configuration information, see How to set up OIDC Okta Single sign-on with Arrivy.
- ConductorOne: For configuration information, see Set up ConductorOne using Okta.
- HacWare: For configuration information, see SSO Login via Okta and HacWare.
- Jatheon Cloud: For configuration information, see How to Set Up Okta SSO Integration.
- Kadence: For configuration information, see Okta Single Sign-On (SSO) Setup Guide.
- Oort Identity Security: For configuration information, see Okta Integration Network SSO Instructions.
- Skye: For configuration information, see Single Sign-On (SSO) - Okta.
- Solarq: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Tabled: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Tackle.io: For configuration information, see Okta SSO Setup Guide.
- TaskCall: For configuration information, see Okta Integration Guide.
- TestMonitor: For configuration information, see How to set up Okta Single Sign-on in TestMonitor.