Okta Identity Engine release notes (2023)

January 2023

2023.01.0: Monthly Production release began deployment on January 17

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user’s email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide. This feature is currently enabled by default for new orgs only.

Revoke user sessions

Admins can end all Okta sessions for an end user when resetting their password. This option protects the user account from unauthorized access. If policy allows, Okta-sourced end users can choose to sign themselves out of all other devices when performing self-service password reset or resetting their passwords in Settings. See Revoke all user sessions. This feature is now enabled by default for all orgs.

Directory Debugger for Okta AD and LDAP agents

Admins can now enable the Directory Debugger to provide Okta Support with access to Okta AD and LDAP agent diagnostic data. This new diagnostic and troubleshooting tool accelerates issue resolution by eliminating delays collecting data and improves communication between orgs and Okta. See Enable the Directories Debugger. This feature is being re-released.

Non-associated RADIUS agents deprecated

Access for RADIUS agents that have not been associated with an application has now been disabled. See RADIUS integrations.

Unusual telephony requests blocked by machine-learning measures

SMS and voice requests are now blocked if an internal machine-learning-based toll fraud and abuse-detection model considers the requests unusual. Telephony requests that are blocked by the machine-learning model have a DENY status in the System Log.

Enhancements

View last update info for app integrations and AD/LDAP directories

Admins can view the date an app integration was last updated by going to Applications > Applications and selecting the integration. They can view the date an AD/LDAP directory integration was last updated by going to Directory > Directory Integrations and selecting the integration.

Internet Explorer 11 no longer supported

A new banner has been added on the End-User Dashboard to notify the Internet Explorer 11 users that the browser is no longer supported.

MFA report column selection

In the MFA Enrollment by User report, you can now choose which columns to hide or show in the data table. See MFA Enrollment by User report.

Early Access Features

Enhancements

AWS region support for EventBridge Log Streaming

EventBridge Log Streaming now supports all commercial AWS regions.

Fixes

General Fixes

OKTA-437264

The HEC Token field wasn't displayed correctly in the Splunk Cloud Log Stream settings.

OKTA-454996

Some users were able to access apps on non-managed devices.

OKTA-519198

Groups and apps counts displayed on the Admin Dashboard weren't always correct.

OKTA-543969

Accented characters were replaced with question marks in log streams to Splunk Cloud.

OKTA-548780

Custom domain settings were deleted during editing if the admin chose the option Bring your own certificate.

OKTA-553006

When authenticated users attempted to access an app they weren’t assigned to, they were redirected to a sign-in page with a permission error.

OKTA-553364

The Custom Authenticator allowed Android users to sign in without biometric verification even though user verification was required.

OKTA-557762

In some cases when Okta Verify wasn’t active, users couldn’t access apps if the authentication policy had OS version conditions for device assurance.

OKTA-559571

The Help link on the Administrators page directed users to the wrong URL.

OKTA-561259

On the Edit role page, the previously selected permission types weren’t retained.

OKTA-561309

A misleading error message appeared when the authentication policy rule’s possession requirements required an unavailable authenticator.

OKTA-564264

Notifications for adding or renewing fingerprint authentication were sometimes not managed correctly.

Applications

Application Update

New GitHub Teams API URL: In response to GitHub's plan to sunset deprecated Teams API endpoints over the coming months, our GitHub integration has been updated to use the new /organizations/:org_id/team/:team_id path. No action needed for Okta admins.

New Integrations

OIDC for the following Okta Verified applications:

Weekly Updates

Fixes

General Fixes

OKTA-394045

The End-User Dashboard wasn't aligned correctly when viewed on mobile browsers.

OKTA-460054

Office 365 nested security groups sometimes failed to synchronize correctly from Okta.

OKTA-522922

Not all users deactivated in an Org2Org spoke tenant were deprovisioned in the hub tenant.

OKTA-534291

Samanage/SolarWinds schema discovery didn't display custom attributes.

OKTA-544943

When a user was deactivated in Okta, the Okta Workflows and Okta Workflows OAuth app integrations weren't removed from the user's assigned app integrations.

OKTA-547756

An incorrect error message was displayed during self-service registration when an email address that exceeded the maximum length allowed was entered.

OKTA-547978

If an admin account was deleted, certificate authorities uploaded by the admin account didn’t load on the Device Integrations page.

OKTA-548390

Enabling Agentless DSSO didn't create a default routing rule if no routing rules existed.

OKTA-549213

User's weren't able to activate Windows Hello after enrolling in Okta Verify for Microsoft Windows.

OKTA-550739

Users could request that one-time passwords for SMS, Voice, and Email activation be resent more times than allowed by the rate limit.

OKTA-556056

Group claims failed if a user who belonged to more than 100 groups appeared in the group claims expression results.

OKTA-558840

Some users were unable to complete self-service password resets and received an error.

OKTA-561264

Admins received an error when they used an internal URL to configure user help for device assurance policies.

OKTA-564242

Access tokens for some users didn’t match the lifetime specified in the access policy rule.

OKTA-565041

Group filtering failed when more than 100 groups appeared in the list of results.

OKTA-565899

An incorrect error message appeared when users saved an empty Website URL field in their on the fly app settings.

OKTA-566372

Users were sometimes unable to sign in to several Office 365 apps from Okta.

OKTA-567711

In some orgs, Email Change Confirmed Notification emails were sent unexpectedly. Admins should verify that the recipients lists audience settings are accurate for Change Email Confirmation and Email Change Confirmed Notification.

OKTA-567970

When users were created using the API (/users/${userId}/factors/questions), a null custom security question and answer were included in the response.

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Alibaba Cloud CloudSSO (OKTA-531834)

  • DoControl (OKTA-556624)

  • EasyLlama (OKTA-547466)

  • Extracker (OKTA-555971)

  • Saleo (OKTA-552314)

  • Verona (OKTA-551188)

  • Viewst (OKTA-555217)

  • WOVN.io (OKTA-551752)

OIDC for the following Okta Verified application:

Generally Available

Content Security Policy enhancements

Over the next few months we are gradually releasing enhancements to our Content Security Policy (CSP) headers. During this time you may notice an increase in header sizes.

Fixes

General Fixes

OKTA-532840

Users created using Just-In-Time provisioning weren't assigned to a group when a group rule existed.

OKTA-537944

AD-sourced users received an error when resetting passwords while an Okta session was active in the browser.

OKTA-545918

Admin roles that were granted to a user through group membership sometimes didn't appear on the user's People Admin roles tab.

OKTA-551921

When a large number of profile mappings were associated with a user type, updates to the user type could time out.

OKTA-552273

Users who signed in to the End User Dashboard using a federated sign-in flow without a factor verification were shown an incorrect last sign-in time.

OKTA-552566

Users were sometimes asked to re-authenticate during an active session even though the authentication policy re-authentication frequency was set to Never re-authenticate if the session is active.

OKTA-553201

Users who scanned a Google Authenticator one-time passcode with Okta Verify received an error message and couldn't enroll in the authenticator.

OKTA-554013

Batch federation of multiple Microsoft Azure domains failed if the batch contained any child domains.

OKTA-557337

Users with apps provisioned with password sync enabled weren't challenged for multifactor authentication when they signed in from new IP addresses or a new city even though the Global Session Policy required re-authentication under those conditions.

OKTA-559661

Some org upgrades failed when a single sign-on factor was required for Admin Dashboard access and only the YubiKey, Duo Security, and Symantec VIP MFA factors were enabled but not recognized for migration.

OKTA-564420

Users couldn’t sign in to their org subdomain from okta.com if Captcha was enabled.

OKTA-566285

A threading issue caused directory imports to fail intermittently.

OKTA-566682

When an admin configured an IdP routing rule that allowed users to access certain apps, the list of available apps was blank.

OKTA-566824

Sometimes super admins encountered a timeout when listing admin users on the Administrators page in the Admin Console.

OKTA-567707

A security issue is fixed, which requires RADIUS agent version 2.18.0.

OKTA-567972

An unclear error message was returned when a group rules API call (create, update, or activate) was made to assign users to read-only groups (for example, Everyone ).

OKTA-567979

Last update information was displayed for API Service Apps and OIDC clients.

OKTA-571393

Users couldn’t enroll YubiKeys with the FIDO2 (WebAuthn) authenticator and received an error message on Firefox and Embedded Edge browsers.

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Better Stack (OKTA-566261)

  • Mist Cloud (OKTA-559122)

  • Tower (OKTA-567818)

OIDC for the following Okta Verified application:

February 2023

2023.02.0: Monthly Production release began deployment on February 13

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Agents page removed from the navigation panel

The operational status of org agents moved from the Agent page of the Admin Console to the Status widget of the Admin Dashboard. See View your org agents' status.

Splunk edition support for Log Streaming integrations

The Spunk Cloud Log Streaming integration now supports GCP and GovCloud customers. You can set the Splunk edition parameter (settings.edition) to AWS (aws), GCP (gcp), or AWS GovCloud (aws_govcloud) in your log streaming integration. See Splunk Cloud Settings properties.

Custom links for personal information and password management on End-User Dashboard

If you manage end users' personal information and passwords in an external application, you can configure that application as the User Identity Source in Customizations. Using this setting, you can provide a link to the application in the End-User Dashboard. When end users click the link, they're taken to the third-party page to update their information and password.

This setting is only applicable to the end users whose personal information and password are managed outside of Okta (for example, Active Directory). See Customize personal information and password management.

You must upgrade to Sign-in Widget version 7.3.0 or higher to use this feature. See the Sign-In Widget Release Notes.

User Accounts

Run delegated flows from the Admin Console

With delegated flows, admins can be assigned the ability to run Okta Workflows directly from the Admin Console. Flows that are delegated to an admin appear on the Delegated Flows page where they can be invoked without signing in to the Workflows Console. This gives super admins more granular control over their admin assignments. See Delegated flows.

Full Featured Code Editor for error pages

Full Featured Code Editor integrates Monaco code editing library into the Admin Console to make editing code for error pages more efficient and less reliant on documentation. Developers can write, test, and publish code faster with the better syntax highlighting, autocomplete, autosave, diff view, and a Revert changes button. See Customize the Okta-hosted error pages.

Phishing-resistant authentication

Phishing-resistant authentication detects and prevents the disclosure of sensitive data to fake applications or websites. When users authenticate with Okta FastPass on managed devices, they’re protected from phishing attacks. See About MFA authenticators.

Custom app login

Custom app login is now available to limited customers in Identity Engine. Only orgs that actively used the feature in Classic Engine before they upgraded may continue to do so. Orgs that don't use custom app login should continue to use the Okta-hosted sign-in experience or configure IdP routing rules that redirect users to the appropriate app to sign in. See Custom app login.

New user enumeration prevention options

Okta now allows admins to enable user enumeration prevention for authentication or recovery flows, or both. This enhancement blocks attackers from attempting to identify user accounts and authenticator enrollments in a more granular way. See User enumeration prevention.

Enhancements

Enhanced MFA System Log event

The new user.mfa.factor.activate System Log event for FIDO2 (WebAuthn) enrollments has been enhanced. Whenever a user enrolls in the FIDO2 (WebAuthn) authenticator, Okta now records the credential's AAGUID value, whether the credential can be backed up, and allow-list authenticator group names that include the make and model of the authenticator device that was enrolled.

Log Streaming status messages

Log streaming status messages now include a prefix related to the log streaming operation.

Updated AWS EventBridge supported regions for Log Stream integrations

The list of supported AWS EventBridge regions has been updated based on configurable event sources. See the list of available AWS regions for Log Stream integrations.

Informative error messages for SAML sign-in

Error messages presented during a SAML sign-in flow now provide an informative description of the error along with a link to the sign-in page.

Early Access Features

New Features

Smart Card authenticator available

You can add a new Smart Card authenticator that enables PIV to be used in authentication policies. You can also restrict the authentication policies to use only Smart Card Authenticator as MFA. See Smart Card IdP authenticator.

Device probing enhancement

You can now collect device signals from every authentication with Okta FastPass. By collecting fresh device signals, you enhance the overall security of your org. Note that users might receive additional verification prompts. See About MFA authenticators.

Fixes

General Fixes

OKTA-493073

An authentication policy error message wasn't applicable in some use cases.

OKTA-493531

Users were unable to sign in using passcodes when Permit Automatic Push for Okta Verify Enrolled Users was enabled.

OKTA-501372

The People page used an incorrect field name as the sorting key.

OKTA-540894

Users who attempted to cancel a Sign in with PIV/CAC card request weren't redirected back to the custom domain.

OKTA-544814

Clicking Show More in the API Trusted Origins tab resulted in an Invalid search criteria error.

OKTA-552341

After users completed an MFA challenge and signed out, their full Okta username appeared on the Sign In page.

OKTA-554006

Clicking Save and Add another to add new attributes on the Profile Editor page didn’t consistently function as expected.

OKTA-555768

Improved New Device Behavior Evaluation incorrectly identified a previously used device as new when the admin accessed the Okta Admin Dashboard.

OKTA-560752

In the Admin Console, the Japanese version of the MFA Enrollment by User report contained some English.

OKTA-566469

The Coupa integration URL displayed under the application Sign On tab was incorrect.

OKTA-567511

Users weren’t assigned to applications through group assignments following an import from AD into Okta.

OKTA-567991

Signing in to the End-User Dashboard through a third-party IdP displayed an incorrect error message if the password had expired.

OKTA-568319

In the End-User Dashboard, the link to access the Okta Browser Plugin installation guide redirected users to a broken page.

OKTA-572600

Sometimes, custom email domain configurations didn’t appear on the Domains page in the Admin Console.

OKTA-572333

After an org upgraded to Identity Engine, some apps with the default app sign-on policy weren’t assigned to the Classic Migrated policy.

OKTA-468178

In the Tasks section of the End-User Dashboard, generic error messages were displayed when validation errors occurred for pending tasks.

App Integration Fixes

The following SWA app was not working correctly and is now fixed:

  • Paychex Online (OKTA-573082)

Applications

Application Update

The HubSpot Provisioning integration is updated with a new HubSpot Roles attribute. See Configuring Provisioning for HubSpot.

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

OIDC for the following Okta Verified applications:

Weekly Updates

Fixes

General Fixes

OKTA-537710

Users on M1 MacBooks were unable to sign in to organizations provisioned with an OS-specific workflow.

OKTA-550348

Device authorization returned an error if the authentication policy had a condition for registered devices.

OKTA-552996

If JIT provisioning wasn’t enabled for a SAML IdP, users who tried to sign in received an error message instead of being redirected to the Okta sign-in page.

OKTA-556133

End users received email notifications of new sign-on events even though such notifications were disabled in the org security settings.

OKTA-561269

The YubiKey Report wasn’t generated when certain report filters were applied.

OKTA-564518

The ordering of authenticators on the Verify with something else page of the Sign-In Widget sometimes changed when the page was accessed again.

OKTA-565300

Accessibility issues on the password verification page of the End-User Dashboard prevented screenreaders from reading the text.

OKTA-565984

Case sensitivity caused usernames sent in SAML 2.0 IdP assertions not to match usernames in the destination org if a custom IdP factor was used and the name ID format was unspecified.

OKTA-566892

Sometimes MFA prompts overlapped portions of the browser sign-in pages.

OKTA-567776

Super admins weren't able to access the profile of deactivated users in some Preview environments.

OKTA-572091

Some QR codes for Okta Verify enrollment weren't scannable by iOS devices.

OKTA-572416

The Help Center link on the Resources menu directed users to the wrong URL.

OKTA-574624

In Administrators Roles, the Org Admin description was incorrect.

App Integration Fixes

The following SWA apps weren't working correctly and are now fixed:

  • Adobe Stock (OKTA-564445)

  • Adyen (OKTA-561677)

  • Airbnb (OKTA-559114)

  • AlertLogic (OKTA-560876)

  • American Express @ Work (OKTA-565294)

  • BlueCross BlueShield of Texas (OKTA-564224)

  • Drilling Info (OKTA-558048)

  • Empower (OKTA-552346)

  • Endicia (OKTA-557826)

  • Glassdoor (OKTA-564363)

  • hoovers_level3 (OKTA-562717)

  • MailChimp (OKTA-554384)

  • MY.MYOB (OKTA-553331)

  • myFonts (OKTA-566037)

  • OpenAir (OKTA-545505)

  • Paychex (OKTA-561268)

  • Paychex Online (OKTA-564325)

  • Regions OnePass (OKTA-568163)

  • Truckstop (OKTA-552741)

  • VitaFlex Participan (OKTA-562503)

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Articulate 360 (OKTA-544737)

  • Kakao Work (OKTA-556713)

  • Pleo (OKTA-564884)

  • Tower (OKTA-567818)

Generally Available

Fixes

General Fixes

OKTA-431900

The People > Enroll FIDO2 Security Key button was visible to admins who didn’t have permission to enroll authentication factors.

OKTA-452990

When a user clicked the Admin button on the End-User Dashboard using a mobile device, Okta didn't check if the user's session was still active.

OKTA-495146

The MFA Usage report and various API responses displayed different authenticator enrollment dates for users.

OKTA-503419

App catalog search results didn't include SCIM functionality labels.

OKTA-516494

Group imports from AD to Okta sometimes failed.

OKTA-558628

Some orgs experienced an error when using legacy endpoints.

OKTA-566637

The agentless DSSO just-in-time provisioning flow imported ineligible AD groups in to Okta.

OKTA-566891

Users with multiple Windows Okta Verify enrollments received an error when they attempted to log in with Windows Okta Verify.

OKTA-568575

Orgs couldn’t upgrade to Identity Engine if their app sign-on policy rules contained On Network or Off Network location settings.

OKTA-572089

Browsing the Provisioning tab for an app triggered a System Log update.

OKTA-574711

The sign-in process didn't exit after users selected No, It's Not Me in Okta Verify.

OKTA-574890

When the End-User Dashboard was in grid view, screen readers couldn't recognize apps as clickable links.

OKTA-576067

Custom domains couldn't be validated if there were uppercase characters in a subdomain.

OKTA-578439

Some event hook requests failed to send in Preview orgs.

OKTA-579157

For orgs that were updated to SCIM 2.0, Workplace by Facebook profile pushes that included the manager attribute failed.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Adobe Creative (OKTA-555215)

  • Asana (OKTA-566187)

  • ManageEngine Support Center Plus (OKTA-529921)

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Scalr.io (OKTA-552065)

  • Trusaic (OKTA-559106)

OIDC for the following Okta Verified applications: