Okta Identity Engine release notes (2024)

Version: 2024.01.0

January 2024

Generally Available

Sign-In Widget, version 7.14.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta On-Prem MFA Agent, version 1.7.4

This version includes security enhancements. See Okta On-Prem MFA agent version history.

Configure multiple IdP authenticators

You can now configure multiple SAML 2.0 or OIDC Identity Providers as authenticators. See Configure the IdP authenticator.

Read-only permission for admin role assignments

Super admins can now assign the View roles, resources, and admin assignments permission to their delegated admins. This permission gives admins a read-only view of the admin roles, resource sets, and admin assignments in the org. See Role permissions.

New possession constraint available in authentication policies

Admins may now require users to enter a PIN or do biometric verification when they authenticate. This enhancement enables admins to increase the security of their orgs and their authentications.

Use your own email provider

You can now use an external email provider to send email notifications in Okta. By default, email notifications such as the welcome email or an account recovery email are sent through an Okta-managed SMTP server. However, you can configure a third-party email provider in Okta and send these emails through it. Adding a custom email provider gives you more control over your email delivery. See Use your own email provider.

Operating system in the Okta Verify push challenge

The Okta Verify app now displays the correct operating system when the push challenge is initiated.

OIN connector support for Entitlement Management

The following connectors have been updated to support Entitlement Management:

  • Box
  • Google Workspace
  • Microsoft Office 365
  • Netsuite
  • Salesforce

See Provisioning-enabled apps.

System Log events for IdP keystore operations

New System Log events are generated for IdP keystore operations:

  • system.idp.key.create
  • system.idp.key.update
  • system.idp.key.delete

System Log event for GET an IdP

A new System Log event is generated for GET /api/v1/idps[/{idpId}.

Application Entitlement Policy

Admins can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

New Smart Card attribute for user matching

A new issuerSnReverseByteOrder attribute has been added to the Smart Card IdP user match.

Google Workspace system roles

Okta now supports Google Workspace system roles.

Updated RADIUS authentication prompts

RADIUS authentication prompts are updated to be clearer.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

  • OKTA-654000

    Users authenticating with Okta FastPass could sign in with authenticators that weren't phishing-resistant even though it wasn't allowed by authentication policies.

  • OKTA-658796

    The Brand name description on the Brand Settings page contained a typo.

  • OKTA-659305

    The IdP Routing Rule page became unresponsive when multiple apps were added to a rule.

  • OKTA-660541

    Information about Integration settings for Chrome Device Trust was missing.

  • OKTA-665773

    The remediation page for Okta Verify enrollment didn't appear for some users.

  • OKTA-667066

    Resetting MFA using support user permissions didn't generate a System Log event.

  • OKTA-673705

    Admins couldn’t condition permissions to include or exclude attributes from multiple user profiles.

  • OKTA-674540

    Users couldn't access Confluence On-Prem using IdP-initiated or SP-initiated flows.

  • OKTA-679833

    Some default attribute mappings for SuccessFactors were incorrect.

  • OKTA-683871

    When the User verification as a possession constraint feature was activated, the If Okta FastPass is used section disappeared from the Authentication policy rule page when admins selected the Any 1 factor type option in User must authenticate with.

Okta Integration Network

App updates

  • The AcquireTM app integration has an additional redirect URI.
  • The CodeSignal app integration has a new logo.
  • The OneRange app integration has a new description.
  • The Peakon SAML app integration has a new display name, logo, website, description, doc link, and endpoints.
  • The Peakon SCIM app integration has a new base URL and help text.
  • The Qatalog app integration has a new logo.

New Okta Verified app integrations

App integration fixes

  • ADP mykplan.com (SWA) (OKTA-669875)
  • Fidelity 401k (SWA) (OKTA-659323)

Weekly Updates

Fixes

  • OKTA-626684

    The Security API menu and the Create token button didn't appear for some accounts with custom admin roles.

  • OKTA-638138

    In the System Log, the operating system was displayed as Unknown mobile if a user approved an Okta Verify push notification from an iOS device.

  • OKTA-676688

    Admins saw a warning if they granted OKTA API scopes to an app with an authentication policy that denied access.

  • OKTA-683128

    Customized error pages weren't displayed when admins canceled a certificate selection for PIV authentication.

  • OKTA-686546

    The Connector Configuration form was missing the Edit button in orgs with the App settings permissions for custom admin roles feature enabled.

Okta Integration Network

App updates

  • The AcquireTM app integration has an additional redirect URI.
  • The CodeSignal app integration has a new logo.
  • The Experience.com app integration now supports IdP-initiated flows.
  • The OneRange app integration has a new description.
  • The Peakon SCIM app integration has a new base URL and help text.
  • The Peakon SAML app integration has a new logo, website, description, doc link, and new endpoints.
  • The Qatalog app integration has a new logo.

New Okta Verified app integrations

App integration fixes

  • ADP mykplan.com (SWA) (OKTA-669875)
  • Fidelity401k (SWA) (OKTA-659323)

Generally Available

Sign-In Widget, version 7.14.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

IP restrictions on tokens

Admins can specify allowlisted and blocklisted network zones for static, Single Sign-On Web System (SSWS) API tokens. This strengthens org security by letting them control where calls to Okta APIs can originate from. It also restricts attackers and malware from stealing SSWS tokens or replaying them outside of their IP range to gain unauthorized access.

Fixes

  • OKTA-633537

    Okta erroneously denied access to some users due to incorrect device context evaluation.

  • OKTA-637955

    In some cases, custom admins were able to view pushed groups that weren't assigned to them.

  • OKTA-649640

    Password rules weren't correctly translated in French.

  • OKTA-653740

    Custom admins could access several Active Directory and LDAP agent-related API endpoints without having the correct admin permissions.

  • OKTA-655791

    The User App Access report didn't display the Group Name, Group Source, and Group Membership columns for users that were assigned an app through an AD imported group.

  • OKTA-664370

    Product System Log events for the access token, ID token, and user SSO grants didn't include externalSessionId.

  • OKTA-665347

    No System Log event was generated when a user's password was expired using the API. When an admin used the API to expire a user's password, no System Log event was generated.

  • OKTA-665372

    A custom attribute wasn't displayed in the activation email template for some orgs.

  • OKTA-665377

    Some authenticator actions done using the API didn't appear in the System Log.

  • OKTA-665903

    In some cases, where a group was unassigned from an app, members of that group were still provisioned to the app.

  • OKTA-667063

    Affected entity wasn't included in the System Log when temporary access was granted using the Support User.

  • OKTA-668185

    Admins could add deleted network zones to an authentication policy rule.

  • OKTA-673876

    Screen readers didn't inform users of screen animations, form submission, or form loading after they clicked Next in the Sign-In Widget.

  • OKTA-674218

    System Log events for access token and ID token grants didn't include user attributes.

  • OKTA-679556

    Group Push of large groups from Okta sometimes failed to push all members to downstream apps.

  • OKTA-679914

    After an org's ISO region codes were updated, their policies prevented users from signing in from Telangana, India.

  • OKTA-683871

    When the User verification as a possession constraint feature was activated, the If Okta FastPass is used section disappeared from the Authentication policy rule page when admins selected the Any 1 factor type option in User must authenticate with.

  • OKTA-684369

    Users were sometimes not unassigned from applications after being removed from groups on orgs that had application entitlement policy enabled.

  • OKTA-684547

    In some orgs, users couldn't sign in with Okta FastPass when PIN or biometric verification was required.

  • OKTA-686081

    Some users weren't imported after being unassigned from a sourcing app.

  • OKTA-686239

    Screen readers didn't inform users which security method they selected in the Sign-In Widget for multifactor authentication.

  • OKTA-686457

    In some orgs, users couldn't sign in with Okta FastPass when PIN or biometric verification was required.

  • OKTA-686801

    Some Salesforce provisioning jobs entered a buffered state and didn't run.

  • OKTA-687001

    Sometimes the statuses that were displayed for agents were inaccurate.

  • OKTA-687369

    Okta Verify incorrectly prompted for user verification.

  • OKTA-687812

    An error with expiring signatures prevented agents from updating to the newest version of the LDAP agent. The issue has been resolved in version 5.19.1.

  • OKTA-687814

    An error with expiring signatures prevented agents from updating to the newest version of the Active Directory agent. The issue has been resolved in version 3.16.1.

  • OKTA-688020

    In some orgs, users observed a timeout and error when authenticating with AWS Account Federation.

  • OKTA-688685

    On macOS devices, some users were stuck in a sign-in loop when they tried to authenticate with Okta FastPass in a Safari browser.

Okta Integration Network

App updates

  • The Digitail app integration has new custom_location_attribute, department, and role SAML attributes.
  • The Flow of Work Co app integration has been rebranded as GoFIGR.
  • The OpsLevel app integration now has the group push, import users, and import groups functions.
  • The Saltalk app integration has been rebranded as WeBox.

New Okta Verified app integrations

App integration fixes

  • FaxSIPit (SWA) (OKTA-655845)
  • My Eaton (SWA) (OKTA-670410)