Okta Identity Engine release notes (2024)
Version: 2024.01.0
January 2024
Generally Available
Sign-In Widget, version 7.14.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta On-Prem MFA Agent, version 1.7.4
This version includes security enhancements. See Okta On-Prem MFA agent version history.
Configure multiple IdP authenticators
You can now configure multiple SAML 2.0 or OIDC Identity Providers as authenticators. See Configure the IdP authenticator.
Read-only permission for admin role assignments
Super admins can now assign the View roles, resources, and admin assignments permission to their delegated admins. This permission gives admins a read-only view of the admin roles, resource sets, and admin assignments in the org. See Role permissions.
New possession constraint available in authentication policies
Admins may now require users to enter a PIN or do biometric verification when they authenticate. This enhancement enables admins to increase the security of their orgs and their authentications.
Use your own email provider
You can now use an external email provider to send email notifications in Okta. By default, email notifications such as the welcome email or an account recovery email are sent through an Okta-managed SMTP server. However, you can configure a third-party email provider in Okta and send these emails through it. Adding a custom email provider gives you more control over your email delivery. See Use your own email provider.
Operating system in the Okta Verify push challenge
The Okta Verify app now displays the correct operating system when the push challenge is initiated.
OIN connector support for Entitlement Management
The following connectors have been updated to support Entitlement Management:
- Box
- Google Workspace
- Microsoft Office 365
- Netsuite
- Salesforce
System Log events for IdP keystore operations
New System Log events are generated for IdP keystore operations:
- system.idp.key.create
- system.idp.key.update
- system.idp.key.delete
System Log event for GET an IdP
A new System Log event is generated for GET /api/v1/idps[/{idpId}.
Application Entitlement Policy
Admins can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
New Smart Card attribute for user matching
A new issuerSnReverseByteOrder attribute has been added to the Smart Card IdP user match.
Google Workspace system roles
Okta now supports Google Workspace system roles.
Updated RADIUS authentication prompts
RADIUS authentication prompts are updated to be clearer.
Early Access Features
Early Access features from this release are now Generally Available.
-
OKTA-654000
Users authenticating with Okta FastPass could sign in with authenticators that weren't phishing-resistant even though it wasn't allowed by authentication policies.
-
OKTA-658796
The Brand name description on the
page contained a typo. -
OKTA-659305
The IdP Routing Rule page became unresponsive when multiple apps were added to a rule.
-
OKTA-660541
Information about Integration settings for Chrome Device Trust was missing.
-
OKTA-665773
The remediation page for Okta Verify enrollment didn't appear for some users.
-
OKTA-667066
Resetting MFA using support user permissions didn't generate a System Log event.
-
OKTA-673705
Admins couldn’t condition permissions to include or exclude attributes from multiple user profiles.
-
OKTA-674540
Users couldn't access Confluence On-Prem using IdP-initiated or SP-initiated flows.
-
OKTA-679833
Some default attribute mappings for SuccessFactors were incorrect.
-
OKTA-683871
When the User verification as a possession constraint feature was activated, the If Okta FastPass is used section disappeared from the Authentication policy rule page when admins selected the Any 1 factor type option in User must authenticate with.
Okta Integration Network
App updates
- The AcquireTM app integration has an additional redirect URI.
- The CodeSignal app integration has a new logo.
- The OneRange app integration has a new description.
- The Peakon SAML app integration has a new display name, logo, website, description, doc link, and endpoints.
- The Peakon SCIM app integration has a new base URL and help text.
- The Qatalog app integration has a new logo.
New Okta Verified app integrations
- Genian ZTNA (SAML)
App integration fixes
- ADP mykplan.com (SWA) (OKTA-669875)
- Fidelity 401k (SWA) (OKTA-659323)
Weekly Updates
Fixes
-
OKTA-626684
The Create token button didn't appear for some accounts with custom admin roles.
menu and the -
OKTA-638138
In the System Log, the operating system was displayed as Unknown mobile if a user approved an Okta Verify push notification from an iOS device.
-
OKTA-676688
Admins saw a warning if they granted OKTA API scopes to an app with an authentication policy that denied access.
-
OKTA-683128
Customized error pages weren't displayed when admins canceled a certificate selection for PIV authentication.
-
OKTA-686546
The Connector Configuration form was missing the Edit button in orgs with the App settings permissions for custom admin roles feature enabled.
Okta Integration Network
App updates
- The AcquireTM app integration has an additional redirect URI.
- The CodeSignal app integration has a new logo.
- The Experience.com app integration now supports IdP-initiated flows.
- The OneRange app integration has a new description.
- The Peakon SCIM app integration has a new base URL and help text.
- The Peakon SAML app integration has a new logo, website, description, doc link, and new endpoints.
- The Qatalog app integration has a new logo.
New Okta Verified app integrations
- Arbolus (OIDC)
- Authomize Identity Security (API service)
- Bluescape (SAML)
- eFlok (SAML)
- Omni Analytics (SAML)
- ShareCal (SAML)
App integration fixes
- ADP mykplan.com (SWA) (OKTA-669875)
- Fidelity401k (SWA) (OKTA-659323)
Generally Available
Sign-In Widget, version 7.14.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
IP restrictions on tokens
Admins can specify allowlisted and blocklisted network zones for static, Single Sign-On Web System (SSWS) API tokens. This strengthens org security by letting them control where calls to Okta APIs can originate from. It also restricts attackers and malware from stealing SSWS tokens or replaying them outside of their IP range to gain unauthorized access.
Fixes
-
OKTA-633537
Okta erroneously denied access to some users due to incorrect device context evaluation.
-
OKTA-637955
In some cases, custom admins were able to view pushed groups that weren't assigned to them.
-
OKTA-649640
Password rules weren't correctly translated in French.
-
OKTA-653740
Custom admins could access several Active Directory and LDAP agent-related API endpoints without having the correct admin permissions.
-
OKTA-655791
The User App Access report didn't display the Group Name, Group Source, and Group Membership columns for users that were assigned an app through an AD imported group.
-
OKTA-664370
Product System Log events for the access token, ID token, and user SSO grants didn't include externalSessionId.
-
OKTA-665347
No System Log event was generated when a user's password was expired using the API. When an admin used the API to expire a user's password, no System Log event was generated.
-
OKTA-665372
A custom attribute wasn't displayed in the activation email template for some orgs.
-
OKTA-665377
Some authenticator actions done using the API didn't appear in the System Log.
-
OKTA-665903
In some cases, where a group was unassigned from an app, members of that group were still provisioned to the app.
-
OKTA-667063
Affected entity wasn't included in the System Log when temporary access was granted using the Support User.
-
OKTA-668185
Admins could add deleted network zones to an authentication policy rule.
-
OKTA-673876
Screen readers didn't inform users of screen animations, form submission, or form loading after they clicked Next in the Sign-In Widget.
-
OKTA-674218
System Log events for access token and ID token grants didn't include user attributes.
-
OKTA-679556
Group Push of large groups from Okta sometimes failed to push all members to downstream apps.
-
OKTA-679914
After an org's ISO region codes were updated, their policies prevented users from signing in from Telangana, India.
-
OKTA-683871
When the User verification as a possession constraint feature was activated, the If Okta FastPass is used section disappeared from the Authentication policy rule page when admins selected the Any 1 factor type option in User must authenticate with.
-
OKTA-684369
Users were sometimes not unassigned from applications after being removed from groups on orgs that had application entitlement policy enabled.
-
OKTA-684547
In some orgs, users couldn't sign in with Okta FastPass when PIN or biometric verification was required.
-
OKTA-686081
Some users weren't imported after being unassigned from a sourcing app.
-
OKTA-686239
Screen readers didn't inform users which security method they selected in the Sign-In Widget for multifactor authentication.
-
OKTA-686457
In some orgs, users couldn't sign in with Okta FastPass when PIN or biometric verification was required.
-
OKTA-686801
Some Salesforce provisioning jobs entered a buffered state and didn't run.
-
OKTA-687001
Sometimes the statuses that were displayed for agents were inaccurate.
-
OKTA-687369
Okta Verify incorrectly prompted for user verification.
-
OKTA-687812
An error with expiring signatures prevented agents from updating to the newest version of the LDAP agent. The issue has been resolved in version 5.19.1.
-
OKTA-687814
An error with expiring signatures prevented agents from updating to the newest version of the Active Directory agent. The issue has been resolved in version 3.16.1.
-
OKTA-688020
In some orgs, users observed a timeout and error when authenticating with AWS Account Federation.
-
OKTA-688685
On macOS devices, some users were stuck in a sign-in loop when they tried to authenticate with Okta FastPass in a Safari browser.
Okta Integration Network
App updates
- The Digitail app integration has new custom_location_attribute, department, and role SAML attributes.
- The Flow of Work Co app integration has been rebranded as GoFIGR.
- The OpsLevel app integration now has the group push, import users, and import groups functions.
- The Saltalk app integration has been rebranded as WeBox.
New Okta Verified app integrations
- ActivityInfo (OIDC)
- Bedrock Security (SAML)
- Clockwise (SCIM)
- CrunchyBridge (OIDC)
- ESKER (SAML)
- Inigo GraphQL (OIDC)
- MockFlow (SCIM)
- Netskope Admin Console (SAML)
- OCCAM Razor (OIDC)
- OPSWAT MetaDefender IT-OT Access (SAML)
- Tradespace (SAML)
- UKG HR Service Delivery (SCIM)
App integration fixes
- FaxSIPit (SWA) (OKTA-655845)
- My Eaton (SWA) (OKTA-670410)