Okta Identity Engine release notes (Early Access)

MFA for Secure Partner Access admin portal

MFA is required for accessing the partner admin portal app. See Manage Secure Partner Access.

Entitlement claims

You can now enrich tokens with app entitlements that produce deeper integrations. After you configure this feature for your app integration, use the Okta Expression Language in Identity Engine to add entitlements at runtime as OIDC claims and SAML assertions. See Generate federated claims.

Block syncable passkeys

You can now block syncable passkeys during authentication. Previously, you could only block them during enrollment. This enhances the security of your org by preventing users from presenting such passkeys to attempt to enroll new, unmanaged devices. See Configure the FIDO2 (WebAuthn) authenticator.

New skipping of entitlement sync during import of a user Systems Log event

The following System Log event has been added: Sync skipping of entitlement during import of a user.

Force rematching of imported users

This feature enforces a rematch for unconfirmed users imported from a profile source, whether through full or incremental imports. It attempts to match these imported users with existing Okta users. When this feature is enabled, every import re-evaluates matches for unconfirmed users.

Create dynamic resource sets with conditions

Resource set conditions help you limit the scope of a role by excluding an admin’s access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org’s unique security needs. See Resource set conditions.

Granular account linking for certain Identity Providers

When admins link users from SAML and OIDC Identity Providers, they can now exclude specific users and admins. This improves security by allowing admins to configure granular access control scenarios.

Self-service toggle for Deactivate App Users

Admins can now use the self-service toggle to change what happens to an Okta user’s individual app assignments upon deactivation. If enabled, the user's individual app assignments deactivate instead of suspend. If a user is reactivated in Okta, the individual app assignments don't reactivate.

Restrict access to the Admin Console

By default, users and groups with assigned admin roles have access to the Admin Console app. With this feature, super admins can choose to manually assign the app to delegated admins instead. This is recommended for orgs with admins who don't need access, like business partners, third-party admins, or admins who only use the Okta API. See Configure administrator settings.

IP Exempt Zone

Use this feature to allow traffic from specific gateway IPs irrespective of Okta ThreatInsight configurations, blocked network zones, or IP change events within Identity Threat Protection with Okta AI. See IP Exempt Zone.

OpenID Connect Identity Providers now support group sync

OpenID Connect Identity Providers now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.

Create dynamic resource sets with conditions

Resource set conditions help you limit the scope of a role by excluding an admin's access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Resource set conditions.

Seamless and secure authentication with passkey autofill

Passkeys offer a streamlined sign in experience to users by leveraging their browser's existing autofill capabilities. This allows users to quickly and intuitively sign in to an org without typing their credentials or seeing extra prompts. This secure, phishing-resistant solution works seamlessly across devices, delivering both enhanced security and convenience for modern authentication needs. See Configure the FIDO2 (WebAuthn) authenticator.

Secure Partner Access for external partners

Secure Partner Access provides a secure way for external business partners to access your org's resources. It streamlines your partner management tasks, reduces IT workload, and simplifies the process of configuring your org's security requirements. See Manage Secure Partner Access.

Secure SaaS service accounts

This feature enables customers to monitor, manage, and secure access to service accounts in their SaaS apps. This new feature in Okta Privileged Access improves the Okta platform by safeguarding non-federated accounts across an org's apps. See Manage service accounts.

Custom languages for email templates

Admins can now customize Okta-generated emails in any BCP47-formatted language. Previously, customizations were limited to 27 Okta-supported languages. This feature allows admins to configure additional locales using Okta's Brands API. When a new locale is configured, it's available as a new language selection within the Email Templates Editor. See Customized Email Notifications.

Dynamic OS version compliance for device assurance

You can configure OS version compliance by using device assurance. However, you have to manually update the policies every time a new OS version or patch is released. With Dynamic OS version compliance, Okta updates device assurance policies with the latest OS versions and patches, eliminating the need for manual updates. With this feature you can ensure OS version compliance in your org without tracking OS releases. See Add a device assurance policy.

Make email optional authenticator

This feature allows you to upgrade your org to Identity Engine without updating your email factor settings. If you already have an Identity Engine org, it gives you and your end users more control over the email authenticator. See Skip auto-enrolling email authenticator and Make email an optional authenticator.

New app settings permissions for custom admin roles

Super admins can now assign permissions for custom admin roles to manage all app settings, or only general app settings. This enables super admins to provide more granular permissions to the admins they create, resulting in better control over org security. See Application permissions.

Workday writeback enhancement

When this feature is enabled, Okta makes separate calls to update work and home contact information. This feature requires the Home Contact Change and Work Contact Change business process security policy permissions in Workday.

Custom admin roles with device permissions

You can now create custom admin roles with permissions to view and manage devices. You can add the Devices to your resource set and then specify device permissions for your custom admin. See Create a resource set and Devices permissions.

Okta FastPass and Smart Card options on Sign-in page

Currently, if you configured both the Sign in with Okta FastPass option and Smart Card as an authenticator, users only see the Okta FastPass option when they sign in. With this feature, you can make both options available for your users during the sign-in process. See Configure the Smart Card authenticator.

Enhanced security of Okta Verify enrollments

To ensure users enroll in Okta Verify in a phishing-resistant manner, a Higher security methods option now appears on the authenticator configuration page. With this option, users can't enroll with QR code, email, or SMS link. See Configure Okta Verify options.

IdP permissions for custom admin roles

Admins can now leverage new Identity Provider management permissions when creating custom admin roles. These permissions allow more precise access control and reinforce the principle of least privilege. See Role permissions.

Admin Console Japanese translation

When you set your display language to Japanese, the Admin Console is now translated. See Supported display languages.

Front-channel Single Logout

Front-channel Single Logout (SLO) allows a user to sign out of an SLO-participating app on their device and end their Okta session. Okta then automatically sends a sign-out request to all other participating apps that the user accessed during their session. See Configure Single Logout in app integrations.

Phishing-resistant authentication with Okta FastPass on unmanaged iOS devices

While Okta FastPass can protect users against phishing attacks in most cases, it can't secure authentication on unmanaged iOS devices. To close this gap, Okta is rolling out phishing resistance for Okta FastPass on unmanaged iOS devices. With this change, users who authenticate with Okta FastPass on their personal or unmanaged iOS devices are protected from phishing attacks. See Multifactor authentication.

This feature requires Okta Verify version 8.2.1.

Event hook filters

You can now filter individual events of the same event type based on custom business logic hosted in Okta. These filters reduce the amount of events that trigger hooks, removing an unnecessary load on your external service.

This feature includes an improved creation workflow for event hooks and a new Filters tab that you can use to create event filters with direct Expression Language statements or with a simple UI format.

Using event hook filters significantly reduces the amount of event hook requests and the need for custom code on your respective services. See Edit an event hook filter.

Import users to Office 365 using Microsoft Graph API

This feature allows Okta to process imports using the Microsoft Graph API. This background process doesn't change existing procedures and makes imports more scalable, supporting Microsoft 365 tenants with larger numbers of users, groups, and group memberships. See Import users to Office 365 using Microsoft Graph API.

AWS region support for EventBridge Log Streaming

EventBridge Log Streaming now supports all commercial AWS regions.

Phishing-resistant authenticator requirement

To enhance security, admins may now require users to authenticate using a phishing-resistant authenticator when enrolling additional authenticators. This feature protects the authenticator enrollment process from phishing attempts. See Phishing-resistant authenticator enrollment.

Log Stream event structure update

For consistency the report structure for Log Stream events is now the same as that for System Log events. The following fields are changed and might need updating for any monitoring scripts in use:

• Under devices, osPlatform is now platform.

• The ipChain array is now correctly nested under request instead of client.

• The extraneous field insertionTimestamp is removed.

Passkey Management

Apple passkeys may be synchronized across multiple devices, including on unmanaged ones, and stored in Apple's data centers. This may impact organizations whose security policies require that credentials never leave the device, or that only managed devices be allowed to connect. Okta now allows admins to block the enrollment of passkeys in their orgs. With the new Passkey Management feature, customers can ensure that security policies continue to be enforced, and potentially compromised devices can be kept from connecting. Existing passkey enrollments aren't affected by turning this feature on.

New OIN app for Microsoft 365 GCC High

A new app is available for integrating Microsoft Office 365 Government Community Cloud (GCC) High. This Office 365 tenant type serves as a highly secure version of Office 365 built specifically for government entities, vendors, and contractors. The tenant provides built-in compliance with certifications and accreditations that are required by the U.S. public sector, including FedRAMP high-impact requirements.

With the new Okta Integration Network app, customers using the GCC High environment for Office 365 can securely deploy a consistent user experience for SSO and identity management. See Configure Office 365 GCC High Tenant.

Phishing-resistant authentication

Phishing-resistant authentication detects and prevents the disclosure of sensitive data to fake applications or websites. When users authenticate with Okta FastPass on managed devices, they're protected from phishing attacks. See Phishing-resistant authentication.

New column for the User app access report

The User app access report now includes the Recently Accessed column. This allows you to view when the user accessed the app in the last 90 days.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.

SAML app support added for email magic links

The Email Magic Link feature now supports SAML applications for self-service registration, self-service password reset, and self-service unlock operations.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.

Run delegated flows from the Admin Console

With delegated flows, admins can be assigned the ability to run Okta Workflows directly from the Admin Console. Flows that are delegated to an admin appear on the Delegated Flows page where they can be invoked without signing in to the Workflows Console. This gives super admins more granular control over their admin assignments. See Delegated flows.

New permissions for custom admin roles

Super admins can now assign these new permissions to their custom admin roles:

• Manage authorization server

• View authorization server

• Manage customizations

• View customizations

The authorization server permissions can be scoped to all or to a subset of the org's authorization servers. With these new permissions, super admins can now create custom admin roles with more granular permissions for managing their org's customizations and authorization servers. See Role permissions.

Splunk available for Log Streaming

Many organizations use third-party systems to monitor, aggregate, and act on the event data in Okta System Log events.

Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as the Splunk Cloud in near real time with simple, pre-built connectors. Log streaming scales well even with high event volume, and unlike many existing System Log event collectors, it doesn't require a third-party system to store an Okta Admin API token. See Log streaming.

Automatically update public keys in the Admin Console

Using private_key_jwt as your app's client authentication method requires that you upload public keys to Okta and then use the private keys to sign the assertion. Then, you must update the client configuration each time you rotate the key pairs. This is time-consuming and error-prone. To seamlessly use key pairs and rotate them frequently, you can now configure private_key_jwt client authentication in the Admin Console for OAuth clients by specifying the URI where you store your public keys. See Manage secrets and keys for OIDC apps.

Incremental Imports for the Org2Org app

Okta now supports incremental imports for the Org2Org app. Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import. See Okta Org2Org.

Additional Okta username formats for LDAP-sourced users

Three additional Okta username formats are now available for LDAP-sourced users. In addition to the existing options, admins can now select Employee Number, Common Name, and Choose from schema to form the Okta username. These new options allow admins to use both delegated authentication and Just-In-Time (JIT) provisioning with LDAP directory services. With these new provisioning options, it is now easier for admins to integrate their LDAP servers with Okta. See Configure LDAP integration settings.

Windows Autopilot integration with Okta

You can now use Okta to secure and streamline the Windows Autopilot flow on end-user devices. Before this integration, if you were using Okta Device Trust or Okta FastPass, it prohibited the enrollment of a new device through Windows Autopilot. The new integration now allows you to accommodate Not Trusted devices with Windows Autopilot while continuing to use Okta Device Trust and Okta FastPass for Trusted devices. It also allows you to add a sign-on policy rule in Okta that requires MFA when enrolling a device through Windows Autopilot. This increases security without compromising the user experience and ensures that the right person gets the access to the device. See Typical workflow for using Okta with Windows Autopilot.

Manage email notifications for custom admin roles

Super admins can configure the system notifications and Okta communications for custom admin roles. Configuring the email notifications helps ensure admins receive all of the communications that are relevant to their role. See Configure email notifications for an admin role.

Third-Party Risk

Okta Risk Eco-System API / Third-Party Risk enables security teams to integrate IP-based risk signals to analyze and orchestrate risk-based access using the authentication layer. Practitioners can step up, reduce friction or block the user based on risk signals across the customer's security stack. Apart from improving security efficacy, this feature also enhances the user experience by reducing friction for good users based on positive user signals. See Risk scoring.