Okta Identity Engine release notes (Early Access)

Early Access Features

OAuth 2.0 provisioning for Org2Org with Autorotation

Admins deploying multi-org architectures (for example, Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning with OAuth 2.0 scoped tokens has several advantages over API tokens, including finer-grained access, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Autorotation for Org2Org app provisioning directly from the Admin Console.

See Integrate Okta Org2Org with Okta.

Manage Active Directory accounts in Okta Privileged Access

This feature allows management of Active Directory (AD) account passwords through Okta Privileged Access using the Okta AD Agent. Admins can set discovery rules for accounts in specific organizational units (OUs) and create policies for user access, ensuring passwords are rotated upon check-in or on a schedule. Users with access can view their assigned accounts and retrieve passwords. To enable this feature, contact Okta support. See Manage Active Directory accounts.

Bypass ASN binding with the Default Exempt IP Zone

The ASN binding feature associates admins with the IP address that they signed in from. If the IP changes during a session, the admin is signed out of Okta, and an event appears in the System Log. To bypass IP and ASN binding, you can add the client IP to the Default Exempt IP Zone. See IP exempt zone.

App Switcher for Okta first-party apps

The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.

New look and feel in the End-User Dashboard

The End-User Dashboard now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

New identity verification provider added

Okta now supports using CLEAR Verified as an identity provider. This increases the number of identity verification vendors (IDVs) you can use to verify the identity of your users when they onboard or reset their account. See Add an identity verification vendor as an identity provider.

Track MFA abandonment in the System Log

You can now monitor abandoned MFA attempts in the System Log using the user.authentication.auth_via_mfa event. The event now has two additional statuses for the event outcome:

  • UNANSWERED: MFA prompt was abandoned, but the user eventually signed in using another authenticator.
  • ABANDONED: MFA prompt was abandoned and the user couldn't sign in.

See Track MFA abandonment in the System Log.
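The two new outcome values above are what a detection rule would key on. The following is an added example, not Okta's code: it reads newline-delimited System Log events, keeps only user.authentication.auth_via_mfa events whose outcome is UNANSWERED or ABANDONED, tallies them per user, and flags users whose abandoned-prompt count reaches a threshold (a cheap signal for MFA fatigue or an attacker pushing prompts at a user). The event field names (eventType, outcome.result, actor.alternateId, published) follow the general shape of Okta System Log JSON; the sample events and the two-prompt threshold are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

MFA_EVENT = "user.authentication.auth_via_mfa"
# Outcome values documented in the release note above.
ABANDON_OUTCOMES = {"UNANSWERED", "ABANDONED"}

# Constructed sample events (not real Okta data), one JSON object per line,
# plus one deliberately malformed line to exercise the parser's error handling.
_SAMPLE_EVENTS = [
    {"eventType": MFA_EVENT, "published": "2024-01-01T10:00:00Z",
     "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": MFA_EVENT, "published": "2024-01-01T10:05:00Z",
     "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "UNANSWERED"}},
    {"eventType": MFA_EVENT, "published": "2024-01-01T10:06:00Z",
     "actor": {"alternateId": "bob@example.com"}, "outcome": {"result": "ABANDONED"}},
    {"eventType": MFA_EVENT, "published": "2024-01-01T10:09:00Z",
     "actor": {"alternateId": "bob@example.com"}, "outcome": {"result": "ABANDONED"}},
    {"eventType": MFA_EVENT, "published": "2024-01-01T10:12:00Z",
     "actor": {"alternateId": "carol@example.com"}, "outcome": {"result": "ABANDONED"}},
    # A non-MFA event that must be ignored by the filter.
    {"eventType": "user.session.start", "published": "2024-01-01T10:13:00Z",
     "actor": {"alternateId": "bob@example.com"}, "outcome": {"result": "SUCCESS"}},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS) + "\nthis line is not json\n"


def parse_events(lines):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # keep going on a bad line rather than losing the whole batch
    return events


def mfa_outcomes(events):
    """Count every outcome of auth_via_mfa events (SUCCESS included) for a baseline."""
    counts = Counter()
    for ev in events:
        if ev.get("eventType") == MFA_EVENT:
            counts[ev.get("outcome", {}).get("result", "UNKNOWN")] += 1
    return counts


def summarize_mfa_abandonment(events):
    """Return {user: Counter(outcome -> count)} restricted to abandoned MFA prompts."""
    per_user = defaultdict(Counter)
    for ev in events:
        if ev.get("eventType") != MFA_EVENT:
            continue
        result = ev.get("outcome", {}).get("result")
        if result not in ABANDON_OUTCOMES:
            continue
        user = ev.get("actor", {}).get("alternateId", "<unknown actor>")
        per_user[user][result] += 1
    return dict(per_user)


def flag_users(summary, threshold=2):
    """Users whose abandoned prompts (either status) reach the threshold, sorted by name."""
    return sorted(u for u, c in summary.items() if sum(c.values()) >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    print("MFA outcomes:", dict(mfa_outcomes(evs)))
    summary = summarize_mfa_abandonment(evs)
    for user, counts in sorted(summary.items()):
        print(f"{user}: {dict(counts)}")
    print("flagged:", flag_users(summary, threshold=2))
```

ABANDONED is the stronger signal (the user never completed sign-in), so a production rule would typically alert on it at a lower threshold than UNANSWERED, and would correlate with the client IP and the authenticator used rather than counting per user alone.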

Custom admin role for Okta Device Access

You can now configure custom admin roles to view and manage Okta Device Access functionality. This lets IT teams designate admins who can manage Okta Device Access capabilities without holding the most elevated security permissions. See Desktop MFA recovery.

New System Log event for identity verification

The new user.identity_verification event displays the result (success or failure) of identity verifications with identity verification vendors (IDVs). If there's a failure, the event also displays the reason.

Custom remediation for device assurance

You can now display custom remediation instructions to users when authentication fails due to unsuccessful device posture checks with Okta Verify or Chrome Device Trust. See Configure custom remediation instructions for device assurance.

New look and feel in the Admin Console

The Admin Console now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

On-prem Connector for SAP NetWeaver ABAP

On-prem Connector for SAP NetWeaver ABAP provides an out-of-the-box solution that connects SAP on-premises apps with Okta Identity Governance. It enables the discovery, visibility, and management of SAP entitlements (roles) directly in Okta. This integration enhances security, saves time, and simplifies governance by eliminating the need for custom integrations and by streamlining entitlement management.

New attributes in Universal Sync

The following attributes are now supported in Universal Sync: AuthOrig, DLMemRejectPerms, DLMemSubmitPerms, and UnauthOrig.

New identity verification provider added

Okta now supports using Incode as an identity provider. This increases the number of identity verification vendors (IDVs) you can use to verify the identity of your users when they onboard or reset their account. See Add an identity verification vendor as an identity provider.

Block syncable passkeys

You can now block syncable passkeys during authentication. Previously, you could only block them during enrollment. This enhances the security of your org by preventing users from presenting such passkeys to attempt to enroll new, unmanaged devices.

Self-service toggle for Deactivate App Users

Admins can now use the self-service toggle to change what happens to an Okta user's individual app assignments upon deactivation. If enabled, the user's individual app assignments are deactivated instead of suspended. If the user is later reactivated in Okta, those individual app assignments aren't reactivated.

Entitlement support for disconnected apps

Disconnected apps are apps that aren't LCM-integrated with Okta. This feature allows you to use CSV files to import users and entitlements into Okta from disconnected apps, enabling consistent governance and compliance across all apps, including those not fully integrated with Okta.

MFA for Secure Partner Access admin portal

MFA is now required to access the partner admin portal app.

Force rematching of imported users

This feature enforces a rematch for unconfirmed users imported from a profile source, whether through full or incremental imports. It attempts to match these imported users with existing Okta users. When this feature is enabled, every import re-evaluates matches for unconfirmed users.

New System Log event: skipping of entitlement sync during import of a user

The following System Log event has been added: Sync skipping of entitlement during import of a user.

Okta-to-Okta claims sharing enhancement

Okta-to-Okta claims sharing now supports the use of the smart card authenticator and Active Directory for Single Sign-On. This removes the need for users to authenticate with a service provider when they've already authenticated to an Okta org.

On-prem Connector for SAP NetWeaver ABAP supports more attributes

Okta On-prem Connector now supports more user attributes, which enables better integration between Okta and SAP NetWeaver ABAP.

Secure Partner Access for external partners

Secure Partner Access provides a secure way for external business partners to access your org's resources. It streamlines your partner management tasks, reduces IT workload, and simplifies the process of configuring your org's security requirements. See Secure Partner Access.

Same-Device Enrollment for Okta FastPass reactivated

Same-Device Enrollment for Okta FastPass is now available again. The feature had been removed to resolve an Okta Verify enrollment issue. On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they're currently using. Previously, a second device was required for enrollments. Note that enrollment requires 2FA if possible, which may involve a second device.
  • Users no longer need to enter their org URL during enrollment.
  • The enrollment flow has fewer steps.

This feature is supported on Android, iOS, and macOS devices. To enable it, go to Admin Console > Settings and turn on Same-Device Enrollment for Okta FastPass.

Verify an SSF Stream

Okta SSF Transmitter now supports the verification endpoint to enable receivers to request verification events and validate the end-to-end delivery between the transmitter and receiver. The SSF Transmitter verification events claim structure is also now compliant with the OpenID Shared Signals Framework ID3 spec.

Grace period for device assurance

Occasionally, users' devices might fall out of compliance with security policies due to temporary conditions such as missed software updates or unapproved network connections. Without a grace period, they would be immediately blocked from accessing critical resources, which disrupts productivity and causes frustration. The Grace period for device assurance feature allows you to define a temporary window during which non-compliant devices can still access resources. This gives users time to remediate issues without being locked out, balancing productivity with security standards. See Add a device assurance policy.

Authentication claims sharing between Okta orgs

Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Add a SAML Identity Provider.

Seamless and secure authentication with passkey autofill

Passkeys offer users a streamlined sign-in experience by leveraging their browser's existing autofill capabilities. This allows users to quickly and intuitively sign in to an org without typing their credentials or seeing extra prompts. This secure, phishing-resistant solution works seamlessly across devices, delivering both enhanced security and convenience for modern authentication needs. See Configure the FIDO2 (WebAuthn) authenticator.

OIDC and SAML app integrations enhancement

When the Front-channel Single Logout feature is enabled, the OIDC and SAML app integration pages now have a single Logout section that includes all of the logout settings for the app.

Require MFA for accessing Identity Governance admin apps

If your org uses Okta Identity Governance, you can require MFA for admins who access these first-party apps: Okta Access Certifications, Okta Entitlement Management, and Okta Access Requests Admin. If you have auto-enabled EA features in your org, MFA is automatically enforced for those apps. See Enable MFA for the Admin Console.

Custom Keep me signed in labels

Admins can now customize the Keep me signed in label on their sign-in page.

OAuth 2.0 security for invoking API endpoints

Okta Workflows users can now securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this Early Access feature is more secure while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint.

Biometric user verification in authentication policies

You can now configure authentication policies to require biometric user verification (no passcode). With this feature you ensure that users confirm their biometrics when they authenticate with Okta FastPass or Okta Verify Push. See Biometric user verification in authentication policies.

Certificate-based authentication for Office 365

Okta Identity Engine now supports certificate-based authentication for WS-Fed SSO requests. Users can authenticate using smart/PIV cards to seamlessly access their Windows devices and Office 365 apps.

Entitlement Management with Okta Provisioning Agent with SCIM 2.0 support

This agent supports Entitlement Management for app integrations that have enabled Governance Engine. This allows the provisioning of entitlements between Okta and on-premises apps.

Continuous Access widget is now Post auth session violations widget

The Continuous Access widget in the Identity Threat Protection dashboard is renamed to the Post auth session violations widget.

  • Continuous access violations are renamed to Session violations.
  • Continuous access evaluation is renamed to Post auth session evaluation.

Continuous Access is now Post Auth Session

The Continuous Access tab in Authentication Policies is renamed to Post Auth Session.

Updates to Identity Threat Protection reports

The Identity Threat Protection reports have been updated as follows:

  • Reports list page

    • Continuous Access Evaluation section is renamed to Identity Threat Protection.
    • Continuous Access Violation Report is renamed to Session Violation Report.
  • Continuous Access Violation Report page

    • Instances of Continuous Access are renamed to Session.
    • Report delay in description is changed from four hours to fifteen minutes.
  • At-Risk User Report page

    • Report delay in description is changed from four hours to fifteen minutes.

Skip the verify page and redirect to the IdP authenticator

This feature allows users to skip the verify step in the Sign-In Widget. They are instead redirected to the IdP authenticator for verification. When you enable this feature, end users see the option to skip the Sign-In Widget verification. If your org is configured to remember the last authenticator the user used, then the user is auto-redirected to the IdP authenticator for future sign-in attempts.

Enhancement to protected access to Admin Console

As part of the Require MFA for Protected Actions in the Admin Console feature, step-up authentication is now required to modify authentication policies that apply to the Admin Console.

Restrict access to the Admin Console

By default, users and groups with assigned admin roles have access to the Admin Console app. With this feature, super admins can choose to manually assign the app to delegated admins instead. This is recommended for orgs with admins who don't need access, like business partners, third-party admins, or admins who only use the Okta API. See Configure administrator settings.

Authenticator actions hidden

Users must satisfy the requirements of an Okta account management policy to reset or remove their existing security methods. If they don't, the authenticator actions are now hidden from their Settings page.

Support case management for admins

Super admins can now assign the View, create, and manage Okta support cases permission and Support Cases resource to a custom admin role. This allows delegated admins to manage the support cases that they've opened.

New Hyperspace agent version

This version includes bug fixes and an upgrade of the .NET Framework to version 4.8.

IdP selection for admin resources

This feature gives customers the ability to select and manage the Identity Providers (IdPs) that they want to associate with an admin role. This enhances security by providing granular permissions to roles. See Create a resource set.

Google Workspace 1-click federation

Admins can set up SSO to Google Workspace using a simplified integration experience that saves time and reduces the risk of errors.

IP binding for Admin Console setting

The Security > General > Organization Security page has a new IP binding for Admin Console setting. When you enable this setting, all of the admin sessions in your org are associated with the system IP address that they signed in from. If the IP address changes during the session, the admin is signed out of Okta, and an event appears in the System Log. See General Security.