Preview release notes

Current Upcoming
Production 2023.01.2 2023.02.0 Production release is scheduled to begin deployment on February 13
Preview 2023.01.2

2023.02.0 Preview release is scheduled to begin deployment on February 8

January 2023

2023.01.0: Monthly Preview release began deployment on January 11

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Improvements to self-service account activities for AD and LDAP users

Previously, the self-service unlock (SSU) and self-service password reset (SSPR) flows created unnecessary friction for AD and LDAP users. This enhancement introduces a seamless magic link in emails sent to unlock accounts and reset passwords. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed in directly to the application. See Configure the Email authenticator.

Custom links for personal information and password management on End-User Dashboard

If you manage end users' personal information and passwords in an external application, you can configure that application as the User Identity Source in Customizations. Using this setting, you can provide a link to the application in the End-User Dashboard. When end users click the link, they're taken to the third-party page to update their information and password.

This setting is only applicable to the end users whose personal information and password are managed outside of Okta (for example, Active Directory). See Customize personal information and password management.

User Accounts

Full Featured Code Editor for error pages

Full Featured Code Editor integrates Monaco code editing library into the Admin Console to make editing code for error pages more efficient and less reliant on documentation. Developers can write, test, and publish code faster with the better syntax highlighting, autocomplete, autosave, diff view, and a Revert changes button. See Customize the Okta-hosted error pages.

Phishing-resistant authentication

Phishing-resistant authentication detects and prevents the disclosure of sensitive data to fake applications or websites. When users authenticate with Okta FastPass on managed devices, they’re protected from phishing attacks. See About MFA authenticators.

Smart Card IdP with Agentless DSSO

Okta can now be configured to allow users to use Agentless DSSO without being prompted when Smart Card IdP is configured.

Custom app login

Custom app login is now available to limited customers in Identity Engine. Only orgs that actively used the feature in Classic Engine before they upgraded may continue to do so. Orgs that don't use custom app login should continue to use the Okta-hosted sign-in experience or configure IdP routing rules that redirect users to the appropriate app to sign in. See Custom app login.

New user enumeration prevention options

Okta now allows admins to enable user enumeration prevention for authentication or recovery flows, or both. This enhancement blocks attackers from attempting to identify user accounts and authenticator enrollments in a more granular way. See User enumeration prevention.

Non-associated RADIUS agents deprecated

Access for RADIUS agents that have not been associated with an application has now been disabled. See RADIUS integrations.

Unusual telephony requests blocked by machine-learning measures

SMS and voice requests are now blocked if an internal machine-learning-based toll fraud and abuse-detection model considers the requests unusual. Telephony requests that are blocked by the machine-learning model have a DENY status in the System Log.

Enhancements

View last update info for app integrations and AD/LDAP directories

Admins can view the date an app integration was last updated by going to Applications > Applications and selecting the integration. They can view the date an AD/LDAP directory integration was last updated by going to Directory > Directory Integrations and selecting the integration.

Early Access Features

New Features

Enhanced Admin Console search

The Admin Console search now displays your search results in a user-friendly drop-down list. The list provides Top results, People, Apps, and Groups filters so you can quickly and easily find what you’re looking for. See Admin Console search.

Optional consent settings for OAuth 2.0 scopes

OAuth 2.0 Optional Consent provides an Optional setting that enables a user to opt in or out of an app's requested OAuth scopes. When Optional is set to true, the user can skip consent for that scope. See Create API access scopes .

Enhancements

AWS region support for EventBridge Log Streaming

EventBridge Log Streaming now supports all commercial AWS regions.

Fixes

General Fixes

OKTA-437264

The HEC Token field wasn't displayed correctly in the Splunk Cloud Log Stream settings.

OKTA-454996

Some users were able to access apps on non-managed devices.

OKTA-519198

Groups and apps counts displayed on the Admin Dashboard weren't always correct.

OKTA-543969

Accented characters were replaced with question marks in log streams to Splunk Cloud.

OKTA-548780

Custom domain settings were deleted during editing if the admin chose the option Bring your own certificate.

OKTA-553006

When authenticated users attempted to access an app they weren’t assigned to, they were redirected to a sign-in page with a permission error.

OKTA-553364

The Custom Authenticator allowed Android users to sign in without biometric verification even though user verification was required.

OKTA-557762

In some cases when Okta Verify wasn’t active, users couldn’t access apps if the authentication policy had OS version conditions for device assurance.

OKTA-559571

The Help link on the Administrators page directed users to the wrong URL.

OKTA-561259

On the Edit role page, the previously selected permission types weren’t retained.

OKTA-561309

A misleading error message appeared when the authentication policy rule’s possession requirements required an unavailable authenticator.

OKTA-564264

Notifications for adding or renewing fingerprint authentication were sometimes not managed correctly.

Applications

Application Update

New GitHub Teams API URL: In response to GitHub's plan to sunset deprecated Teams API endpoints over the coming months, our GitHub integration has been updated to use the new /organizations/:org_id/team/:team_id path. No action needed for Okta admins.

New Integrations

OIDC for the following Okta Verified applications:

Weekly Updates

Generally Available

Informative error messages for SAML sign-in

Error messages presented during a SAML sign-in flow now provide an informative description of the error along with a link to the sign-in page.

Fixes

General Fixes

OKTA-394045

The End-User Dashboard wasn't aligned correctly when viewed on mobile browsers.

OKTA-460054

Office 365 nested security groups sometimes failed to synchronize correctly from Okta.

OKTA-522922

Not all users deactivated in an Org2Org spoke tenant were deprovisioned in the hub tenant.

OKTA-534291

Samanage/SolarWinds schema discovery didn't display custom attributes.

OKTA-544943

When a user was deactivated in Okta, the Okta Workflows and Okta Workflows OAuth app integrations weren't removed from the user's assigned app integrations.

OKTA-547756

An incorrect error message was displayed during self-service registration when an email address that exceeded the maximum length allowed was entered.

OKTA-547978

If an admin account was deleted, certificate authorities uploaded by the admin account didn’t load on the Device Integrations page.

OKTA-548390

Enabling Agentless DSSO didn't create a default routing rule if no routing rules existed.

OKTA-549213

User's weren't able to activate Windows Hello after enrolling in Okta Verify for Microsoft Windows.

OKTA-550739

Users could request that one-time passwords for SMS, Voice, and Email activation be resent more times than allowed by the rate limit.

OKTA-556056

Group claims failed if a user who belonged to more than 100 groups appeared in the group claims expression results.

OKTA-558840

Some users were unable to complete self-service password resets and received an error.

OKTA-561264

Admins received an error when they used an internal URL to configure user help for device assurance policies.

OKTA-564242

Access tokens for some users didn’t match the lifetime specified in the access policy rule.

OKTA-565041

Group filtering failed when more than 100 groups appeared in the list of results.

OKTA-565899

An incorrect error message appeared when users saved an empty Website URL field in their on the fly app settings.

OKTA-566372

Users were sometimes unable to sign in to several Office 365 apps from Okta.

OKTA-567711

In some orgs, Email Change Confirmed Notification emails were sent unexpectedly. Admins should verify that the recipients lists audience settings are accurate for Change Email Confirmation and Email Change Confirmed Notification.

OKTA-567970

When users were created using the API (/users/${userId}/factors/questions), a null custom security question and answer were included in the response.

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Alibaba Cloud CloudSSO (OKTA-531834)

  • DoControl (OKTA-556624)

  • EasyLlama (OKTA-547466)

  • Extracker (OKTA-555971)

  • Saleo (OKTA-552314)

  • Verona (OKTA-551188)

  • Viewst (OKTA-555217)

  • WOVN.io (OKTA-551752)

OIDC for the following Okta Verified application:

Generally Available

Content Security Policy enhancements

Over the next few months we are gradually releasing enhancements to our Content Security Policy (CSP) headers. During this time you may notice an increase in header sizes.

Fixes

General Fixes

OKTA-468178

In the Tasks section of the End-User Dashboard, generic error messages were displayed when validation errors occurred for pending tasks.

OKTA-532840

Users created using Just-In-Time provisioning weren't assigned to a group when a group rule existed.

OKTA-537944

AD-sourced users received an error when resetting passwords while an Okta session was active in the browser.

OKTA-545918

Admin roles that were granted to a user through group membership sometimes didn't appear on the user's People Admin roles tab.

OKTA-551921

When a large number of profile mappings were associated with a user type, updates to the user type could time out.

OKTA-552273

Users who signed in to the End User Dashboard using a federated sign-in flow without a factor verification were shown an incorrect last sign-in time.

OKTA-552566

Users were sometimes asked to re-authenticate during an active session even though the authentication policy re-authentication frequency was set to Never re-authenticate if the session is active.

OKTA-553201

Users who scanned a Google Authenticator one-time passcode with Okta Verify received an error message and couldn't enroll in the authenticator.

OKTA-554013

Batch federation of multiple Microsoft Azure domains failed if the batch contained any child domains.

OKTA-557337

Users with apps provisioned with password sync enabled weren't challenged for multifactor authentication when they signed in from new IP addresses or a new city even though the Global Session Policy required re-authentication under those conditions.

OKTA-559661

Some org upgrades failed when a single sign-on factor was required for Admin Dashboard access and only the YubiKey, Duo Security, and Symantec VIP MFA factors were enabled but not recognized for migration.

OKTA-564420

Users couldn’t sign in to their org subdomain from okta.com if Captcha was enabled.

OKTA-566285

A threading issue caused directory imports to fail intermittently.

OKTA-566682

When an admin configured an IdP routing rule that allowed users to access certain apps, the list of available apps was blank.

OKTA-566824

Sometimes super admins encountered a timeout when listing admin users on the Administrators page in the Admin Console.

OKTA-567707

A security issue is fixed, which requires RADIUS agent version 2.18.0.

OKTA-567972

An unclear error message was returned when a group rules API call (create, update, or activate) was made to assign users to read-only groups (for example, Everyone ).

OKTA-567979

Last update information was displayed for API Service Apps and OIDC clients.

OKTA-571393

Users couldn’t enroll YubiKeys with the FIDO2 (WebAuthn) authenticator and received an error message on Firefox and Embedded Edge browsers.

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Better Stack (OKTA-566261)

  • Mist Cloud (OKTA-559122)

  • Tower (OKTA-567818)

OIDC for the following Okta Verified application:

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user’s email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.

New App Drawer

The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.

Run delegated flows from the Admin Console

With delegated flows, admins can be assigned the ability to run Okta Workflows directly from the Admin Console. Flows that are delegated to an admin appear on the Delegated Flows page where they can be invoked without signing in to the Workflows Console. This gives super admins more granular control over their admin assignments. See Delegated flows.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org’s apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application. See Configure the Email authenticator.

Improvements to the self-service password reset experience

Previously, the self-service password reset (SSPR) flow created unnecessary friction in the user experience. The newly enhanced SSPR feature introduces a seamless magic link experience for password reset emails. Users no longer need to provide consent when using the same browser. After a successful password reset where the password meets the application’s assurance policy, the user is signed directly to the app. See Configure the Email authenticator.

Toggle password visibility on the Okta Sign-In page

End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Enable delegated authentication.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Shareable Authentication Policies

Admins can now manage authentication policies using a centralized view. While authentication policies allowed admins the ability to make application access decisions using user, device, and other contextual information, managing these policies across hundreds of applications became challenging and error-prone. On the new Authentication Policies page, admins can create new policies, apply those policies to multiple applications, and assess what application access decisions are impacted by each policy. Two policy name changes are included in this release: app sign-on policy is renamed authentication policy, and Okta sign-on policy is renamed Global Session Policy. See Authentication policies.

Choose additional filters for Office 365 sign-on policy

Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.

User Verification options for admins

In the Admin Console, admins can now configure whether end users are required to provide biometrics for device enrollment. See Enable Okta FastPass

Manage admin email notification subscriptions using API endpoints

Admins can manage email subscriptions using the Admin Email Subscription API endpoints.

  • Super admins can configure default subscription settings by admin type.

  • All admins can manage their own admin email notification subscriptions.

End-User Dashboard and Plugin redesign

The Okta End-User Dashboard and Okta Browser Plugin have been redesigned with a modern look and feel that includes new sidebar navigation, fuzzy search, and sections that replaces tabs.

Okta End-User Dashboard redesign

Okta End-User Dashboard redesign

Admins can enable this new design all at once or by groups. The new experience is 50% faster, more intuitive to use, and more responsive to smaller screens. Design changes also improve accessibility and app discovery for end users.

See Create sign-on policies with Okta Applications.

This feature will gradually be made available to all Preview orgs.

Workflows Templates available

Workflows Templates is now available, providing users with access to a searchable catalog of installable Flows that address many common use cases. See Get started with Workflows Templates.

LDAP password reset option

LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication.

LDAP admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.

Incremental Imports for CSV

Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously been released to Production in 2020.09.0.

Password changed notification email

To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.

Office 365 Silent Activation

Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain joined shared Workstations or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.

End-user Welcome emails localized

The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.

People page improvements

The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.

Mobile tab available for mobile-capable apps

The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.

See Enable access to managed mobile apps

Provisioning page UI element change

Drop-down menus on the Provisioning page (General Settings) were standardized.

UI element change

Drop-down menus on the Provisioning page (General Settings) are standardized. See Provision applications.

Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access features.

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.