Okta AD agent, version 3.11.0

This version of the agent contains the following changes:

• Increased minimum .NET version supported to 4.6.2. If the installer doesn't detect .NET 4.6.2 or higher, it won't be installed.

• Security enhancements

• Removed unsupported libraries

See Okta Active Directory agent version history.

Okta ADFS plugin, version 1.7.10

This version of the plugin contains bug fixes and security enhancements. See Okta ADFS Plugin Version History.

Okta RADIUS agent, version 2.17.4

This version of the agent contains bug fixes and security enhancements. See Okta RADIUS Server Agent Version History.

Okta On-Prem MFA agent, version 1.5.0

This version of the agent contains security enhancements. See Okta On-Prem MFA Agent Version History.

Jira Authenticator, version 3.1.8

This release contains bug fixes. See Okta Jira Authenticator Version History.

Okta Resource Center access

The Okta Resource Center is a collection of product tours, step-by-step guides, and announcements that helps you learn about new features and how to perform tasks within the Admin Console. You can launch the Okta Resource Center by clicking the blue icon from anywhere in the Admin Console. See Okta Resource Center.

Improved email magic link authentication experience

Email magic links have been enhanced to allow end users to authenticate in two different contexts. They can authenticate in the same location where they click the link and quickly return to the application context. Or, if the end user clicks the link in a different browser, they can enter a one-time password to proceed with authentication. Previously when using email magic links to sign in to an application, end users had to return to the original browser location where they initiated the sign-in attempt. Okta ensures that end users can prove ownership of both the originating tab and the tab where they clicked the email magic link. See Configure the Email authenticator and Sign in to resources protected by Okta.

Password as optional authenticator

Passwords are weak authenticators and prone to security issues. Currently all users are required to enroll a password. This also causes friction during the self-service registration process. You can now create a password-optional or passwordless sign-in experience for your end users. It makes the registration process quicker by removing the need to set up a password. It also provides a safer and more secure sign-in experience as users can instead use stronger authenticators such as possession-based authenticators or biometrics. Okta gives you the flexibility to target specific groups of users in your organization with passwordless flows, allowing you to gradually roll out the experience across your entire user base. See Set up passwordless sign-in experience.

Symantec VIP authenticator now available

The Symantec VIP authenticator is now available in Okta Identity Engine. Enterprises that use Symantec VIP to verify their users’ identities may now integrate this authenticator into their Okta environments and use it to protect access to their Okta orgs and apps. See Configure Symantec VIP authenticator.

Expose groups in the LDAP interface directory information tree (DIT)

To simplify access control decisions for their orgs, admins can now select the groups they want to expose in the LDAP interface directory information tree (DIT). In addition to Okta groups, admins now have the option to view the application groups that are significant to their orgs, including Active Directory (AD) and LDAP groups. See Expose app groups in the LDAP interface directory information tree.

Bulk assign users to groups

Admins can now use bulk import functionality to assign multiple users to specific Okta groups. Bulk user import significantly reduces the time admins spend managing user group assignments. In addition, this functionality makes it easier for large enterprise orgs to adopt Okta as their access management provider. See Bulk assign people to a group.

Advanced search for users and groups

To make it easier for admins to quickly locate and manage users and groups, enhanced people and group search functionality is now available. Admins can limit search results to specific criteria using the SCIM protocol to query. They can also use Created On and Last Updated On in their queries to identify when users or groups were created or last modified, and search for groups and users using both base and custom attributes. These advanced search options optimize search results and help reduce the time spent searching for specific information. See View group members.

Okta Admin Console Groups page enhancements

The Okta Admin Console Groups page has been updated to simplify the addition of large numbers of users to groups and reduce the likelihood that all users can be accidentally removed from a group. In addition, search functionality has been significantly improved to make adding and removing users from groups quicker and easier. See Manage groups.

Custom help links in the Sign-In Widget

Admins can add a custom help link on the authenticator page of the Sign-In Widget. This link can provide just-in-time help with multifactor authentication and can point to an in-house resource or other location. See Customize text on your sign-in page.

PKCE is a verification method for OIDC SPA and Native app integrations

The OIDC App Integration Wizard now identifies that PKCE is not a client authentication method. Instead, for SPA and Native apps, the AIW creates apps listing PKCE as a verification method. See Create OIDC app integrations using AIW.

Add agent permissions to custom admin roles

Custom admins can perform AD agent auto-updates for AD instances they have access to. They can also view the agents dashboard page to see the statuses of all agents associated with app instances they can manage. See Automatically update Okta agents.

Group count tooltip on the Admin Dashboard

On the Admin Dashboard, the Overview section now provides an "Includes only Okta sourced groups and excludes those sourced externally, such as AD groups" tooltip for the Groups count. The new tooltip helps you understand how your groups count is calculated. You can view the tooltip by hovering your cursor over the Groups count on the Overview section. See View your org at a glance.

Okta End-User Dashboard enhancements

• Unread notifications are more visible to users.

• The End-User Dashboard Preview function bar has moved to a separate dialog. See Preview an end user's dashboard.

• The Last sign in link at the bottom of the Okta End-User Dashboard now includes the entire text of the message in the hyperlink.

• The title of the copy password dialog in the Okta End-User Dashboard is more specific.

System Log enhancements for block zone events

• The zone.make_blacklist event in the System Log now encompasses two actions: when an admin creates a blocked network zone, and when an admin marks an existing blocked zone as unblocked. Previously, this event was only recorded when a pre-existing network zone was converted into a block list.

  

• The zone.remove_blacklist System Log event now encompasses two actions: when a network zone is converted into an allow list, and when an admin deletes a blocked zone. Previously, this event was only recorded when a pre-existing network zone was converted to an allow list.

  

System Log enhancement for network zone events

A network zone ID is now added as a target for all network zone events in the System Log.

Enhancements to ThreatInsight

ThreatInsight is improved to further protect rate limit consumption from malicious actors. Requests from actors with a high threat level continue to be logged and/or blocked depending on the org's configuration. Now, additional requests that seem malicious but have a lower threat level no longer count towards org rate limits.

Enhancements to multifactor authentication validation in authentication policies

When creating authentication policies, admins can only select authenticators that are enabled in their org and available to the associated group of users.

OIN Catalog enhancements

Integrations in the OIN Catalog help end users address issues across a variety of industries. Okta has added the ability to filter integrations by industry to help both prospective and current Okta users identify the OIN integrations that best meet their needs. Additionally, the OIN Catalog interface has been updated with the following enhancements for improved navigation:

• The search interface has been updated and popular search terms can now be selected.

• Details pages for integrations have been updated for usability.

• Navigation breadcrumbs have been added to the OIN Catalog.

• Integrations can now be sorted alphabetically and by recently added.

See Add existing app integrations.

OIN Catalog search functionality and filter updates

• OIN Catalog search results now prioritize complete word matches from the search phrase.

• Integrations in the OIN Catalog can now be filtered by RADIUS functionality.

See Add existing app integrations.

OIN Manager enhancements

The OIN Manager now requires that ISV submissions for SCIM integrations confirm that the integration meets API response timing requirements. See Publish an OIN integration.

OKTA-386570

If an LDAP interface bind request failed, subsequent searches failed with an internal server error instead of a permissions denied error.

OKTA-435855

Web and SPA app integrations created with an Authorization code or Interaction code grant type incorrectly returned an error if the Login Initiated By Either Okta or App option was selected.

OKTA-476570

The System Log didn’t display the app name when users entered invalid credentials during an SP-initiated flow.

OKTA-476896

On the Administrators page, deactivated users with assigned admin roles were included in the Individually assigned count.

OKTA-477494

Some invalid EL expressions incorrectly passed validation.

OKTA-477634

Some users experienced delays when searching for an app on the Okta End-User Dashboard.

OKTA-481752

When users tried to enroll in Okta Verify, VoiceOver screen readers didn't highlight the mobile device type correctly or allow users to select a device. It also selected the iPhone option even though the Android option was also available.

OKTA-482266

During PIV authentication where no certificate or an expired certificate was provided, a 404 error was displayed.

OKTA-482435

When admins upgraded an app to SAML 2.0, the SAML 2.0 setup instructions used the org-scoped certificate instead of the app-scoped certificate.

OKTA-483062

Custom application access error pages redirected to the default Okta error page.

OKTA-484366

Admins couldn’t use the objectGuid attribute as a unique identifier when integrating AD LDS LDAP servers with Okta.

OKTA-486141

If an inline hook was registered and in use under a profile enrollment policy, admins could deactivate or delete the hook. This resulted in an error when that policy was used for self-service registration.

OKTA-486974

An internal ID incorrectly appeared in a policy System Log event.

OKTA-488233

Parallel JIT requests for the same username created duplicate users.

OKTA-488234

The sign-in page didn’t load correctly for some orgs after they upgraded to Identity Engine.

OKTA-488428

Some users lost the ability to reveal passwords for an app when the app drawer feature was enabled.

OKTA-488663

When Full Featured Code Editor was enabled, the full screen toggle on the error page code editor didn’t change to a minimize icon.

OKTA-489050

Sometimes an error message was displayed when admins viewed applications in the Admin Console.

OKTA-489448

In SP-initiated flows, the message instructing users to create their accounts was formatted incorrectly.

OKTA-490811

When an unenrolled device attempted to access an app that required device management, the sign-in request didn't fail gracefully.

OKTA-491164

Some admins weren’t assigned the Admin Console when they were added to a group with assigned admin roles.

OKTA-491264

Sometimes when a super admin deleted a custom admin role that contained email notifications, admins couldn’t update their email notification settings.

OKTA-495549

When groups were exposed in the LDAP interface directory information tree, some filters referencing the entryDn attribute returned the incorrect result code if the group wasn’t found.

OKTA-495598

AD-sourced users who reset their passwords in AD had to reset their passwords again when using IWA or ADSSO to sign in to Okta.

App Integration Fix

The following SWA app was not working correctly and is now fixed:

• NDFR/SDU (OKTA-485335)