Okta Identity Engine release notes (Preview)
Version: 2024.04.0
April 2024
Generally Available
Sign-In Widget, version 7.17.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta MFA Provider for ADFS, version 1.8.0
This release includes vulnerability fixes and a .NET Framework version upgrade.
Okta Personal for Workforce
Okta Personal for Workforce is a set of features that allows admins to separate their users' work data from non-work data. Admins can now offer their end users a free Okta Personal account to store personal data, allow them to switch between accounts, and migrate personal apps from their Okta enterprise tenant to Okta Personal. When Okta Personal for Workforce is enabled, personalized communications are sent to end users encouraging them to use Okta Personal for personal data and Okta enterprise for work data. See Okta Personal for Workforce User Experience.
Support for Active Directory password complexity requirements
This feature creates an option in the password policy to match the same complexity options as Active Directory (AD). Until now, admins couldn't exactly match Okta password complexity requirements to those of their AD instances. Historically, the password complexity requirements in Okta and AD had different granularities, and the requirements displayed in the Sign-In Widget didn't always reflect the AD requirements. As a result, users were locked out without proper error messages. This feature bridges that gap. See Configure the password authenticator.
Customize branding for IdP authenticators
You can now add a custom name and logo to IdP authenticators. End users see this branding when signing in, which allows them to distinguish between different IdP authenticators. See Configure the IdP authenticator.
Improved password reset process for Active Directory-sourced users
Okta now updates user profiles when externalId, DN, or managerDn is updated in AppUser profiles during provisioning. Only attributes that have relevant mappings are affected.
Allow multiple identities on one Smart Card
When you use this feature, you enable your end users to use one Smart Card to identify as different identities and authenticate into corresponding accounts. See Configure the Smart Card authenticator.
Permissions for custom admins to manage agents
Custom admins can now view, register, and manage agents. See Agent permissions.
New maximum number of connected AWS accounts
Admins can now connect a maximum of 1000 Amazon Web Services accounts to the AWS Account Federation app in Okta. This change helps avoid timeouts when testing API credentials on AWS.
Improved date filter display in reports
The date filter is now standardized and appears inline for the following reports: Telephony usage, Continuous access violation, Entity risk, At-risk user, and MFA events.
Improved Admin Dashboard and Administrators page
The appearance of several UI components (like buttons and dropdown menus) has been improved across the Admin Dashboard and the Administrators page.
Updated documentation links
Documentation links under the Security, Applications, and Customizations menus now redirect to the correct documentation.
End-User Dashboard and unsupported browsers
The End-User Dashboard no longer loads in unsupported browsers, including Internet Explorer 11 or Edge in Internet Explorer mode. This change enhances security by preventing access from browsers that no longer receive updates.
End-User Dashboard branding and accessibility enhancements
The End-User Dashboard now features design changes that provide a consistent brand experience across Okta's app and enhance accessibility for users.
New target added to a System Log event
A new target was added to the user.authentication.auth_via_mfa System Log event. The target shows the type of MFA app that was used to authenticate.
Authentication context System Log event
The new AuthenticationContext System Log event shows who accessed the configuration secrets for ADFS, Windows Credential Provider (RDP), Epic Hyperspace, and Epic Hyperdrive apps.
New DSSO user impersonation System Log event
A System Log event is now logged when a user attempts Desktop Single Sign-On (DSSO) authentication using a profile source that wasn't the highest priority.
Additional CrowdStrike signals
Okta Verify collects additional trust signals from CrowdStrike. You can view these signals in the System Log. When you configure authentication policy rules, you can use the CrowdStrike signals in Expression Language conditions. See EDR signals for custom expressions.
Early Access
Identity Threat Protection with Okta AI
Identity Threat Protection with Okta AI is a powerful risk assessment and response solution that provides post-authentication security to your org. By continuously analyzing risk signals that are native to Okta, risk signals from integrated security partner vendors, and your policy conditions, it safeguards orgs against identity attacks that occur during and outside of a user’s session. When Identity Threat Protection discovers a risk, it can immediately end the user’s sessions, prompt an MFA challenge, or invoke a workflow to restore your org’s security posture. Using intuitive dashboard widgets and reports, you can easily monitor security threats as they happen. See Identity Threat Protection with Okta AI.
Fixes
- Users couldn't enroll multiple Smart Cards as security methods from the End User Settings page. (OKTA-581807)
- When end users enrolled the email authenticator, the Sign-In Widget displayed their email incorrectly. (OKTA-625907)
- Some Microsoft Windows 365 Enterprise license names weren't displayed correctly on the Edit Assignment page. (OKTA-679276)
- Admins could delete active network zones. (OKTA-691904)
- No GovSlack attributes appeared for new app instances. (OKTA-693162)
- Google Workspace default user schema attributes weren't imported into Okta. (OKTA-697236)
- On the Configure SAML 2.0 IdP screen, the Account matching with IdP Username section appeared when Factor Only was selected for IdP Usage. (OKTA-698614)
- When an end user enrolled in Okta Verify from an OIDC app, they received the email notification from noreply@okta.com instead of the custom email domain. (OKTA-701658)
- When an admin enabled a self-service Early Access feature and an error occurred, a success message appeared. (OKTA-701707)
- Users received a Bad Request error when they canceled Okta FastPass during authentication. (OKTA-706541)
- App admins could initiate the refresh app data process for apps to which they didn't have permission. (OKTA-711670)
- Users were unable to enroll in an authenticator with the inline enrollment prompt when the authentication policy did not contain constraints for the corresponding factor class. (OKTA-715402)
Okta Integration Network
- Alohi (SAML) is now available. Learn more.
- Alohi (SCIM) is now available. Learn more.
- Better Stack (SAML) has a new logo.
- Candor (OIDC) is now available. Learn more.
- FAX.PLUS (SAML) has a new logo, description, and display name.
- Humi (OIDC) is now available. Learn more.
- Jurnee (SCIM) is now available. Learn more.
- UMA (OIDC) is now available. Learn more.
Weekly Updates
Generally Available
Sign-In Widget, version 7.17.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Fixes
- For some non-English locales, the Use a preset version dropdown menu on the Add device assurance policy page was misplaced. (OKTA-628325)
- Smart Card authentication method references (AMR) weren't passed correctly in OIDC ID tokens when the standard AMR org setting was enabled. (OKTA-641225)
- Some text strings in Access Testing Tool weren't translated to Japanese. (OKTA-674050)
- HTML was visible in some usernames in the Authenticator enrolled notification email. (OKTA-674629)
- In the Okta Usage report, the date picker was in an incorrect date format for the US English language and the earliest possible date couldn't be selected. (OKTA-688574)
- When a user signed in to Okta, the resulting policy.evaluate_sign_on System Log event didn't display the user's network zone correctly. (OKTA-690899)
- Access Testing Tool didn't display an error when it failed because of permission issues. (OKTA-698999)
- When users created passwords that didn't meet strength requirements, the Sign-In Widget incorrectly indicated in self-service registration flows that the requirements were met. (OKTA-703334)
- The MFA Events report didn't include the date and time details. (OKTA-711575)
- Sometimes Access Testing Tool showed no results when admins searched for existing users. (OKTA-713259)
- The MFA Events report displayed the events in an incorrect chronological order. (OKTA-715259)
- In the Profile Editor, there was no option to close the Delete Attribute window after reviewing the message. (OKTA-715984)
Okta Integration Network
- Reddit (SWA) was updated (OKTA-711282).
- RICOH Smart Integration (SAML) is now available. Learn more.
- Schwab Advisors (SWA) was updated (OKTA-710955).
- ShareThis (SWA) was updated (OKTA-709444).
- Torii (Read) (API service) is now available. Learn more.
- Torii (Read and Take action) is now available. Learn more.
- UMR (SWA) was updated (OKTA-629864).
- US Bank - Pivot (SWA) was updated (OKTA-710409).
- Var Street (SWA) was updated (OKTA-693696).
- Zerotek Lab (SAML) is now available. Learn more.
Generally Available
Referrer-Policy HTTP header sends default value
The Referrer-Policy HTTP response header controls how much referrer information a browser includes with requests that originate from a page. Okta currently doesn't send the Referrer-Policy response header, so browsers apply their own default, strict-origin-when-cross-origin. With this change, Okta will send the Referrer-Policy response header explicitly with the value strict-origin-when-cross-origin, matching the current browser default. This feature will be gradually made available to all orgs.
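The practical effect of the policy is easiest to see by computing what a browser actually puts in the Referer header. The following Python is an added example, not code from Okta or these release notes: effective_policy() reports which policy applies to a captured set of response headers (falling back to the browser default when the header is absent, as the note describes), and referrer_for() computes the referrer sent for a request under that policy. The URLs in the usage are constructed samples; only the common policy values are implemented.

```python
from urllib.parse import urlsplit, urlunsplit

# Browser default applied when a response carries no Referrer-Policy header
DEFAULT_POLICY = "strict-origin-when-cross-origin"


def effective_policy(response_headers):
    """Return the referrer policy a browser will apply for a response.

    response_headers is a plain dict of header name -> value (constructed
    input in the demo; in practice taken from an HTTP client's response).
    """
    for name, value in response_headers.items():
        if name.lower() == "referrer-policy" and value.strip():
            # The header may list several policies; the last one wins
            return value.split(",")[-1].strip().lower()
    return DEFAULT_POLICY


def _origin(url):
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme.lower()}://{p.hostname or ''}{port}"


def _referrer_full(url):
    # Browsers strip credentials and the fragment before sending a referrer
    p = urlsplit(url)
    host = _origin(url).split("://", 1)[1]
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def referrer_for(policy, source_url, destination_url):
    """Referer value (or None) sent for a request from source_url to destination_url."""
    src, dst = urlsplit(source_url), urlsplit(destination_url)
    same_origin = _origin(source_url) == _origin(destination_url)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    full = _referrer_full(source_url)
    origin_only = _origin(source_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full                       # full URL stays within the origin
        return None if downgrade else origin_only  # only the origin leaves it
    raise ValueError(f"unsupported policy: {policy}")


if __name__ == "__main__":
    # Constructed sample: a response without the header, then three request shapes
    policy = effective_policy({"Content-Type": "text/html"})
    page = "https://login.example.com/app/abc?x=1#top"
    for dest in ("https://login.example.com/api/v1/users",
                 "https://sp.example.net/sso/saml",
                 "http://legacy.example.net/"):
        print(policy, dest, "->", referrer_for(policy, page, dest))
```

Under the default, a same-origin request carries the full path and query, a cross-origin HTTPS request carries only the origin, and an HTTPS-to-HTTP request carries nothing, which is why sending the header explicitly changes no behaviour but removes the dependence on each browser's default.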
Fixes
- In orgs that configure Authentication Method References claims mapping, non-federated users weren't redirected to the IdP during re-authentication. (OKTA-697028)
- When ineligible users attempted a self-service password reset, they saw an unusable password screen instead of an error message. (OKTA-698980)
- When an admin-created user re-requested the welcome email, it wasn't sent to their secondary email address. (OKTA-702542)
- DENY events incorrectly appeared in the System Log in some Okta FastPass authentication scenarios. (OKTA-711395)
- The Sign-In Widget (third generation) didn't load for the Okta MFA Credential Provider for Windows when it prompted users to authenticate. (OKTA-711504)
- When the Identity Threat Protection with Okta AI feature was enabled, IdP sessions were incorrectly terminated when Continuous Access evaluation resulted in a policy violation. (OKTA-712360)
- When Identity Threat Protection with Okta AI was enabled, Continuous Access signed users out of all apps when only one app caused a violation. (OKTA-712361)
- User.session.start events didn't appear in the System Log. (OKTA-713292)
- Some admins received an error when trying to view the Identity Threat Protection widgets on the Admin Dashboard. (OKTA-717868)
- When an admin deactivated a user from an Office 365 app instance, the user's license was revoked, even if they were assigned to another Office 365 app instance. (OKTA-718565)
Okta Integration Network
- Backrightup (OIDC) is now available. Learn more.
- Calendly (SWA) was updated (OKTA-713087).
- Carbon Voice (OIDC) is now available. Learn more.
- Carbon Voice (SCIM) is now available. Learn more.
- Cisco Identity Intelligence (API service) now has the okta.roles.read and okta.schemas.read scopes.
- Cloud Auth (API service) has a new integration guide.
- Cloud Auth (OIDC) has a new integration guide.
- Command Zero (API service) has a new integration guide.
- Costco (SWA) was updated (OKTA-711710).
- Hellotracks (OIDC) is now available. Learn more.
- Hellotracks (SCIM) is now available. Learn more.
- KaseyaOne (SAML) is now available. Learn more.
- NetBird (OIDC) is now available. Learn more.
- NetBird (SCIM) is now available. Learn more.
- Omni Analytics (SCIM) is now available. Learn more.
- The Training Arcade (SAML) is now available. Learn more.
- Trova (SCIM) is now available. Learn more.
- Truckstop.com (SWA) was updated (OKTA-709674).
- Zscaler 2.0 (SAML) has a new display name, logo, and integration guide.
New HealthInsight task
HealthInsight now includes a recommendation to apply MFA for access to the Admin Console.
Support for multiple Okta Verify enrollments
You can now send push notifications to all of a user's devices enrolled in Okta Verify using the Authentication and Factors APIs.
End-user setting for nicknaming factors
End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, “My personal cellphone” or “My office MacBook TouchID”). See the End-User documentation. This is a self-service feature.
IME support for international characters
Admins can now use an Input Method Editor (IME) to type international characters into the Admin Console.
Content security policy enforcement on end-user pages
Content Security Policy is now enforced for end-user pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for end-user pages will become stricter than this first release. This feature will be gradually made available to all orgs.
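To make concrete what "enforcing" a Content Security Policy means for a page, and why later iterations can be stricter, the following Python is an added example written for these notes, not Okta code: it parses a CSP header into directives, decides whether a browser enforcing it would run a given external or inline script (script-src with the default-src fallback), and lists the permissive source expressions a stricter policy would remove. The two policies and the page URL are constructed samples; nonce and hash sources and path matching are deliberately left out.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample policies: a permissive first-cut and a stricter successor
WEAK_POLICY = "default-src * 'unsafe-inline'"
STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'"
PAGE_URL = "https://login.example.com/app/dashboard"


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}.
    If a directive is repeated, the first occurrence wins (as browsers do)."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}:{p.port or DEFAULT_PORTS.get(p.scheme)}"


def _host_matches(pattern, host):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # *.example.com matches a.example.com, not example.com
    return pattern == host


def _source_matches(expr, page_url, url):
    """Does one source expression cover url? (no path matching, no nonces/hashes)"""
    e = expr.lower()
    p = urlsplit(url)
    if e.startswith("'") and e != "'self'":
        return False                          # keywords like 'none'/'unsafe-inline' never match a URL
    if e == "'self'":
        return _origin(url) == _origin(page_url)
    if e == "*":
        return p.scheme in ("http", "https")
    if e.endswith(":"):                       # scheme-source such as "https:"
        return p.scheme == e[:-1]
    scheme, host_part = e.split("://", 1) if "://" in e else (None, e)
    host, _, port = host_part.split("/", 1)[0].partition(":")
    if scheme is None:
        if p.scheme not in ("https", urlsplit(page_url).scheme):
            return False                      # schemeless host matches page scheme (or https)
    elif p.scheme != scheme:
        return False
    if not _host_matches(host, p.hostname or ""):
        return False
    if port != "*":
        expected = int(port) if port else DEFAULT_PORTS.get(scheme or p.scheme)
        if (p.port or DEFAULT_PORTS.get(p.scheme)) != expected:
            return False                      # no port in the expression means the default port
    return True


def allows_script(header, page_url, script_url=None, inline=False):
    """Would a browser enforcing `header` on page_url execute this script?"""
    directives = parse_csp(header)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True                           # no governing directive: unrestricted
    lowered = [s.lower() for s in sources]
    if inline:
        return "'unsafe-inline'" in lowered   # inline script needs 'unsafe-inline' (nonces ignored here)
    return any(_source_matches(s, page_url, script_url) for s in lowered)


def weaknesses(header):
    """Source expressions in the script directive that a stricter policy would drop."""
    d = parse_csp(header)
    scripts = [s.lower() for s in d.get("script-src", d.get("default-src", []))]
    findings = []
    if "'unsafe-inline'" in scripts:
        findings.append("script sources allow 'unsafe-inline'")
    if "'unsafe-eval'" in scripts:
        findings.append("script sources allow 'unsafe-eval'")
    if "*" in scripts or "https:" in scripts or "http:" in scripts:
        findings.append("script sources allow any origin")
    if d.get("object-src", d.get("default-src")) is None:
        findings.append("object-src is unrestricted")
    return findings
```

The weak policy runs a script from any origin and any inline script, so an injected `<script>` would execute; the strict policy confines scripts to the page's own origin and one named CDN, which is what turns CSP from a monitoring aid into an actual XSS mitigation.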
Okta ThreatInsight coverage on core Okta API endpoints
Okta ThreatInsight coverage is now available for core Okta API endpoints (OpenID Connect & OAuth 2.0, Okta Management, and MyAccount API). Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org.
Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints.
There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
Application Entitlement Policy
Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
Descriptive System Log events
When Okta identifies a security threat, the resulting security.threat.detected entry now provides a descriptive reason for the event. See System Log.
Improvements to the self-service registration experience
Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.
New App Drawer
The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.
SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org’s apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.
Improvements to the self-service unlock process
Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application. See Configure the email authenticator.
Toggle password visibility on the Okta Sign-In page
End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Enable delegated authentication.
Email failure events in the System Log
Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.
Shareable Authentication Policies
Admins can now manage authentication policies using a centralized view. While authentication policies allowed admins the ability to make application access decisions using user, device, and other contextual information, managing these policies across hundreds of applications became challenging and error-prone. On the new Authentication Policies page, admins can create new policies, apply those policies to multiple applications, and assess what application access decisions are impacted by each policy. Two policy name changes are included in this release: app sign-on policy is renamed authentication policy, and Okta sign-on policy is renamed Global Session Policy. See Authentication policies.
Choose additional filters for Office 365 sign-on policy
Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.
Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.
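The exchange behind this grant type (RFC 8628) is short enough to show end to end. The following Python is an added example written for these notes, not Okta's implementation or API: a toy authorization server exposes the two endpoints the grant needs, a client on an input-constrained device requests a user code, shows it, and polls the token endpoint honouring authorization_pending and slow_down, and a scripted user approves the request on a secondary device part-way through. The client name, verification URL, user identity and the fake clock are all constructed for the demo.

```python
import secrets
import time

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # unambiguous characters for a code typed by hand


class DeviceAuthorizationServer:
    """Toy authorization server implementing the RFC 8628 endpoints (constructed example)."""

    def __init__(self, interval=5, lifetime=600, clock=time.time):
        self.interval, self.lifetime, self.clock = interval, lifetime, clock
        self.pending = {}                      # device_code -> authorization request record

    def device_authorization(self, client_id, scope):
        """Device authorization endpoint: the constrained device starts the flow."""
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"
        device_code = secrets.token_urlsafe(32)
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "approved_for": None, "expires_at": self.clock() + self.lifetime, "last_poll": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.com/activate",  # constructed URL
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code, subject):
        """The user, signed in on a laptop or phone, enters the code shown on the device."""
        for record in self.pending.values():
            if record["user_code"] == user_code and record["approved_for"] is None:
                record["approved_for"] = subject
                return True
        return False

    def token(self, client_id, device_code):
        """Token endpoint for grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        record = self.pending.get(device_code)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > record["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if record["last_poll"] is not None and now - record["last_poll"] < self.interval:
            record["last_poll"] = now
            return {"error": "slow_down"}      # polled faster than the advertised interval
        record["last_poll"] = now
        if record["approved_for"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]          # a device code is single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": record["scope"], "sub": record["approved_for"]}


def device_client_flow(server, client_id, scope, display, sleep, max_polls=20):
    """Client side: obtain codes, show them, poll until a token arrives.
    Returns (token_response, transcript) listing every message exchanged."""
    transcript = []
    auth = server.device_authorization(client_id, scope)
    transcript.append(("device_authorization", auth["user_code"]))
    display(auth)                              # device shows user_code and verification_uri
    interval = auth["interval"]
    for _ in range(max_polls):
        sleep(interval)
        resp = server.token(client_id, auth["device_code"])
        transcript.append(("token", resp.get("error", "access_token")))
        if "access_token" in resp:
            return resp, transcript
        if resp["error"] == "slow_down":
            interval += 5                      # RFC 8628 section 3.5: back off by 5 seconds
        elif resp["error"] != "authorization_pending":
            raise RuntimeError(resp["error"])  # expired_token, access_denied, invalid_grant
    raise TimeoutError("user never completed authorization")


class FakeClock:
    """Deterministic clock so the demo runs instantly and repeatably."""
    def __init__(self):
        self.now = 1000.0
    def __call__(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds


def run_demo():
    clock = FakeClock()
    server = DeviceAuthorizationServer(clock=clock)
    shown = {}

    def display(auth):
        shown["user_code"] = auth["user_code"]  # in reality rendered on the TV screen

    def sleep(seconds):
        clock.sleep(seconds)
        # Scripted user: about 12 s in, they finish signing in on a laptop and type the code
        if clock.now >= 1012 and "user_code" in shown:
            server.approve(shown.pop("user_code"), subject="alice@example.com")

    return device_client_flow(server, "smart-tv-app", "openid profile", display, sleep)
```

The device never sees the user's credentials: the only secret it holds is the device code, the user authenticates on a full browser, and the token endpoint enforces the polling interval and single use of the code.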
User Verification options for admins
In the Admin Console, admins can now configure whether end users are required to provide biometrics for device enrollment. See Enable Okta FastPass.
Manage admin email notification subscriptions using API endpoints
Admins can manage email subscriptions using the Admin Email Subscription API endpoints.
- Super admins can configure default subscription settings by admin type.
- All admins can manage their own admin email notification subscriptions.
End-User Dashboard and Plugin redesign
The Okta End-User Dashboard and Okta Browser Plugin have been redesigned with a modern look and feel that includes new sidebar navigation, fuzzy search, and sections that replace tabs.
Admins can enable this new design all at once or by groups. The new experience is 50% faster, more intuitive to use, and more responsive to smaller screens. Design changes also improve accessibility and app discovery for end users.
See Create sign-on policies with Okta Applications.
This feature will gradually be made available to all Preview orgs.
Workflows Templates available
Workflows Templates is now available, providing users with access to a searchable catalog of installable Flows that address many common use cases. See Get started with Workflows Templates.
LDAP password reset option
LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication.
LDAP admin password reset
For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.
Incremental Imports for CSV
Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released, having previously been released to Production in 2020.09.0.
Password changed notification email
To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.
Office 365 Silent Activation
Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain joined shared Workstations or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.
End-user Welcome emails localized
The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.
People page improvements
The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.
Mobile tab available for mobile-capable apps
The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.
See Enable access to managed mobile apps.
Provisioning page UI element change
Drop-down menus on the Provisioning page (General Settings) were standardized.
UI element change
Drop-down menus on the Provisioning page (General Settings) are standardized. See Provision applications.
Early Access features, auto-enroll
You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available.
Connecting Apps to Okta using the LDAP Interface
The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.