Okta Identity Engine release notes: Preview

Limited GA: Okta Identity Engine is currently available only to selected customers.

October

October 2021

2021.10.0: Monthly Preview release began deployment on October 6

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features
Fixes
Applications
Weekly Updates

Generally Available Features

New Features

Secondary email option for LDAP-sourced users

Admins can now enable a secondary email option for LDAP-sourced users in new orgs. When the secondary email option is enabled, LDAP-sourced users who haven’t previously provided a secondary email are now prompted to provide it on the Okta Welcome page.

A secondary email helps reduce support calls by providing LDAP-sourced users with another option to recover their password when their primary email is unavailable. See Configure optional user account fields.

Token-based SSO between native apps

Single Sign-On (SSO) between browser-based web applications is achieved by leveraging shared cookies. Unlike web applications, native applications can’t use web cookies. With Native SSO, Okta offers a token-based approach to achieve SSO between native applications.

Native SSO allows you to protect native OpenID Connect applications, such as desktop apps and mobile apps, and achieve SSO and Single Logout (SLO) between these applications. See Configure SSO for native apps.

Risk scoring improvements

Risk scoring improvements are being slowly deployed to all organizations.

Enhancements

Custom footer enhancement

With Branding enabled, admins can now hide the Powered by Okta message in the footer of their Okta-hosted sign-in page and End-User Dashboard. See Configure the footer for your org.

Log per client mode for client-based rate limits

Client-based rate limits are now in Log per client mode for all orgs for both OAuth 2.0 /authorize and /login/login.htm endpoints. This offers additional isolation to prevent frequent rate limit violations.

Hidden password for dynamic SCEP URL

When you generate a dynamic SCEP URL to integrate Okta with your device management provider, or when you reset the dynamic SCEP password, the password is hidden for enhanced security. To reveal or copy the password, click Show password.

See Configure Okta as a CA with delegated SCEP challenge for Windows using Microsoft Intune and Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro

Fixes

General Fixes

OKTA-325592

When LDAP delegated authentication was enabled, an incorrect event type was used to process user profile updates.

OKTA-346989

Global redirect URIs weren’t maintained after an upgrade to Okta Identity Engine from Classic Engine.

OKTA-353822

If an Okta Classic Engine org had an app sign-on policy rule configured for all six platforms and then migrated to Okta Identity Engine, the app sign-on policy rule for AND Device Platform is wasn't marked as Any platform.

OKTA-361609

Non-active users were able to sign in to the Office 365 app using Silent Activation.

OKTA-413405

During enrollment, a check mark didn’t appear correctly beside required authenticators on the Set up multifactor authentication page.

OKTA-419156

During phone MFA setup, users weren’t able to request another one-time passcode after entering the first one incorrectly.

OKTA-422719

A warning message appeared when users attempted to open the URL of an app that wasn’t assigned to them, and then when they clicked Sign in with Okta FastPass or signed in by entering the same username, an error message with the same information was appended to the warning message.

OKTA-423103

When selecting an authenticator for sign-in, users sometimes saw an unclear error message.

OKTA-427932

When Branding was enabled, the Sign-In Widget was distorted on custom sign-in pages.

OKTA-428268

When an LDAP interface (LDAPi) client had Custom Admin Roles enabled, time-out errors sometimes occurred during group member queries.

OKTA-429894

When a user entered an incorrect password in the Sign-In Widget and then refreshed the browser for another password attempt, the Expecting credential field warning still appeared.

OKTA-431349

Translated versions of AD and LDAP configuration validation messages weren’t provided.

OKTA-431757

The User is not assigned to this application message appeared as an INFO error rather than a WARNING.

OKTA-431868

In the UI for the SuccessFactors app, options for Active User Statuses weren't displayed.

OKTA-435586H

Some users were unable to sign in if their org's default app was deactivated or deleted.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

Amplitute (OKTA-429432)

Applications

Updates

The configuration guide for the Asana SCIM integration is updated: Asana SCIM configuration guide for Okta.
The following attributes are added to the KnowBe4 SCIM app:
- customDate1
- customDate2

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

Lucca: For configuration information, see Synchronize Lucca users and groups with Okta.
Seculio: For configuration information, see Okta user provisioning and SCIM integration.

OIDC for the following Okta Verified application:

Extole: For configuration information see Okta Instructions.

Weekly Updates

2021.10.1: Update 1 started deployment on October 13

Enhancements

New default enrollment setting for new authenticators

The default enrollment setting when adding a new authenticator is now Optional.

Email template improvements

User enrollment and authentication email template variables have been changed to facilitate upgrade from the Okta Classic Engine.

Fixes

General Fixes

OKTA-383501

When a custom admin role was assigned to an existing group with standard roles, the System Log displayed duplicate Grant user privilege events for the members of the group.

OKTA-399667

Provisioning to Zendesk failed when a user with the same email already existed in Zendesk.

OKTA-414295

For orgs with Custom Administrator Roles enabled, the page filters on the Roles, Resources, and Admins tabs of the Administrators page were labeled incorrectly.

OKTA-414339

Org2Org Push Groups sometimes failed.

OKTA-423420

After Branding was enabled, admins could still navigate to original Settings > Customization pages.

OKTA-426540

Some admins were locked out when a Profile Enrollment policy was set up for the Admin Console app.

OKTA-426692

Provisioning (create/update) users to NetSuite failed with a Null Pointer Exception (NPE).

OKTA-429996

Orgs were able to change their custom Sign-In Widget to an unsupported version.

OKTA-432405

User-verification authenticators didn’t satisfy assurance requirements for a two-factor app sign-on policy when Security Question was allowed for authentication.

OKTA-433981

When an admin role was constrained to a group, users with that role sometimes experienced time-out errors on the People page.

Applications

Application Updates

The Airtable SCIM app is updated to support Group Push and Import Groups.
The configuration guide for the Asana SCIM integration is updated: Acronis Cyber Cloud SCIM configuration guide for Okta.

New Integrations

New SCIM Integration Application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

Loom: For configuration information, see Configuring Okta provisioning for Loom.

SAML for the following Okta Verified applications:

Docutrax (OKTA-433521)
Testsigma (OKTA-405606)

OIDC for the following Okta Verified applications:

KeepTruckin: For configuration information, see KeepTruckin SSO Guide.

Sora: For configuration information, see [Okta] Sora configuration guide.