Okta Identity Engine release notes (Preview)

Version: 2024.06.0

June 2024

Generally Available

Sign-In Widget, version 7.19.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Deprecated user profile attributes for Office 365

The following user profile attributes are no longer supported for Office 365:

  • AuthOrig
  • DLMemRejectPerms
  • DLMemSubmitPerms
  • IsTrackingChanges
  • UnauthOrig

See Supported user profile attributes for Office 365 provisioning.

Breached password protection

Protect your organization from the impact of passwords that have been compromised. If Okta determines that an Okta username and password combination has been compromised based on the data collected by our internal threat intelligence pipeline, Okta records a System Log event, expires the user's credentials, and requires the user to update their password before they can use their password to sign in again. See Breached password protection.

View System Logs for Office 365 authentication events

You can now view authentication events in the System Log when using WS-Fed to authenticate through Office 365 active (WS-Trust-1.2) and username13 (WS-Trust-1.3) endpoints.

Protected actions in the Admin Console

The protected actions feature provides an additional layer of security to your org. It prompts admins for authentication when they perform critical tasks in the Admin Console and helps ensure that only authorized admins can perform these tasks. Super admins can configure the authentication interval for their org. See Protected actions in the Admin Console.

New maximum session lifetime for SAML apps

Users can now configure the maximum app session lifetime for SAML apps.

New Manage API tokens admin role permission

The new Manage API tokens permission lets admins view, revoke, and update the principle rate limit for a token. This enhancement lets admins assign more granular permissions and reduce the risk of creating roles with too many privileges.

Active Directory Bidirectional Group Management

Bidirectional Group Management for Active Directory (AD) allows you to manage AD groups from within Okta. You can add or remove users from groups based on their identity and access requirements. This ensures that changes made to user access in Okta are reflected in AD. When you use Okta Access Certifications to revoke a user's membership to an AD group, the removal is reflected in AD. Okta can only manage group memberships for users and groups imported into Okta using the AD integration. It isn't possible to manage users and groups that weren't imported through AD integration. It's also not possible to manage users and groups that are outside the organizational unit's scope for the integration using this feature. See Bidirectional Group Management with Active Directory.

New browser tab reactivation behavior for the Sign-In Widget

The Sign-In Widget now avoids a full page refresh on custom domains when an inactive tab is reactivated. This change improves compatibility with browser memory saver features. This feature will be gradually made available to all orgs.

ADSSO authentication parameters

When a state token is used, Okta removes the fromURI parameter from the ADSSO authentication POST request.

Rate limit update for using Okta fallback telephony provider

Orgs that use an active telephony inline hook now have a heavy rate limit for the Okta fallback mechanism.

Federation Broker Mode has been removed from OAuth Service Clients

The Federation Broker Mode option has been removed from OAuth Service Clients.

DPoP available when creating OIDC apps

You can now require the Demonstrating Proof of Possession (DPoP) condition when you create an OIDC app. Previously, this option was only available after you create the app. This streamlines the process of creating and securing OIDC apps.

Increase to Inline Hooks

The maximum number of inline hooks an org can create is now 100. The previous maximum was 50. See Add an inline hook .

Support for migration to Microsoft Graph

You can now migrate your existing Office 365 WS-Fed Manual app instances to Microsoft Graph by using the migration banner on the app dashboard.

New System Log Event

The user.authentication.universal_logout.scheduled System Log event is fired when an admin manually triggers Universal Logout against an app instance. It contains information about where and how Universal Logout was fired. This event is only fired once.

Event hook for session context changes

The user.session.context.change System Log event is now available for use in an event hook. See Event hooks.

Early Access

Enhanced dynamic zones

Use enhanced dynamic network zones to define IP service categories (proxies, VPNs), locations, and Autonomous System Numbers (ASNs) that are allowed or blocked in a zone. See Enhanced dynamic zones.

Same-device enrollment for Okta FastPass

On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they’re currently using. Previously, two different devices were required to set up an account.

  • Users no longer need to enter their org URL during enrollment.

  • The enrollment flow has fewer steps.

This feature is supported on Android, iOS, and macOS devices. To enable it, go to Admin Console Settings and turn on Same-Device Enrollment for Okta FastPass.

Access request conditions and resource catalog

This feature provides a new method to streamline your access requests for apps, entitlements, and groups from the app’s profile page in the Admin Console.

As super admins and access request admins, you can set up app-specific access request conditions that define requester scope, access level, expiration for the access level, and the approval sequence. Based on your active conditions, requesters can request access to an app or app access level directly from their End-User Dashboard.

Compared to request types, this approach allows you to reuse existing relationships between users, groups, and apps defined in Okta to govern access instead of recreating these in Okta Access Requests. This feature also integrates the app catalog in the End-User Dashboard with Access Requests to make the process of requesting access intuitive and user-friendly. See Access Requests and Create requests.

You can also view and edit a user’s access duration for the app if the app has Governance Engine enabled. See Manage user entitlements.

Continuous Access is now Post Auth Session

The Continuous Access tab in Authentication Policies is renamed to Post Auth Session.

Continuous Access widget is now Post auth session violations widget

The Continuous Access widget in the Identity Threat Protection dashboard is renamed to the Post Auth Session Violations widget.

  • Continuous access violations are renamed to Session violations.
  • Continuous access evaluation is renamed to Post auth session evaluation.

Fixes

  • The list of languages in Customizations SMS wasn't translated. (OKTA-626381)

  • When an admin attempted to create a profile with a username that contained invalid characters, an unhelpful error message appeared in orgs using a custom character restriction for usernames. (OKTA-680557)

  • Users could bypass admin approval from the import screen to sign in to Okta when Active Directory Just-In-Time provisioning was disabled. (OKTA-706392)

  • The Disable Force Authentication option was ignored for org2org apps using the SAML sign-in mode and AMR claims mapping. (OKTA-711957)

  • The Country Code attribute was missing from the profile enrollment form when admins deleted a similar attribute from a SAML Identity Provider. (OKTA-712657)

  • Some policy evaluations in Identity Threat Protection weren't processed correctly. (OKTA-713378)

  • Some Sign-In Widget error messages weren't localized. (OKTA-721035)

  • For some orgs, the last used factor was still prompted when a user clicked Verify with something else. (OKTA-726023)

  • Active Directory incremental imports were converted to full imports when a new OrganizationUnit was added or an existing OrganizationUnit was renamed. (OKTA-729735)

  • The user.risk.change System Log event displayed incorrect actor values. (OKTA-731725)

  • New Dropbox Business instances were missing a profile attribute. (OKTA-733503)

  • The Provisioning tab wasn't saved when admins created Office 365 applications, and Japanese translations of the Session Lifetime for SAML apps feature didn't appear. (OKTA-735840)

  • Versions 7.18.1 to 7.19.1 of the Sign-In Widget weren't rendered when users accessed them from legacy browsers. (OKTA-736546)

Okta Integration Network

  • candidate.fyi (OIDC) is now available. Learn more.
  • Edify (OIDC) now has sign-in URLs.
  • KiteSuite (SAML) is now available. Learn more.
  • ParkZapp (W) (OIDC) is now available. Learn more.
  • ShareThis (SWA) was updated. (OKTA-723868)
  • Umbrella Faces (SCIM) is now available. Learn more.

Weekly Updates

Enhanced sign-in experience for PIV/CAC

The Sign-in Widget has been updated to provide an improved user experience when signing in with a PIV/CAC card. The new experience allows users to select a different authenticator if the PIV/CAC authentication fails, instead of forcing them to restart the sign-in process. If your org uses default error pages for PIV/CAC sign-in, the new experience is automatically enabled for the org. If your org uses customized error pages for PIV/CAC sign-in, they are preserved. However, you need to contact Support to switch to the new experience.

Sign in with duplicated email authenticators

Previously, users couldn’t sign in if they had the same email enrolled twice as an authenticator. This change checks the status of each email authenticator and allows the user to sign in with the most suitable email authenticator.

Okta Personal for Workforce

Okta Personal for Workforce is a set of features that allows admins to separate their users' work data from non-work data. Admins can now offer their end users a free Okta Personal account to store personal data, allow them to switch between accounts, and migrate personal apps from Okta enterprise tenant to Okta Personal. When Okta Personal for Workforce is enabled, personalized comms will be sent to the end users encouraging them to use Okta Personal for personal data and Okta enterprise for work data. See Okta Personal for Workforce User Experience.

Customize branding for IdP authenticators

You can now add a custom name and logo to IdP authenticators. End users see this branding when signing in, which allows them to distinguish between different IdP authenticators. See Configure the IdP authenticator.

End-user setting for nicknaming factors

End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, “My personal cellphone” or “My office MacBook TouchID”). See the End-User documentation. This is a self-service feature.

Content security policy enforcement on end-user pages

Content Security Policy is now enforced for end-user pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for end-user pages will become stricter than this first release. This feature will be gradually made available to all orgs.

Okta ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints (OpenID Connect & OAuth 2.0, Okta Management, and MyAccount API). Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org.

Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints.

There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

Application Entitlement Policy

Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected entry now provides a descriptive reason for the event. See System Log.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.

New App Drawer

The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org’s apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application. See Configure the email authenticator.

Toggle password visibility on the Okta Sign-In page

End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Enable delegated authentication for LDAP.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Shareable Authentication Policies

Admins can now manage authentication policies using a centralized view. While authentication policies allowed admins the ability to make application access decisions using user, device, and other contextual information, managing these policies across hundreds of applications became challenging and error-prone. On the new Authentication Policies page, admins can create new policies, apply those policies to multiple applications, and assess what application access decisions are impacted by each policy. Two policy name changes are included in this release: app sign-on policy is renamed authentication policy, and Okta sign-on policy is renamed Global Session Policy. See Authentication policies.

Choose additional filters for Office 365 sign-on policy

Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.

User Verification options for admins

In the Admin Console, admins can now configure whether end users are required to provide biometrics for device enrollment. See Enable Okta FastPass

Manage admin email notification subscriptions using API endpoints

Admins can manage email subscriptions using the Admin Email Subscription API endpoints.

  • Super admins can configure default subscription settings by admin type.

  • All admins can manage their own admin email notification subscriptions.

End-User Dashboard and Plugin redesign

The Okta End-User Dashboard and Okta Browser Plugin have been redesigned with a modern look and feel that includes new sidebar navigation, fuzzy search, and sections that replaces tabs.

Admins can enable this new design all at once or by groups. The new experience is 50% faster, more intuitive to use, and more responsive to smaller screens. Design changes also improve accessibility and app discovery for end users.

See Create sign-on policies with Okta Applications.

This feature will gradually be made available to all Preview orgs.

LDAP password reset option

LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.

LDAP admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.