Okta Identity Engine release notes (Preview)
Version: 2025.02.0
February 2025
Generally Available
Improved group search functionality
You can now search for groups whose names or descriptions contain specified text. This makes it easier to find a group when you don't recall its exact name.
Improved user search functionality
You can now search for users whose names, email addresses, or usernames contain specified text, making it easier to do user lookups and add users to groups.
Universal Logout for Cerby app
Cerby now supports Universal Logout. This enables admins to automatically sign users out of this app when Universal Logout is triggered.
New look and feel in Access Certifications
In Access Certifications, the Access Certification Reviews app located on your dashboard now has a new look and feel, including a restyled top navigation bar and the addition of a gray background.
Authentication method chain options
The Pin or biometric verification label for authentication method chains on the authentication policy rule page has been changed to User interaction. See Authentication method chain.
Realms for Workforce
Realms allow you to unlock greater flexibility in managing and delegating the management of your distinct user populations within a single Okta org. See Manage realms.
New System Log attribute
The application.policy.sign_on.deny_access System Log event now shows the app instance ID. This makes it easier to identify the affected app and enables resource-based filtering for the event.
New System Log attributes
The PolicyName field was added to the policy.evaluate_sign_on System Log event. This change makes it easier for admins to identify the policy that was involved in user sign-in attempts.
Authentication policy rule page updated
The If Okta FastPass is used section of the authentication policy rule page has been removed. Users can select the Require user interaction option in the Possession factor constraints are section instead. See Add an authentication policy rule.
Discover inactive users and review admin access
You can now use preconfigured campaigns to discover inactive users who are assigned to apps and review their admin access. Preconfigured campaigns are a set of ready-to-use campaigns where Okta presets some default settings. See Access Certifications for admin roles.
Shared signal receiver available for AMFA orgs
Adaptive MFA customers can now integrate security events from security event providers compatible with OpenID's Shared Signals Framework into Okta. When these risk events are fired for users assigned the super admin role, Okta raises risk events that are actionable using Workflows. See Configure a shared signal receiver.
This feature is following a slow rollout process.
ITP detections for AMFA orgs
Adaptive MFA orgs now benefit from ITP detections on the sessions and user entities of directly assigned super admins. These detection events are actionable using Workflows. This feature aligns with the Okta Secure Identity Commitment. See Identity Threat Protection events in System Log.
This feature is following a slow rollout process.
IP Exempt Zone
Use this feature to allow traffic from specific gateway IPs irrespective of Okta ThreatInsight configurations, blocked network zones, or IP change events within Identity Threat Protection with Okta AI. See IP exempt zone.
Case numbers for impersonation events
When an org grants impersonation for a support case, the case number now appears in the System Log. See Give access to Okta Support.
System Log event for public client app admins
When an admin selects the Automatically assign the super admin role to all newly created public client apps checkbox on the Account page, the System Log now records an event.
Enforce Number Challenge for Desktop MFA
You can now enforce number challenge on all push notifications for Desktop MFA, regardless of the authentication policy. See Configure access policies.
Early Access
Authentication claims sharing between Okta orgs
Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Add a SAML Identity Provider.
Custom admin role for Okta Device Access
You can now configure custom admin roles to view and manage Okta Device Access functionality. This enhancement enables IT teams to designate admins who can effectively manage Okta Device Access capabilities without requiring them to have the most elevated security permissions. See Desktop MFA Recovery.
On-prem Connector for SAP NetWeaver ABAP
On-prem Connector for SAP NetWeaver ABAP provides an out-of-the-box solution that connects SAP on-premises apps with Okta Identity Governance. It enables the discovery, visibility, and management of SAP entitlements (roles) directly in Okta. This integration enhances security, saves time, and simplifies governance by eliminating the need for custom integrations and by streamlining entitlement management. See SAP NetWeaver ABAP.
Step-up authentication for updating policies
Okta prompts for step-up authentication when admins perform protected actions in the Admin Console, like updating sign-on policies. The changes are only allowed after the admin authenticates successfully. This feature enhances org security by allowing admins to require MFA before performing protected actions. See Protected actions in the Admin Console.
Granular account linking for certain Identity Providers
When admins link users from SAML and OIDC Identity Providers, they can now exclude specific users and admins. This improves security by allowing admins to configure granular access control scenarios.
OIDC IdPs now support group sync
OpenID Connect (OIDC) identity providers (IdPs) now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.
Global token revocation for wizard SAML and OIDC apps
Universal Logout clears sessions and tokens for wizard SAML and OIDC apps. This enhancement extends Universal Logout functionality to more types of apps and provides greater flexibility to admins.
Track MFA abandonment in the System Log
You can now monitor abandoned MFA attempts in the System Log using the user.authentication.auth_via_mfa event. The event now has two additional statuses for the event outcome:
- UNANSWERED: MFA prompt was abandoned, but the user eventually signed in using another authenticator.
- ABANDONED: MFA prompt was abandoned and the user couldn't sign in.
See Track MFA abandonment in the System Log.
Fixes
- The new end-user Settings page didn't display links, password source text, or custom profile data. (OKTA-806262)
- A warning banner was incorrectly displayed during the WS-Federation setup, even though the setup was completed successfully. (OKTA-807313)
- The Sign-In Widget (third generation) wasn't the correct size and was missing the app name. (OKTA-822649)
- In Org2Org configurations where Okta is the source org, passwords weren't synced after the user signed in using a newly reset password. (OKTA-833862)
- Autofilled passkeys in the Sign-In Widget (third generation) failed and displayed an Invalid passkey error. (OKTA-836910)
- When employees were imported into SuccessFactors, past employment records were imported instead of current records. (OKTA-844570)
- When a custom domain was deleted or its enrollment was reset, the resulting email confirmation had a broken link and no branding. (OKTA-848261)
- When users signed in to the Secure Partner Access portal, they were redirected to the End-User Dashboard. (OKTA-855049)
- Microsoft's MSOL deprecation testing triggered the last remaining MSOL call in Okta's Office 365 provisioning, resulting in a failure to synchronize user attributes. (OKTA-870164)
Okta Integration Network
- Calendly by Aquera (SCIM) is now available. Learn more.
- Payflows has an additional SAML attribute.
- SAP ERP by Aquera (SCIM) is now available. Learn more.
- SAP HANA Provisioning Connector by Aquera has a new display name.
Weekly Updates
2025.02.1: Update 1 started deployment on February 12
Generally Available
New On-Prem MFA agent version
Version 1.8.1 of the On-Prem MFA agent is now available. This version includes security enhancements.
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 12, 13, 14, 15 security patch 2025-02-05
- iOS 18.3
- macOS Ventura 13.7.3
- macOS Sonoma 14.7.3
- macOS Sequoia 15.3
- Windows 10 (10.0.17763.6775, 10.0.19044.5371, 10.0.19045.5371)
- Windows 11 (10.0.22621.4751, 10.0.22631.4751, 10.0.26100.2894)
Fixes
- When the third-party admin status was granted or revoked from an admin or group, the System Log didn't record an event. (OKTA-823842)
- In the Admin Console, updates in the code editor that Okta couldn't parse returned a 500 Internal Server Error. (OKTA-837068)
- Users whose profiles were imported from Active Directory or LDAP received an error message when they clicked Forgot password. (OKTA-840053)
- Users whose account had a password expired status couldn't be added as group owners. (OKTA-846195)
- Admins without proper permissions were able to view the Import Monitoring report. (OKTA-850050)
- Some users encountered a double sign-in prompt from Okta FastPass when they tried to access apps on iOS devices. (OKTA-856105)
- NORDLAYER_VPN was incorrectly announced as a supported IP service category in enhanced dynamic zones. (OKTA-857826)
- Global session policies incorrectly displayed an error message for some authenticators for trust claims. (OKTA-860139)
- AMR values weren't forwarded to the app when a user signed in and Okta-to-Okta claims sharing was configured. (OKTA-860242)
- The help link for the Okta-to-Okta claims sharing feature was missing. (OKTA-860321)
- The help link for possession constraints was missing from the authentication policy rule page. (OKTA-862670)
Okta Integration Network
- ADP Recruiting Management by Aquera (SCIM) is now available. Learn more.
- Console (API Service) is now available. Learn more.
- Console (OIDC) is now available. Learn more.
- Dayforce by Aquera (SCIM) now has additional use cases.
- Microsoft SQL Server by Aquera (SCIM) now has additional use cases.
- Neowit (SAML) is now available. Learn more.
- Neowit (SCIM) is now available. Learn more.
- NordPass (OIDC) is now available. Learn more.
- QuickBooks Online by Aquera (SCIM) now has additional use cases.
- Redshift by Aquera (SCIM) now has additional use cases.
- Subble (API Service) is now available. Learn more.
- Symantec ZTNA (SAML) is now available. Learn more.
- Udemy Business (SAML) is now available. Learn more.
Sign-In Widget, version 7.27.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Granular configuration for Keep Me Signed In
Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands management API. See Keep me signed in and Brands API.
OIN app for Microsoft Office GCC High
The Office 365 app in the GCC High environment is now generally available. This app is a highly secure version of Office 365 designed specifically for government entities, vendors, and contractors. See Configure Office 365 GCC High Tenant.
Workday supports incremental imports
Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Workday.
New flexible LDAP
A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.
Prevent new single-factor access to the Admin Console
This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is now enabled by default for all orgs.
New browser tab reactivation behavior for the Sign-In Widget
The Sign-In Widget now avoids a full page refresh on custom domains when an inactive tab is reactivated. This change improves compatibility with browser memory saver features. This feature will be gradually made available to all orgs.
Sign in with duplicated email authenticators
Previously, users couldn't sign in if they had the same email enrolled twice as an authenticator. This change checks the status of each email authenticator and allows the user to sign in with the most suitable email authenticator.
End-user setting for nicknaming factors
End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the End-User documentation. This is a self-service feature.
Content security policy enforcement on end-user pages
Content Security Policy is now enforced for end-user pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for end-user pages will become stricter than this first release. This feature will be gradually made available to all orgs.
Okta ThreatInsight coverage on core Okta API endpoints
Okta ThreatInsight coverage is now available for core Okta API endpoints (OpenID Connect & OAuth 2.0, Okta Management, and MyAccount API). Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org.
Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints.
There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
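The two System Log additions described in these notes, the UNANSWERED/ABANDONED outcomes on user.authentication.auth_via_mfa and the Negative IP Reputation reason on security.threat.detected, are easiest to act on when triaged together. The following is an added example, not Okta's code: it parses a constructed System Log export, counts abandoned MFA prompts per user, lists IPs ThreatInsight rated negatively, and correlates the two. The field paths (outcome.result for the MFA statuses, outcome.reason for the ThreatInsight reason) are assumptions based on the standard System Log event schema.

```python
"""Triage helpers for two System Log event types from these release notes.
Sample events are constructed. Field paths are assumptions based on the System
Log schema: new MFA statuses in outcome.result, ThreatInsight reason in outcome.reason.
"""
import json
from collections import Counter, defaultdict

MFA_EVENT = "user.authentication.auth_via_mfa"
THREAT_EVENT = "security.threat.detected"
ABANDON_STATUSES = {"UNANSWERED", "ABANDONED"}
NEGATIVE_REP = "Negative IP Reputation"

# Constructed newline-delimited JSON export, one event per line (not real org data).
SAMPLE_LOG = """
{"eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7"},"outcome":{"result":"SUCCESS","reason":null}}
{"eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.9"},"outcome":{"result":"UNANSWERED","reason":null}}
{"eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.9"},"outcome":{"result":"ABANDONED","reason":null}}
{"eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.9"},"outcome":{"result":"ABANDONED","reason":null}}
{"eventType":"security.threat.detected","actor":{"alternateId":"unknown"},"client":{"ipAddress":"203.0.113.9"},"outcome":{"result":"DENY","reason":"Negative IP Reputation"}}
{"eventType":"security.threat.detected","actor":{"alternateId":"unknown"},"client":{"ipAddress":"192.0.2.44"},"outcome":{"result":"DENY","reason":"Constructed other reason"}}
"""

def parse_events(raw):
    """Parse an ND-JSON export, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def _outcome(ev, key):
    return (ev.get("outcome") or {}).get(key)

def mfa_abandonment(events):
    """Per-user counts of UNANSWERED and ABANDONED MFA prompts."""
    per_user = defaultdict(Counter)
    for ev in events:
        result = _outcome(ev, "result")
        if ev.get("eventType") == MFA_EVENT and result in ABANDON_STATUSES:
            per_user[ev["actor"]["alternateId"]][result] += 1
    return {user: dict(counts) for user, counts in per_user.items()}

def negative_reputation_ips(events):
    """Source IPs ThreatInsight flagged with the Negative IP Reputation reason."""
    return sorted({ev["client"]["ipAddress"] for ev in events
                   if ev.get("eventType") == THREAT_EVENT
                   and _outcome(ev, "reason") == NEGATIVE_REP})

def correlate(events):
    """Users whose abandoned MFA prompts came from a flagged IP: a stronger
    signal than either event alone, so surface these for analyst review."""
    bad_ips = set(negative_reputation_ips(events))
    hits = defaultdict(set)
    for ev in events:
        ip = (ev.get("client") or {}).get("ipAddress")
        if (ev.get("eventType") == MFA_EVENT
                and _outcome(ev, "result") in ABANDON_STATUSES and ip in bad_ips):
            hits[ev["actor"]["alternateId"]].add(ip)
    return {user: sorted(ips) for user, ips in hits.items()}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(mfa_abandonment(evs), negative_reputation_ips(evs), correlate(evs))
```

Point parse_events at a real System Log export (the Admin Console's JSON download or the /api/v1/logs response body, one event per line) to run the same triage against your own org.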
Application Entitlement Policy
Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
Descriptive System Log events
When Okta identifies a security threat, the resulting security.threat.detected entry now provides a descriptive reason for the event. See System Log.
Improvements to the self-service registration experience
Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.
SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.
Improvements to the self-service unlock process
Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application. See Configure the email authenticator.
Toggle password visibility on the Okta Sign-In page
End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Enable delegated authentication for LDAP.
Email failure events in the System Log
Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.
Choose additional filters for Office 365 sign-on policy
Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.
Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.
Manage admin email notification subscriptions using API endpoints
Admins can manage email subscriptions using the Admin Email Subscription API endpoints.
- Super admins can configure default subscription settings by admin type.
- All admins can manage their own admin email notification subscriptions.
LDAP password reset option
LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.
LDAP admin password reset
For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.