Okta Identity Engine release notes (Preview)

Version: 2024.11.0

November 2024

Generally Available

Okta LDAP Agent, version 5.22.0

This version of the agent includes the following:

  • Agent now uses OAuth 2.0 and OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to securely communicate with Okta.
  • New agents are registered through the OAuth 2.0 device registration flow.
  • Agents now operate independently from the accounts used to register them.
  • Agents can now be installed by super admins and admins with a custom role that includes agent registration permissions. See LDAP integration prerequisites.
  • Linux LDAP agents are now managed using systemd instead of sysvinit. See Manage the Okta LDAP Agent.

See Okta LDAP Agent version history.

Improved user experience for group member counts

Groups now use async counts to determine user membership for groups that exceed 10,000 users. This improves the performance of both the Groups page and the group selector on the Sign-on policy page.

Give access to Okta Support

Admins can now control how members of the Okta Support team access their org. To support this, the Account page provides the following two options:

  • Impersonation Grants for Cases: Allows the Okta Support team to sign in to your org as a read-only admin to troubleshoot issues.
  • Support User Grants for Self-Assigned Cases: Allows an Okta Support representative to access your org settings after they've opened a case. Using these settings, admins can select the right level of Support access for their org.

See Give access to Okta Support.

Multiple Identifiers

Today, end users must sign in to Okta with a username or email address only. With the Multiple Identifiers feature, admins can configure identifiers, or user attributes from Universal Directory, that an end user can enter to authenticate. Multiple identifiers work in sign-on, recovery, self-service registration, and unlock flows. Admins can configure up to three identifiers, including email (which is still a required identifier). See Multiple identifiers.

Improved password reset process for Active Directory-sourced users

The password reset process sends the password update and verification requests to the same Active Directory agent to avoid replication delay.

Allow or disallow an authenticator instance in an authentication policy rule

You can now specify a custom authenticator instance in the allow or disallow lists of an authentication policy rule. This provides more granular control over which authenticators are available to users. See Add an authentication policy rule.

Workday supports incremental imports

Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Workday.

Read-only admin permissions

Read-only admins can now view user profile policies and inline hooks. See Read-only administrators.

New column in Application Usage report

The Application Usage report now provides an Instance Name column. The new column helps users identity which apps the report was generated for.

Improved Access Requests error message

When you navigate to the Access Requests tab for an app, the resulting error message is now clearer.

Updates to User Accounts report

The maximum number of rows in a CSV export has been increased from 1 million to 5 million.

Early Access

IP Exempt Zone

Use this feature to always allow traffic from specific gateway IPs irrespective of any Okta ThreatInsight configurations or network zones that are configured as blocklists. See IP Exempt zone.

OpenID Connect Identity Providers now support group sync

OpenID Connect Identity Providers now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.

Create dynamic resource sets with conditions

Resource set conditions help you limit the scope of a role by excluding an admin's access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Resource set conditions.

Seamless and secure authentication with passkey autofill

Passkeys offer a streamlined sign in experience to users by leveraging their browser's existing autofill capabilities. This allows users to quickly and intuitively sign in to an org without typing their credentials or seeing extra prompts. This secure, phishing-resistant solution works seamlessly across devices, delivering both enhanced security and convenience for modern authentication needs. See Configure the FIDO2 (WebAuthn) authenticator.

Secure Partner Access for external partners

Secure Partner Access provides a secure way for external business partners to access your org's resources. It streamlines your partner management tasks, reduces IT workload, and simplifies the process of configuring your org's security requirements. See Secure Partner Access.

Secure SaaS service accounts

This feature enables customers to monitor, manage, and secure access to service accounts in their SaaS apps. This new feature in Okta Privileged Access improves the Okta platform by safeguarding non-federated accounts across an org's apps. See Manage service accounts.

Fixes

  • The user count on the Groups page wasn't displayed correctly. (OKTA-603239)

  • The group picker in the Okta Browser Plugin showed an inaccurate user count. (OKTA-603587)

  • After account recovery was deferred to the Okta account management policy, users still couldn't delete authenticators that were required by the password policy. (OKTA-740130)

  • When the Settings page prompted an end user for reauthentication, the Sign-In Widget sometimes wasn't displayed correctly. (OKTA-793598)

  • Admins couldn't retry failed provisioning tasks. (OKTA-795934)

  • SUSPENDED app users weren't supported during a group push. (OKTA-803747)

  • The authenticator enrollment and email notifications for new Okta Verify enrollments on custom domains weren't correctly branded. (OKTA-805671)

  • When the Okta account management policy was configured to control recovery, all selected authenticators in the password policy were cleared. (OKTA-812311)

  • The text overflowed the Application notes for admins field in the General Settings section of the OIDC app page. (OKTA-813866)

  • When an admin clicked Show more tasks on the Tasks page after a Profile Push error occurred, the list of affected users appeared twice. (OKTA-814527)

  • Self-service unlock didn't work if user enumeration prevention was disabled and Show lock out failures was turned on. (OKTA-815680)

  • The security.partner.report.risk and user.session.end events were missing from the user.risk.change System Log event. (OKTA-818603)

  • Sometimes when an admin tried to view the Salesforce app integration, they were prompted to sign in. (OKTA-820465)

  • Sometimes an error occurred when pushing groups without a group description. (OKTA-820782)

  • On the Okta Admin Dashboard, the information in the Tasks widget wasn't aligned correctly. (OKTA-822294)

  • On the Edit role page, some role permissions weren't in the correct order. (OKTA-823779)

Okta Integration Network

  • Datadog (SAML) is now available. Learn more.
  • Diminish (OIDC) is now available. Learn more.
  • Docusign by Aquera (SCIM) is now available. Learn more.
  • EveryKey SSO (SAML) is now available. Learn more.
  • Five9 Identity Service based SSO (SAML) is now available. Learn more.
  • Fullstory (SAML) is now available. Learn more.
  • getregistered (SCIM) is now available. Learn more.
  • GitHub by Tech Prescient (SAML) is now available. Learn more.
  • LenelS2 Elements (SCIM) is now available. Learn more.
  • Lumos (SCIM) is now available. Learn more.
  • Metaphor (SCIM) has a new integration guide.
  • Ninth Brain Suite (SAML) is now available. Learn more.
  • Poggio (SAML) is now available. Learn more.
  • Schoox (SWA) has a new icon.
  • SecureTrustZone (SCIM) is now available. Learn more.
  • Seesaw (OIDC) is now available. Learn more.
  • Spherexx (SAML) has a new icon, description, and integration guide.
  • Upaknee Cloud Messaging Stack (OIDC) is now available. Learn more.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

YubiKey preregistration

Customer admins were previously unable to enroll and ship YubiKeys as WebAuthn enrollments in a quick and automated way. The YubiKey preregistration feature enables admins to preregister YubiKey factors as WebAuthn enrollments for both staged and existing (active) users using a Workflows and Yubico integration to seamlessly handle the registration and shipment. See Require phishing-resistant authentication with pre-enrolled YubiKey.

Seamless ISV experience for SCIM

Okta now provides a seamless ISV experience to optimize the Okta Integration Network (OIN) submission experience for SCIM integrations. This new experience enables independent software vendors (ISVs) to build and manually test their SCIM integration metadata before submission to the OIN. This reduces the time needed for the OIN team to review and validate that the SCIM integration functions as intended, which shortens the time to publish in the OIN. This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See Publish an OIN integration overview and Submit an integration with the OIN Wizard guide.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is now enabled by default for all orgs.

New browser tab reactivation behavior for the Sign-In Widget

The Sign-In Widget now avoids a full page refresh on custom domains when an inactive tab is reactivated. This change improves compatibility with browser memory saver features. This feature will be gradually made available to all orgs.

Sign in with duplicated email authenticators

Previously, users couldn't sign in if they had the same email enrolled twice as an authenticator. This change checks the status of each email authenticator and allows the user to sign in with the most suitable email authenticator.

End-user setting for nicknaming factors

End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the End-User documentation. This is a self-service feature.

Content security policy enforcement on end-user pages

Content Security Policy is now enforced for end-user pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for end-user pages will become stricter than this first release. This feature will be gradually made available to all orgs.

Okta ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints (OpenID Connect & OAuth 2.0, Okta Management, and MyAccount API). Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org.

Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints.

There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

Application Entitlement Policy

Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected entry now provides a descriptive reason for the event. See System Log.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application. See Configure the email authenticator.

Toggle password visibility on the Okta Sign-In page

End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Enable delegated authentication for LDAP.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Choose additional filters for Office 365 sign-on policy

Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.

Manage admin email notification subscriptions using API endpoints

Admins can manage email subscriptions using the Admin Email Subscription API endpoints.

  • Super admins can configure default subscription settings by admin type.

  • All admins can manage their own admin email notification subscriptions.

LDAP password reset option

LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.

LDAP admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.