Okta Identity Engine release notes (Production)

Sign-In Widget, version 7.24.1

Hyperspace Agent version 1.5.0

Hyperspace Agent version 1.5.0 is now available. This version uses Microsoft Edge WebView2 Runtime to display Sign-In Widget content. See Okta Hyperspace Agent version history.

JIT provisioning for Smart Card

This feature enables you to provision Just-In-Time (JIT) access to users. You can do this by configuring certificate attribute criteria so that PIV/CAC card holders of other orgs can gain access to the resources they need. See Add a Smart Card Identity Provider.

Enhanced dynamic zones

Use enhanced dynamic network zones to define IP service categories (proxies, VPNs), locations, and Autonomous System Numbers (ASNs) that are allowed or blocked in a zone. See Enhanced dynamic zones.

Device assurance OS version update

The following OS versions are now supported in device assurance policies: -

• Android 15
• iOS 17.7
• macOS 13.7
• macOS 14.7
• Windows 10 (10.0.17763.6293, 10.0.19044.4894, 10.0.19045.4957)
• Windows 11 (10.0.22000.3197, 10.0.22621.4249, 10.0.22631.4249)

Nonce rollout for Content Security Policy

Okta is rolling out nonces for the script-src directive of the Content Security Policy for every endpoint that returns html content. This is a two stage process: first, the nonce is added to the Content-Security-Policy-Report-Only header script-src directive; later, after any unsafe inline scripts are identified and fixed, the nonce is added to the Content-Security-Policy header script-src directive. This update will be gradually applied to all endpoints.

Deprecating provisioning for Confluence (Atlassian)

Provisioning for Confluence (Atlassian) has been deprecated.

UI update on the Brands page

Dropdown menus on the Brands page have been updated to provide a more consistent look and feel.

OIN connector support for Entitlement Management

The following connectors have been updated to support Entitlement Management:

• Coupa
• DocuSign
• WebEx

See Provisioning-enabled apps.

Group Owner assignments removed

The Group Owner assignment option has been removed from Access Requests for admin roles sequences.

Updated content on Entity Risk Policy page

UI text on the Entity Risk Policy page is updated for clarity and consistency.

New Okta Secure Identity collection in the OIN catalog

A new Okta Secure Identity collection is available in the Okta Integration Network (OIN) catalog. This collection identifies integrations that are part of the Okta Secure Identity commitment. See the OIN catalog for a list of integrations assigned to this collection.

Improved notifications in Admin Console policy

Notifications in the Admin Console authentication policy have been improved for better user experience.

System Log event types and outcome reasons

The user.authentication.auth_via_IDP and user.authentication.auth_via_social System Log event types now indicate whether a successful Identity Provider sign-in attempt was due to JIT provisioning or account linking. See Event types.

OIDC Identity Provider options

OIDC Identity Providers can now have both the Account Link and JIT policies set to disabled.

Event hooks for Identity Provider authentication

You can now use user authentication with Identity Provider events as event hooks. See Event Types for a list of events that you can use with event hooks.

Okta Active Directory Password Sync agent, version 1.6.0

This version of the agent includes security enhancements.

Sign-In Widget, version 7.23.0

Okta LDAP Agent automatic update support

Admins can now initiate or schedule automatic updates to Okta LDAP agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta LDAP agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta LDAP agents.

Trusted App filters

Trusted App filters allow orgs to block applications from invoking Okta FastPass in Windows, and in Google Chrome and Firefox browsers for macOS. See Trusted app filters .

Admin Console Japanese translation

When this feature is enabled, all admin users in the org who use Japanese as their display language will see the Admin Console in Japanese. See Supported display languages.

System Log event updates

In the System Log, the user.risk.detect event now appears instead of the user.risk.change event when Okta detects an entity that's associated with a risk level.

Continuous Access has been renamed to Post auth session. As a part of the change, the following System Log events have been renamed as well:

• policy.continuous_access.evaluate has been renamed to policy.auth_reevaluate.enforce
• policy.continuous_access.action has been renamed to policy.auth_reevaluate.action

See System Log events for Identity Threat Protection.

Deprecating App Password Health report

The App Password Health report has been deprecated. Use the Sign On Mode filter in the User App Access report to view SWA application password reset dates. The capability to ask users to reset SWA passwords has been removed.

Deprecating Recent Unassignments report

The Recent Unassignments report has been deprecated.

• Use the System Log event application.user_membership.remove to identify users who have been unassigned from an application. See Recently unassigned users.
• Use the User App Access report to identify users currently assigned to applications. See User App Access report.

Updates to App Usage report

The Application Usage report has been updated.

• The maximum number of rows in a CSV is increased to five million.
• The date range field uses the user's local time zone when determining results.
• The report downloads automatically when possible.

Improved JIT performance for directory integrations

JIT-enabled directory integrations now have improved response times for JIT requests.

Require MFA for Admin Console access

You can require multifactor authentication to access the Okta Admin Console. When you enable this feature, all Admin Console authentication policy rules that allow single factor access are updated to require multifactor authentication. See Enable MFA for the Admin Console. This feature will be gradually made available to all orgs.

Okta Personal for Workforce

Okta Personal for Workforce is a set of features that allows admins to separate their users' work data from non-work data. Admins can now offer their end users a free Okta Personal account to store personal data, allow them to switch between accounts, and migrate personal apps from an Okta enterprise tenant to Okta Personal. When Okta Personal for Workforce is enabled, personalized communications are sent to the end users encouraging them to use Okta Personal for personal data and Okta enterprise for work data. See Okta Personal for Workforce.

IP session restrictions for Okta Workflows

Okta super admins can now enable IP session restrictions for Okta Workflows. This feature ensures that all Workflows requests in a session use the same IP address that was logged when the session was created. If the IP address doesn't match any request, the session is terminated and the Workflows admin must sign in again.

Improved security for Microsoft Office 365

Microsoft Office 365 provisioning now eliminates the need for admin credentials by using a secure and modern OAuth-based authentication flow. This update will be gradually made available to all orgs.

Partial Universal Logout indicator in the OIN

The OIN catalog now indicates which apps support partial Universal Logout.

Changes to role permissions that handle API tokens

The following changes have been made to the permissions that handle API tokens:

• The View users and their details permission now includes the View API tokens permission.
• The Edit users' lifecycle states, Suspend users, and Clear users' sessions permissions now include the Manage API tokens permission.
• To view or manage tokens, use the Manage API tokens permission.

See Role permissions.

OIN connector support for Entitlement Management

The Dropbox Business, ServiceNow, SmartRecruiters, and Tableau connectors have been updated to support Entitlement Management. See Provisioning-enabled apps

New System Log events for Device Assurance Policy

New System Log events are generated when a device assurance policy is created, updated, or deleted:

• device.assurance.policy.add
• device.assurance.policy.update
• device.assurance.policy.delete

New System Log events for flow and table changes

The workflows.user.flow.move and workflows.user.table.move Okta Workflows events have been added to the System Log to record the changes that occur due to reorganization of folder-level resources.

New System Log entries for sign-in events

The user.authentication.auth_via_IDP System Log event has been created. This event records occurrences of unknown users attempting to sign in through an Identity Provider.

System Log event update

The user.authentication.auth_unconfigured_identifier System Log event now appears when a user signs in without an admin-configured identifier.

Support for migrating Office 365 apps to Microsoft Graph

You can now migrate your Office 365 Single Sign-On app (WS-Fed Auto) instances to a secure OAuth-based consent flow using Microsoft Graph. See Configure Single Sign-On for Office 365.

Improved API documentation

Our API documentation has a new look and feel! API content in the References section of the Developer Documentation website will be moved after September 30, 2024.