Production release notes

September 2022

2022.09.0: Monthly Production release began deployment on September 6

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Okta ADFS plugin, version 1.7.11

This version of the plugin contains bug fixes, security enhancements, and support for an additional top-level domain. See Okta ADFS Plugin Version History.

Okta MFA Credential Provider for Windows, version 1.3.7

This version of the agent contains fixes, security enhancements, and support for an additional top-level domain. See Okta MFA Credential Provider for Windows Version History.

PKCE validation for OIDC app integrations

You can now require Proof Key for Code Exchange (PKCE) as an additional verification step for any OIDC app integration except service apps. The OAuth Security Best Current Practice recommendation is to use PKCE for all uses of the authorization code flow, regardless of the client type. See Create OIDC app integrations using AIW.
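The check that a "require PKCE" setting adds to the authorization code flow, as an added illustration (not Okta's code): the client derives an S256 code_challenge from a random code_verifier, the server binds the challenge to the issued code, and the token exchange fails unless the presented verifier hashes back to that challenge. The PkceAuthServer class is a constructed toy model of the server-side logic, not a real endpoint.

```python
import base64
import hashlib
import hmac
import secrets

_NO_CODE = object()  # sentinel for an unknown or already-used authorization code


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43 unreserved characters (RFC 7636 minimum)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class PkceAuthServer:
    """Constructed model of the PKCE checks an authorization server performs."""

    def __init__(self, require_pkce: bool):
        self.require_pkce = require_pkce
        self._codes = {}  # authorization code -> bound code_challenge, or None

    def authorize(self, code_challenge=None, code_challenge_method=None) -> str:
        """Authorization endpoint: issue a code, binding the challenge when present."""
        if code_challenge is None:
            if self.require_pkce:
                # The new setting: public and confidential clients alike must send a challenge.
                raise PermissionError("invalid_request: code_challenge is required")
            challenge = None
        else:
            # Only S256 is accepted here; the plain method leaks the verifier in transit.
            if code_challenge_method != "S256":
                raise PermissionError("invalid_request: unsupported code_challenge_method")
            challenge = code_challenge
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = challenge
        return code

    def token(self, code: str, code_verifier=None) -> dict:
        """Token endpoint: codes are single use; a bound challenge must be proven."""
        challenge = self._codes.pop(code, _NO_CODE)
        if challenge is _NO_CODE:
            raise PermissionError("invalid_grant: unknown or reused authorization code")
        if challenge is not None:
            if code_verifier is None or not 43 <= len(code_verifier) <= 128:
                raise PermissionError("invalid_grant: code_verifier missing or malformed")
            # Constant-time comparison of the recomputed challenge with the bound one.
            if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
                raise PermissionError("invalid_grant: code_verifier does not match")
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def pkce_round_trip(server: PkceAuthServer) -> dict:
    """Full happy-path exchange: verifier -> challenge -> code -> token."""
    verifier = make_code_verifier()
    code = server.authorize(code_challenge_s256(verifier), "S256")
    return server.token(code, verifier)
```

Because the challenge is bound at authorization time, a code intercepted in transit is useless to anyone who does not also hold the original verifier.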

Validation and verification of signed SAML requests

Using signed SAML requests ensures that incoming requests are from genuine applications. When this is configured, Okta only accepts SAML requests signed using the certificate associated with the app integration. Having signed SAML requests also resolves scenarios where the Assertion Consumer Service (ACS) URL requested after authentication can be one of several domains or URLs. When a Service Provider sends a signed authentication request, Okta can accept dynamic ACS values as part of the SAML request and post the SAML assertion response to the ACS value specified in the request. See the Advanced Settings section of Create SAML app integrations using AIW.

Shared SWA app accounts, password restriction

For SWA apps with the account sign-in option set to Users share a single username and password set by administrator, only Super admins or App admins with permissions for that app can view the password.

Device assurance for unmanaged devices

While you can secure access to your corporate resources with passwordless MFA using Okta FastPass, you can’t ensure the security posture of the device itself before granting access. This is especially true for unmanaged devices, where a complementary device management agent isn’t present to validate the compliance status of that device. Device Assurance policies enable you to define device security posture requirements that must be satisfied in order for a user to access a protected resource. This allows you to protect your organization's data and services by ensuring access is only granted to secure devices, even if those devices aren’t managed. See Device assurance.

LDAP real-time synchronization

With real-time synchronization, user profiles, groups, and group memberships can now be updated when LDAP-sourced users sign in to Okta, or when they refresh their People page. Admins no longer need to perform full or incremental imports of user attributes, and user profiles, groups, and group memberships are always up to date. Real-time synchronization also reduces the burden on system resources because user attributes are imported and updated individually and not in large groups. See Manage your LDAP integration.

New Recent Activity page on the new Okta end-user dashboard

The Recent Activity page provides end users with a summary of recent sign-in and security events for their Okta account. End users can also report suspicious activity to their Okta admin by clicking I don’t recognize this. See Recent Activity.

Enhancements

Custom domain status

On Customizations > Domain, a new Status field indicates whether the Custom URL Domain configuration is active, pending, or certificate expired. See Customize the Okta URL Domain.

Clarified sign in widget text

The instructions on the Verify with your email page of the Sign-In Widget now specify that the end user must click the action button for Okta to generate and send the verification email.

OIN Manager user interface changes

The OIN Manager includes the following updates:

  • The UI has been updated to match the current Okta style.
  • The Okta logo has been updated.
  • A note that lists the time required to process new submissions is displayed.

403 error for rate limit violations

When an org reaches its operational rate limit for SMS requests, a 403 Forbidden error is now displayed instead of a 429 Too many requests error. See Configure client-based rate limiting.

Early Access Features

New Features

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org’s apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your SSO apps.

Enhancements

SAML app support added for email magic links

The Email Magic Link feature now supports SAML applications for self-service registration, self-service password reset, and self-service unlock operations.

Fixes

General Fixes

OKTA-482997

The Custom Authenticator sent push notifications even when the Send push automatically checkbox wasn’t selected.

OKTA-496347

The password field in the Add Person widget was incorrectly truncated.

OKTA-499408

The help link for Automatically update Okta Active Directory (AD) agents on the Early Access page pointed to an outdated help topic.

OKTA-506480

AD agent emails incorrectly indicated that agents already running the latest version had recently been auto-updated.

OKTA-515159

When an admin customized an email template not used for sign-in flows, the app.id, app.name, and app.label variables didn't resolve correctly.

OKTA-518347

Some Org2Org users had the same ExternalID on the target org.

OKTA-522912

The text in the Sign-In Widget implied that the verification code was sent in an email, but Okta hadn’t generated that email yet.

OKTA-523033

Inline enrollment of additional authenticators asked users to enroll authenticators based on global session policy settings.

OKTA-523140

When Salesforce provisioning was configured using OAuth, Salesforce Community Profiles weren’t displayed.

OKTA-523607

Users could sign in with ADSSO after delegated authentication was disabled.

OKTA-524632

Searching for users on the Assign People page returned an Invalid Search Criteria error if the secondary email was marked as a sensitive attribute.

OKTA-529018

The catch-all rule in the default authentication policy required password only.

App Integration Fixes

The following SAML app was not working correctly and is now fixed:

  • Salesforce (OKTA-516730)

Applications

Application Updates

Due to company re-branding, we have deprecated the ParkOffice app and replaced it with the Wayleadr app.

New Integrations

SAML for the following Okta Verified applications:

  • Grayscale (OKTA-508602)

  • ParkOffice (OKTA-522526)

  • Wayleadr (OKTA-522520)

Weekly Updates

August 2022

2022.08.0: Monthly Production release began deployment on August 8

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Customize Okta to use the telecommunications provider of your choice

While Okta provides out of the box telephony functionality, many customers need the ability to integrate their existing telecommunications provider with Okta to deliver SMS and Voice messages.

The Telephony Inline Hook allows customers to generate one-time passcodes within Okta and then use their existing telecommunications provider to deliver the messages for MFA enrollment/verification, password reset, and account unlock using SMS or Voice. This lets customers keep using their existing telephony solution with Okta, whether because of the time they've already invested in it, the need to use a specific regional provider, or simply the desire to maintain flexibility. See Customize your telephony service provider.

Configurable API token rate limits

Admins can now configure a percentage rate-limit capacity for individual API tokens. Previously, when a token rate limit violation occurred, it wasn’t clear which token consumed the limit. Setting a maximum capacity for each token solves this problem and gives admins a new tool to investigate rate-limit violations and plan for future deployments. See API token management.

Salesforce REST OAuth

Admins can now upgrade to the latest version of our Salesforce integration. OAuth authentication is now used for Provisioning and Imports. See Configure OAuth and REST integration. This feature is made available to all orgs.

Merge tool for duplicate authentication policies

Admins can simplify policy management by merging duplicate authentication policies. The merge tool finds authentication policies with the same rules, moves their apps to a single policy, and then deletes the duplicates. After the automated process runs, admins can then make edits and app assignments in a single policy. See Merge duplicate policies.

Custom Administrator Roles

The standard admin roles available today don’t always meet all the granular delegated administration requirements, which may result in admins having either more or fewer permissions than they need.

The Custom Administrator Roles feature allows super admins to:

  • Create admin assignments with granular roles, which include specific user, group, and application permissions.

  • Constrain these admin assignments to resource sets.

Use Custom Administrator Roles to:

  • Increase admin productivity.

  • Decentralize the span of access that any one admin has.

  • Grant autonomy to different business units for self-management.

Some important things to note:

  • The Administrators page has been updated with a new, more intuitive interface for managing roles and permissions. See About the Administrators page.

  • Your pre-existing roles are referred to as “standard roles”. The standard role functionality is the same as earlier but the UI is different. See Use standard roles.

  • You can continue using the pre-existing roles and your existing assignments remain the same.

  • You can also assign custom roles to users who have standard roles assigned.

See Custom administrator roles and Best practices for creating a custom role assignment.

Bulk assign users to groups

Admins can now use bulk import functionality to assign multiple users to specific Okta groups. Bulk user import significantly reduces the time admins spend managing user group assignments. In addition, this functionality makes it easier for large enterprise orgs to adopt Okta as their access management provider. See Bulk assign people to a group. This feature will be gradually made available to all orgs.

Okta Admin Console Groups page enhancements

The Okta Admin Console Groups page has been updated to simplify the addition of large numbers of users to groups and reduce the likelihood that all users can be accidentally removed from a group. In addition, search functionality has been significantly improved to make adding and removing users from groups quicker and easier. See Manage groups. This feature will be gradually made available to all orgs.

Advanced search for users and groups

To make it easier for admins to quickly locate and manage users and groups, enhanced people and group search functionality is now available. Admins can limit search results to specific criteria using SCIM protocol queries. They can also use Created On and Last Updated On in their queries to identify when users or groups were created or last modified, and search for groups and users using both base and custom attributes. These advanced search options optimize search results and help reduce the time spent searching for specific information. See View group members. This feature will be gradually made available to all orgs.

Trusted Origins for iFrame embedding

You can now choose which origins can embed Okta sign-in pages and the Okta End-User Dashboard using Trusted Origins for iFrame embedding. This feature offers more granular control over iFrame embedding than the existing embedding option in Customization, which doesn't let you distinguish between secure and non-secure origins. Trusted Origins under Security > API allows you to selectively configure the origins you trust. It also provides enhanced security because it uses the more secure frame-ancestors directive in Content Security Policy, which protects your data from web attacks such as clickjacking. You can also migrate your existing iFrames to Trusted Origins. See Trusted Origins for iFrame embedding.

Okta AD agent, version 3.12.0

This version of the agent contains the following changes:

  • Improved group membership information logging

  • Security enhancements

See Okta Active Directory agent version history.

Okta RADIUS Server agent, version 2.17.5

This version of the agent contains security fixes and resolves a memory leak that occurred when agents were configured for EAP-TTLS. See Okta RADIUS Server Agent Version History.

Okta On-Prem MFA agent, version 1.5.1

This version of the agent contains security fixes. See Okta On-Prem MFA Agent Version History.

Event hooks for log streaming

To provide better visibility into changes in the state of Okta log streams, event logs pertaining to log stream management, such as stream deactivation, are now eligible for event hooks. Event hooks allow you to automate detection and responses to changes in the state of a log stream. See Log Streaming.

Rate Limits dashboard includes API Token data

The Rate Limits dashboard now includes API Token data on the Rate limit usage over time graph. You can view bar graph data by API token or by IP address to review any spike in traffic. See bar graph and API rate limits by token.

Enhancements

System Log events for Report CSV actions

For enhanced security and auditing, the System Log now records new events when CSVs of reports are requested, generated, and downloaded.

System Log update for authentication policy

Authentication policy update events include a new DebugData field with details about how the rule was changed.

System Log update for telephony operations

The system.operation.rate_limit.violation event is no longer fired when SMS or Voice messages are blocked due to telephony operational rate limit violations. Instead, telephony system.sms.send.* and system.voice.send.* events are issued as a DENY System Log message.

Microsoft Azure Join documentation

Help documentation is now available for users integrating Azure Join and Okta. See Typical workflow for integrating Hybrid Azure AD Join.

AD Agent auto-updates only when operational

The AD agent auto-update scheduler no longer automatically updates non-operational agents. See Schedule agent auto-updates.

The YubiKey authenticator renamed

The YubiKey authenticator is renamed YubiKey OTP. See Configure YubiKey OTP for one-time passwords.

OIN Manager enhancements

The contents of the automated email sent when an integration has been moved to Draft after a period of inactivity have been updated.

Dynamic issuer mode for identity providers

You can configure the dynamic issuer mode for an identity provider using the Identity Provider API. When you set issuerMode to DYNAMIC, Okta uses the domain from the authorizeURI as the domain for the redirect URI when returning the authentication response.

Clock skew requirement removed

Users can now access the End-User Dashboard without syncing their device clock to the server time. See The new Okta end-user experience.

Early Access Features

New Features

New custom authenticator for push notifications

Before now, Okta Verify was the only solution for using push notifications and biometrics as part of your Okta user verification strategy. Now, we have the Devices SDK, which lets you embed push notifications and biometric verification inside your organization’s mobile apps. Your users are presented with a push and biometric experience within your organization’s apps, with your organization’s branding on it. They never have to leave your app, and they don’t need to download a third-party app, such as Okta Verify, to complete their verification. See Configure the Custom Authenticator.

Fixes

General Fixes

OKTA-454135

The pending user action status was unclear on the new group membership page.

OKTA-466964

The Edit icons on the Application > Provisioning tab were visible to admins who didn’t have the Manage applications permission.

OKTA-492931

Admins couldn’t edit the MFA requirement and session expiration settings in the default rule of a global session policy.

OKTA-494505

Okta Expression Language worked incorrectly in app pages after the page was saved and reloaded.

OKTA-505852

AD agents running versions prior to 3.8.0 were displayed in existing auto-update schedules.

OKTA-508762

Workday incremental imports with a pre-hire level set prematurely picked up some updates from within the pre-hire interval.

OKTA-509105

Upgrading to Identity Engine resulted in AWS Redshift connectivity issues.

OKTA-509671

When a custom admin role was deleted, users with no other assigned admin roles could still see the Admin button on the Okta End-User Dashboard.

OKTA-511909

When admins applied the Not managed filter on the Devices inventory page, some unmanaged devices were missing from the list.

OKTA-511933

LDAP agents failed to parse queries when group names had special characters.

OKTA-512433

On the Admin Dashboard, the Items count for the Applications can be updated to use SAML task wasn’t correct.

OKTA-515783

Sometimes, in the Groups page Description column, an equals sign (=) replaced the forward slash ( / ) in LDAP-sourced group names.

OKTA-518090

The Authentication Policies page didn’t load if a policy name contained an apostrophe.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Accredible (OKTA-511942)

  • SurveyMonkey (OKTA-509109)

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog:

OIDC for the following Okta Verified applications:

Weekly Updates

July 2022

2022.07.0: Monthly Production release began deployment on July 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Server-generated secret keys lengthened

Server-generated secret keys have been lengthened to enhance security. These keys are used to generate one-time passwords for multifactor authentication in FIPS-enabled environments and orgs.

See Configure Okta Verify options.

Introducing the Progressive Enrollment experience

Typically, collecting end-user data during the initial sign-up process creates friction and abandonment. The addition of the Progressive Enrollment feature helps you to capture the minimum user information required to create a profile and then expand and enhance those user profiles during subsequent sign-in operations. Admins can control what information is collected, validate those input values, and trigger inline hooks during the self-service registration and progressive enrollment flows. See Registration of end users.

Password synchronization for LDAP-sourced users

When the passwords of LDAP-sourced users are reset in Okta and LDAP delegated authentication is enabled, the new password is now immediately synchronized to the user's assigned applications that are configured for password synchronization. This change makes sure that user passwords remain current and reduces the likelihood that users will be unable to access their applications. See Application password synchronization.

Configure sign-on policies based on identity providers

Admins now have the option to configure a sign-on policy based on a specific identity provider. This allows admins more flexibility to dictate which IDP can be used to obtain an Okta session. See Add an authentication policy rule.

Additional detail now provided on the Sign-In Widget

The Verify it’s you with a security method page on the Sign-In Widget now indicates whether a security method is used for authentication, recovery, or both.

Remember my last-used MFA authenticator

Okta now remembers all MFA authenticators that the user selected the last time they successfully signed in. On subsequent sign-in attempts, the last-used authenticator is automatically selected by default. Users can still select another authenticator by clicking Verify with something else. This feature will be gradually made available to all orgs.

SSO capability to OIN apps

Customers who subscribe to the MFA-only package of services now have basic single sign-on functionality to Okta Integration Network apps.

Legacy user group ID support

Validation rules have been relaxed to support user group entity legacy ID formats created prior to 2012.

FIDO2 security key enrollment

Admins may now enroll a FIDO2 security key to a user’s account, on their behalf, from the Okta user interface. This enables admins to provide extra levels of assistance in the event that a user is unable to complete the enrollment themselves. See Configure a FIDO2 (WebAuthn) authenticator.

New catch-all rule conditions

The catch-all rule in new authentication policies now allows access with any two factor types and requires re-authentication after 12 hours. See Add a global session policy rule.

OIN Manager developer terms

OIN Manager pages now include links to developer terms and conditions. See Developer Terms.

Enhancements

Session management section for adding a global session policy rule

A new Session management section is available when adding a new global session policy rule or editing an existing one.

The section includes two new options:

  • Maximum Okta session lifetime: Set a time limit for user sessions.

  • Persist session cookies across browser sessions: Allow the user to continue a session after reopening a closed browser.

These options were previously available only through the Okta API, but they can now also be configured from the Admin Console.

Session Expires After is now renamed Expire session after user has been idle on Okta for.

Additional warnings and descriptions clarify the functionality of the fields and how to better configure them.

See Add a global session policy rule.

User.session.start System Log events

A user.session.start System Log event is fired after successful app-specific DelAuth sign-in events.

Default policy new conditions

The default authentication policy now allows access with any two factor types and requires re-authentication after 12 hours. See Add an authentication policy rule.

Default policy name change

For new and upgrading orgs, the default authentication policy has been renamed Any two factors. This policy allows access with any two factor types and requires re-authentication after 12 hours. See Preset authentication policies.

OIN App Catalog user interface changes

The Languages Supported section of the app details page has been removed.

Improvements to API authorization server interface

Administrators working with OIDC client applications can now see a preview of the information contained in the refresh token and the device secret returned by the authorization server. See API Access Management.

Updated System Log event

The authenticatorKey data now appears in the System Log when an authenticator is created, updated, activated, or deactivated.

New HealthInsight security task

A new MFA Requirements task appears if admins set up a global session policy with New Device behavior but don't select At every sign-in.

The purpose of this security task is to ensure that the MFA requirements configured by the admin aren’t in conflict with Okta’s Behavior Detection functionality, and that the MFA policy rule isn’t bypassed unintentionally. When users select the security task, recommendations appear for correcting the configuration. See MFA requirements.

Organization settings name change

The Organization section of the Security > General page is renamed Organization Security. See General Security.

Early Access Features

New Features

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user’s email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.

Fixes

General Fixes

OKTA-449159

In the Add Identity Provider - Microsoft UI, the Microsoft Scopes help link pointed to an incorrect URL.

OKTA-480772

AD-sourced users who reset their passwords in AD had to reset their passwords again when using IWA or ADSSO to sign in to Okta.

OKTA-498957

When configuring SAML signing certificates for a SAML 2.0 app, admins were unable to right-click and copy the Identity Provider metadata link in the Admin Console.

OKTA-500367

Unique properties associated with non-existent users weren't cleared when user validation failed during user creation.

OKTA-502678

Users who enrolled Okta Verify on multiple devices and clear the Send push automatically checkbox didn’t receive a push notification when they selected Get a push notification.

OKTA-506002

Since uniqueness requires exact value matches, making schema properties of type Number unique was an issue and is no longer supported. Use Integer or String properties instead.

OKTA-506333

Warning messages appeared on the Global Session Policy - Add Rule and Edit Rule page even though the relevant fields weren’t visible.

OKTA-507888

On the Pages panel of Customizations > Branding, the Okta defaults appeared instead of an org’s selected theme.

OKTA-509079

The Welcome page, SMS reminder prompt, and security image prompt weren’t shown for users who accessed Okta using AD SSO in Incognito mode.

OKTA-510254

The profile enrollment form didn't permit more than 10 allowed attributes.

OKTA-510483

Sometimes an error occurred when an admin attempted to edit a resource set that included a deleted app.

OKTA-515057H

Clicking the Force Sync button resulted in a 404 error with an incorrect message.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • GetFeedback (OKTA-505764)

  • GoToWebinar (OKTA-502955)

  • NordLayer (OKTA-505977)

Applications

Application Updates

The existing Balsamiq integration has been removed and renamed to Balsamiq (deprecated).

Customers should use the Balsamiq Wireframes (SAML) integration in our OIN Catalog moving forward.

Weekly Updates