Okta Identity Engine release notes (Production)
Version: 2024.04.0
April 2024
Generally Available
Sign-in Widget, version 7.17.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta MFA Provider for ADFS, version 1.8.0
This release includes vulnerability fixes and a .NET Framework version upgrade.
Content Security Policy for custom domains
The Content Security Policy (CSP) feature lets admins control which URLs may be linked to from customized sign-in and error pages in orgs that use custom domains. Admins add trusted URLs to Okta that link to items such as images and add these links to the code in their sign-in and error pages. This feature enhances security by enabling admins to allow only approved content to appear and prevent the introduction of potentially malicious code to these pages. See Customize the Content Security Policy (CSP) for a custom domain.
SAML Certificate expiration notification feature
This feature notifies admins through task entries in the Admin Console about expired or soon-to-expire certificates for SAML apps. This enhances security and minimizes app downtime caused by expired certificates.
Support case management for admins
Super admins can now assign the View, create, and manage Okta support cases permission and Support Cases resource to a custom admin role. This allows delegated admins to manage the support cases that they’ve opened. See About role permissions.
Okta Usage report enhancements
The Okta Usage report now attempts to download the generated CSV file immediately upon loading, and updates the email template when the report is generated. The CSV file can now contain up to five million rows. These enhancements automate the tasks of downloading and emailing the report, and provide more data to admins.
Direct Authentication
Direct Authentication offers a new set of OAuth 2.0 grants that give app developers greater control over the authentication process. When redirect authentication isn't an option, you can use direct authentication to allow client apps to authenticate users directly, without relying on HTTP redirection through a web browser. This is beneficial when there's a high degree of trust between the user and the app and when browser-based flows aren't feasible, like with mobile apps. See Configure Direct Auth grant types.
Okta Verify user verification with PIN or passcode
The Okta Verify enrollment relies on biometric verification, which presents challenges for users whose devices don’t support biometrics. To address this limitation, Okta Verify now supports user verification with PIN or password in addition to biometrics. This enhancement broadens accessibility, enabling all users to authenticate with Okta Verify and Okta FastPass, regardless of their device capabilities or personal constraints. See Configure Okta Verify options.
Granular API policy authenticator controls
The Authentication Policy API now includes three new constraints object parameters that provide precise control over what specific authenticators and methods are displayed to end users. Previously, some authenticators were mapped to the same authenticator types and methods. The parameters authenticationMethods and excludeAuthenticationMethods now identify (or exclude) the exact authenticator for both knowledge and possession constraints. The required parameter indicates whether the knowledge or possession constraints are required by the assurance. See the Policy API.
Granular controls for authentication policies
You can now disallow or allow individual authentication methods for an authentication policy. This gives admins more granular control over access to apps.
Require possession factor before password during MFA
You can now require users to verify their identity with a possession factor before a password or other knowledge factor during MFA. This helps protect your org against password guessing or spray attacks. See General Security.
New maximum number of connected AWS accounts
Admins can now connect a maximum of 1000 Amazon Web Services accounts to the AWS Account Federation app in Okta. This change helps avoid timeouts when testing API credentials on AWS.
Improved date filter display in reports
The date filter is now standardized and appears inline for the following reports: Telephony usage, Continuous access violation, Entity risk, At-risk user, and MFA events.
Improved Admin Dashboard and Administrators page
The appearance of several UI components (like buttons and dropdown menus) has been improved across the Admin Dashboard and the Administrators page.
Updated documentation links
Documentation links under the Security, Applications, and Customizations menus now redirect to the correct documentation.
End-User Dashboard and unsupported browsers
The End-User Dashboard no longer loads in unsupported browsers, including Internet Explorer 11 or Edge in Internet Explorer mode. This change enhances security by preventing access from browsers that no longer receive updates.
End-User Dashboard branding and accessibility enhancements
The End-User Dashboard now features design changes that provide a consistent brand experience across Okta's app and enhance accessibility for users.
New target added to a System Log event
A new target was added to the user.authentication.auth_via_mfa System Log event. The target shows the type of MFA app that was used to authenticate.
Authentication context System Log event
The new AuthenticationContext System Log event shows who accessed the configuration secrets for ADFS, Windows Credential Provider (RDP), Epic Hyperspace, and Epic Hyperdrive apps.
New DSSO user impersonation System Log event
A System Log event is now logged when a user attempts Desktop Single Sign-On (DSSO) authentication using a profile source that wasn't the highest priority.
Additional CrowdStrike signals
Okta Verify collects additional trust signals from CrowdStrike. You can view these signals in the System Log. When you configure authentication policy rules, you can use the CrowdStrike signals in Expression Language conditions. See EDR signals for custom expressions.
Early Access
Identity Threat Protection with Okta AI
Identity Threat Protection with Okta AI is a powerful risk assessment and response solution that provides post-authentication security to your org. By continuously analyzing risk signals that are native to Okta, risk signals from integrated security partner vendors, and your policy conditions, it safeguards orgs against identity attacks that occur during and outside of a user’s session. When Identity Threat Protection discovers a risk, it can immediately end the user’s sessions, prompt an MFA challenge, or invoke a workflow to restore your org’s security posture. Using intuitive dashboard widgets and reports, you can easily monitor security threats as they happen. See Identity Threat Protection with Okta AI.
Fixes
- Users couldn't enroll multiple Smart Cards as security methods from the End User Settings page. (OKTA-581807)
- When end users enrolled the email authenticator, the Sign-in Widget displayed their email incorrectly. (OKTA-625907)
- Some Microsoft Windows 365 Enterprise license names weren't displayed correctly on the Edit Assignment page. (OKTA-679276)
- Admins could delete active network zones. (OKTA-691904)
- No GovSlack attributes appeared for new app instances. (OKTA-693162)
- Google Workspace default user schema attributes weren't imported into Okta. (OKTA-697236)
- On the Configure SAML 2.0 IdP screen, the Account matching with IdP Username section appeared when Factor Only was selected for IdP Usage. (OKTA-698614)
- When an end user enrolled in Okta Verify from an OIDC app, they received the email notification from noreply@okta.com instead of the custom email domain. (OKTA-701658)
- When an admin enabled a self-service Early Access feature and an error occurred, a success message appeared. (OKTA-701707)
- Users received a Bad Request error when they canceled Okta FastPass during authentication. (OKTA-706541)
- App admins could initiate the refresh app data process for apps to which they didn't have permission. (OKTA-711670)
- Users were unable to enroll in an authenticator with the inline enrollment prompt when the authentication policy did not contain constraints for the corresponding factor class. (OKTA-715402)
Okta Integration Network
- Alohi (SAML) is now available. Learn more.
- Alohi (SCIM) is now available. Learn more.
- Better Stack (SAML) has a new logo.
- Candor (OIDC) is now available. Learn more.
- FAX.PLUS (SAML) has a new logo, description, and display name.
- Humi (OIDC) is now available. Learn more.
- Jurnee (SCIM) is now available. Learn more.
- UMA (OIDC) is now available. Learn more.
Weekly Updates
Generally Available
Sign-in Widget, version 7.17.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Fixes
- For some non-English locales, the Use a preset version dropdown menu on the Add device assurance policy page was misplaced. (OKTA-628325)
- Smart Card authentication method references (AMR) weren't passed correctly in OIDC ID tokens when the standard AMR org setting was enabled. (OKTA-641225)
- Some text strings in Access Testing Tool weren't translated to Japanese. (OKTA-674050)
- HTML was visible in some usernames in the Authenticator enrolled notification email. (OKTA-674629)
- In the Okta Usage report, the date picker was in an incorrect date format for the US English language and the earliest possible date couldn't be selected. (OKTA-688574)
- When a user signed in to Okta, the resulting policy.evaluate_sign_on System Log event didn’t display the user’s network zone correctly. (OKTA-690899)
- Access Testing Tool didn't display an error when it failed because of permission issues. (OKTA-698999)
- When users created passwords that didn't meet strength requirements, the Sign-In Widget incorrectly indicated in self-service registration flows that the requirements were met. (OKTA-703334)
- The MFA Events report didn't include the date and time details. (OKTA-711575)
- Sometimes Access Testing Tool showed no results when admins searched for existing users. (OKTA-713259)
- The MFA Events report displayed the events in an incorrect chronological order. (OKTA-715259)
- In the Profile Editor, there was no option to close the Delete Attribute window after reviewing the message. (OKTA-715984)
Okta Integration Network
- Reddit (SWA) was updated (OKTA-711282).
- RICOH Smart Integration (SAML) is now available. Learn more.
- Schwab Advisors (SWA) was updated (OKTA-710955).
- ShareThis (SWA) was updated (OKTA-709444).
- Torii (Read) (API service) is now available. Learn more.
- Torii (Read and Take action) is now available. Learn more.
- UMR (SWA) was updated (OKTA-629864).
- US Bank - Pivot (SWA) was updated (OKTA-710409).
- Var Street (SWA) was updated (OKTA-693696).
- Zerotek Lab (SAML) is now available. Learn more.
Generally Available
Referrer-Policy HTTP header sends default value
The Referrer-Policy HTTP response header controls how much referrer information is included with requests. Okta currently doesn't send the Referrer-Policy response header, so browsers apply their current default value, strict-origin-when-cross-origin. With this change, Okta sends the Referrer-Policy response header with the default value of strict-origin-when-cross-origin. This feature will be gradually made available to all orgs.
Fixes
- In orgs that configure Authentication Method References claims mapping, non-federated users weren't redirected to the IdP during re-authentication. (OKTA-697028)
- When ineligible users attempted a self-service password reset, they saw an unusable password screen instead of an error message. (OKTA-698980)
- When an admin-created user re-requested the welcome email, it wasn't sent to their secondary email address. (OKTA-702542)
- DENY events incorrectly appeared in the System Log in some Okta FastPass authentication scenarios. (OKTA-711395)
- The Sign-In Widget (third generation) didn't load for the Okta MFA Credential Provider for Windows when it prompted users to authenticate. (OKTA-711504)
- When the Identity Threat Protection with Okta AI feature was enabled, IdP sessions were incorrectly terminated when Continuous Access evaluation resulted in a policy violation. (OKTA-712360)
- When Identity Threat Protection with Okta AI was enabled, Continuous Access signed users out of all apps when only one app caused a violation. (OKTA-712361)
- User.session.start events didn't appear in the System Log. (OKTA-713292)
- Some admins received an error when trying to view the Identity Threat Protection widgets on the Admin Dashboard. (OKTA-717868)
- When an admin deactivated a user from an Office 365 app instance, the user's license was revoked, even if they were assigned to another Office 365 app instance. (OKTA-718565)
Okta Integration Network
- Backrightup (OIDC) is now available. Learn more.
- Calendly (SWA) was updated (OKTA-713087).
- Carbon Voice (OIDC) is now available. Learn more.
- Carbon Voice (SCIM) is now available. Learn more.
- Cisco Identity Intelligence (API service) now has the okta.roles.read and okta.schemas.read scopes.
- Cloud Auth (API service) has a new integration guide.
- Cloud Auth (OIDC) has a new integration guide.
- Command Zero (API service) has a new integration guide.
- Costco (SWA) was updated (OKTA-711710).
- Hellotracks (OIDC) is now available. Learn more.
- Hellotracks (SCIM) is now available. Learn more.
- KaseyaOne (SAML) is now available. Learn more.
- NetBird (OIDC) is now available. Learn more.
- NetBird (SCIM) is now available. Learn more.
- Omni Analytics (SCIM) is now available. Learn more.
- The Training Arcade (SAML) is now available. Learn more.
- Trova (SCIM) is now available. Learn more.
- Truckstop.com (SWA) was updated (OKTA-709674).
- Zscaler 2.0 (SAML) has a new display name, logo, and integration guide.
Version: 2024.03.0
March 2024
Generally Available
Sign-in Widget, version 7.16.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta LDAP agent, version 5.20.0
This version of the agent includes the following:
- Fixed an LDAP query used by the agent for retrieving group memberships using range attributes.
- The Okta LDAP Agent service now automatically starts on boot for Red Hat and CentOS platforms.
- Fixed an issue where some customers experienced slower than expected queries during LDAP authentication.
- Security enhancements.
Okta Hyperdrive agent, version 1.4.0
This version includes bug fixes and an upgrade of the .NET Framework to version 4.8. See Okta Hyperdrive agent version history.
Okta Hyperspace agent, version 1.4.0
This version includes bug fixes and an upgrade of the .NET Framework to version 4.8. See Okta Hyperspace Agent Version History.
Okta AD agent, version 3.17.0
This version includes fixes for signing executable and DLL files that come with the Active Directory agent. See Okta Active Directory agent version history.
Enhanced Disaster Recovery
This feature enables commercial customers in the North America region (excluding Compliance cells) to recover faster in the event of a disaster or regional outage. See Overview of enhanced disaster recovery.
Admin sessions bound to Autonomous System Number (ASN)
When an admin signs in to Okta, their session is now associated with the ASN they are logging in from. If the ASN changes during the session, the admin is signed out of Okta, and an event appears in the System Log.
Admin sessions bound to IP address
The General Security page has a new IP binding for admin console setting that's enabled by default. This setting associates all of the admin sessions in your org with the device IP address. If the IP address changes during the session, the admin is signed out of Okta, and an event appears in the System Log. This setting can be disabled, but Okta recommends keeping it enabled as a security best practice. See General Security.
Verify Zoom users with Okta
Zoom users can now attest and verify a user’s identity between two independent parties using Okta-signed tokens.
Permission conditions for profile attributes
You can now apply conditions to the View users and their details and Edit users' profile attributes custom admin role permissions. Permission conditions help you limit the scope of a role by including or excluding admins' access to individual profile attributes. This gives you more granular control over your custom admin roles and helps meet your org’s unique security needs. See Permission conditions.
Enhanced security of Okta Verify enrollments
The Higher security methods option on the authenticator configuration page ensures that users enroll in Okta Verify in a phishing-resistant manner. With this option, users can't enroll with QR code, email, or SMS link. See Configure Okta Verify options.
Stay signed in
Today, Keep me signed in allows the user to select whether their multifactor authenticators from previous sessions should be remembered. However, the option to select Keep me signed in was only available on the sign-in screen.
To enable Stay signed in for integrated authentication flows, admins can now configure their sign-in experience such that the option to Stay signed in is provided either before the user signs in to Okta or before and after the user completes multifactor authentication. If a user selects Stay signed in, they won't be challenged for MFA the next time they sign in. In addition, users will now be able to sign out of all active Okta sessions from the Okta End-User Dashboard. See Stay signed in.
Granular permissions to manage directories
This feature enables you to assign permissions to view and manage directories as part of a customized admin role. Admins without universal application administrator permissions can handle directory-specific tasks.
Improved password reset process for Active Directory-sourced users
The password reset process sends password update and verification requests to the same Active Directory agent to avoid replication delay.
Device Context using Limited Access in Okta Identity Engine
You can now pass device context using Limited Access in Okta Identity Engine. See Pass Device Context using Limited Access in Okta Identity Engine.
Unknown devices detection using fingerprint
Admins can now configure how unknown devices are treated based on the presence of a device fingerprint.
New requirement for email customizations
To prevent phishing attacks, Okta now requires orgs to have a custom domain to send customized emails. All customized emails currently sent from the Okta domain are disabled, and orgs that use the Okta domain can send default email templates only. This feature is currently enabled by default for new orgs only.
Enhanced System Log Event
The policy.evaluate_sign_on System Log event now shows the assurance policy factor requirement and a list of the available authentication factors for the sign-on event.
Cornerstone OnDemand now uses OAuth for authentication
Cornerstone OnDemand replaced the previous authentication method with OAuth authentication to improve security for provisioning. Create a new Cornerstone OnDemand app instance and configure it to use OAuth credentials. See Configure provisioning for Cornerstone OnDemand.
Styling change for Brands pages
The section of the Admin Console now uses Odyssey UI components. There's no change to functionality, but some of the styling is different.
AAL values for Login.gov IdP
The Login.gov IdP configuration has been updated to include all allowed AAL values. See Create an Identity Provider in Okta.
New System Log information for password policy changes
System Log entries for password policy changes now display the policy settings before and after the update was made.
Improved System Log map view
The System Log map view now includes a reset button and left and right bounds on the zoom function.
New System Log information for MFA enrollment policy changes
System Log entries for MFA enrollment policy changes now display the policy settings before and after the update was made.
IP binding for Admin Console setting
The General Security page has a new IP binding for Admin Console setting. When you enable this setting, all of the admin sessions in your org are associated with the system IP address that they signed in from. If the IP address changes during the session, the admin is signed out of Okta, and an event appears in the System Log. See General Security.
Additional operator for date filter
The date filter is now standardized across all reports and includes the in range operator.
Early Access
Direct End-User Settings access
Users may now access their Settings page through a direct URL in addition to the End-User Dashboard. This feature provides convenience and security for users, gives admins greater flexibility when working with End-User Dashboard access control scenarios, and includes accessibility and UX improvements. See User settings.
Enforce Number Challenge for Desktop MFA
You can now enforce number challenge on all push notifications for Desktop MFA, regardless of the authentication policy. See Configure Desktop MFA policies.
Realms for Workforce
Realms allows you to unlock greater flexibility in managing and delegating management of your distinct user populations within a single Okta org. See Manage realms.
Trusted App filters
Trusted App filters allow orgs to block applications from invoking Okta FastPass in Windows, and in Google Chrome and Firefox browsers for macOS. See Trusted app filters.
Google Workspace 1-click federation
Admins can set up SSO to Google Workspace using a simplified integration experience that saves time and reduces the risk of errors.
Fixes
- Sometimes group membership changes in a downstream app weren't reflected upon source app assignment in Okta. (OKTA-647132)
- When users clicked the X in the upper-right corner of the Edit User Assignment page, the page wasn't restored to the default User Assignment view. (OKTA-651313)
- The MFA Usage report sometimes displayed L10N_ERROR instead of the MFA factor. (OKTA-658326)
- Office 365 user licenses were randomly removed. (OKTA-665130)
- During Okta Verify enrollment, the Scan the QR code option was incorrectly displayed for the requests coming from a mobile device. (OKTA-671029)
- Users in certain geolocations couldn’t sign in to Okta, even when the org’s policies didn’t block the location. (OKTA-671528)
- Importing large group membership data failed for orgs using ranged queries. (OKTA-672521)
- The Jira On-Premises app authenticator didn't include a relay state parameter. (OKTA-673058)
- Password age validation incorrectly appeared on the new user registration window. (OKTA-673824)
- The Display application icon in the Okta Mobile app option was incorrectly available for the Application visibility property in the Application Integration Wizard (AIW). (OKTA-674235)
- During self-service registration, users didn't receive the verification email when enrolling Okta Verify with Push. (OKTA-677750)
- On the Tasks page, the user search didn't return any results for deactivated users. (OKTA-677822)
- AD users created through JIT couldn't reset their password even if it was set to change after they first signed in. (OKTA-679679)
- Google licenses were missing from the Universal Directory profile. (OKTA-684513)
- During LDAP authentication, orgs with large customer databases experienced slower-than-expected queries. (OKTA-686417)
- Some links on the Admin Dashboard to Okta Documentation didn't work. (OKTA-693031)
- Users were prompted to enter a password twice when signing in. (OKTA-699026)
- Read-only admins could modify the IP restrictions of other users' tokens. (OKTA-700117)
- Some text was truncated on the Recent Activity page. (OKTA-700858)
- The locale attribute from the user profile wasn't correctly populated to the telephony inline hook. (OKTA-700928)
- Admins couldn't enroll or reset FIDO2 authenticators for staged users. (OKTA-701467)
- An inline hook secured by an OAuth 2.0 token that had no expiry value returned an HTTP 400 Bad Request error. (OKTA-702184)
- The Cornerstone REST API rate limit wasn't honored. (OKTA-702729)
Okta Integration Network
- Acronis Cyber Cloud (SCIM) has a new authorize endpoint, display name, SAML attribute, and icon.
- Dashworks (OIDC) has a new integration guide. Learn more.
- Dashworks (SCIM) has a new integration guide. Learn more.
- Modal (SAML) is now available. Learn more.
- NexHealth (SAML) has a new description and an additional SAML attribute.
- Onyxia (SAML) is now available. Learn more.
- Paved (OIDC) is now available. Learn more.
- Reftab Discovery (API service) is now available. Learn more.
- Resonance by spiderSilk (SAML) is now available. Learn more.
- Semana (SAML) is now available. Learn more.
- SpotDraft (SAML) is now available. Learn more.
- Vansec (SCIM) is now available. Learn more.
Weekly Updates
Fixes
- Authentication policy rule configurations didn't always appear on the tab. (OKTA-678382)
- AD-sourced users weren't automatically activated after they completed self-service registration. (OKTA-685912)
- The timeout warning for the End-User Dashboard displayed the remaining session time incorrectly. (OKTA-688731)
- Admins couldn't edit a resource set if it was included in a deleted delegated flow. (OKTA-692981)
- Enrollment in the Duo Security authenticator failed when users tried to reset their password. (OKTA-692990)
- Custom admins with the Manage application settings permission could trigger privilege escalation. (OKTA-693765)
- The sign-in page displayed an inaccurate message to users who requested a reset password email. (OKTA-696975)
- Admins couldn't create multiple group rules at the same time. (OKTA-702040)
- When using granular authentication in some scenarios, users couldn't sign in using a security question after successful enrollment. (OKTA-702275)
- When using granular authentication, users were prompted to enroll in authentication methods that did not satisfy the authentication policy. (OKTA-702538)
- Group and read-only admins could manage API tokens for other admins. (OKTA-702918)
- In orgs that used granular authentication, users sometimes saw an error message at the enrollment prompt. (OKTA-703166)
- The help link on the page was incorrect. (OKTA-704223)
- The MFA Enrollment form didn't contain a filter value for smart card authenticators. (OKTA-704634)
- Users were assigned a random role defined in Zendesk when custom role values were mapped to Zendesk users assigned No Custom Role in Okta. (OKTA-706468)
- Admins were unable to save sign-in page settings for the default brand when using the third-generation widget. (OKTA-712531)
Okta Integration Network
- Adzact (OIDC) is now available. Learn more.
- Andromeda Security (SAML) is now available. Learn more.
- Backpac (SCIM) is now available. Learn more.
- Brivo Identity Connector (EU) (SCIM) is now available. Learn more.
- CardioCard (SAML) is now available. Learn more.
- Coda (SAML) has a new integration guide and tenant ID label.
- Coda (SCIM) has a new integration guide.
- EasyLlama (SCIM) is now available. Learn more.
- Flockjay (SAML) is now available. Learn more.
- Indeed (SWA) was updated.
- Island (SCIM) has an updated profile and field mappings.
- Lasso Security (SAML) is now available. Learn more.
- LeaveWizard (SAML) is now available. Learn more.
- LeaveWizard (SCIM) is now available. Learn more.
- NewZapp (OIDC) is now available. Learn more.
- NexHealth (SAML) has an additional SAML attribute.
- Office Depot (SWA) was updated.
- Payflows (SAML) has an additional SAML attribute.
- QReserve (SAML) has a new logo and integration guide.
- Rotate (API service) is now available. Learn more.
- SAP Concur Solutions (SWA) was updated.
- Sauce Labs (SAML) is now available. Learn more.
- senhasegura (SAML) is now available. Learn more.
- Skippr OIDC for Organizations (SCIM) is now available. Learn more.
- Spline (OIDC) is now available. Learn more.
- Summize (OIDC) has a new redirect URI.
- Summize (SCIM) is now available. Learn more.
- Synqly Identity Connector (API service) is now available. Learn more.
- Tamnoon (SAML) has a new logo.
- Truckstop.com (SWA) was updated.
- Whimsical (SAML) has a new logo and integration guide.
Fixes
- Timeouts occurred when fetching Workday prehires in large batches. (OKTA-497101)
- User permission options were displayed for attributes created in an App User Profile. (OKTA-667672)
- The Edit Rule page for sign-on policies sometimes displayed undefined instead of an Identity Provider name. (OKTA-672874)
- Some preview org admins saw error messages while authenticating or End-User Dashboard pages with no menu items. (OKTA-679870)
- An error occurred when an end user reset a factor nickname and left the name field empty in the End-User Dashboard. (OKTA-682875)
- Users couldn't authenticate with Sign in with Okta FastPass when both a SAML Identity Provider (IdP) and SmartCard IdP were configured. (OKTA-688559)
- No System Log entries were created for certain app users when they were assigned a status. (OKTA-690968)
- Some network zone UI elements on the Create token page weren't rendered correctly. (OKTA-693688)
- Users couldn't enroll in Okta Verify using a custom domain on Android devices. (OKTA-698916)
- Client rate limiting configurations for the /login/login.htm endpoint were displayed incorrectly in the Rate Limit dashboard and were in an inconsistent state for some orgs. (OKTA-699914)
- Some users encountered error messages when they tried to enroll FIDO2 security keys, Okta Verify, and the phone authenticator. (OKTA-700625)
- A warning didn't appear when admins disallowed authentication methods that were required for phishing-resistant and hardware-protected authentication policies. (OKTA-700986)
- Some deactivated admins continued to receive email notifications. (OKTA-702015)
- The Japanese version of Reports used an inappropriate date selector format. (OKTA-702599)
- In orgs that used granular authentication, users sometimes saw an error message at the inline enrollment prompt if User Verification was required and Security Question was allowed for authentication. (OKTA-702971)
- Users received an error when trying to enroll the phone authenticator from the end user settings page. (OKTA-703248)
- Regular expressions couldn't be used to define Allowed DB Groups for Amazon Redshift, which prevented large lists of groups from being defined. Select Use RegEx in Allowed DB Groups (Redshift) to use regular expressions when defining allowed groups. (OKTA-703940)
- Realm searches started from the current page of results rather than the beginning of all results. (OKTA-704314)
- When some orgs tried to publish changes to their customized sign-in page, all previous customizations were lost and it was restored to the default version. (OKTA-704885)
- Okta sometimes incorrectly returned an Invalid Phone Number error during SMS factor enrollment. (OKTA-705078)
- Reactivation of the Profile Enrollment feature resulted in duplicate UI elements. (OKTA-706021)
- Users were assigned a random role defined in Zendesk when custom role values were mapped to Zendesk users assigned No Custom Role in Okta. (OKTA-706468)
- The Security Question warning didn't apply to passwordless multifactor authentication. (OKTA-706505)
- When no agents were connected during scheduled incremental imports, an incremental to full import conversion event was incorrectly logged. (OKTA-706698)
- The system selected outdated profile sources during the user creation process. (OKTA-709538)
- In organizations with Realms enabled, custom admins with the Edit users' profile attributes permission also required the Manage users permission to update a user's profile. (OKTA-709725)
- Some users could change their username on the Personal information page. (OKTA-711450)
- The Settings page appeared blank for some users. (OKTA-711495)
Okta Integration Network
- Akitra (OIDC) is now available.
- Cisco Identity Intelligence - Read-Only Management (API service) is now available.
- Cloud Auth (API service) is now available.
- Cloud Auth (OIDC) is now available.
- Covey (OIDC) is now available.
- CrashPlan (SAML) has a new integration guide.
- DeleteMe (SCIM) is now available.
- Growrk (SAML) is now available.
- incentX (OIDC) is now available.
- Infor EAM (SWA) was updated (OKTA-710635).
- Jurnee (OIDC) is now available.
- Jurnee (SCIM) is now available.
- Loop & Tie (OIDC) is now available.
- Mailosaur (OIDC) is now available.
- Mailosaur (SAML) has a new integration guide.
- Mailosaur (SCIM) is now available.
- Mangopay (OIDC) is now available.
- Morgan Stanley at Work - Administrator (SAML) is now available.
- Mula Shops (OIDC) is now available.
- NetActuate Portal (SAML) is now available.
- Nudge Security (OIDC) is now available.
- Ordergroove (OIDC) is now available.
- PromoJukeBox (OIDC) is now available.
- Reco (API service) is now available.
- Salto Okta Adapter OAuth (OIDC) is now available.
- Schwab Advisors (SWA) was updated (OKTA-699789).
- Secure Code Warrior (SCIM) is now available.
- Sirius XM (SWA) was updated (OKTA-693279).
- SpotDraft (SCIM) is now available.
- Square 9 GlobalSearch (OIDC) is now available.
- Square 9 GlobalSearch (SCIM) is now available.
- Tabular (OIDC) is now available.
- WorkWhile (OIDC) is now available.
- Zscaler (OIDC) is now available.
- Zscaler (SCIM) is now available.
Version: 2024.02.0
February 2024
Generally Available
Sign-In Widget, version 7.15.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta LDAP agent, version 5.19.1
This version of the agent fixes the expiring signature error that prevented agents from auto-updating to the newest LDAP agent version. See Okta LDAP Agent version history.
Okta Active Directory agent, version 3.16.1
This version of the agent fixes an expiring signature error that prevented agents from auto-updating to the newest Active Directory agent version. See Okta Active Directory agent version history.
Okta MFA Credential Provider for Windows, version 1.4.2
This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows Version History.
Assign admin roles to an app
Orgs can now assign admin roles to their custom API Service Integrations. Apps with assigned admin roles are constrained to the permissions and resources that are included in the role assignment. This helps ensure that apps only have access to the resources that are needed to perform their tasks, and improves orgs' overall security. See Work with the admin component.
Seamless ISV experience
Okta now provides a seamless ISV experience to optimize the Okta Integration Network (OIN) submission experience for SAML and OIDC integrations. This new experience enables independent software vendors (ISVs) to build and manually test their integration metadata before submission. This reduces the time needed for the OIN team to review and validate that the integration functions as intended, which shortens the time to publish in the OIN.
This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See Publish an OIN integration overview and Submit an SSO integration with the OIN Wizard guide.
Email or password no longer required in authenticator enrollment policy
Currently, the authenticator enrollment policy requires either email or password, even when you’ve enabled another authenticator for authentication. Now you can set email or password as optional or disabled in the policy, and instead require stronger authenticators like Okta Verify, Okta FastPass, and FIDO2 (WebAuthn) for authentication. With this change, passwordless users who initially signed in with an email now receive the activation email. See Create an authenticator enrollment policy.
Force authentication
Orgs now support force authentication for WS-Fed SSO requests. Users must re-authenticate when a WS-Fed authentication request includes Wfresh=0.
DPoP support for Okta management API
You can now use OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) access tokens to access Okta management APIs. See Configure OAuth 2.0 Demonstrating Proof-of-Possession.
MFA Activity report
The new MFA Activity report provides insight into the MFA trends in your org. It helps you understand which authentication methods were used to access Okta and Okta-protected apps. The report also provides information about the characteristics of authenticators, helping you measure how phishing resistant your org is. See MFA Activity report.
LDAP real-time synchronization
With real-time synchronization, user profiles, groups, and group memberships can now be updated when LDAP-sourced users sign in to Okta, or when they refresh their People page. Admins no longer need to perform full or incremental imports of user attributes, and user profiles, groups, and group memberships are always up to date. Real-time synchronization also reduces the burden on system resources because user attributes are imported and updated individually and not in large groups. See Manage your LDAP integration. This feature is being re-released.
Reports field update
The operator field of the Reports Edit Filters dialog shows the selected item in the dropdown menu.
Dynamic user schema discovery now available
Dynamic user schema discovery is now available for SCIM app integrations that support user entitlements and Identity Governance.
OIN connector support for Entitlement Management
The PagerDuty and Zendesk connectors have been updated to support Entitlement Management. See Provisioning-enabled apps.
App integration tile now available for Okta Workflows
Users who are assigned to the Okta Workflows app integration now have a dedicated tile on their End-User Dashboard to launch the Okta Workflows Console. See Workflows Console.
API setting now an Admin Console option
The Use Persistent Name ID (Higher Security) checkbox allows more secure account linking. This setting allows Okta to determine the associated user account by matching the Name ID with the External ID. When no match is found, Okta uses the IdP username value for account matching.
New action items for self-service upgrades
The OIE Upgrade Hub displays action items if orgs have non-writable attributes in their self-service registration policy or a factor enrollment policy set to Do Not Enroll. See Self-service upgrade action items.
New System Log event
There's a new system.mfa.preregister.initiate System Log event. The event appears for event hooks and represents MFA preregistration flow initiation. Currently, it's only available for pre-registered YubiKey enrollments.
UI enhancements to Authenticator Enrollment tab
The Authenticator Enrollment tab has been updated to include information about how the enrollment works.
Super admin role now required to update direct authentication grants
Super admin permissions are now required to enable or change direct authentication grants for clients.
Early Access Features
Protected actions in the Admin Console
The protected actions feature provides an additional layer of security to your org. It prompts admins for authentication when they perform critical tasks in the Admin Console and helps ensure that only authorized admins can perform these tasks. Super admins can configure the authentication interval for their org. See Protected actions in the Admin Console.
Detect and block requests from anonymizing proxies
Orgs can now detect and block web requests that come from anonymizers. This helps improve the overall security of your org.
Network zone allowlists for SSWS API tokens
Admins can now specify a network zone allowlist for each static (SSWS) API token. These allowlists define the IP addresses or network ranges from which Okta API requests using SSWS API tokens can be made. This prevents attackers and malware that steal an SSWS token from replaying it outside of the specified IP range to gain unauthorized access.
Custom languages for email templates
Admins can now customize Okta-generated emails in any BCP47-formatted language. Previously, customizations were limited to 27 Okta-supported languages. This feature allows admins to configure additional locales using Okta’s Brands API. When a new locale is configured, it's available as a new language selection within the Email Templates Editor. See Customized Email Notifications.
Dynamic OS version compliance for device assurance
You can configure OS version compliance by using device assurance. However, you have to manually update the policies every time a new OS version or patch is released. With Dynamic OS version compliance, Okta updates device assurance policies with the latest OS versions and patches, eliminating the need for manual updates. With this feature you can ensure OS version compliance in your org without tracking OS releases. See Add a device assurance policy.
Prevent new single-factor access to the Admin Console
This feature prevents admins from configuring any new single-factor access to the Admin Console. There's no impact to any existing rules that allow single-factor access.
Fixes
- OKTA-649640: Password rules weren't correctly translated in French.
- OKTA-664368: Assistive technologies couldn't read the Which option do you want to try? label on the Sign-In Widget.
- OKTA-668324: Email notifications that were sent when a password was reset by Okta Support didn't include Support information.
- OKTA-668665: The re-authentication frequency labels on the Authentication Policies page weren't clear.
- OKTA-669735: When an admin was removed from a group that was imported from an app, their user profile still displayed the admin assignments that were granted through the group’s membership.
- OKTA-678416: Some special characters and symbols were displayed incorrectly in the Sign-In Widget (3rd generation).
- OKTA-678489: Voice calls to some destinations didn't work when a 7-digit phone number with a 3-digit extension was entered.
- OKTA-680179: The Sign-In Widget displayed the wrong error message to users whose activation token was invalid when they attempted to register with Okta.
- OKTA-680483: The self-service registration form accepted invalid input for the first and last name fields.
- OKTA-680795: Admins couldn't access the Access Testing Tool in some preview orgs.
- OKTA-681083: Voice calls for MFA challenges were not completely translated in Vietnamese when the user's locale was set to Vietnam.
- OKTA-682202: If an admin’s role had a conditioned permission, they couldn’t assign apps to users.
- OKTA-689632: The IssuerDN PIV IDP matching attribute was referencing the wrong value in the certificate.
- OKTA-690143: Unicode characters deemed illegal for HTTP headers were being accepted.
- OKTA-691492: Continuous Access terminated sessions even though users were able to authenticate.
Okta Integration Network
App updates
- The Elba SSO app integration has new redirect URIs.
- The Ermetic app integration has been rebranded as Tenable Cloud Security.
- The Ermetic JIT app integration has been rebranded as Tenable Cloud Security JIT.
New Okta Verified app integrations
- Bedrock Security (SAML)
- Boomerang by BuyerAssist.io (OIDC)
- Codefresh by Aquera (SCIM)
- Handoffs (OIDC)
- Procyon (OIDC)
- Procyon (SCIM)
- ProdPad by Aquera (SCIM)
- SwaggerHub by Aquera (SCIM)
- TallyFi (SAML)
- TriNet by Aquera (SCIM)
- Xero by Aquera (SCIM)
Weekly Updates
Generally Available
Redesigned resource set pages
The Create new resource set and Edit resource set pages that are displayed when an admin creates or edits a resource set now provide a simpler, more intuitive user experience. See Create a resource set. This feature is being re-released.
Redesigned admin role pages
The Create a role and Edit role pages for custom admin-role configuration now provide a simpler, more intuitive user experience. See Create a role. This feature is being re-released.
HTTP header filter
To improve the security of your org, Okta now filters and encodes any illegal Unicode characters for outgoing HTTP headers.
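A sketch of what filtering and encoding illegal characters in an outgoing header value can look like. This is an added example, not Okta's implementation: the function names and the policy (drop control, format and separator characters, percent-encode all other non-ASCII characters as UTF-8) are assumptions, and the sample inputs are constructed.

```python
import unicodedata
from urllib.parse import quote

# Unicode general categories that are dropped outright (assumed policy):
# Cc = control (CR, LF, NUL, DEL, C1), Cf = format (zero-width, BOM),
# Zl/Zp = line/paragraph separators, Cs = lone surrogates.
_DROP = {"Cc", "Cf", "Zl", "Zp", "Cs"}


def sanitize_header_value(value: str) -> str:
    """Return a header value containing only HTAB, SP and visible ASCII."""
    out = []
    for ch in value:
        if ch == "\t" or " " <= ch <= "~":
            out.append(ch)                  # legal field-value character
        elif unicodedata.category(ch) in _DROP:
            continue                        # filtered: never reaches the wire
        else:
            out.append(quote(ch, safe=""))  # encoded: UTF-8 bytes as %XX
    return "".join(out).strip(" \t")


def is_wire_safe(value: str) -> bool:
    """True if every character is HTAB, SP or visible ASCII."""
    return all(ch == "\t" or " " <= ch <= "~" for ch in value)


# Constructed sample inputs (not taken from Okta).
SAMPLES = {
    "crlf": "en-US\r\nX-Injected: 1",
    "accented": "Jos\u00e9",
    "line_sep": "a\u2028b",
    # U+010D / U+010A have low bytes 0x0D / 0x0A, so an encoder that
    # truncates code points to 8 bits would emit CR LF for them.
    "low_byte_crlf": "a\u010d\u010ab",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {raw!r} -> {sanitize_header_value(raw)!r}")
```

Encoding rather than dropping the non-ASCII characters keeps the original value recoverable by a receiver that percent-decodes it, while the bytes on the wire stay within the legal header range.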
Fixes
- OKTA-597892: In orgs configured to perform batch imports for all apps, small batch sizes resulted in slower than expected imports.
- OKTA-630153: The Japanese translation for the Smart Card Authenticator wasn't displayed correctly.
- OKTA-673389: String attributes couldn't be set to an empty string.
- OKTA-682104: Org2Org group push reset custom attributes to undefined.
- OKTA-686922: An error occurred when admins deleted inactive Microsoft Office 365 app instances that were configured to use manual federation.
- OKTA-688729: When an Okta admin session timed out, the Signed out window wasn't displayed correctly and the Sign in button wasn't clickable.
- OKTA-688938: Admins whose custom role contained the Manage customizations permission couldn't preview email templates.
- OKTA-690143: Illegal Unicode characters were accepted for HTTP headers.
- OKTA-691492: Continuous Access terminated sessions for users who were able to authenticate.
- OKTA-695783: Users couldn't enter a period (.) in their first or last name during self-service registration.
- OKTA-698353: Admins couldn't enable the Prevent new single-factor access to the Admin Console feature.
Okta Integration Network
New Okta Verified app integrations
- Amazon WorkDocs by Aquera (SCIM)
- Amazon WorkMail by Aquera (SCIM)
- Mailosaur (SAML)
- Smartsheet v2 (SAML)
Generally Available
Cornerstone OnDemand now uses OAuth for authentication
Cornerstone OnDemand replaced the previous authentication method with OAuth authentication to improve security for provisioning. Create a new Cornerstone OnDemand app instance and configure it to use OAuth credentials. See Configure provisioning for Cornerstone OnDemand.
Fixes
- OKTA-491520: The Edit Filters dialog of the MFA Enrollment by User report didn't support the is set and is not set operators for the Authenticator type field.
- OKTA-645205: When an admin deleted all groups or users included in a policy, the user/group condition and policy status displayed incorrect values.
- OKTA-656265: Sometimes, an OAuth 2.0-secured inline hook that contained a custom domain authorization server in the token URL returned a null pointer exception error, instead of an appropriate error.
- OKTA-663294: The issuer mode appeared blank on authorization servers when it was set to Custom URL.
- OKTA-676932: Users couldn't unenroll their password in password-optional configurations.
- OKTA-679870: Some preview org admins saw error messages while authenticating or org pages with no menu items.
- OKTA-679978: Content Delivery Network (CDN) resources related to the Sign-In Widget didn't serve the Subresource Integrity (SRI) attributes.
- OKTA-683026: Okta sometimes incorrectly returned an Invalid Phone Number error during SMS factor enrollment.
- OKTA-686636: Admins couldn't automatically provision users to the Cornerstone OnDemand app.
- OKTA-687111: When a user who was assigned an app through a group clicked the link in the activation email, they weren't directed to the app.
- OKTA-687439: The MFA Enrollment by User report displayed Group names instead of Groups in the Edit Filters dialog and in the Users table.
- OKTA-688688: Some devices didn't identify as managed due to mismatched certificate sizes.
- OKTA-691848: Sometimes, users could edit their profile on devices that weren't enrolled in FastPass.
Okta Integration Network
App updates
- The Recurly app integration now has group push functionality.
New Okta Verified app integrations
- Mark AI (SAML)
- NexHealth (SAML)
- Payflows (SAML)
- Rimo Voice (SAML)
- Sendoso (SCIM)
- Tradespace (SCIM)