Hyperdrive agent, version 1.2.0

Okta for MFA provides more security for Electronic Prescribing for Controlled Substances (EPCS) clinician flows when using the Epic Hyperdrive platform. This plugin is compatible with both Classic Engine and Identity Engine orgs (EPCS clinician flows for customers still using the deprecated Epic Hyperspace platform aren't supported on Identity Engine). See MFA for Electronic Prescribing for Controlled Substances - Hyperdrive and Okta Hyperdrive agent version history.

Okta LDAP agent, version 5.13.0

This version contains:

• An upgraded version of Amazon Corretto

• Security fixes

• Improved handling of exception in poller thread

• Bug fixes

This agent will be gradually made available to all orgs.

See Okta LDAP Agent version history.

JIRA Authenticator Toolkit, version 3.1.9

This version contains:

• Support for Jira 8.22.2

• Bug fixes

See Okta Jira Authenticator Version History.

Okta Browser Plugin, version 6.10.0

This version includes the following fixes:

• Some elements weren't accessible in the Okta Browser Plugin Change password dialog.
• The Okta Browser Plugin briefly displayed a prompt when users opened SWA apps from the dashboard.

See Okta Browser Plugin version history.

Expose groups in the LDAP interface directory information tree (DIT)

To simplify access control decisions for their orgs, admins can now select the groups they want to expose in the LDAP interface directory information tree (DIT). In addition to Okta groups, admins now have the option to view the application groups that are significant to their orgs, including Active Directory (AD) and LDAP groups. See Expose app groups in the LDAP interface directory information tree.

Symantec VIP authenticator now available

The Symantec VIP authenticator is now available in Okta Identity Engine. Enterprises that use Symantec VIP to verify their users’ identities may now integrate this authenticator into their Okta environments and use it to protect access to their Okta orgs and apps. See Configure Symantec VIP authenticator.

Password as optional authenticator

Passwords are weak authenticators and prone to security issues. Currently all users are required to enroll a password. This also causes friction during the self-service registration process. You can now create a password-optional or passwordless sign-in experience for your end users. It makes the registration process quicker by removing the need to set up a password. It also provides a safer and more secure sign-in experience as users can instead use stronger authenticators such as possession-based authenticators or biometrics. Okta gives you the flexibility to target specific groups of users in your organization with passwordless flows, allowing you to gradually roll out the experience across your entire user base. See Set up passwordless sign-in experience.

Improved email magic link authentication experience

Email magic links have been enhanced to allow end users to authenticate in two different contexts. They can authenticate in the same location where they click the link and quickly return to the application context. Or, if the end user clicks the link in a different browser, they can enter a one-time password to proceed with authentication. Previously when using email magic links to sign in to an application, end users had to return to the original browser location where they initiated the sign-in attempt. Okta ensures that end users can prove ownership of both the originating tab and the tab where they clicked the email magic link. See Configure the Email authenticator and Sign in to resources protected by Okta.

New System Log events

Two new System Log events track when a new authenticator is created and when an existing authenticator is updated:

• security.authenticator.lifecycle.create: This event is recorded when an admin creates a new authenticator for the org. It can be used to identify who created an authenticator and which authenticator was created. The actor specifies the user who created the authenticator and the target specifies the authenticator name and the ID. This event may also contain some authenticator-specific information.

  

• security.authenticator.lifecycle.update: This event is recorded when an admin updates an authenticator in the org. It can be used to identify who updated an authenticator and which authenticator was updated. The actor specifies the user that updated the authenticator and the target specifies the authenticator name and the ID. This event may also contain some authenticator-specific information.

  

System Log events for telephony rate limit violations

Telephony system.sms.send.* and system.voice.send.* events are now issued with a DENY System Log message when SMS or voice messages are blocked due to telephony operational rate limit violations. The system.operation.rate_limit.violation event is still fired but will be deprecated in the 2022.08.0 release.

See System Log.

Enhancements to the base OIDC IdP connector

The generic OpenID Connect (OIDC) identity provider (IdP) connector offers PKCE as an additional verification mechanism. You can also define a regular expression to match Okta usernames when authenticating through this connector. See Create an Identity Provider in Okta.

OIN Manager user interface changes

The OIN Manager includes the following updates:

• The App categories field has been renamed to Use cases to be consistent with the OIN catalog.

• Single Sign-On is the default use case.

JWT claim enhancement

For custom JSON Web Token (JWT) claims, the name portion now supports the URI format, including the slash and colon characters. Any name containing a colon character must be a URI.

System Log enhancement for inline hook types

The inline hook type is now included in the debug data for a System Log debug context event.

Unique names enforced for custom admin roles

When a super admin creates a custom admin role with a duplicate role name, the following error message now appears: There is already an admin role with this name. See Custom administrator roles.

Improved text for resource set constraints

On the Create new resource set and Edit resource set pages, the Constrain to all check box labels now include the selected resource type (Constrain to all groups, for example). See Work with the resource set component.

User interface label change

The Device Bound checkbox label on the Authentication Policy Add Rule modal has been changed to Exclude phone and email authenticators. See Add an authentication policy rule.

Additional detail now provided on the Sign-In Widget

The Verify it’s you with a security method page of the Sign-In Widget now displays the name of the app under each security method listed.

User interface help text changes

Enhancements to the help text on the Identity Provider pages align with product changes and improve user experience. See Identity Providers.

User Activation template update

Admins can now add the fromURI to the User Activation email template. This enables user activation from any registered OIDC app in the org.

Help menu updates

In the global help dropdown menu, help links are renamed and now contain resource descriptions.

Global session policy UI updates

UI strings for the global session policy’s authenticator requirements were updated. SeeAdd a global session policy rule.

Policy condition text changes

Enhancements were made to the multifactor authentication items on the Global Session Policy Add Rule modal to improve user experience. See Add a global session policy rule.

System Log enhancements for token exchange flow

A ResponseTime field has been added to the System Log to track the performance of the token exchange flow.

Revised error message for password policy rule updates

Admins now see a clearer error message if they attempt to require additional verification in a password policy rule in which the Email, Phone, or Okta Verify authenticator are used for recovery and no other authenticators are enabled.

OIDC Identity Providers private/public key pair support

Previously, Okta only supported the use of client secret as the client authentication method with an OpenID Connect-based Identity Provider. Okta now supports the use of private/public key pairs (private_key_jwt) with OpenID Connect-based Identity Providers. Additionally, the Signed Request Object now also supports the use of private/public key pairs. See Create an Identity Provider in Okta.

OKTA-471339

Creating a new LDAP integration from the App Catalog resulted in a Resource not found error.

OKTA-479711

When a user added or removed from a group with a custom admin role, the System Log displayed a Grant user privilege event.

OKTA-480925

Admins didn’t receive timely email notifications when users locked themselves out of their accounts.

OKTA-482826

Some users imported from Active Directory were stuck in one-time password mode if they were activated more than once.

OKTA-488912

When a super admin searched for a group on the Edit resources to a standard role page, the search results didn’t appear until the admin typed in at least three characters.

OKTA-489049

When admins clicked the Tasks tab on the End-user Dashboard, the page took too long to load and the web browser became unresponsive if there were a large number of entitlements.

OKTA-491194

Deleting a custom attribute created a job that consistently timed out for orgs with a large number of users.

OKTA-491583

When using an OIDC app with refresh tokens, clients could obtain an access token through an existing refresh token if the user consent to the offline_access scope was revoked.

OKTA-493059

Admins couldn't upload certificate chains in tree format.

OKTA-493075

The Admin Role Assignments report sometimes included duplicate records.

OKTA-493119

Some users who attempted to sign in through an external IdP received a rate limit error and couldn't return to the sign-in page.

OKTA-496025

The Delete dialog in the LDAP interface was missing a question mark.

OKTA-497934

The Group Search endpoint didn't reflect the last membership update.

OKTA-498383

Some read-only admins could edit policy assignments.

OKTA-501623

Simultaneous user profile updates and deactivations sometimes resulted in a permanent DEACTIVATING status for the user.

OKTA-501729

When an admin created a new user with the User must change password on first login option selected, the user's status was mistakenly set to ACTIVE instead of PASSWORD_EXPIRED.

OKTA-502404

Users couldn’t temporarily sign in if their org subdomain was changed.

OKTA-502620

In Assign People, users who were removed from the permitted group were still available.

OKTA-503017

On the Profile Enrollment page, admins could delete the Default Policy. After refreshing the page, the default profile enrollment policy was restored, but attempting to edit that policy resulted in a blank page.

OKTA-503377

Users could use ADSSO to sign in to Okta when delegated authentication was disabled.

OKTA-503378

Users could continue to use the Okta IWA Web agent to sign in to Okta when delegated authentication was disabled.

OKTA-503715

The file sizes and hash values displayed on the Downloads page for the Linux RADIUS installers were incorrect.

OKTA-505960H

Admins who clicked the Resources > Help Center link from the Admin Console weren’t automatically signed into the Okta Help Center.

Okta AD agent, version 3.11.0

This version of the agent contains the following changes:

• Increased minimum .NET version supported to 4.6.2. If the installer doesn't detect .NET 4.6.2 or higher, it won't be installed.

• Security enhancements

• Removed unsupported libraries

See Okta Active Directory agent version history.

Okta ADFS plugin, version 1.7.10

This version of the plugin contains bug fixes and security enhancements. See Okta ADFS Plugin Version History.

Okta RADIUS agent, version 2.17.4

This version of the agent contains bug fixes and security enhancements. See Okta RADIUS Server Agent Version History.

Okta On-Prem MFA agent, version 1.5.0

This version of the agent contains security enhancements. See Okta On-Prem MFA Agent Version History.

Jira Authenticator, version 3.1.8

This release contains bug fixes. See Okta Jira Authenticator Version History.

Okta Resource Center access

The Okta Resource Center is a collection of product tours, step-by-step guides, and announcements that helps you learn about new features and how to perform tasks within the Admin Console. You can launch the Okta Resource Center by clicking the blue icon from anywhere in the Admin Console. See Okta Resource Center.

Use Okta MFA for Azure AD Conditional Access and Windows Hello for Business Enrollment

You can use Okta MFA to:

• Satisfy Azure AD Conditional Access MFA requirements for your federated Office 365 app instance.
• Enroll end users into Windows Hello for Business.

See Use Okta MFA to satisfy Azure AD MFA requirements for Office 365.

Sign-In Widget enhancements for self-service password reset and default registration page

Okta has enabled the self-service password reset function for embedded authorization on all new and upgraded Identity Engine orgs. For integrations using embedded authentication, client applications can now use a recovery token when launching the Sign-In Widget to start the recovery flow. In addition, a new endpoint at /{orgurl}/signin/register gives you the ability to point your Sign-In Widget directly to the registration page for default applications.

Client secret rotation and key management

Rotating client secrets without service or application downtime is a challenge. Additionally, JSON Web Key management can be cumbersome. To make client secret rotation a seamless process and improve JWK management, you can now create overlapping client secrets and manage JWK key pairs in the Admin Console. You can also create JWK key pairs from the admin console without having to use an external tool. See Manage secrets and keys for OIDC apps.

Personal Identity Verification

Personal Identity Verification is now supported on Okta Identity Engine. See Add a Smart Card IdP.

Okta API access with OAuth 2.0 for Org2Org

Previously, the Org2Org integration only supported token-based access to the Okta API. You can now configure the Org2Org integration to access the Okta API as an OAuth 2.0 client. This increases security by limiting the scope of access and providing a better mechanism to rotate credentials. See Integrate Okta Org2Org with Okta.

Custom help links in the Sign-In Widget

Admins can add a custom help link on the authenticator page of the Sign-In Widget. This link can provide just-in-time help with multifactor authentication and can point to an in-house resource or other location. See Customize text on your sign-in page.

PKCE is a verification method for OIDC SPA and Native app integrations

The OIDC App Integration Wizard now identifies that PKCE is not a client authentication method. Instead, for SPA and Native apps, the AIW creates apps listing PKCE as a verification method. See Create OIDC app integrations using AIW.

Add agent permissions to custom admin roles

Custom admins can perform AD agent auto-updates for AD instances they have access to. They can also view the agents dashboard page to see the statuses of all agents associated with app instances they can manage. See Automatically update Okta agents.

Group count tooltip on the Admin Dashboard

On the Admin Dashboard, the Overview section now provides an "Includes only Okta sourced groups and excludes those sourced externally, such as AD groups" tooltip for the Groups count. The new tooltip helps you understand how your groups count is calculated. You can view the tooltip by hovering your cursor over the Groups count on the Overview section. See View your org at a glance.

Okta End-User Dashboard enhancements

• Unread notifications are more visible to users.

• The End-User Dashboard Preview function bar has moved to a separate dialog. See Preview an end user's dashboard.

• The Last sign in link at the bottom of the Okta End-User Dashboard now includes the entire text of the message in the hyperlink.

• The title of the copy password dialog in the Okta End-User Dashboard is more specific.

System Log enhancements for block zone events

• The zone.make_blacklist event in the System Log now encompasses two actions: when an admin creates a blocked network zone, and when an admin marks an existing blocked zone as unblocked. Previously, this event was only recorded when a pre-existing network zone was converted into a block list.

  

• The zone.remove_blacklist System Log event now encompasses two actions: when a network zone is converted into an allow list, and when an admin deletes a blocked zone. Previously, this event was only recorded when a pre-existing network zone was converted to an allow list.

  

System Log enhancement for network zone events

A network zone ID is now added as a target for all network zone events in the System Log.

Enhancements to ThreatInsight

ThreatInsight is improved to further protect rate limit consumption from malicious actors. Requests from actors with a high threat level continue to be logged and/or blocked depending on the org's configuration. Now, additional requests that seem malicious but have a lower threat level no longer count towards org rate limits.

Enhancements to multifactor authentication validation in authentication policies

When creating authentication policies, admins can only select authenticators that are enabled in their org and available to the associated group of users.

OIN Catalog enhancements

Integrations in the OIN Catalog help end users address issues across a variety of industries. Okta has added the ability to filter integrations by industry to help both prospective and current Okta users identify the OIN integrations that best meet their needs. Additionally, the OIN Catalog interface has been updated with the following enhancements for improved navigation:

• The search interface has been updated and popular search terms can now be selected.

• Details pages for integrations have been updated for usability.

• Navigation breadcrumbs have been added to the OIN Catalog.

• Integrations can now be sorted alphabetically and by recently added.

See Add existing app integrations.

OIN Catalog search functionality and filter updates

• OIN Catalog search results now prioritize complete word matches from the search phrase.

• Integrations in the OIN Catalog can now be filtered by RADIUS functionality.

See Add existing app integrations.

OIN Manager enhancements

The OIN Manager now requires that ISV submissions for SCIM integrations confirm that the integration meets API response timing requirements. See Publish an OIN integration.

OKTA-386570

If an LDAP interface bind request failed, subsequent searches failed with an internal server error instead of a permissions denied error.

OKTA-435855

Web and SPA app integrations created with an Authorization code or Interaction code grant type incorrectly returned an error if the Login Initiated By Either Okta or App option was selected.

OKTA-476570

The System Log didn’t display the app name when users entered invalid credentials during an SP-initiated flow.

OKTA-476896

On the Administrators page, deactivated users with assigned admin roles were included in the Individually assigned count.

OKTA-477494

Some invalid EL expressions incorrectly passed validation.

OKTA-477634

Some users experienced delays when searching for an app on the Okta End-User Dashboard.

OKTA-481752

When users tried to enroll in Okta Verify, VoiceOver screen readers didn't highlight the mobile device type correctly or allow users to select a device. It also selected the iPhone option even though the Android option was also available.

OKTA-482266

During PIV authentication where no certificate or an expired certificate was provided, a 404 error was displayed.

OKTA-482435

When admins upgraded an app to SAML 2.0, the SAML 2.0 setup instructions used the org-scoped certificate instead of the app-scoped certificate.

OKTA-483062

Custom application access error pages redirected to the default Okta error page.

OKTA-484366

Admins couldn’t use the objectGuid attribute as a unique identifier when integrating AD LDS LDAP servers with Okta.

OKTA-486141

If an inline hook was registered and in use under a profile enrollment policy, admins could deactivate or delete the hook. This resulted in an error when that policy was used for self-service registration.

OKTA-486974

An internal ID incorrectly appeared in a policy System Log event.

OKTA-488233

Parallel JIT requests for the same username created duplicate users.

OKTA-488234

The sign-in page didn’t load correctly for some orgs after they upgraded to Identity Engine.

OKTA-488428

Some users lost the ability to reveal passwords for an app when the app drawer feature was enabled.

OKTA-488663

When Full Featured Code Editor was enabled, the full screen toggle on the error page code editor didn’t change to a minimize icon.

OKTA-489050

Sometimes an error message was displayed when admins viewed applications in the Admin Console.

OKTA-489448

In SP-initiated flows, the message instructing users to create their accounts was formatted incorrectly.

OKTA-490811

When an unenrolled device attempted to access an app that required device management, the sign-in request didn't fail gracefully.

OKTA-491164

Some admins weren’t assigned the Admin Console when they were added to a group with assigned admin roles.

OKTA-491264

Sometimes when a super admin deleted a custom admin role that contained email notifications, admins couldn’t update their email notification settings.

OKTA-495549

When groups were exposed in the LDAP interface directory information tree, some filters referencing the entryDn attribute returned the incorrect result code if the group wasn’t found.

OKTA-495598

AD-sourced users who reset their passwords in AD had to reset their passwords again when using IWA or ADSSO to sign in to Okta.

App Integration Fix

The following SWA app was not working correctly and is now fixed:

• NDFR/SDU (OKTA-485335)

Okta On-Prem MFA Agent, version 1.4.9

This version of the agent contains security enhancements. See Okta On-Prem MFA Agent Version History.

Okta Browser Plugin, version 6.9.0 for all browsers

This version includes the following changes:

• Keyboard navigation didn't work properly when users attempted to switch to a new app list in the plugin popover window. Users were unable to close the plugin popover window with keyboard input.
• Version 6.8.0 of the plugin caused issues for some users when they attempted to sign in to an SWA app in an iframe.

See Okta Browser Plugin version history.

Admin Experience Redesign toggle removed

The toggle that allowed super admins to switch between the Admin Experience Redesign and the old experience has been removed. All Okta admins now benefit from our restyled Okta Admin Dashboard, responsive navigation side bar, and modern look and feel.

Allow or deny custom clients in Office 365 sign-on policy

You can filter specific clients in an Office 365 app sign-on rule to allow or deny them access to Office 365 resources. This filter can be used to deny access to untrusted clients or to only allow trusted clients. See Allow or deny custom clients in Office 365 sign on policy

Endpoint integrations

The Device Integrations page now includes an Endpoint Security tab, which allows Admins to manage endpoint integrations with Windows Security Center and CrowdStrike. Endpoint Detection and Response (EDR) integration extends device posture evaluation by enabling Okta Verify to capture signals collected by your EDR client running on the same device. See Endpoint security integrations.

Okta FastPass enhancement

With Okta FastPass, an error now appears in the Sign-In Widget if User Verification is not provided when it is required.

Improved AD group membership synchronization

The ADAppUser distinguished name field is now updated when a user is added to an Okta group and a matching group exists in AD. When an Okta provisioning request moves a user to a new organizational unit, the change is quickly duplicated in AD. This new functionality helps ensure the accuracy and integrity of AD group membership information. Manage Active Directory users and groups.

New App Drawer

The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.

ShareFile REST OAuth

Admins can now upgrade to the latest version of our ShareFile integration. OAuth provides more secure authentication and will be now used for Provisioning and Imports. See Configure ShareFile OAuth and REST integration. This feature is made available to all orgs.

Recent activity page link for end users

If Recent Activity is enabled, users can click Last sign in in the footer of the left navigation bar to go directly to the Recent Activity page.

Burst rate limits available on Rate Limit Dashboard

The Rate Limit Dashboard, available from the Admin Console, now includes data on burst limits in your Okta org, in addition to rate limit warnings and violations. The Violations dashboard was renamed Events to acknowledge the increase of scope, and includes the ability to filter on timeline as well as the type of event (warning, burst, and violation). Hovering over the burst rates in the graphs provides more detail and links to the system log for individual endpoint calls. The individual Usage graphs provide details on bursts for the individual API. See Rate limit dashboard and Burst rate limits.

New ThreatInsight enforcement action

If you configure ThreatInsight to log and enforce security based on the threat level detected, ThreatInsight can either limit or block authentication requests from suspicious IP addresses. For example, if a specific IP address is suspected of malicious activity but the threat level is considered low, authentication requests from the IP address are not denied access but might be subjected to a rate limit. See Configure Okta ThreatInsight.

PIV IDP user profile mapping

You can now use idpuser.subjectUid in an Okta user profile when mapping IDP Username for Personal Identity Verification (PIV) IDPs. See Add a Smart Card identity provider.

Default policy updates

The Default Global Session Policy and the default authentication policy now allow access to users with any two factors. See Global session policies.

Global Session Policy default rule

Admins can now edit the primary factor condition in the default rule of their org’s Default Global Session Policy. See Edit a global session policy.

Custom app logo preview

Admins can now preview a custom logo before applying it to an app. See Customize an application logo.

Updated error message for Microsoft Graph API

An error message for Microsoft Graph API has been updated to include more details and a possible workaround.

Debug logging for token exchange

The following fields have been added to the System Log for assistance in debugging OAuth2 token exchange events:

• requested_token_type
• subject_token_type
• actor_token_type
• resource

Updated SAML setup instructions

Setup instructions for SAML 2.0 apps now use per app SHA2 certificate during the app creation.

Change to the number of free SMS messages allowed

To balance growing costs of SMS usage while maintaining a commitment to developer and free trial orgs, Okta is changing the number of free SMS messages these orgs are allowed each month. Beginning April 4, 2022, orgs may send a maximum of 100 messages per month. For more information about this change, visit the Okta Developer Community.

OKTA-442031

Some Okta Mobile sign-in flows didn’t work for admins when the Okta Admin Console app required step-up authentication.

OKTA-456484

When more than one authenticator appeared on the authenticator enrollment page, the Return to authenticator list link didn’t appear.

OKTA-460284

SAP Litmos imports failed with an unexpected error.

OKTA-467278

If an error occurred in Okta Verify during authentication or if authentication was cancelled, a delay occurred before the user was prompted again to select a security method.

OKTA-472816

When app admins selected the Agents tab, the error message “Error rendering agents monitor table” appeared and no agents were listed.

OKTA-473180

Sometimes AssertionId for SAML1.1 assertions was poorly formatted.

OKTA-475767

Sometimes, in the Groups page Description column, an equals sign (=) replaced the forward slash ( / ) in LDAP-sourced group names.

OKTA-475774

Users could use ADSSO to sign in to Okta when delegated authentication was disabled.

OKTA-478467

Admins who didn’t have permission to view the Agent monitors page received agent auto-update email notifications.

OKTA-478537

When admins searched for an authentication policy, only the first 100 policies were visible. This occurred on both the Applications page and the Authentication policies page.

OKTA-479110

The sender email address on the Customizations > Emails page was inconsistent with the sender email address on individual templates.

OKTA-479701

Admins were shown events that were unrelated to their account in the Security Events section of the Recent Activity page.

OKTA-482086

Some admins saw an error if they tried to run a report using resource sets created more than a year ago.

OKTA-483011

Sometimes, Okta IWA agent authentications failed during deployment when IWA replay attack detection was enabled.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

• MyFonts (OKTA-476809)

• Quickbooks Time Tracker (OKTA-476695)

Okta Active Directory Password Sync agent, version 1.5.0

This version of the agent includes:

• Security enhancements.

• Making .NET Framework 4.6.2 the minimal supported version. Earlier versions are automatically upgraded during agent installation.

• Okta Military Cloud support.

See Okta Active Directory Password Sync Agent version history.

Okta AD agent, version 3.10.0

This version of the agent contains:

• Okta Military Cloud support.

• Bug fixes.

See Okta Active Directory agent version history.

Okta LDAP agent, version 5.12.0

This version of the agent contains support for Okta Military Cloud. See Okta LDAP Agent version history.

Event hooks for custom admin roles

Custom admin role events are now available for use as Event Hooks. This provides more security to admins by ensuring that they have the correct permission to perform tasks. See Event hooks.

Enforce limit and log per client mode for OAuth 2.0 /authorize and /login/login.htm endpoints

The default client-based rate limit for OAuth 2.0 /authorize and /login/login.htm endpoints is now elevated to Enforce limit and log per client (recommended) mode. This means that if your org’s client-based rate limit was previously set to Do nothing or Log per client, the setting is changed to Enforce limit and log per client (recommended) mode.

Note that based on the email communication sent out on Feb 3, 2022 and Feb 25, 2022, these changes are not applicable to certain orgs. See Default client-based rate limit mode change.

New ThreatInsight enforcement option

ThreatInsight evaluates authentication requests to detect potentially malicious activity from IP addresses exhibiting suspicious behavior. If you enable the Log and enforce security based on threat level option, ThreatInsight can limit or block authentication requests from suspicious IP addresses based on the threat level detected. For example, if a specific IP address is suspected of malicious activity but the threat level is considered low, authentication requests from the IP address are not denied access but might be subjected to a rate limit. The rate limit helps ensure that requests from a suspicious IP address don't overload authentication services and affect legitimate traffic. However, if an IP address is suspected of malicious activity and the threat level detected is high, authentication requests from the IP address are blocked. See Configure Okta ThreatInsight.

Validation for custom message templates

If you customize the default SMS message template, the Admin Console checks the message to determine whether it contains GSM or non-GSM characters and enforces the GSM or non-GSM character limit before saving the message. This check ensures that you don't create custom SMS messages that exceed the GSM or non-GSM character limit for message segments.

If you change existing custom templates, the new restrictions are enforced if your messages contain non-GSM characters.

For more information about customizing SMS templates, see Configure and use telephony.

Sign-In Widget updates for Okta FastPass

The Sign in with Okta FastPass button no longer appears on the Sign-In Widget when users access Android Native apps that use Webview. Webview doesn't support this functionality.

Copy button updates

In the app settings panel of the Okta End-User Dashboard, the copy buttons for the username and password fields are renamed Copy username and Copy password.

Two new reports

Monitor and improve the security of your org with the following new reports:

• MFA enrollment by user report
  Use this report to view the types and counts of authenticators that users in your org have enrolled. This can improve the security posture of your org by enabling you to understand the adoption of strong authenticators like Okta Verify. See MFA Enrollment by User report.
• User accounts report
  
  Use this report to view users with accounts in Okta and their profile information. It helps you manage and track user access to resources, meet audit and compliance requirements, and monitor the security of your org. The report is located in the Entitlements and Access section of the Reports page. See User Accounts report

OKTA-447833

Admins couldn’t set up a custom domain URL with a top-level domain of .inc.

OKTA-455641

The Edit Assignment page for the Box app didn’t handle non-alphabetical characters properly.

OKTA-466022

Admins whose custom role contained the Run imports permission couldn’t view their org’s LDAP integrations.

OKTA-468707

The System Log didn't display ThreatSuspected=false for authentication events when no threat evaluation was done.

OKTA-468751

When Okta Verify was the only enrolled authenticator, time-based one-time password (TOTP) wasn’t automatically selected even though it was the last-used authentication method.

OKTA-471299

When ThreatInsight evaluated sign-in attempts for unknown users, the threat level was incorrectly displayed as threatLevel=UNKNOWN in the System Log.

OKTA-471605H

In SP-initiated flows, users' sessions ended when they closed the browser even if they selected Keep me signed in.

OKTA-471815

Some customers noticed duplicate Windows devices on the Devices page when users re-enrolled with Okta Verify.

OKTA-471605H

In SP-initiated flows, users' sessions ended when they closed the browser even if they selected Keep me signed in.

OKTA-472304H

Group push for some customers resulted in a timeout error after one minute.

OKTA-473512

When the Custom Admin Roles feature was enabled, super admins were called Super Organization Administrators.

App Integration Fixes

The following SWA app were not working correctly and are now fixed

• Asana (OKTA-467306)
• Dashlane Business (OKTA-466333)
• Guardian Insurance (OKTA-470966)
• Loop11 (OKTA-471181)
• Names & Faces (OKTA-468537)
• Nord Layer (OKTA-469771)
• Optum Health Financial (OKTA-465956)
• QuickBooks (OKTA-467864)
• Twitter (OKTA-470889)

OKTA-419847

On-Prem MFA API tokens contained scopes beyond what was required for agent operation.

OKTA-433751

End users received errors when accessing SWA apps through the Okta End-User Dashboard if their app passwords contained ampersands.

OKTA-436486

Some orgs couldn’t save email templates containing Velocity variables. This occurred for orgs with Enhanced Email Macros enabled.

OKTA-442296

Some end users received a 400 error after signing in to the Okta End-User Dashboard.

OKTA-443777

Admins couldn’t use the objectGuid attribute as a unique identifier when integrating AD LDS LDAP servers with Okta.

OKTA-451206

When admins enabled LDAP real-time synchronization, the system.agent.ad.realtimesync event erroneously appeared in the System Log.

OKTA-455372

If the information required to evaluate behavior was not available, the System Log displayed BAD_REQUEST for rules that included behavior detection.

OKTA-456046

When upgrading to Identity Engine, orgs received an error stating that they had Sharepoint On-Premises app instances that weren't supported by Identity Engine.

OKTA-459571

In the admin console, the status of RADIUS agents randomly changed from Operational to Disrupted.

OKTA-459778

Customized Sign-In Widgets didn’t match the preview on the Sign-In Widget code editor.

OKTA-460366

On Security > Networks > Add IP Zone, proxy IP addresses weren't explicitly identified as trusted proxy IP addresses.

OKTA-461015

Event information was missing from the Report Suspicious Activity page after users changed their password in the Sign-In Widget.

OKTA-461198

When the Custom Admin Roles feature was enabled, read-only admins could see the Assign to People, Assign to Groups, and Edit User buttons on the Applications page.

OKTA-462025

Admins who refreshed a page in the custom URL domain wizard weren’t returned to the correct step.

OKTA-462114

The ${user.login} variable appeared in default email templates.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

• AppSplit (OKTA-462294)
• Auth0 (OKTA-456042)
• Dockerhub (OKTA-463515)
• FinServ (OKTA-463959)
• LoansPQ (OKTA-462410)
• MeridianLink LoansPQ (OKTA-460940)
• New Relic (OKTA-464710)
• ProtonMail (OKTA-463545)
• Salto Keys (OKTA-464469)
• WePay (OKTA-462296)
• Wikispaces (OKTA-462300)

Okta On-Prem MFA agent, version 1.4.8

This version of the agent contains security fixes. See Okta On-Prem MFA Agent Version History.

Okta Active Directory agent, version 3.8.0

This version of the agent contains:

• Agent auto-update support
• Improved logging functionality to assist with issue resolution
• Bug fixes

See Okta Active Directory agent version history.

Okta RADIUS Server agent, version 2.17.2

This version of the agent contains security fixes. See Okta RADIUS Server Agent Version History.

Admin Console user interface changes

On the Device Integrations page, the Endpoint Management tab now includes an Activate/Deactivate action for legacy Device Trust desktop configurations. It also includes a warning message if an admin attempts to deactivate Device Trust when their Identity Engine app sign-on policy is not configured correctly for devices that are not trusted.

Delivery status of SMS messages in the System Log

Administrators can now view the delivery status for SMS messages in the System Log. For information about the new event type, see Configure and use telephony.

Feature name change: New Sign-On Notification

The New Device Notification functionality is renamed to New Sign-On Notification in the Admin Dashboard, the email notification title, and elsewhere. It refers to the email notification a user receives when there’s a sign-in event from an unrecognized device.

New permissions for custom admin roles

The following new permissions can now be assigned to a custom admin role:

• Activate users

• Deactivate users

• Suspend users

• Unsuspend user

• Delete users

• Unlock users

• Clear user sessions

• Reset users' authenticators

• Reset users' passwords

• Set users' temporary password

• Run imports.

The new permissions give super admins more granular control over their delegated org permissions. See About role permissions.

YubiKey OTP authentication now available

YubiKey one-time-password (OTP) mode authentication is now available to Okta Identity Engine users. See Configure YubiKey OTP for one-time passwords

Password change notifications for LDAP-sourced users

Password change email notifications may now be sent to LDAP-sourced users.

API token ID displayed in tokens

API token ID is now displayed under API tokens for easy tracking.

SHA type displayed for SAML certificates

SHA type is now displayed for SAML certificates in the Admin Console.

New System Log event

A new policy.mapping.create event is added to the System Log for profile enrollment and app sign-on policies.

OKTA-420065

Launch on sign-in apps on the Okta End-User Dashboard launched multiple times after the user signed in.

OKTA-448006

Some branded pages used an org’s previously uploaded logo rather than their new theme logo.

OKTA-452612

User context wasn’t included in some orgs' token inline hook request data.

OKTA-453969

Some Duo users were unable to authenticate after upgrading to Okta Identity Engine.

OKTA-454206

Some admins without super admin permissions could view a link to the Admin role assignments report. This occurred for orgs with the Custom Admin Roles feature enabled.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

• Bendigo Bank (OKTA-454211)

• EdgeCast (OKTA-453148)

• Maxwell Health (OKTA-454213)

• My T-Mobile (OKTA-455732)

• Redis (OKTA-454218)