Okta Identity Engine release notes (Early Access)

Currently in Production

November 2024

IP Exempt Zone

Use this feature to always allow traffic from specific gateway IPs irrespective of any Okta ThreatInsight configurations or network zones that are configured as blocklists. See IP Exempt zone.

OpenID Connect Identity Providers now support group sync

OpenID Connect Identity Providers now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.

Create dynamic resource sets with conditions

Resource set conditions help you limit the scope of a role by excluding an admin's access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Resource set conditions.

Seamless and secure authentication with passkey autofill

Passkeys offer a streamlined sign in experience to users by leveraging their browser's existing autofill capabilities. This allows users to quickly and intuitively sign in to an org without typing their credentials or seeing extra prompts. This secure, phishing-resistant solution works seamlessly across devices, delivering both enhanced security and convenience for modern authentication needs. See Configure the FIDO2 (WebAuthn) authenticator.

Secure Partner Access for external partners

Secure Partner Access provides a secure way for external business partners to access your org's resources. It streamlines your partner management tasks, reduces IT workload, and simplifies the process of configuring your org's security requirements. See Manage Secure Partner Access.

Secure SaaS service accounts

This feature enables customers to monitor, manage, and secure access to service accounts in their SaaS apps. This new feature in Okta Privileged Access improves the Okta platform by safeguarding non-federated accounts across an org's apps. See Manage service accounts.

October 2024

Step-up authentication for Office 365

This enhancement enables customers to dynamically prompt for Okta MFA when needed, without having MFA configured in the authentication policy. See Use Okta MFA for Azure Active Directory.

Grace period for device assurance

Occasionally, users' devices might fall out of compliance with security policies due to temporary conditions such as missed software updates or unapproved network connections. Without a grace period, they would be immediately blocked from accessing critical resources, which disrupts productivity and causes frustration. The Grace period for device assurance feature allows you to define a temporary window during which non-compliant devices can still access resources. This gives users time to remediate issues without being locked out, balancing productivity with security standards. See Add a device assurance policy.

Identity Verification with third-party Identity Verification providers

When users take certain actions, Identity Verification enables you to use a third-party Identity Verification provider to verify the identity of your users. Verification requirements and the Identity Verification provider are based on your authentication policies and configurations within your Okta org. Okta supports Persona as a third-party Identity Verification provider. See Add an Identity Verification vendor as Identity Provider.

Same-Device Enrollment for Okta FastPass reactivated

Same-Device Enrollment for Okta FastPass is now available again. The feature had been removed to resolve an Okta Verify enrollment issue. On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they're currently using. Previously, a second device was required for enrollments. Enrollment still requires a second factor where one is available, which may involve a second device.
  • Users no longer need to enter their org URL during enrollment.
  • The enrollment flow has fewer steps. This feature is supported on Android, iOS, and macOS devices.

To enable it, go to Admin Console Settings and turn on Same-Device Enrollment for Okta FastPass.

Biometric user verification support in Authentication Method Chain

The Require biometric user verification option is now supported in Authentication Method Chains.

Authenticator actions hidden

Users must satisfy the requirements of an Okta account management policy to reset or remove their existing security methods. If they don't, the authenticator actions are now hidden from their Settings page. See Okta account management policy.

Custom Keep me signed in labels

Admins can now customize the Keep me signed in label on their sign-in page. See Branding.

Design enhancements for OIDC and SAML app integrations

When the Front-channel Single Logout feature is enabled, the OIDC and SAML app integration pages now have a single Logout section that includes all of the logout settings for the app. See Application Integration Wizard SAML field reference.

September 2024

Authentication method chain

With this feature, you can require users to verify with multiple authentication methods in a specified sequence. You can create multiple authentication method chains in an authentication policy rule to cater to different use cases and scenarios. See Authentication method chain.

IdP selection for admin resources

This feature gives customers the ability to select and manage the Identity Providers (IdPs) that they want to associate with an admin role. This enhances security by providing granular permissions to roles. See Create a resource set.

Granular configuration for Keep Me Signed In

Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands management API. See Keep me signed in and Brands API.

Global token revocation for wizard SAML and OIDC apps

Universal Logout clears sessions and tokens for wizard SAML and OIDC apps. This enhancement extends Universal Logout functionality to more types of apps and provides greater flexibility to admins.

August 2024

Require MFA for accessing Identity Governance admin apps

If your org uses Okta Identity Governance, you can require MFA for admins who access these first-party apps:

  • Okta Access Certifications
  • Okta Entitlement Management
  • Okta Access Requests Admin

If you have auto-enabled Early Access features in your org, MFA is automatically enforced for those apps. See Enable MFA for the Admin Console.

OAuth 2.0 security for invoking API endpoints

Okta Workflows users can now securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this feature is more secure while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint. See Invoke a flow with an API endpoint.
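The exchange the note describes, as an added example that is not Okta's or the Workflows product's own code: a client_credentials grant against the org authorization server (https://{org}/oauth2/v1/token) using private_key_jwt client authentication, requesting the okta.workflows.invoke.manage scope, then a POST to the flow's invoke URL with the resulting bearer token. ORG_URL, CLIENT_ID, the kid and the invoke URL are placeholders, the app is assumed to be an API service app configured for private_key_jwt, and the verify function shows the checks the authorization server applies (a wrong key or a wrong audience is rejected). The `cryptography` package is required.

```python
"""Invoke an Okta Workflows API endpoint with an OAuth 2.0 access token.

Added example, not Okta's code. ORG_URL, CLIENT_ID, kid and the invoke URL
are placeholders; the app is assumed to be an API service app set up for
private_key_jwt client authentication.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
import uuid

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

ORG_URL = "https://example.okta.com"                 # placeholder
TOKEN_URL = f"{ORG_URL}/oauth2/v1/token"              # org authorization server
CLIENT_ID = "0oaexampleclientid"                      # placeholder
SCOPE = "okta.workflows.invoke.manage"                # scope from the release note
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_demo_key() -> rsa.RSAPrivateKey:
    """Throwaway key so the example runs offline. In practice, load the
    private key whose public half is registered on the Okta app."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_client_assertion(private_key, client_id, token_url, kid="demo", ttl=300):
    """RS256 JWT that authenticates the client (RFC 7523). aud is the token
    endpoint itself; exp is kept short because the assertion is single-use."""
    now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": client_id, "sub": client_id, "aud": token_url,
              "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    signature = private_key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{signing_input}.{_b64url(signature)}"


def verify_client_assertion(assertion, public_key, token_url, client_id) -> dict:
    """The checks the authorization server performs before issuing a token.
    Raises ValueError on failure and returns the claims on success."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    head, body, sig = parts
    if json.loads(_b64url_decode(head)).get("alg") != "RS256":
        raise ValueError("unexpected alg")
    try:
        public_key.verify(_b64url_decode(sig), f"{head}.{body}".encode(),
                          padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        raise ValueError("bad signature") from None
    claims = json.loads(_b64url_decode(body))
    if claims.get("aud") != token_url:
        raise ValueError("wrong audience")
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("issuer/subject mismatch")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("assertion expired")
    return claims


def build_token_request(assertion: str):
    """(url, form body) for the client_credentials grant. No client secret
    travels over the wire; the signed assertion is the credential."""
    form = {"grant_type": "client_credentials", "scope": SCOPE,
            "client_assertion_type": ASSERTION_TYPE, "client_assertion": assertion}
    return TOKEN_URL, urllib.parse.urlencode(form).encode()


def get_access_token(private_key, client_id=CLIENT_ID) -> str:
    url, body = build_token_request(build_client_assertion(private_key, client_id, TOKEN_URL))
    req = urllib.request.Request(url, data=body, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def invoke_flow(invoke_url: str, access_token: str, payload: dict) -> dict:
    """POST to the flow's API endpoint (the invoke URL is a placeholder); the
    bearer token replaces the per-flow client token the note compares against."""
    req = urllib.request.Request(
        invoke_url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

The access token is short-lived and scoped to okta.workflows.invoke.manage only, which is what makes this preferable to a long-lived per-flow client token: nothing reusable is stored on the caller's side except the private key, and that key never leaves the caller.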

Okta account management policy

The Okta account management policy helps admins easily build phishing resistance into actions such as account unlock, password recovery, and authenticator enrollment. Using the familiar rule-based framework of an authentication policy, admins can now customize which phishing-resistant authenticators are required when users attempt these common self-service actions. All of the configurations in the authentication policies can now be applied for authenticator management. See Okta account management policy.

Biometric user verification in authentication policies

You can now configure authentication policies to require biometric user verification (no passcode). With this feature you ensure that users confirm their biometrics when they authenticate with Okta FastPass or Okta Verify Push. See Biometric user verification in authentication policies.

July 2024

Entitlement Management with Okta Provisioning Agent with SCIM 2.0 support

This agent supports Entitlement Management for app integrations that have Governance Engine enabled. This allows the provisioning of entitlements between Okta and on-premises apps.

Certificate-based authentication for Office 365

Okta Identity Engine now supports certificate-based authentication for WS-Fed SSO requests. Users can authenticate using Smart/PIV cards to seamlessly access their Windows devices and Office 365 apps.

June 2024

Same-device enrollment for Okta FastPass

On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.

  • Users no longer need to enter their org URL during enrollment.

  • The enrollment flow has fewer steps.

This feature is supported on Android, iOS, and macOS devices. To enable it, go to Admin Console Settings and turn on Same-Device Enrollment for Okta FastPass.

Access request conditions and resource catalog

This feature provides a new method to streamline your access requests for apps, entitlements, and groups from the app's profile page in the Admin Console.

As super admins and access request admins, you can set up app-specific access request conditions that define requester scope, access level, expiration for the access level, and the approval sequence. Based on your active conditions, requesters can request access to an app or app access level directly from their End-User Dashboard.

Compared to request types, this approach allows you to reuse existing relationships between users, groups, and apps defined in Okta to govern access instead of recreating these in Okta Access Requests. This feature also integrates the app catalog in the End-User Dashboard with Access Requests to make the process of requesting access intuitive and user-friendly. See Access Requests and Create requests.

You can also view and edit a user's access duration for the app if the app has Governance Engine enabled. See Manage user entitlements.

Continuous Access is now Post Auth Session

The Continuous Access tab in Authentication Policies is renamed to Post Auth Session.

Continuous Access widget is now Post auth session violations widget

The Continuous Access widget in the Identity Threat Protection dashboard is renamed to the Post Auth Session Violations widget.

  • Continuous access violations are renamed to Session violations.
  • Continuous access evaluation is renamed to Post auth session evaluation.

May 2024

Skip the verify page and redirect to the IdP authenticator

This feature allows users to skip the verify step in the Sign-In Widget. They are instead redirected to the IdP authenticator for verification. When you enable this feature, end users see the option to skip the Sign-In Widget verification. If your org is configured to remember the last authenticator the user used, then the user is auto-redirected to the IdP authenticator for future sign-in attempts.

SSF Transmitter API

Okta uses the Continuous Access Evaluation Profile (CAEP) to send security-related events and other data-subject signals to Apple, which acts as the Shared Signal Framework (SSF) receiver. After an SSF stream is configured, Okta sends these signals to Apple as Security Event Tokens (SETs). Use the SSF Transmitter API to manage SSF stream configurations between the SSF receiver and Okta.

Enhancement to protected access to Admin Console

As part of the Require MFA for Protected Actions in the Admin Console feature, step-up authentication is required to modify authentication policies applicable to Admin Console.

April 2024

Early Access features from this release are now Generally Available.

March 2024

Direct End-User Settings access

Users may now access their Settings page through a direct URL in addition to the End-User Dashboard. This feature provides convenience and security for users, gives admins greater flexibility when working with End-User Dashboard access control scenarios, and includes accessibility and UX improvements. See User settings.

Enforce Number Challenge for Desktop MFA

You can now enforce number challenge on all push notifications for Desktop MFA, regardless of the authentication policy. See Configure Desktop MFA policies.

Realms for Workforce

Realms allows you to unlock greater flexibility in managing and delegating management of your distinct user populations within a single Okta org. See Manage realms.

Trusted App filters

Trusted App filters allow orgs to block applications from invoking Okta FastPass in Windows, and in Google Chrome and Firefox browsers for macOS. See Trusted app filters.

Google Workspace 1-click federation

Admins can set up SSO to Google Workspace using a simplified integration experience that saves time and reduces the risk of errors.

New HealthInsight task

HealthInsight now includes a recommendation to apply MFA for access to the Admin Console.

February 2024

Custom languages for email templates

Admins can now customize Okta-generated emails in any BCP47-formatted language. Previously, customizations were limited to 27 Okta-supported languages. This feature allows admins to configure additional locales using Okta's Brands API. When a new locale is configured, it's available as a new language selection within the Email Templates Editor. See Customized Email Notifications.

Dynamic OS version compliance for device assurance

You can configure OS version compliance by using device assurance. However, you have to manually update the policies every time a new OS version or patch is released. With Dynamic OS version compliance, Okta updates device assurance policies with the latest OS versions and patches, eliminating the need for manual updates. With this feature you can ensure OS version compliance in your org without tracking OS releases. See Add a device assurance policy.

November 2023

Make email optional authenticator

This feature allows you to upgrade your org to Identity Engine without updating your email factor settings. If you already have an Identity Engine org, it gives you and your end users more control over the email authenticator. See Skip auto-enrolling email authenticator and Make email an optional authenticator.

New app settings permissions for custom admin roles

Super admins can now assign permissions for custom admin roles to manage all app settings, or only general app settings. This enables super admins to provide more granular permissions to the admins they create, resulting in better control over org security. See Application permissions.

October 2023

Workday writeback enhancement

When this feature is enabled, Okta makes separate calls to update work and home contact information. This feature requires the Home Contact Change and Work Contact Change business process security policy permissions in Workday.

September 2023

Custom admin roles with device permissions

You can now create custom admin roles with permissions to view and manage devices. You can add the Devices to your resource set and then specify device permissions for your custom admin. See Create a resource set and Devices permissions.

Okta FastPass and Smart Card options on Sign-in page

Currently, if you configured both the Sign in with Okta FastPass option and Smart Card as an authenticator, users only see the Okta FastPass option when they sign in. With this feature, you can make both options available for your users during the sign-in process. See Configure the Smart Card authenticator.

Enhanced security of Okta Verify enrollments

To ensure users enroll in Okta Verify in a phishing-resistant manner, a Higher security methods option now appears on the authenticator configuration page. With this option, users can't enroll with QR code, email, or SMS link. See Configure Okta Verify options.

July 2023

IdP permissions for custom admin roles

Admins can now leverage new Identity Provider management permissions when creating custom admin roles. These permissions allow more precise access control and reinforce the principle of least privilege. See Role permissions.

Admin Console Japanese translation

When you set your display language to Japanese, the Admin Console is now translated. See Supported display languages.

Front-channel Single Logout

Front-channel Single Logout (SLO) allows a user to sign out of an SLO-participating app on their device and end their Okta session. Okta then automatically sends a sign-out request to all other participating apps that the user accessed during their session. See Configure Single Logout in app integrations.

June 2023

Phishing-resistant authentication with Okta FastPass on unmanaged iOS devices

While Okta FastPass can protect users against phishing attacks in most cases, it previously couldn't secure authentication on unmanaged iOS devices. To close this gap, Okta is rolling out phishing resistance for Okta FastPass on unmanaged iOS devices. With this change, users who authenticate with Okta FastPass on their personal or unmanaged iOS devices are protected from phishing attacks. See Multifactor authentication.

This feature requires Okta Verify version 8.2.1.

May 2023

Event hook filters

You can now filter individual events of the same event type based on custom business logic hosted in Okta. These filters reduce the number of events that trigger hooks, removing unnecessary load from your external service.

This feature includes an improved creation workflow for event hooks and a new Filters tab that you can use to create event filters with direct Expression Language statements or with a simple UI format.

Using event hook filters significantly reduces the number of event hook requests and the need for custom filtering code on your respective services. See Edit an event hook filter.

April 2023

Import users to Office 365 using Microsoft Graph API

This feature allows Okta to process imports using the Microsoft Graph API. This background process doesn't change existing procedures and makes imports more scalable, supporting Microsoft 365 tenants with larger numbers of users, groups, and group memberships. See Import users to Office 365 using Microsoft Graph API.

January 2023

AWS region support for EventBridge Log Streaming

EventBridge Log Streaming now supports all commercial AWS regions.

November 2022

Phishing-resistant authenticator requirement

To enhance security, admins may now require users to authenticate using a phishing-resistant authenticator when enrolling additional authenticators. This feature protects the authenticator enrollment process from phishing attempts. See Phishing-resistant authenticator enrollment.

Log Stream event structure update

For consistency the report structure for Log Stream events is now the same as that for System Log events. The following fields are changed and might need updating for any monitoring scripts in use:

  • Under devices, osPlatform is now platform.

  • The ipChain array is now correctly nested under request instead of client.

  • The extraneous field insertionTimestamp is removed.
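A monitoring script written against the old Log Stream structure breaks on exactly these three fields. As an added example (not Okta's code), the normalizer below accepts either structure and returns the post-change shape, which matches System Log events, so a script can run the same detection logic over old and new events during the transition. The note doesn't say where the devices array sits, so it's assumed to be top-level here; both sample events are constructed for illustration.

```python
"""Normalize Okta Log Stream events across the November 2022 structure change.

Added example, not Okta's code. The devices array is assumed to be top-level;
OLD_EVENT and NEW_EVENT are constructed samples, not captured events.
"""
import copy
from typing import List, Optional

# Constructed sample: the pre-change Log Stream shape.
OLD_EVENT = {
    "uuid": "9f1d0b8e-0000-0000-0000-000000000001",
    "eventType": "user.session.start",
    "published": "2022-10-01T12:00:00.000Z",
    "insertionTimestamp": "2022-10-01T12:00:01.234Z",
    "client": {"userAgent": {"os": "Mac OS X"},
               "ipChain": [{"ip": "203.0.113.7"}, {"ip": "198.51.100.2"}]},
    "request": {},
    "devices": [{"osPlatform": "MacOS", "managed": True}],
}

# Constructed sample: the post-change shape (same as a System Log event).
NEW_EVENT = {
    "uuid": "9f1d0b8e-0000-0000-0000-000000000002",
    "eventType": "user.session.start",
    "published": "2022-11-15T12:00:00.000Z",
    "client": {"userAgent": {"os": "Windows"}},
    "request": {"ipChain": [{"ip": "203.0.113.9"}]},
    "devices": [{"platform": "Windows", "managed": False}],
}


def normalize_log_stream_event(event: dict) -> dict:
    """Return a copy of `event` in the post-change structure. Idempotent, so
    it is safe to run on events that already use the new shape."""
    ev = copy.deepcopy(event)

    # 1. Under devices, osPlatform is now platform.
    for device in ev.get("devices") or []:
        if "osPlatform" in device:
            legacy = device.pop("osPlatform")
            device.setdefault("platform", legacy)   # keep platform if both exist

    # 2. ipChain is nested under request instead of client.
    client = ev.get("client")
    if isinstance(client, dict) and "ipChain" in client:
        legacy_chain = client.pop("ipChain")
        request = ev.setdefault("request", {})
        request.setdefault("ipChain", legacy_chain)

    # 3. insertionTimestamp is removed; drop it so field-level comparisons
    #    with System Log events don't diverge.
    ev.pop("insertionTimestamp", None)
    return ev


def originating_ip(event: dict) -> Optional[str]:
    """First hop of request.ipChain, the field a detection rule should key
    on regardless of which structure the event arrived in."""
    chain = normalize_log_stream_event(event).get("request", {}).get("ipChain") or []
    return chain[0].get("ip") if chain else None


def device_platforms(event: dict) -> List[str]:
    """Platform of each device on the event, after normalization."""
    return [d.get("platform", "unknown")
            for d in normalize_log_stream_event(event).get("devices") or []]
```

Run every event through normalize_log_stream_event() at ingest and key detections on request.ipChain and devices[].platform only; once all producers emit the new structure, the normalizer becomes a no-op and can be removed without touching the rules.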

October 2022

Passkey Management

Apple passkeys may be synchronized across multiple devices, including on unmanaged ones, and stored in Apple's data centers. This may impact organizations whose security policies require that credentials never leave the device, or that only managed devices be allowed to connect. Okta now allows admins to block the enrollment of passkeys in their orgs. With the new Passkey Management feature, customers can ensure that security policies continue to be enforced, and potentially compromised devices can be kept from connecting. Existing passkey enrollments aren't affected by turning this feature on.

New OIN app for Microsoft 365 GCC High

A new app is available for integrating Microsoft Office 365 Government Community Cloud (GCC) High. This Office 365 tenant type serves as a highly secure version of Office 365 built specifically for government entities, vendors, and contractors. The tenant provides built-in compliance with certifications and accreditations that are required by the U.S. public sector, including FedRAMP high-impact requirements.

With the new Okta Integration Network app, customers using the GCC High environment for Office 365 can securely deploy a consistent user experience for SSO and identity management. See Configure Office 365 GCC High Tenant.

Phishing-resistant authentication

Phishing-resistant authentication detects and prevents the disclosure of sensitive data to fake applications or websites. When users authenticate with Okta FastPass on managed devices, they're protected from phishing attacks. See Phishing-resistant authentication.

New column for the User app access report

The User app access report now includes the Recently Accessed column. This allows you to view when the user accessed the app in the last 90 days.

September 2022

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.

SAML app support added for email magic links

The Email Magic Link feature now supports SAML applications for self-service registration, self-service password reset, and self-service unlock operations.

July 2022

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.

June 2022

Run delegated flows from the Admin Console

With delegated flows, admins can be assigned the ability to run Okta Workflows directly from the Admin Console. Flows that are delegated to an admin appear on the Delegated Flows page where they can be invoked without signing in to the Workflows Console. This gives super admins more granular control over their admin assignments. See Delegated flows.

May 2022

New permissions for custom admin roles

Super admins can now assign these new permissions to their custom admin roles:

  • Manage authorization server

  • View authorization server

  • Manage customizations

  • View customizations

The authorization server permissions can be scoped to all or to a subset of the org's authorization servers. With these new permissions, super admins can now create custom admin roles with more granular permissions for managing their org's customizations and authorization servers. See Role permissions.

April 2022

Splunk available for Log Streaming

Many organizations use third-party systems to monitor, aggregate, and act on the event data in Okta System Log events.

Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as Splunk Cloud in near real time with simple, pre-built connectors. Log Streaming scales well even with high event volume, and unlike many existing System Log event collectors, it doesn't require a third-party system to store an Okta Admin API token. See Log streaming.

March 2022

Automatically update public keys in the Admin Console

Using private_key_jwt as your app's client authentication method requires that you upload public keys to Okta and then use the private keys to sign the assertion. Then, you must update the client configuration each time you rotate the key pairs. This is time-consuming and error-prone. To seamlessly use key pairs and rotate them frequently, you can now configure private_key_jwt client authentication in the Admin Console for OAuth clients by specifying the URI where you store your public keys. See Manage secrets and keys for OIDC apps.
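The rotation this setting makes practical, as an added example that is not Okta's code: a small key ring that publishes the JWKS document served at the jwks_uri, keeps the previous key published while assertions signed with it may still be in flight, and refuses to retire the key currently used for signing. The kids and keys are throwaway values, and the `cryptography` package is required.

```python
"""Publish and rotate the public keys behind private_key_jwt via a JWKS URI.

Added example, not Okta's code. Rotation is: generate a new pair, publish
old and new together, switch signing to the new kid, and retire the old key
only after assertions signed with it have expired. Keys here are throwaway.
"""
import base64
from typing import Dict, Optional

from cryptography.hazmat.primitives.asymmetric import rsa


def _b64url_uint(value: int) -> str:
    """Base64url of the big-endian bytes of an integer (RFC 7518 section 6.3)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def public_jwk(private_key: rsa.RSAPrivateKey, kid: str) -> dict:
    """Public half only; the private key never appears in the document."""
    nums = private_key.public_key().public_numbers()
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": _b64url_uint(nums.n), "e": _b64url_uint(nums.e)}


class SigningKeyRing:
    """Holds the active signing key plus any keys that must stay published
    because Okta may still receive assertions signed with them."""

    def __init__(self) -> None:
        self._keys: Dict[str, rsa.RSAPrivateKey] = {}
        self.active_kid: Optional[str] = None

    def rotate(self, kid: str) -> rsa.RSAPrivateKey:
        """Generate a new pair and make it the signing key. The previous key
        stays in the ring (and in the JWKS) until retire() is called."""
        if kid in self._keys:
            raise ValueError(f"kid {kid!r} already in use; kids must be unique")
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self._keys[kid] = key
        self.active_kid = kid
        return key

    def retire(self, kid: str) -> None:
        """Remove a key from the JWKS once no assertion signed with it can
        still be valid (after its longest exp has passed)."""
        if kid == self.active_kid:
            raise ValueError("cannot retire the active signing key")
        del self._keys[kid]

    def active_key(self) -> rsa.RSAPrivateKey:
        if self.active_kid is None:
            raise RuntimeError("no signing key; call rotate() first")
        return self._keys[self.active_kid]

    def jwks(self) -> dict:
        """The document to serve at the jwks_uri (Content-Type: application/json)."""
        return {"keys": [public_jwk(k, kid) for kid, k in self._keys.items()]}
```

Each client assertion carries the kid of the key that signed it, so Okta can pick the matching entry from the fetched set; serve the JWKS over HTTPS only, since an attacker who can substitute that document can substitute the key.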

Incremental Imports for the Org2Org app

Okta now supports incremental imports for the Org2Org app. Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import. See Okta Org2Org.

February 2022

Additional Okta username formats for LDAP-sourced users

Three additional Okta username formats are now available for LDAP-sourced users. In addition to the existing options, admins can now select Employee Number, Common Name, and Choose from schema to form the Okta username. These new options allow admins to use both delegated authentication and Just-In-Time (JIT) provisioning with LDAP directory services. With these new provisioning options, it is now easier for admins to integrate their LDAP servers with Okta. See Configure LDAP integration settings.

November 2021

Windows Autopilot integration with Okta

You can now use Okta to secure and streamline the Windows Autopilot flow on end-user devices. Before this integration, using Okta Device Trust or Okta FastPass prevented the enrollment of a new device through Windows Autopilot. The new integration lets you accommodate Not Trusted devices with Windows Autopilot while continuing to use Okta Device Trust and Okta FastPass for Trusted devices. It also allows you to add a sign-on policy rule in Okta that requires MFA when enrolling a device through Windows Autopilot. This increases security without compromising the user experience and ensures that the right person gets access to the device. See Typical workflow for using Okta with Windows Autopilot.

Manage email notifications for custom admin roles

Super admins can configure the system notifications and Okta communications for custom admin roles. Configuring the email notifications helps ensure admins receive all of the communications that are relevant to their role. See Configure email notifications for an admin role.

August 2021

Third-Party Risk

Okta Risk Eco-System API / Third-Party Risk enables security teams to integrate IP-based risk signals to analyze and orchestrate risk-based access at the authentication layer. Practitioners can step up authentication, reduce friction, or block the user based on risk signals from across the customer's security stack. Apart from improving security efficacy, this feature also enhances the user experience by reducing friction for good users based on positive user signals. See Risk scoring.

February 2021

Enhanced Admin Console search

Admins can now search for end user email addresses in the Spotlight Search field in the Admin Console. You can also view the user's status in the search results when you search by username or email address. This global search helps you find what you need in the Admin Console quickly, saving time and increasing productivity. See Admin Console search.

January 2021

Workplace by Facebook Push AD Manager functionality

Admins can choose to disable Push AD Manager functionality using this self-service Early Access feature. This enables admins to control the manager attribute using Okta Expression Language syntax to avoid being dependent on AD for the field. See Workplace by Facebook.

Skip to Content improvements

End users can now click Skip to Content on the new Okta End-User Dashboard to navigate directly to the Add Apps page.

Options relocation

The Recent Activity tab, End-User preferences, Admin View, and Sign Out options are now displayed in the user drop down menu on the Okta End-User Dashboard.