Okta Identity Engine release notes (Preview)
Version: 2024.05.0
May 2024
Generally Available
Sign-In Widget, version 7.18.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Option to enforce profile source priority for Desktop Single Sign On
Enforcing profile source priority for DSSO requires end users to authenticate using their identity from the top prioritized profile source. See Enable delegated authentication.
Microsoft Graph commands for Office 365 Manual Domain Federation
The Manual Domain Federation configuration guide for Microsoft Office 365 now uses Microsoft Graph commands.
Remember last used authentication factor
Okta helps reduce user friction by prompting for the last used authentication factor. Previously, this was only available to users signing in through a web browser. Now, the last used authentication factor functionality is also available for thick clients and non-browser-based authentication.
Enhanced sign-in experience for PIV/CAC
The Sign-in Widget has been updated to provide an improved user experience when signing in with a PIV/CAC card. The new experience allows users to select a different authenticator if the PIV/CAC authentication fails, instead of forcing them to restart the sign-in process. If your org uses default error pages for PIV/CAC sign-in, the new experience is automatically enabled for the org. If your org uses customized error pages for PIV/CAC sign-in, they are preserved. However, you need to contact Support to switch to the new experience.
Sign in with duplicated email authenticators
Previously, users couldn’t sign in if they had the same email enrolled twice as an authenticator. This change checks the status of each email authenticator and allows the user to sign in with the most suitable email authenticator.
OIN connector support for Entitlement Management
The GitHub Team connector has been updated to support Entitlement Management. See Provisioning-enabled apps.
Universal Logout support for Zoom
Universal Logout in Identity Threat Protection with Okta AI (ITP) now clears Zoom sessions and tokens when triggered by the entity risk policy, Continuous Access, and the Clear user session function. This enhances the security of orgs that use ITP.
Sign-In Widget (third generation) version pinning
You can now pin the Sign-In Widget third generation (SIW3) version when updating a customized or preview sign-in page. You can pin version 7.8 or later. This ensures that orgs that use custom branding can't pin SIW3 to an incompatible version. See Customize your sign-in page and Sign-In Widget (third generation).
Granular controls for authentication policies
Admins can now disallow or allow individual authentication methods for an authentication policy. This gives admins more granular control over access to apps. This feature is made available to all orgs.
System Log events for Workflows execution history
Three new event types have been added to the System Log for logging Workflows execution history events:
- workflows.user.flow.execution_history.activate
- workflows.user.flow.execution_history.deactivate
- workflows.user.flow.execution_history.delete
See the Event Types API.
System Log event update for global session policies
The policy.lifecycle.update and policy.rule.update events are updated to include more debug data and change details about the updated policy and rule.
System Log event update for Trusted Origins
If a Trusted Origin is updated using an Event Hook, the event hook ID is now displayed in the System Log event.
Early Access
Multiple Identifiers
Today, end users must sign in to Okta with a username or email address only. With the Multiple Identifiers feature, admins can configure identifiers, or user attributes from Universal Directory, that an end user can enter to authenticate. Multiple identifiers work in sign-on, recovery, self-service registration, and unlock flows. Admins can configure up to three identifiers, including email (which is still a required identifier). See Multiple identifiers.
Skip the verify page and redirect to the IdP authenticator
This feature allows users to skip the verify step in the Sign-In Widget. They are instead redirected to the IdP authenticator for verification. When you enable this feature, end users see the option to skip the Sign-In Widget verification. If your org is configured to remember the last authenticator the user used, then the user is auto-redirected to the IdP authenticator for future sign-in attempts.
Require MFA for Admin Console access
You can require multifactor authentication to access the Okta Admin Console. When you enable this feature, all Admin Console authentication policy rules that allow single factor access are updated to require multifactor authentication. See Enable MFA for the Admin Console.
SSF Transmitter API
Okta uses CAEP to send security-related events and other data-subject signals to Apple, which acts as the Shared Signal Framework (SSF) receiver. After an SSF stream is configured, Okta sends signals as Security Event Tokens (SETs) to Apple. Use the SSF Transmitter API to manage SSF stream configurations between the SSF receiver and Okta.
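To make the SET format concrete, the following is an added example (not Okta's code, and not the SSF Transmitter API itself) that builds a Security Event Token carrying a CAEP session-revoked event and then performs the checks a receiver should make before acting on it: signature, token type, issuer, audience, and replay of the jti. Okta signs real SETs with an asymmetric key published through JWKS; this example signs with an HMAC shared secret so that it runs offline, and the issuer, audience, and subject values are constructed placeholders.

```python
"""Build and verify a Security Event Token (RFC 8417) carrying a CAEP
session-revoked event. Added illustration, not Okta's implementation: a real
SSF transmitter signs with an asymmetric key (JWKS); HMAC-SHA256 stands in
here so the example is self-contained."""
import base64
import hashlib
import hmac
import json
import time

CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_set(secret: bytes, issuer: str, audience: str, subject_email: str, jti: str, now=None) -> str:
    """Transmitter side: wrap one CAEP event in a signed SET (typ secevent+jwt)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    payload = {
        "iss": issuer,
        "aud": audience,
        "iat": now,
        "jti": jti,  # unique per SET; receivers use it to reject replays
        "events": {
            CAEP_SESSION_REVOKED: {
                "subject": {"format": "email", "email": subject_email},
                "event_timestamp": now,
                "reason_admin": {"en": "Admin IP address changed"},
            }
        },
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_set(token: str, secret: bytes, expected_issuer: str, expected_audience: str, seen_jti: set) -> dict:
    """Receiver side: reject bad signature, wrong typ/alg, wrong iss/aud, or a
    replayed jti; return the events map so the receiver can act on each one."""
    h_b64, p_b64, s_b64 = token.split(".")
    expected_sig = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected header")
    payload = json.loads(_b64url_decode(p_b64))
    if payload.get("iss") != expected_issuer or payload.get("aud") != expected_audience:
        raise ValueError("issuer/audience mismatch")
    if payload.get("jti") in seen_jti:
        raise ValueError("replayed SET")
    seen_jti.add(payload["jti"])
    return payload["events"]


if __name__ == "__main__":
    # Constructed placeholder values; no real org or receiver involved.
    secret = b"shared-secret-for-demo-only"
    tok = build_set(secret, "https://example.okta.invalid", "https://receiver.example.invalid",
                    "alice@example.invalid", "set-0001", now=1716000000)
    events = verify_set(tok, secret, "https://example.okta.invalid", "https://receiver.example.invalid", set())
    print(json.dumps(events, indent=2))
```

The receiver-side order matters: the signature is checked before any claim is parsed, and the jti is recorded only after every other check passes, so a forged or misaddressed token cannot poison the replay cache.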
Enhancement to protected access to Admin Console
As part of the Require MFA for Protected Actions in the Admin Console feature, step-up authentication is required to modify authentication policies applicable to Admin Console.
Fixes
- Failed Group Push operations to ServiceNow weren't displayed on the Tasks page. (OKTA-677484)
- Provisioning to UKG Pro sometimes failed due to WorkCountryCode. (OKTA-681623)
- Performing a Push Now operation on an empty push group in Okta failed to reconcile the group in Zendesk. (OKTA-701099)
- Stuck XaaS executions weren't marked as failed jobs. (OKTA-712091)
- Users who entered an invalid username into a password-first sign-in flow saw a misleading error message. This behavior occurred only in orgs that enabled the Multiple Identifiers feature and disabled User Enumeration Prevention. (OKTA-713096)
- Admins who were supposed to have access to the MFA Activity report couldn't access it. (OKTA-714995)
- When Okta detected a change in an admin's IP address, the caep_session_revoked signal wasn't sent to the SSF receiver. This occurred when the IP binding for Admin Console setting was enabled. (OKTA-717305)
- Active Directory incremental imports were converted to full imports when a new OrganizationUnit was added or an existing OrganizationUnit was renamed. (OKTA-718186)
- The Back to sign in link appeared on the Sign-In Widget (third generation) session expired page. (OKTA-718969)
- Read-only admins couldn't access the Identity Threat Protection widgets and reports. (OKTA-719582)
- Super admins with roles assigned through group assignment couldn't enable Direct Authentication grant types in an OIDC app. (OKTA-719756)
- Some users had to click Sign in with Okta FastPass twice to initiate the enrollment. (OKTA-720029)
- When running delegated flows from the Okta Admin Console, the event metadata wasn't recorded by the System Log. (OKTA-722302)
- The error displayed when deleting a realm that had associated realm assignments wasn't translated to match the locale. (OKTA-722814)
- Smart Card IdP username transformation didn't allow space characters within the username string. This functionality is only available with custom UD attributes. (OKTA-723152)
- The Edit button for modifying an SSWS API token's rate limit was disabled instead of hidden for admins who didn't have permission to update the rate limit. (OKTA-724333)
Okta Integration Network
- DigiCert (SWA) was updated. (OKTA-722381)
- Foqal Agent (SAML) is now available. Learn more.
- Kantega SSO (OIDC) is now available. Learn more.
- Kantega SSO (SAML) is now available. Learn more.
- Kantega SSO (SCIM) is now available. Learn more.
- LimbleCMMS (OIDC) now has additional redirect URIs.
- Netdata (OIDC) is now available. Learn more.
- Obsidian Security (SAML) now has an option to select the region for the ACS URL.
- SCIM 1.1 Test App (OAuth Bearer Token) now has SWA and SAML functionality.
- SCIM 2.0 Test App (OAuth Bearer Token) now has SWA and SAML functionality.
- SCIM 2.0 with Entitlements Management (Basic Auth) now has SWA and SAML functionality.
- SCIM 2.0 with Entitlements Management (Header Auth) now has SWA and SAML functionality.
- SCIM 2.0 with Entitlements Management (OAuth Header Auth) now has SWA and SAML functionality.
- Vansec (SCIM) now has updated application profile and mappings.
Weekly Updates
Fixes
- Inactive app users weren't included in group pushes for AWS Account Federation. (OKTA-678930)
- Workday imports intermittently failed due to connection resets. (OKTA-696604)
- Group queries in authentication policy rules didn't display more than 10 group names. (OKTA-699003)
- Users with a custom admin role that allows them to manage a realm couldn't import users. (OKTA-709746)
- Group IDs were sent as part of PATCH operations. (OKTA-711633)
- Users in China couldn't authenticate or enroll in authenticators on sign-in pages that required CAPTCHA verification. (OKTA-718806)
- The logOnly attribute incorrectly appeared in the System Log. (OKTA-725287)
- Sometimes actions that were taken on role assignments from entitlement bundles timed out. (OKTA-727294)
- Some UI elements in the Identity Threat Protection dashboard didn't render correctly. (OKTA-727820)
- Orgs that had Auto-enroll in all future EA features enabled in Features didn't get the Enforce MFA For Admin Console feature. (OKTA-729278)
Okta Integration Network
- Amazon WorkDocs by Aquera (SCIM) description was updated.
- Amazon WorkMail by Aquera (SCIM) description was updated.
- Asana (SWA) was updated. (OKTA-721354)
- Codefresh by Aquera (SCIM) description was updated.
- Costimize (OIDC) is now available. Learn more.
- Genian NAC (SAML) is now available. Learn more.
- Grafana by Tech Prescient (SCIM) is now available. Learn more.
- Highway (OIDC) is now available. Learn more.
- JazzHR by Aquera (SCIM) is now available. Learn more.
- NinjaOne (SAML) is now available. Learn more.
- NordLayer (SCIM) description was updated.
- Nudge Security (OIDC) description was updated.
- Pando HR (OIDC) is now available. Learn more.
- ProdPad by Aquera (SCIM) description was updated.
- Proton VPN (SAML) is now available. Learn more.
- Smartsheet SCIM (SAML) was updated to remove ACS URL and audience requirements.
- SwaggerHub by Aquera (SCIM) description was updated.
- TriNet by Aquera (SCIM) description was updated.
Okta Personal for Workforce
Okta Personal for Workforce is a set of features that allows admins to separate their users' work data from non-work data. Admins can now offer their end users a free Okta Personal account to store personal data, allow them to switch between accounts, and migrate personal apps from the Okta enterprise tenant to Okta Personal. When Okta Personal for Workforce is enabled, personalized communications are sent to end users encouraging them to use Okta Personal for personal data and Okta enterprise for work data. See Okta Personal for Workforce User Experience.
Customize branding for IdP authenticators
You can now add a custom name and logo to IdP authenticators. End users see this branding when signing in, which allows them to distinguish between different IdP authenticators. See Configure the IdP authenticator.
End-user setting for nicknaming factors
End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, “My personal cellphone” or “My office MacBook TouchID”). See the End-User documentation. This is a self-service feature.
Content security policy enforcement on end-user pages
Content Security Policy is now enforced for end-user pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for end-user pages will become stricter than this first release. This feature will be gradually made available to all orgs.
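The protection described above depends on what the policy actually allows, so a practitioner verifying a custom domain will want to inspect the header the browser receives. The following is an added example, not Okta's code and not the policy Okta ships: a small parser for the Content-Security-Policy header format that applies the default-src fallback rule and flags source expressions that leave script injection possible, run over a constructed weak policy and a constructed strict one.

```python
"""Parse a Content-Security-Policy header and flag script-related weaknesses.
Added example; the two policies at the bottom are constructed for illustration
and are not the headers Okta serves."""

# Source expressions that, in script-src, leave injected script executable
# or allow it to be fetched from an attacker-controlled origin.
RISKY_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(header: str) -> dict:
    """'dir v1 v2; dir2 v3' -> {'dir': ['v1', 'v2'], 'dir2': ['v3']}.
    Per CSP3, a repeated directive name is ignored; the first occurrence wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: dict, directive: str):
    """Fetch directives such as script-src and object-src fall back to
    default-src when absent; None means the directive is unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def audit_csp(header: str) -> list:
    """Return human-readable findings; an empty list means no weakness detected."""
    policy = parse_csp(header)
    findings = []

    script_sources = effective_sources(policy, "script-src")
    if script_sources is None:
        findings.append("no script-src or default-src: scripts may load from any origin")
    else:
        for src in script_sources:
            if src in RISKY_SCRIPT_SOURCES:
                findings.append(f"script-src permits {src}")

    # Plugins (object-src) are a classic bypass when only script-src is locked down.
    object_sources = effective_sources(policy, "object-src")
    if object_sources is None:
        findings.append("object-src unrestricted: set object-src 'none'")

    if "base-uri" not in policy:
        findings.append("base-uri absent: injected <base> can redirect relative script URLs")

    return findings


# Constructed policies for illustration.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-R4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'"

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, audit_csp(csp) or "OK")
```

The nonce and 'strict-dynamic' keywords in the strict policy are deliberately not flagged: they are the mechanism that lets a page run its own scripts without 'unsafe-inline'. Note the fallback rule: a policy that sets only default-src 'self' restricts scripts too, while one that sets only script-src leaves object-src open.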
Okta ThreatInsight coverage on core Okta API endpoints
Okta ThreatInsight coverage is now available for core Okta API endpoints (OpenID Connect & OAuth 2.0, Okta Management, and MyAccount API). Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org.
Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints.
There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
Application Entitlement Policy
Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
Descriptive System Log events
When Okta identifies a security threat, the resulting security.threat.detected entry now provides a descriptive reason for the event. See System Log.
Improvements to the self-service registration experience
Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.
New App Drawer
The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.
SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org’s apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.
Improvements to the self-service unlock process
Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application. See Configure the email authenticator.
Toggle password visibility on the Okta Sign-In page
End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Enable delegated authentication.
Email failure events in the System Log
Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.
Shareable Authentication Policies
Admins can now manage authentication policies using a centralized view. While authentication policies allowed admins the ability to make application access decisions using user, device, and other contextual information, managing these policies across hundreds of applications became challenging and error-prone. On the new Authentication Policies page, admins can create new policies, apply those policies to multiple applications, and assess what application access decisions are impacted by each policy. Two policy name changes are included in this release: app sign-on policy is renamed authentication policy, and Okta sign-on policy is renamed Global Session Policy. See Authentication policies.
Choose additional filters for Office 365 sign-on policy
Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.
Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.
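The exchange behind this grant type is defined in RFC 8628. As an added example, not Okta's code and not a description of Okta's endpoints, the following models both parties in that exchange in one process: the input-constrained device requests a device code and user code, the user approves on a secondary device, and the device polls the token endpoint, receiving authorization_pending, slow_down, and finally an access token. The client ID, hostnames, and user identity are constructed placeholders, and the clock is injectable so the polling behaviour can be stepped through deterministically.

```python
"""In-memory model of the OAuth 2.0 Device Authorization Grant (RFC 8628).
Added example with constructed placeholder values; not Okta's implementation."""
import secrets
from dataclasses import dataclass

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
# Alphabet from the RFC 8628 §6.1 example: no vowels or easily confused glyphs,
# so a code read off a TV screen is easy to type on a phone.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
VERIFICATION_URI = "https://example.okta.invalid/activate"  # placeholder host


@dataclass
class PendingAuth:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    interval: int
    status: str = "pending"  # pending | approved | denied
    last_poll: float = None
    subject: str = None


class FakeClock:
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class DeviceAuthServer:
    """Authorization-server side: device authorization endpoint, the user's
    verification step, and the token endpoint with its polling rules."""

    def __init__(self, clock, lifetime=600, interval=5):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self.by_device_code, self.by_user_code = {}, {}

    def device_authorization(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)  # high entropy, never shown to the user
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"  # short, displayed on the device
        pa = PendingAuth(client_id, scope, user_code, self.clock() + self.lifetime, self.interval)
        self.by_device_code[device_code] = pa
        self.by_user_code[user_code] = pa
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "verification_uri_complete": f"{VERIFICATION_URI}?user_code={user_code}",
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decision(self, user_code, subject, approve):
        """Secondary device: an authenticated user types the code and approves or denies."""
        pa = self.by_user_code.get(user_code.upper())
        if pa is None or pa.status != "pending" or self.clock() > pa.expires_at:
            return False
        pa.status, pa.subject = ("approved" if approve else "denied"), subject
        return True

    def _forget(self, device_code, pa):
        self.by_device_code.pop(device_code, None)
        self.by_user_code.pop(pa.user_code, None)

    def token(self, client_id, grant_type, device_code):
        if grant_type != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        pa = self.by_device_code.get(device_code)
        if pa is None or pa.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > pa.expires_at:
            self._forget(device_code, pa)
            return {"error": "expired_token"}
        if pa.last_poll is not None and now - pa.last_poll < pa.interval:
            pa.interval += 5  # RFC 8628 §3.5: client must add 5 s to its interval after slow_down
            pa.last_poll = now
            return {"error": "slow_down"}
        pa.last_poll = now
        if pa.status == "pending":
            return {"error": "authorization_pending"}
        self._forget(device_code, pa)  # terminal outcome: the device code is single-use
        if pa.status == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": pa.scope}


def run_demo():
    """Step the full exchange and return the sequence of token-endpoint outcomes."""
    clock, steps = FakeClock(), []
    srv = DeviceAuthServer(clock)
    start = srv.device_authorization("smart-tv-client", "openid profile")
    poll = lambda: srv.token("smart-tv-client", DEVICE_GRANT, start["device_code"])
    steps.append(poll()["error"])          # user has not acted yet
    clock.advance(1)
    steps.append(poll()["error"])          # polled inside the interval
    clock.advance(10)                      # interval grew to 10 s after slow_down
    srv.user_decision(start["user_code"], "alice@example.invalid", approve=True)
    resp = poll()
    steps.append("access_token" if "access_token" in resp else resp["error"])
    steps.append(poll()["error"])          # device code already consumed
    return steps


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry over to any real deployment: the device code is the secret and is only ever exchanged at the token endpoint, while the user code is a short, human-friendly handle that is only useful after the user has authenticated on the secondary device; and slow_down is enforced server-side, so a misbehaving client cannot turn polling into a brute-force channel against the user code.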
User Verification options for admins
In the Admin Console, admins can now configure whether end users are required to provide biometrics for device enrollment. See Enable Okta FastPass.
Manage admin email notification subscriptions using API endpoints
Admins can manage email subscriptions using the Admin Email Subscription API endpoints.
- Super admins can configure default subscription settings by admin type.
- All admins can manage their own admin email notification subscriptions.
End-User Dashboard and Plugin redesign
The Okta End-User Dashboard and Okta Browser Plugin have been redesigned with a modern look and feel that includes new sidebar navigation, fuzzy search, and sections that replace tabs.
Admins can enable this new design all at once or by groups. The new experience is 50% faster, more intuitive to use, and more responsive to smaller screens. Design changes also improve accessibility and app discovery for end users.
See Create sign-on policies with Okta Applications.
This feature will gradually be made available to all Preview orgs.
LDAP password reset option
LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication.
LDAP admin password reset
For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.
Incremental Imports for CSV
Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously been released to Production in 2020.09.0.
Password changed notification email
To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.
Office 365 Silent Activation
Using Okta as the Identity Provider, Okta Office 365 Silent Activation provides a seamless experience for your Microsoft Office 365 end users who access Office 365 apps on domain-joined shared workstations or VDI environments. Once your end users have signed in to a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.
End-user Welcome emails localized
The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.
People page improvements
The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.
Mobile tab available for mobile-capable apps
The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.
Provisioning page UI element change
Drop-down menus on the Provisioning page (General Settings) were standardized.
UI element change
Drop-down menus on the Provisioning page (General Settings) are standardized. See Provision applications.
Early Access features, auto-enroll
You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available.
Connecting Apps to Okta using the LDAP Interface
The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.