Okta Identity Engine release notes (2023)

January 2023

2023.01.0: Monthly Production release began deployment on January 17

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide. This feature is currently enabled by default for new orgs only.

Revoke user sessions

Admins can end all Okta sessions for an end user when resetting their password. This option protects the user account from unauthorized access. If policy allows, Okta-sourced end users can choose to sign themselves out of all other devices when performing self-service password reset or resetting their passwords in Settings. See Revoke all user sessions. This feature is now enabled by default for all orgs.

Directory Debugger for Okta AD and LDAP agents

Admins can now enable the Directory Debugger to give Okta Support access to Okta AD and LDAP agent diagnostic data. This diagnostic and troubleshooting tool accelerates issue resolution by eliminating delays in collecting data and improves communication between orgs and Okta. See Enable the Directories Debugger. This feature is being re-released.

Non-associated RADIUS agents deprecated

Access for RADIUS agents that have not been associated with an application has now been disabled. See RADIUS integrations.

Unusual telephony requests blocked by machine-learning measures

SMS and voice requests are now blocked if an internal machine-learning-based toll fraud and abuse-detection model considers the requests unusual. Telephony requests that are blocked by the machine-learning model have a DENY status in the System Log.

Enhancements

View last update info for app integrations and AD/LDAP directories

Admins can view the date an app integration was last updated by going to Applications > Applications and selecting the integration. They can view the date an AD/LDAP directory integration was last updated by going to Directory > Directory Integrations and selecting the integration.

Internet Explorer 11 no longer supported

A new banner has been added on the End-User Dashboard to notify Internet Explorer 11 users that the browser is no longer supported.

MFA report column selection

In the MFA Enrollment by User report, you can now choose which columns to hide or show in the data table. See MFA Enrollment by User report.

Early Access Features

Enhancements

AWS region support for EventBridge Log Streaming

EventBridge Log Streaming now supports all commercial AWS regions.

Fixes

General Fixes

OKTA-437264

The HEC Token field wasn't displayed correctly in the Splunk Cloud Log Stream settings.

OKTA-454996

Some users were able to access apps on non-managed devices.

OKTA-519198

Groups and apps counts displayed on the Admin Dashboard weren't always correct.

OKTA-543969

Accented characters were replaced with question marks in log streams to Splunk Cloud.

OKTA-548780

Custom domain settings were deleted during editing if the admin chose the option Bring your own certificate.

OKTA-553006

When authenticated users attempted to access an app they weren't assigned to, they were redirected to a sign-in page with a permission error.

OKTA-553364

The Custom Authenticator allowed Android users to sign in without biometric verification even though user verification was required.

OKTA-557762

In some cases when Okta Verify wasn't active, users couldn't access apps if the authentication policy had OS version conditions for device assurance.

OKTA-559571

The Help link on the Administrators page directed users to the wrong URL.

OKTA-561259

On the Edit role page, the previously selected permission types weren't retained.

OKTA-561309

A misleading error message appeared when the authentication policy rule's possession requirements required an unavailable authenticator.

OKTA-564264

Notifications for adding or renewing fingerprint authentication were sometimes not managed correctly.

Applications

Application Update

New GitHub Teams API URL: In response to GitHub's plan to sunset deprecated Teams API endpoints over the coming months, our GitHub integration has been updated to use the new /organizations/:org_id/team/:team_id path. No action needed for Okta admins.

New Integrations

OIDC for the following Okta Verified applications:

Weekly Updates

2023.01.1: Update 1 started deployment on January 23

Fixes

General Fixes

OKTA-394045

The End-User Dashboard wasn't aligned correctly when viewed on mobile browsers.

OKTA-460054

Office 365 nested security groups sometimes failed to synchronize correctly from Okta.

OKTA-522922

Not all users deactivated in an Org2Org spoke tenant were deprovisioned in the hub tenant.

OKTA-534291

Samanage/SolarWinds schema discovery didn't display custom attributes.

OKTA-544943

When a user was deactivated in Okta, the Okta Workflows and Okta Workflows OAuth app integrations weren't removed from the user's assigned app integrations.

OKTA-547756

An incorrect error message was displayed during self-service registration when an email address that exceeded the maximum length allowed was entered.

OKTA-547978

If an admin account was deleted, certificate authorities uploaded by the admin account didn't load on the Device Integrations page.

OKTA-548390

Enabling Agentless DSSO didn't create a default routing rule if no routing rules existed.

OKTA-549213

Users weren't able to activate Windows Hello after enrolling in Okta Verify for Microsoft Windows.

OKTA-550739

Users could request that one-time passwords for SMS, Voice, and Email activation be resent more times than allowed by the rate limit.

OKTA-556056

Group claims failed if a user who belonged to more than 100 groups appeared in the group claims expression results.

OKTA-558840

Some users were unable to complete self-service password resets and received an error.

OKTA-561264

Admins received an error when they used an internal URL to configure user help for device assurance policies.

OKTA-564242

Access tokens for some users didn't match the lifetime specified in the access policy rule.

OKTA-565041

Group filtering failed when more than 100 groups appeared in the list of results.

OKTA-565899

An incorrect error message appeared when users saved an empty Website URL field in their on-the-fly app settings.

OKTA-566372

Users were sometimes unable to sign in to several Office 365 apps from Okta.

OKTA-567711

In some orgs, Email Change Confirmed Notification emails were sent unexpectedly. Admins should verify that the recipient list audience settings are accurate for Change Email Confirmation and Email Change Confirmed Notification.

OKTA-567970

When users were created using the API (/users/${userId}/factors/questions), a null custom security question and answer were included in the response.

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Alibaba Cloud CloudSSO (OKTA-531834)

  • DoControl (OKTA-556624)

  • EasyLlama (OKTA-547466)

  • Extracker (OKTA-555971)

  • Saleo (OKTA-552314)

  • Verona (OKTA-551188)

  • Viewst (OKTA-555217)

  • WOVN.io (OKTA-551752)

OIDC for the following Okta Verified application:

2023.01.2: Update 2 started deployment on February 6

Generally Available

Content Security Policy enhancements

Over the next few months we are gradually releasing enhancements to our Content Security Policy (CSP) headers. During this time you may notice an increase in header sizes.

Fixes

General Fixes

OKTA-532840

Users created using Just-In-Time provisioning weren't assigned to a group when a group rule existed.

OKTA-537944

AD-sourced users received an error when resetting passwords while an Okta session was active in the browser.

OKTA-545918

Admin roles that were granted to a user through group membership sometimes didn't appear on the user's People Admin roles tab.

OKTA-551921

When a large number of profile mappings were associated with a user type, updates to the user type could time out.

OKTA-552273

Users who signed in to the End User Dashboard using a federated sign-in flow without a factor verification were shown an incorrect last sign-in time.

OKTA-552566

Users were sometimes asked to re-authenticate during an active session even though the authentication policy re-authentication frequency was set to Never re-authenticate if the session is active.

OKTA-553201

Users who scanned a Google Authenticator one-time passcode with Okta Verify received an error message and couldn't enroll in the authenticator.

OKTA-554013

Batch federation of multiple Microsoft Azure domains failed if the batch contained any child domains.

OKTA-557337

Users with apps provisioned with password sync enabled weren't challenged for multifactor authentication when they signed in from new IP addresses or a new city even though the Global Session Policy required re-authentication under those conditions.

OKTA-559661

Some org upgrades failed when a single sign-on factor was required for Admin Dashboard access and only the YubiKey, Duo Security, and Symantec VIP MFA factors were enabled but not recognized for migration.

OKTA-564420

Users couldn't sign in to their org subdomain from okta.com if Captcha was enabled.

OKTA-566285

A threading issue caused directory imports to fail intermittently.

OKTA-566682

When an admin configured an IdP routing rule that allowed users to access certain apps, the list of available apps was blank.

OKTA-566824

Sometimes super admins encountered a timeout when listing admin users on the Administrators page in the Admin Console.

OKTA-567707

A security issue was fixed. The fix requires RADIUS agent version 2.18.0.

OKTA-567972

An unclear error message was returned when a group rules API call (create, update, or activate) was made to assign users to read-only groups (for example, Everyone).

OKTA-567979

Last update information was displayed for API Service Apps and OIDC clients.

OKTA-571393

Users couldn't enroll YubiKeys with the FIDO2 (WebAuthn) authenticator and received an error message on Firefox and Embedded Edge browsers.

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Better Stack (OKTA-566261)

  • Mist Cloud (OKTA-559122)

  • Tower (OKTA-567818)

OIDC for the following Okta Verified application:

February 2023

2023.02.0: Monthly Production release began deployment on February 13

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Agents page removed from the navigation panel

The operational status of org agents moved from the Agents page of the Admin Console to the Status widget of the Admin Dashboard. See View your org agents' status.

Splunk edition support for Log Streaming integrations

The Splunk Cloud Log Streaming integration now supports GCP and GovCloud customers. You can set the Splunk edition parameter (settings.edition) to AWS (aws), GCP (gcp), or AWS GovCloud (aws_govcloud) in your log streaming integration. See Splunk Cloud Settings properties.

Custom links for personal information and password management on End-User Dashboard

If you manage end users' personal information and passwords in an external application, you can configure that application as the User Identity Source in Customizations. Using this setting, you can provide a link to the application in the End-User Dashboard. When end users click the link, they're taken to the third-party page to update their information and password.

This setting is only applicable to the end users whose personal information and password are managed outside of Okta (for example, Active Directory). See Customize personal information and password management.

You must upgrade to Sign-in Widget version 7.3.0 or higher to use this feature. See the Sign-In Widget Release Notes.

Run delegated flows from the Admin Console

With delegated flows, admins can be assigned the ability to run Okta Workflows directly from the Admin Console. Flows that are delegated to an admin appear on the Delegated Flows page where they can be invoked without signing in to the Workflows Console. This gives super admins more granular control over their admin assignments. See Delegated flows.

Full Featured Code Editor for error pages

Full Featured Code Editor integrates the Monaco code editing library into the Admin Console to make editing code for error pages more efficient and less reliant on documentation. Developers can write, test, and publish code faster with better syntax highlighting, autocomplete, autosave, diff view, and a Revert changes button. See Customize the Okta-hosted error pages.

Phishing-resistant authentication

Phishing-resistant authentication detects and prevents the disclosure of sensitive data to fake applications or websites. When users authenticate with Okta FastPass on managed devices, they're protected from phishing attacks. See Phishing-resistant authentication.

Custom app login

Custom app login is now available to limited customers in Identity Engine. Only orgs that actively used the feature in Classic Engine before they upgraded may continue to do so. Orgs that don't use custom app login should continue to use the Okta-hosted sign-in experience or configure IdP routing rules that redirect users to the appropriate app to sign in. See Custom app login.

New user enumeration prevention options

Okta now allows admins to enable user enumeration prevention for authentication or recovery flows, or both. This enhancement blocks attackers from attempting to identify user accounts and authenticator enrollments in a more granular way. See User enumeration prevention.

Enhancements

Enhanced MFA System Log event

The new user.mfa.factor.activate System Log event for FIDO2 (WebAuthn) enrollments has been enhanced. Whenever a user enrolls in the FIDO2 (WebAuthn) authenticator, Okta now records the credential's AAGUID value, whether the credential can be backed up, and allow-list authenticator group names that include the make and model of the authenticator device that was enrolled.
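The enrollment details described above (AAGUID, backup eligibility, authenticator make and model) are what an admin would feed into an allow-list review. The following is an added example, not Okta code, of that review run over newline-delimited System Log events. The event shape is deliberately simplified and the field names under debugData are assumptions for this example; only the eventType name comes from the release note. The AAGUIDs and user names in the sample are constructed placeholders, not real vendor identifiers.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// mfaEvent is an assumed, simplified shape for one System Log line. The
// field names under "debugData" are placeholders for this example and are
// not Okta's documented schema.
type mfaEvent struct {
	EventType string `json:"eventType"`
	Actor     struct {
		AlternateID string `json:"alternateId"`
	} `json:"actor"`
	DebugData struct {
		AAGUID            string `json:"aaguid"`
		BackupEligible    bool   `json:"backupEligible"`
		AuthenticatorName string `json:"authenticatorName"`
	} `json:"debugData"`
}

// Finding is one enrollment (or one bad log line) that needs admin attention.
type Finding struct {
	User, AAGUID, Reason string
}

// SampleLog is constructed input: four newline-delimited JSON events. The
// AAGUIDs are placeholders, not real authenticator identifiers.
const SampleLog = `{"eventType":"user.mfa.factor.activate","actor":{"alternateId":"alice@example.com"},"debugData":{"aaguid":"00000000-0000-0000-0000-0000000000a1","backupEligible":false,"authenticatorName":"Placeholder Hardware Key"}}
{"eventType":"user.mfa.factor.activate","actor":{"alternateId":"bob@example.com"},"debugData":{"aaguid":"00000000-0000-0000-0000-0000000000ff","backupEligible":false,"authenticatorName":"Unknown Authenticator"}}
{"eventType":"user.mfa.factor.activate","actor":{"alternateId":"carol@example.com"},"debugData":{"aaguid":"00000000-0000-0000-0000-0000000000a2","backupEligible":true,"authenticatorName":"Placeholder Platform Passkey"}}
{"eventType":"user.session.start","actor":{"alternateId":"dave@example.com"}}`

// ReviewEnrollments scans newline-delimited System Log events and flags FIDO2
// enrollments whose AAGUID is not on the allow-list, or whose credential is
// backup-eligible (a synced passkey) when policy forbids synced credentials.
// Other event types are ignored; unparseable lines are reported, not dropped.
func ReviewEnrollments(logLines string, allowed map[string]string, allowSynced bool) []Finding {
	var findings []Finding
	for _, line := range strings.Split(logLines, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev mfaEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			findings = append(findings, Finding{Reason: "unparseable log line: " + err.Error()})
			continue
		}
		if ev.EventType != "user.mfa.factor.activate" {
			continue
		}
		if _, ok := allowed[ev.DebugData.AAGUID]; !ok {
			findings = append(findings, Finding{ev.Actor.AlternateID, ev.DebugData.AAGUID, "AAGUID not on allow-list"})
			continue
		}
		if ev.DebugData.BackupEligible && !allowSynced {
			findings = append(findings, Finding{ev.Actor.AlternateID, ev.DebugData.AAGUID, "credential is backup-eligible (synced passkey)"})
		}
	}
	return findings
}

func main() {
	// Allow-list keyed by AAGUID; values are the human-readable make/model.
	allowed := map[string]string{
		"00000000-0000-0000-0000-0000000000a1": "Placeholder Hardware Key",
		"00000000-0000-0000-0000-0000000000a2": "Placeholder Platform Passkey",
	}
	for _, f := range ReviewEnrollments(SampleLog, allowed, false) {
		fmt.Printf("%-20s %-40s %s\n", f.User, f.AAGUID, f.Reason)
	}
}
```

Run as written, the sample produces two findings: bob's enrollment uses an AAGUID that is not on the list, and carol's credential is backup-eligible while synced passkeys are disallowed. Flip allowSynced to true and only bob remains. The same two signals are what an authenticator group allow-list in an authentication policy enforces at enrollment time; the log review is the after-the-fact check that the policy is doing what you expect.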

Log Streaming status messages

Log streaming status messages now include a prefix related to the log streaming operation.

Updated AWS EventBridge supported regions for Log Stream integrations

The list of supported AWS EventBridge regions has been updated based on configurable event sources. See the list of available AWS regions for Log Stream integrations.

Informative error messages for SAML sign-in

Error messages presented during a SAML sign-in flow now provide an informative description of the error along with a link to the sign-in page.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-493073

An authentication policy error message wasn't applicable in some use cases.

OKTA-493531

Users were unable to sign in using passcodes when Permit Automatic Push for Okta Verify Enrolled Users was enabled.

OKTA-501372

The People page used an incorrect field name as the sorting key.

OKTA-540894

Users who attempted to cancel a Sign in with PIV/CAC card request weren't redirected back to the custom domain.

OKTA-544814

Clicking Show More in the API Trusted Origins tab resulted in an Invalid search criteria error.

OKTA-552341

After users completed an MFA challenge and signed out, their full Okta username appeared on the Sign In page.

OKTA-554006

Clicking Save and Add another to add new attributes on the Profile Editor page didn't consistently function as expected.

OKTA-555768

Improved New Device Behavior Evaluation incorrectly identified a previously used device as new when the admin accessed the Okta Admin Dashboard.

OKTA-560752

In the Admin Console, the Japanese version of the MFA Enrollment by User report contained some English.

OKTA-566469

The Coupa integration URL displayed under the application Sign On tab was incorrect.

OKTA-567511

Users weren't assigned to applications through group assignments following an import from AD into Okta.

OKTA-567991

Signing in to the End-User Dashboard through a third-party IdP displayed an incorrect error message if the password had expired.

OKTA-568319

In the End-User Dashboard, the link to access the Okta Browser Plugin installation guide redirected users to a broken page.

OKTA-572600

Sometimes, custom email domain configurations didn't appear on the Domains page in the Admin Console.

OKTA-572333

After an org upgraded to Identity Engine, some apps with the default app sign-on policy weren't assigned to the Classic Migrated policy.

OKTA-468178

In the Tasks section of the End-User Dashboard, generic error messages were displayed when validation errors occurred for pending tasks.

App Integration Fixes

The following SWA app was not working correctly and is now fixed:

  • Paychex Online (OKTA-573082)

Applications

Application Update

The HubSpot Provisioning integration is updated with a new HubSpot Roles attribute. See Configuring Provisioning for HubSpot.

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

OIDC for the following Okta Verified applications:

Weekly Updates

2023.02.1: Update 1 started deployment on February 21

Fixes

General Fixes

OKTA-537710

Users on M1 MacBooks were unable to sign in to organizations provisioned with an OS-specific workflow.

OKTA-550348

Device authorization returned an error if the authentication policy had a condition for registered devices.

OKTA-552996

If JIT provisioning wasn't enabled for a SAML IdP, users who tried to sign in received an error message instead of being redirected to the Okta sign-in page.

OKTA-556133

End users received email notifications of new sign-on events even though such notifications were disabled in the org security settings.

OKTA-561269

The YubiKey Report wasn't generated when certain report filters were applied.

OKTA-564518

The ordering of authenticators on the Verify with something else page of the Sign-In Widget sometimes changed when the page was accessed again.

OKTA-565300

Accessibility issues on the password verification page of the End-User Dashboard prevented screenreaders from reading the text.

OKTA-565984

Case sensitivity caused usernames sent in SAML 2.0 IdP assertions not to match usernames in the destination org if a custom IdP factor was used and the name ID format was unspecified.

OKTA-566892

Sometimes MFA prompts overlapped portions of the browser sign-in pages.

OKTA-567776

Super admins weren't able to access the profile of deactivated users in some Preview environments.

OKTA-572091

Some QR codes for Okta Verify enrollment weren't scannable by iOS devices.

OKTA-572416

The Help Center link on the Resources menu directed users to the wrong URL.

OKTA-574624

In Administrators Roles, the Org Admin description was incorrect.

App Integration Fixes

The following SWA apps weren't working correctly and are now fixed:

  • Adobe Stock (OKTA-564445)
  • Adyen (OKTA-561677)
  • Airbnb (OKTA-559114)
  • AlertLogic (OKTA-560876)
  • American Express @ Work (OKTA-565294)
  • BlueCross BlueShield of Texas (OKTA-564224)
  • Drilling Info (OKTA-558048)
  • Empower (OKTA-552346)
  • Endicia (OKTA-557826)
  • Glassdoor (OKTA-564363)
  • hoovers_level3 (OKTA-562717)
  • MailChimp (OKTA-554384)
  • MY.MYOB (OKTA-553331)
  • myFonts (OKTA-566037)
  • OpenAir (OKTA-545505)
  • Paychex (OKTA-561268)
  • Paychex Online (OKTA-564325)
  • Regions OnePass (OKTA-568163)
  • Truckstop (OKTA-552741)
  • VitaFlex Participan (OKTA-562503)

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Articulate 360 (OKTA-544737)
  • Kakao Work (OKTA-556713)
  • Pleo (OKTA-564884)
  • Tower (OKTA-567818)

2023.02.2: Update 2 started deployment on March 6

Generally Available

Fixes

General Fixes

OKTA-431900

The People > Enroll FIDO2 Security Key button was visible to admins who didn't have permission to enroll authentication factors.

OKTA-452990

When a user clicked the Admin button on the End-User Dashboard using a mobile device, Okta didn't check if the user's session was still active.

OKTA-495146

The MFA Usage report and various API responses displayed different authenticator enrollment dates for users.

OKTA-503419

App catalog search results didn't include SCIM functionality labels.

OKTA-516494

Group imports from AD to Okta sometimes failed.

OKTA-558628

Some orgs experienced an error when using legacy endpoints.

OKTA-566637

The agentless DSSO just-in-time provisioning flow imported ineligible AD groups into Okta.

OKTA-566891

Users with multiple Windows Okta Verify enrollments received an error when they attempted to log in with Windows Okta Verify.

OKTA-568575

Orgs couldn't upgrade to Identity Engine if their app sign-on policy rules contained On Network or Off Network location settings.

OKTA-572089

Browsing the Provisioning tab for an app triggered a System Log update.

OKTA-574711

The sign-in process didn't exit after users selected No, It's Not Me in Okta Verify.

OKTA-574890

When the End-User Dashboard was in grid view, screen readers couldn't recognize apps as clickable links.

OKTA-576067

Custom domains couldn't be validated if there were uppercase characters in a subdomain.

OKTA-578439

Some event hook requests failed to send in Preview orgs.

OKTA-579157

For orgs that were updated to SCIM 2.0, Workplace by Facebook profile pushes that included the manager attribute failed.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Adobe Creative (OKTA-555215)

  • Asana (OKTA-566187)

  • ManageEngine Support Center Plus (OKTA-529921)

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Scalr.io (OKTA-552065)

  • Trusaic (OKTA-559106)

OIDC for the following Okta Verified applications:

March 2023

2023.03.0: Monthly Production release began deployment on March 13

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Okta LDAP agent, version 5.16.0

This version of the agent contains:

  • Use of FIPS 140-2 validated cryptographic security modules
    • bc-fips: Version 1.0.2.3
    • bcpkix-fips: Version 1.0.6
    • bctls-fips: Version 1.0.13
  • Support for LDAP agent auto-update
    • This version adds support for LDAP agent auto-update. Stay tuned for the self-service EA feature within Okta that will enable LDAP agent auto-update when available.
    • Upon agent installation on Linux platforms, we now grant the OktaLDAPService user permission to automatically install the newest agent version using the auto-update feature.
  • Bug fixes
  • Security enhancements

See Okta LDAP Agent version history.

Agents page added to the navigation panel

The operational status of org agents can now be viewed by selecting the Agents page from the navigation panel. See View your org agents' status.

Device management signal collection

Device management attestation signals are collected only when an associated endpoint management configuration is present.

Rate limit increased for Event Hooks

The number of events that can be delivered to Event Hooks is now 400,000 events per org, per day. See Hooks.

New error pages

Authenticator enrollment flow errors now redirect to user-friendly error pages.

Updated Okta logo

New Okta branding is now used for the Admin Console, the sign-in page, and the browser page favicon.

Manage the Okta loading animation for custom apps

You can now disable the default Okta loading animation (interstitial page) that appears when users are redirected to custom applications. End users are shown a blank interstitial page, instead. This allows you to present a more branded end user experience. For more information, see Customize your Okta org. This feature is being re-released.

SAML logout metadata

SAML app integration metadata details now include logout URL information when Single Logout is enabled.

OIN Manager enhancements

The OIN Manager now includes text to support API Service integrations.

System Log event

A new System Log event is created when an LDAP interface operation fails because an administrative rate limit was exceeded.

Enhanced Admin Console search

The Admin Console search now displays your search results in a user-friendly drop-down list. The list provides Top results, People, Apps, and Groups filters so you can quickly and easily find what you're looking for. See Admin Console search.

Improvements to self-service account activities for AD and LDAP users

Previously, the self-service unlock (SSU) and self-service password reset (SSPR) flows created unnecessary friction for AD and LDAP users. This enhancement introduces a seamless magic link in emails sent to unlock accounts and reset passwords. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed in directly to the application. See Configure the email authenticator.

Optional consent settings for OAuth 2.0 scopes

OAuth 2.0 Optional Consent provides an Optional setting that enables a user to opt in or out of an app's requested OAuth scopes. When Optional is set to true, the user can skip consent for that scope. See Create API access scopes.

SAML setup parameters

More setup parameters are now visible when configuring SAML as a sign-in method for app integrations. See Configure Single Sign-On options.

Log Streaming

While Okta captures and stores its System Log events, many organizations use third-party systems to monitor, aggregate, and act on event data.

Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as Amazon EventBridge in real time with simple, pre-built connectors. They can easily scale without worrying about rate limits, and no admin API token is required. See Log streaming.

OIDC Identity Providers private/public key pair support

Previously, Okta only supported the use of client secret as the client authentication method with an OpenID Connect-based Identity Provider. Okta now supports the use of private/public key pairs (private_key_jwt) with OpenID Connect-based Identity Providers. Additionally, the Signed Request Object now also supports the use of private/public key pairs. See Create an Identity Provider in Okta.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

OKTA-520182

Self-service account unlock sometimes displayed an error message even though inputs were correct.

OKTA-530926

Authentication sometimes failed for LDAP users due to a null pointer exception. The issue is fixed in LDAP agent version 5.16.0.

OKTA-544910

Target types for authentication policies and profile enrollment rules in the System Log didn't match all policy types.

OKTA-548568

Password validation caused an unexpected error during a self-service password reset.

OKTA-554109

Read-only admins were able to edit application integration pages.

OKTA-561769

A user with a Custom Administrator role could make changes to the End-User Dashboard but couldn't preview the dashboard.

OKTA-562113

Auto-population of non-English variable names in the Profile Editor didn't work as expected.

OKTA-564673

Empty groups caused LDAP delegated authentication testing to fail.

OKTA-578615

Some users could request a new one-time passcode after exceeding the limit for failed MFA attempts.

OKTA-580307

The Sign-in Widget sometimes failed to load for testing LDAP authentication.

OKTA-581530

Missing logos on the Groups page were displayed as broken links.

Applications

New Integrations

New SCIM integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Wistia (OKTA-561362)

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Adobe (OKTA-569857)

  • Adobe Stock (OKTA-564445)

  • Brex (OKTA-573146)

  • Criteo (OKTA-577154)

  • CTCC OncoEMR (OKTA-576358)

  • Lucidchart (OKTA-566188)

  • MyFonts (OKTA-566037)

  • Washington Post (OKTA-575907)

Weekly Updates

2023.03.1: Update 1 started deployment on March 20

Generally Available

Fixes

OKTA-401654

Users were able to perform an unlimited number of Security Question authentication attempts.

OKTA-464288

SMS customization wasn't restricted in free developer orgs.

OKTA-544970

When orgs used email template injection, some internal class information was visible in the message.

OKTA-551444

Device EDR rules that used Okta Expression Language were ignored if EDR signals weren't collected.

OKTA-562755

On the Admin Dashboard, the Total admins and Individually assigned counts were incorrect.

OKTA-565487

After an org was upgraded to Identity Engine, email was auto-enrolled as an authenticator for deactivated users.

OKTA-567399

A deactivated Identity Provider couldn't be reactivated.

OKTA-567906

Admins were able to configure an authenticator enrollment policy that allowed the Okta Verify Push mode but didn't allow the one-time password mode.

OKTA-570664

BambooHR reported an error when Okta attempted to update a value using the value of a custom attribute.

OKTA-576483

Admins weren't able to add a network zone with the name BlockedIPZone.

OKTA-578561

Enrollment policy rules weren't applied when the user enrolled an authenticator from the End User Settings page.

OKTA-578983

During self-service registration, users who didn't complete enrollment of optional authenticators were blocked from signing in to their apps.

OKTA-584624

Some orgs with custom domains were unable to upgrade to Identity Engine.

OKTA-585688

The client-initiated backchannel authentication flow didn't appear as a grant type option for OIDC native app integrations.

OKTA-585800

Some Cornerstone profiles failed to import due to missing information.

OKTA-589114

When orgs used daylight saving time, the Admin Dashboard and System Log event timestamps were one hour behind.

Applications

Application update

The Front SCIM integration is updated to support group push.

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

OIDC for the following Okta Verified applications:

SAML for the following Okta Verified application:

  • ASP.NET (OKTA-575640)

App Integration Fixes

The following SWA apps weren't working correctly and are now fixed:

  • Acorns (OKTA-579034)

  • GoToMeeting (OKTA-566182)

  • PayPal (OKTA-562742)

2023.03.2: Update 2 started deployment on March 27

Generally Available

Fixes

OKTA-503099

Admins were able to modify the auth_time claim for an access token using a token inline hook.

OKTA-535435

During password resets, some text strings in the Sign-In Widget weren't translated.

OKTA-545664

Active Directory Single Sign-On couldn't be completed in iFrames.

OKTA-565953

After iPhone users signed in to a SAML app through Okta, the app opened in a browser window instead of the native app window.

OKTA-566659

DocuSign group pushes failed when removing users from a group.

OKTA-568170

Some orgs couldn't disable the New Sign-On Notifications email.

OKTA-568376

Users couldn't enroll an IdP as an authentication factor if their username didn't match the case of the username in their IdP profile.

OKTA-579088

In Agents > On-premise, the Description link next to each of the agents was incorrect.

OKTA-584216

A suffix was added to the application label for new Onspring instances.

OKTA-587063

An older version of the OAuth library was included in the Okta Provisioning agent. The issue is fixed in Okta Provisioning agent 2.0.14.

OKTA-588262

The favicons for the Admin Console and End-User Dashboard were misaligned.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Laurel (OKTA-586151)

OIDC for the following Okta Verified application:

App Integration Fix

The following SWA app wasn't working correctly and is now fixed:

  • Poll Everywhere (OKTA-585747)

2023.03.3: Update 3 started deployment on April 3

Fixes

OKTA-573597

In Identity Engine orgs that were upgraded from Classic Engine, authentication policy rules that included groups and users weren't applied correctly.

OKTA-576159

On the IdP configuration page, searching for groups under JIT Settings sometimes returned an error.

OKTA-581158

System Log events for manual imports showed that the import was scheduled by Okta.

OKTA-582181

When a user requested a password reset and user enumeration prevention was enabled, the password reset error was incorrect.

OKTA-585107

The hidden permissions count on the Edit role page was incorrect.

OKTA-585478

App sign-on events with usernames that exceeded 100 characters weren't always added to the System Log.

OKTA-587347

On mobile devices, users with long email addresses couldn't see all the options in their settings dropdown menu.

OKTA-588528

When users attempted to connect to a remote server using an Okta Verify Push prompt and Number Matching Challenge wasn't enabled, an error occurred.

OKTA-592074

Screen readers read apps on the End-User Dashboard as buttons instead of links.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Bitdefender GravityZone (OKTA-575873 - Okta-hosted instructions)

  • CorporateFitness.app (OKTA-575873 - Okta-hosted instructions)

OIDC for the following Okta Verified applications:

API service app for the following Okta Verified application:

April 2023

2023.04.0: Monthly Production release began deployment on April 10

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Okta AD agent, version 3.14.0

This version of the agent contains the following changes:

  • Security enhancements.

  • Bug fixes.

  • The installer shows a warning if the service account isn't a member of the Pre-Windows 2000 Compatible Access group.

  • Migration of the Windows installer from Internet Explorer to Edge.

The installer now requires Edge WebView2. WebView2 is downloaded automatically during the agent installation if your machine is connected to the internet. If not, you must manually install it before installing the new agent version. See Okta Active Directory agent version history.

Okta Provisioning agent, version 2.0.14

This version of the agent contains security fixes. See Okta Provisioning agent and SDK version history.

OAuth 2.0 authentication for inline hooks

Okta inline hook calls to third-party external web services previously supported only header-based authentication. Although these calls are sent over TLS, a static header or custom header secret doesn't meet the more stringent security requirements of various clients and industries.

To improve the security of inline hooks, Okta now supports authentication with OAuth 2.0 access tokens. Okta presents an access token on each call, so the external web service can verify the caller before acting on the request.

When creating inline hooks in the Admin Console (or by API), administrators or developers can now select OAuth 2.0 authentication and choose between two methods of OAuth 2.0: Client Secret or Private Key. A new Key Management API and Admin Console page is also available to create public/private key pairs for use with OAuth 2.0 inline hooks. See Manage keys.

Using the OAuth 2.0 framework provides better security than Basic Authentication and is less work than setting up an IP allowlisting solution. Clients can also use access tokens minted by their own custom authorization servers to verify that it's Okta calling their web services and not an external actor. See Add an inline hook.
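The following is an added example, not Okta code and not part of these release notes, showing how the external web service on the receiving end of an inline hook can verify the OAuth 2.0 bearer token described above, next to the older static-header check it replaces. The issuer URL, audience, scope name, client ID and keys are hypothetical placeholders. The token is HS256-signed with a shared key so the example runs offline; a real authorization server signs with RS256 and the service would verify the signature against the server's published JWKS, but the claim checks (issuer, audience, expiry, scope) are the same.

```python
"""Verify the bearer token on an incoming Okta inline hook call (added example).

Assumptions (hypothetical, not from the release note): issuer, audience, scope,
client ID and keys are placeholders; HS256 with a shared key stands in for the
RS256/JWKS verification a real deployment would use.
"""
import base64
import hashlib
import hmac
import json
import time

EXPECTED_ISSUER = "https://example.okta.com/oauth2/ausHOOKS0example"  # hypothetical custom AS
EXPECTED_AUDIENCE = "api://hooks.example.internal"                  # hypothetical audience
REQUIRED_SCOPE = "okta.hooks.invoke"                                # hypothetical scope
SHARED_KEY = b"demo-only-hs256-key-do-not-use"                      # stand-in for JWKS/RS256
STATIC_HEADER_SECRET = "demo-only-static-header-secret"             # legacy header-based auth


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes = SHARED_KEY, alg: str = "HS256") -> str:
    """Build a signed JWT. Used here only to construct sample input; in production
    the authorization server mints the token, never the hook service."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_hook_token(token: str, now=None, key: bytes = SHARED_KEY) -> dict:
    """Return the claims if every check passes; raise ValueError otherwise.
    Order matters: reject unexpected algorithms before touching the signature,
    and verify the signature before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # also rejects alg=none downgrade attempts
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud:  # a token minted for another API must not work here
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("token not yet valid")
    if REQUIRED_SCOPE not in claims.get("scp", []):  # Okta custom AS tokens carry scopes in 'scp'
        raise ValueError("missing scope")
    return claims


def authorize_hook_request(headers: dict, now=None):
    """Decide whether an incoming hook call may proceed: (True, claims) or (False, reason)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    try:
        return True, validate_hook_token(auth[len("Bearer "):], now=now)
    except ValueError as exc:
        return False, str(exc)


def check_static_header(headers: dict, expected: str = STATIC_HEADER_SECRET) -> bool:
    """The older header-based scheme: one long-lived shared secret compared in
    constant time. Nothing here proves freshness, audience or issuer."""
    return hmac.compare_digest(headers.get("X-Hook-Auth", ""), expected)


# Constructed sample claims, shaped like an Okta custom authorization server token.
NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
    "sub": "0oahookclient0example", "cid": "0oahookclient0example",  # hypothetical client ID
    "scp": [REQUIRED_SCOPE], "iat": NOW, "exp": NOW + 3600,
}

if __name__ == "__main__":
    good = mint_token(SAMPLE_CLAIMS)
    print(authorize_hook_request({"Authorization": "Bearer " + good}, now=NOW))
    forged = mint_token(SAMPLE_CLAIMS, key=b"attacker-key")
    print(authorize_hook_request({"Authorization": "Bearer " + forged}, now=NOW))
```

The audience check is the one most often skipped: without it, any valid token the same authorization server issued for a different API would be accepted by the hook endpoint.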

API Service Integrations

Using an OAuth 2.0 connection, which is more secure than API tokens, this integration type uses the Core Okta API to access or modify resources like System Logs, apps, sessions, and policies. See API Service Integrations.

OIN Manager support for Workflow Connector submission

Okta Workflows is a no-code, if-this-then-that logic builder that Okta orgs can use to automate custom or complex employee onboarding and offboarding flows in your application. You can now publish Workflow connectors that you create with the Workflows Connector Builder in the Okta Integration Network (OIN) catalog. Publishing a Workflows Connector with Okta allows your customers to deeply integrate your product with all other connectors in the catalog. Submit your Workflow Connector by using the OIN Manager. See Submit an integration for Workflows connectors.

Configurable rate limits available for OAuth 2.0 apps

Rate limit violations mainly occur on authenticated endpoints. Currently, it isn't clear which OAuth 2.0 authenticated app consumes all the rate limits for an org. This increases the risk that one app consumes the entire rate limit bucket. To avoid this possibility, Okta admins can now configure how much rate limit capacity an individual OAuth 2.0 app can consume by editing the Application rate limits tab for each app. By setting a capacity on individual OAuth 2.0 apps, Okta admins have a new tool to monitor and investigate rate limit violations, and have the ability to view rate limit traffic generated by individual OAuth 2.0 apps. See Rate limit dashboard bar graph.

Authentication policy rule enhancement

When admins select the Any 1 factor type option in an authentication policy, the Possession factor constraints section isn't shown. This helps guide admins in making configuration choices that achieve the desired level and type of assurance. There is also a new advanced mode view that shows the JSON code of the authentication policy rule. It appears when admins edit a rule that was created before this feature was enabled, when their org has any authentication policy rules in which the Any 1 factor type option was selected, and when possession factor constraints were configured. This gives admins a summary of the options that were selected before this feature was activated. See Add an authentication policy rule.

Support added for DPoP with service apps

Okta now supports Demonstrating Proof-of-Possession (DPoP) for service apps. Note that service apps can achieve the same level of security by using private_key_jwt for client authentication. See Configure OAuth 2.0 Demonstrating Proof-of-Possession and Client authentication.

Multiple IdP profiles in Google Workspace

The Google Workspace integration now supports multiple IdP profiles. See How to Configure SAML 2.0 for Google Workspace.

Okta FastPass enhancements

Okta FastPass silently collects device signals in every authentication attempt.

Early Access Features

Import users to Office 365 using Microsoft Graph API

This feature allows Okta to process imports using the Microsoft Graph API. This background process doesn't change existing procedures and makes imports more scalable, supporting Microsoft 365 tenants with larger numbers of users, groups, and group memberships. See Import users to Office 365 using Microsoft Graph API.

Fixes

OKTA-511637

If users clicked the reveal password icon in the Sign-In Widget before they entered their password, blank spaces were removed upon submission.

OKTA-528821

Verification pages in the Sign-In Widget were inconsistent for the self-service password recovery and self-service unlock flows.

OKTA-557115

SSO on mobile devices where an OIDC token exchange occurred between two apps sometimes failed for the second app.

OKTA-562885

Some users were prompted to sign in with a username and password even if Sign in with Okta FastPass was selected.

OKTA-567476

Users could not sign in to Office 365 using SWA due to an error in the SSO rule.

OKTA-570362

The End-User Dashboard displayed email confirmation notifications for users who didn't change their primary email.

OKTA-573667

The dates on the Agent auto-update settings page in the Admin Dashboard were missing the year.

OKTA-578369

The Expired Password URL was displayed instead of the password reset flow when a user's password was about to expire.

OKTA-581516

HTML wasn't formed correctly in SAML responses.

OKTA-586482

Sometimes users couldn't enroll in or set up On-Prem MFA or RSA SecurID.

OKTA-588390

Token Preview for custom authorization servers failed for group claims with more than 100 groups.

OKTA-592588

The Routing rules tab on the Identity Providers page wasn't hidden for users without admin permissions.

OKTA-593452

The Everyone group in Okta couldn't be imported through the Okta Org2Org app.

Applications

New Integrations

SAML for the following Okta Verified applications:

OIDC for the following Okta Verified application:

Weekly Updates

2023.04.1: Update 1 started deployment on April 17

Fixes

  • OKTA-529298

    Renaming an individually selected organizational unit in Active Directory caused it to be unselected in Okta when imported.

  • OKTA-571266

    Token exchange errors occurred when users selected Keep me signed in during sign-in flows for Native SSO or the Okta AWS CLI.

  • OKTA-573682

    Some of the widgets on the Admin Dashboard didn't use the correct date and time format.

  • OKTA-578310

    Some labels and error messages related to assigning applications were untranslated.

  • OKTA-584757

    Sometimes group push operations to ServiceNow failed.

  • OKTA-586222

    If orgs upgraded to Identity Engine with a Factor Sequencing chain, users couldn't enroll authenticators when they signed in.

  • OKTA-586995

    Some text strings in the Authenticator enrollment pages weren't translated.

  • OKTA-588493

    Some text strings in the Authentication policy Add Rule dialog weren't translated.

  • OKTA-592839

    In orgs with user enumeration prevention enabled, users in a staged status received an error when they tried to sign in.

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

OIDC for the following Okta Verified application:

App Integration Fix

The following SWA app wasn't working correctly and is now fixed:

  • Adobe Stock (OKTA-564445)

2023.04.2: Update 2 started deployment on May 1

Generally Available

Okta Verify for Windows EXE bundle

On the Admin Console Downloads page, the Okta Verify for Windows app is now available as a single EXE bundle that includes MSI files. A separate MSI file is no longer available for this app. See Deploy Okta Verify to Windows devices.

Fixes

  • OKTA-475223

    On the Admin Dashboard, the Tasks menu Pending and Complete labels overlapped with the dropdown icon.

  • OKTA-500841

    The RADIUS server agent was incorrectly listed among Disconnects and reconnects under System notifications.

  • OKTA-541966

    The Back to sign in link sometimes failed to return the user to the sign-in page.

  • OKTA-549472

    In identifier-first sign-in flows, users weren't notified when they exceeded the password lock out setting.

  • OKTA-555152

    The shortcut URL /login/default didn't always go to the End User Dashboard.

  • OKTA-564388

    When Multibrand was enabled, orgs couldn't add an email domain that they'd previously deleted.

  • OKTA-566659

    Pushing group changes to Docusign failed when a member was removed from a group or a group push mapping was removed in Okta.

  • OKTA-567763

    After orgs were upgraded to Identity Engine, the IWA tab and IWA Agents were still displayed on the Agents page available from the Admin Dashboard.

  • OKTA-568489

    Pushing groups for provisioning to Office 365 failed if the groups already existed.

  • OKTA-568851

    Some URLs on multifactor authentication app pages pointed to incorrect destinations.

  • OKTA-571178

    When orgs using custom sign-out URLs upgraded to Identity Engine, users received misleading error messages.

  • OKTA-573390

    When users attempted to edit their profiles, they received an Okta Verify Push prompt and their profile page remained in read-only mode after they responded to the prompt. If they tried to edit their profile again, users encountered an authentication loop.

  • OKTA-579360

    Users were still active in the hub org after being deactivated in a spoke org.

  • OKTA-583585

    Admins were unable to update passwords for SWA apps in orgs with certain configurations.

  • OKTA-585424

    When session authentication method references (session.amr) were expected in SAML responses, multiple channel authentication (mca) information was missing for IdP plus phone authentication.

  • OKTA-585741

    Empty values for attribute statements in SAML assertions didn't remove previously specified values.

  • OKTA-586713

    The variable ${baseURL} in the HTML for some email templates didn't resolve in the browser.

  • OKTA-587325

    After activating their accounts, users who enrolled through the Sign up link received an error if they clicked Set up later on the Security methods page.

  • OKTA-588140

    The Delegated flows page was visible to orgs that hadn't configured any delegable flows.

  • OKTA-588408

    Admins could configure the Maximum Okta session lifetime setting for a global session policy rule that denied access.

  • OKTA-591800

    When the sign-in page was edited using the code editor, the event type system.custom_error.update was logged.

  • OKTA-592655

    After upgrading to Identity Engine, production orgs failed to redirect users to Salesforce for SP-initiated SSO.

  • OKTA-593131

    Some attributes previously added to user profiles from incoming SAML responses weren't cleared when the attribute was later omitted.

  • OKTA-594051

    Sometimes new users created through self-service registration applications received inaccurate errors when they signed in.

  • OKTA-594268

    Multiple Smart Card IdPs couldn't be added or updated on the Smart Card IdP Authenticator Settings page.

  • OKTA-595042

    A successful MFA that followed unsuccessful MFA attempts mistakenly locked out users.

  • OKTA-596437

    When the API Service Integration feature was disabled, a query for inactive app integrations incorrectly returned a list with revoked API service integrations.

  • OKTA-597697

    When Multibrand was enabled, orgs couldn't reset the default application for the Sign-In Widget.

  • OKTA-599024

    In Okta Expression Language, user.status returned incorrect values.

  • OKTA-599062

    On the Push Groups to Active Directory page, Okta admins were unable to view all the organizational units.

  • OKTA-599243

    When the redesigned resource editor feature was enabled, admins could save the Add Resource screen without selecting a resource.

  • OKTA-602563

    In orgs that were upgraded to Identity Engine, some users received a 404 error when they opened the Okta Verify app to approve a push notification.

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

OIDC for the following Okta Verified applications:

App Integration Fix

The following SWA app wasn't working correctly and is now fixed:

  • Louisiana Medicaid (OKTA-578791)

2023.04.3: Update 3 started deployment on May 8

Fixes

  • OKTA-570851

    Some app provisioning error strings weren't translated.

  • OKTA-578140

    End users could delete all of their enrolled factors.

  • OKTA-587935

    If a new user abandoned and then resumed an activation flow, they received an activation email with the ${oneTimePassword} macro visible.

  • OKTA-588661

    When users clicked expired email sign-in tokens, they received incorrect error messages.

  • OKTA-591232

    Logos weren't correctly displayed on email templates.

  • OKTA-597761

    Some unsupported apps were included in the authentication policy mapping count.

  • OKTA-599684

    When Active Directory users were added through an import or JIT provisioning, their application groups were retrieved from an incorrect domain. This caused an internal error that prevented users from signing in to Okta.

  • OKTA-601320

    When an OpenID Connect authorization request included an empty IdP query parameter, users were sent to a blank sign-in page.

  • OKTA-604536

    The toolkit used by the Okta Confluence Authenticator and Okta Jira Authenticator included an outdated library. The issue is fixed in version 3.2.2 of the toolkit.

  • OKTA-607199

    ThreatInsight temporarily prevented non-malicious users from accessing Okta.

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

May 2023

2023.05.0: Monthly Production release began deployment on May 15

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Okta AD agent, version 3.15.0

This version of the agent contains the following changes:

  • Bug fixes. The Active Directory (AD) agent auto-update health check caused auto-update to fail when upgrading from version 3.13.0 to 3.14.0.

See Okta Active Directory agent version history.

Okta On-Prem MFA agent, version 1.7.0

This version includes support for extended client session timeout. See Install the On-Prem MFA Agent.

Confluence Authenticator, version 3.2.2

This release contains security fixes. See Okta Confluence Authenticator version history.

Okta Jira Authenticator, version 3.2.2

This release contains security fixes. See Okta Jira Authenticator Version History.

Import users to Office 365 using Microsoft Graph API

This feature allows Okta to process imports using the Microsoft Graph API. This background process doesn't change existing procedures and makes imports more scalable, supporting Microsoft 365 tenants with larger numbers of users, groups, and group memberships. See Import users to Office 365 using Microsoft Graph API. This feature will be gradually made available to all orgs.

OAuth 2.0 On-Behalf-Of Token Exchange

On-Behalf-Of Token Exchange helps retain the user context in requests to downstream services. It provides a protocol approach to support scenarios where a client can exchange an access token received from an upstream client for a new token by interacting with the authorization server. See Set up OAuth 2.0 On-Behalf-Of Token Exchange.

Number Matching Challenge for Okta Verify

When an org enables the Number Matching Challenge feature, it's always enforced for Okta Verify during self-service password resets.

Okta Expression Language matches operator deprecated

The Okta Expression Language matches operator that is used to evaluate a string against a regular expression is deprecated. This feature is currently enabled by default for new orgs only.

Okta administrators group for all org admins

A default Okta administrators group is now available in every Okta org. The new group allows you to create sign-on policies that automatically apply to all admins in your org. See Groups.

Improved email magic link authentication experience

Email magic links have been enhanced to allow end users to authenticate in two different contexts. They can authenticate in the same location where they click the link and quickly return to the application context. Or, if the end user clicks the link in a different browser, they can enter a one-time password to proceed with authentication. Previously when using email magic links to sign in to an application, end users had to return to the original browser location where they initiated the sign-in attempt. Okta ensures that end users can prove ownership of both the originating tab and the tab where they clicked the email magic link. See Configure the email authenticator and Sign in to resources protected by Okta. This feature is now enabled by default for all orgs.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide. This feature is now enabled by default for all orgs.

Improvements to the self-service password reset experience

Previously, the self-service password reset (SSPR) flow created unnecessary friction in the user experience. The newly enhanced SSPR feature introduces a seamless magic link experience for password reset emails. Users no longer need to provide consent when using the same browser. After a successful password reset where the password meets the application's assurance policy, the user is signed in directly to the app. See Configure the email authenticator. This feature is now enabled by default for all orgs.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application. See Configure the email authenticator. This feature is now enabled by default for all orgs.

Improvements to self-service account activities for AD and LDAP users

Previously, the self-service unlock (SSU) and self-service password reset (SSPR) flows created unnecessary friction for AD and LDAP users. This enhancement introduces a seamless magic link in emails sent to unlock accounts and reset passwords. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed in directly to the application. See Configure the email authenticator. This feature is now enabled by default for all orgs.

Help links for standard admin roles

In Administrators > Roles, each standard admin role now provides a link to its corresponding help page. This allows admins to quickly and easily locate the documentation that supports their standard role assignments.

Unauthorized IdP setup options hidden

Two group-related options on the IdP configuration page were visible to admins in a custom role that lacked group viewing permissions: Auto-Link Restrictions in Authentication Settings and Group Assignments in JIT Settings. Now these settings are visible only when the user has the appropriate permissions.

More events eligible for hooks

The following System Log events are now eligible for event hooks:

  • group.application_assignment.add

  • group.application_assignment.remove

  • group.application_assignment.update

New legal disclaimer in Okta Trial accounts

A new legal disclaimer is displayed on the Add Person dialog in Okta trial accounts to prevent sending unsolicited and unauthorized activation emails.

Okta branding changes for the Admin Console

Branding updates to headings, fonts, colors, borders, and logos are now available in the Admin Console.

Additional measures to counter toll fraud

For SMS and voice authentications, additional mitigation measures now help counter phone number-based toll fraud.

Early Access Features

Event hook filters

You can now filter individual events of the same event type based on custom business logic hosted in Okta. These filters reduce the number of events that trigger hooks, removing unnecessary load on your external service.

This feature includes an improved creation workflow for event hooks and a new Filters tab that you can use to create event filters with direct Expression Language statements or with a simple UI format.

Using event hook filters significantly reduces the number of event hook requests and the need for custom filtering code on your respective services. See Edit an event hook filter.

Fixes

  • OKTA-566113

    After changing the display language for an Okta org from English to another language, some text was still displayed in English.

  • OKTA-580684

    In the Okta Expression Language, the isMemberOfGroupNameContains expression couldn't differentiate underscores and hyphens, which caused unexpected user membership assignments.

  • OKTA-587429

    Admins saw Okta FastPass listed in the GET /api/v1/users/{userId}/factors response for users who didn't enable the factor.

  • OKTA-595053

    Users who clicked Back to sign in before setting up their security methods were incorrectly notified that their configuration was successful. This occurred only in orgs with custom domains.

  • OKTA-596444

    Users received an error message after successfully performing a self-service account unlock.

  • OKTA-596600

    For apps with Group Push enabled, the Application Push Groups tab displayed incorrect dates and times.

  • OKTA-597396

    Pushing groups from Okta to Microsoft Office 365 sometimes failed if an empty group description was updated.

  • OKTA-599408

    GMT timezones couldn't be selected correctly in the System Log.

  • OKTA-600867

    The YubiKey Reports page wasn't properly translated.

  • OKTA-600874

    When a user responded to a Custom Push prompt while attempting to edit their profile, the profile displayed in read-only mode. If the user tried to edit their profile again, an authentication loop occurred.

  • OKTA-603305

    On the Edit resource set page, an error appeared when an admin deleted a resource type and then added it again. This occurred when the redesigned resource editor feature was enabled.

  • OKTA-607249

    Service clients with the correct permissions couldn't modify policies that contained the Okta Administrator Group.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified applications

Weekly Updates

2023.05.1: Update 1 started deployment on May 22

Fixes

  • OKTA-542869

    Users were prompted to set up voice call authentication even though SMS authentication was already set up in the Phone authenticator.

  • OKTA-570696

    Some placeholder values in the Password Changed email template weren't translated.

  • OKTA-588667

    After creating accounts, some users weren't able to complete the sign-in process.

  • OKTA-596446

    Error summary messages weren't written to the System Log when custom errors occurred during an import inline hook operation.

  • OKTA-597490

    The LDAP interface didn't return any result for a deactivated user when the cn value was combined with other filters.

  • OKTA-597959

    Okta users authenticating through Agentless Desktop SSO (ADSSO) were sometimes incorrectly shown a migration-check error message.

  • OKTA-601618

    Email change confirmation notices came from an Okta test account rather than a brand-specific sender.

  • OKTA-603731

    Macros in email subjects weren't processed correctly for some email templates.

  • OKTA-604404

    Imports performed during UltiPro maintenance resulted in inconsistent data being returned.

  • OKTA-604914

    When the redesigned resource editor feature was enabled, admins couldn't add individual applications to their resource sets.

  • OKTA-609336

    Incorrect descriptions were displayed on the Agents > On-premise tab.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified applications

2023.05.2: Update 2 started deployment on May 30

Fixes

  • OKTA-414791

    LDAP requests resulted in an error if the memberOf filter didn't include a Group DN.

  • OKTA-423781

    The Privacy link on the Okta dashboard wasn't translated.

  • OKTA-585123

    When the Full Featured Code Editor was enabled, some admins couldn't edit the Sign-In Widget version or their sign-in page draft changes.

  • OKTA-591228

    Admins with a custom role couldn't receive user reports of suspicious activity in email notifications.

  • OKTA-592530

    A deleted policy rule was still referenced in the System Log when a user signed in to Office 365.

  • OKTA-594682

    Sometimes user session IDs weren't unique per session.

  • OKTA-595145

    After a user enrolled in Okta Verify, the session displayed inconsistent AMR values.

  • OKTA-599276

    SSO on mobile devices where an OIDC token exchange occurred between two apps sometimes failed for the second app.

  • OKTA-599817

    Scope grant requests failed if any of the scope names contained periods.

  • OKTA-602635

    Some text on the Administrator assignment by role page wasn't translated properly.

  • OKTA-602794

    Token inline hooks failed even when a URL claim name was correctly encoded with a JSON pointer.

  • OKTA-602932

    FastPass Smart Signal Collection attempted to gather signals from users without Okta Verify.

  • OKTA-603996

    WebAuthn enrollment sometimes failed if the authentication policy enforced hardware-protected possession constraints.

  • OKTA-604825

    When an admin added the Manage users permission to a role, any existing permission conditions were removed. Also, admins with restricted profile attributes could edit those attributes on their own profile.

  • OKTA-609070

    Some users couldn't unlock their accounts if they had multiple Okta Verify and phone authenticator enrollments.

  • OKTA-613226

    Some of the new Okta branding changes weren't displayed in the Admin Console.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

API service app for the following Okta Verified applications

OIDC for the following Okta Verified applications

2023.05.3: Update 3 started deployment on June 12

Fixes

  • OKTA-516583

    The application logo wasn't displayed on the Groups page for some groups.

  • OKTA-554024

    Some users received a Bad Request message after successfully unlocking their accounts.

  • OKTA-566503

    When no tokens were listed on the API Tokens page, the displayed message wasn't translated.

  • OKTA-572820

    Deleting large numbers of IdP routing rules with API calls caused System Log discrepancies.

  • OKTA-577794

    The destination in SAML responses sometimes didn't match the Assertion Consumer Service URL in signed authentication requests.

  • OKTA-583072

    The System Log showed that an MFA reset notification email was sent when that notification option was disabled and no email was sent.

  • OKTA-595603

    The Forgot Password link didn't work unless orgs enabled User Enumeration Prevention and disabled Profile Enrollment.

  • OKTA-597009

    The Microsoft Team Exploratory licenses weren't imported correctly into Okta, which prevented users from provisioning the correct licenses.

  • OKTA-599540

    HTTP replies to SP-initiated SAML requests contained two session IDs, which sometimes caused user sessions to expire unexpectedly.

  • OKTA-599994

    The Honor Force Authentication SAML setting didn't work with Agentless Desktop Single Sign-on (ADSSO).

  • OKTA-602946

    On password hash import, users couldn't change their passwords even after the minimum password age setting period.

  • OKTA-604985

    Approvers received duplicate task approval requests when users requested an app from the End-User Dashboard.

  • OKTA-605016

    In the Add Dynamic Zone dialog, the Bagmati region of Nepal was missing from the State/Region dropdown menu.

  • OKTA-605955

    Users were prompted for Okta FastPass or WebAuthn after they'd satisfied the possession requirements of an authentication policy.

  • OKTA-606914

    Some orgs weren't migrated to newly deployed default app versions.

  • OKTA-607167

    The search bar in the Groups tab on the user profile page didn't display the placeholder text correctly.

  • OKTA-610185

    When the Conditions for Admin Access feature was enabled, restricted profile attributes were visible in User > Profile for imported users.

  • OKTA-611235

    After upgrading to Identity Engine, some orgs experienced undesired behavior with apps that shared authentication policies.

  • OKTA-611867

    The Active User Statuses field didn't appear in some configurations.

  • OKTA-612177

    Some users in China didn't receive one-time passwords through SMS.

  • OKTA-612312

    Admins couldn't delete a custom email domain if it was used by multiple orgs.

  • OKTA-612972

    When the redesigned resource editor feature was enabled, large sets of resources were displayed outside of the Add Resource dialog, and the tooltip didn't specify the resource limit.

  • OKTA-613226

    Some of the Okta branding changes weren't displayed in the Admin Console.

  • OKTA-613979

    The Microsoft Office 365 Sign On tab displayed incorrect information in the Metadata details section.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

API service app for the following Okta Verified application

OIDC for the following Okta Verified applications

June 2023

2023.06.0: Monthly Production release began deployment on June 20

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Okta Provisioning agent, version 2.0.15

This release of the Okta Provisioning agent contains vulnerability fixes. See Okta Provisioning agent and SDK version history.

Multibrand customizations

Multibrand customizations allow customers to use one org to manage multiple brands and multiple custom domains. This drastically simplifies multi-tenant architectures where customers create multiple orgs to satisfy branding requirements. Multibrand customizations allow orgs to create up to three custom domains (more upon request), which can be mapped to multiple sign-in pages, multiple sets of emails, error pages, and multiple versions of the End-User Dashboard. See Branding.

Device assurance remediation instructions in the sign-in widget

When users try to access Okta-protected resources from devices that don't meet device assurance policies, access is denied. To help users troubleshoot, you can now enable remediation messages in the Sign-In Widget. This helps users learn why they can't access an app and how to fix the problem. The messages also include links to more troubleshooting instructions. See Add user help for device assurance.

Smart Card IdP with Agentless DSSO

When a Smart Card IdP is configured, Okta can now be set up so that users sign in with Agentless DSSO without being prompted.

Facebook at Work integration enhancement

Facebook at Work uses the Okta Expression Language to map the manager attribute. This allows admins to adjust how the manager attribute is stored in the user profile so they can choose between an id field or a name.

Transactional verification with CIBA

Organizations are constantly looking for ways to offer a frictionless user experience without compromising security. It becomes even more challenging when the users try to perform sensitive transactions. Okta uses Client-initiated Backchannel Authentication (CIBA) to provide customers with a simple and secure transaction verification solution.

CIBA extends OIDC to define a decoupled flow in which authentication, or verification of a transaction, is initiated on one device and completed on another. The device on which the OIDC application initiates the transaction is called the consumption device, and the device on which the user verifies it is called the authentication device. See Create OpenID Connect app integrations.
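The decoupled exchange described above, as an added example that is not part of these release notes or of Okta's code. Both sides are simulated in one process: an in-memory stand-in for the OP's backchannel authentication and token endpoints, a consumption device that starts a transaction and polls, and an authentication device on which the user approves it. The endpoint names and the ciba grant type come from the CIBA Core specification; Okta's real URLs are not used, and the client credentials, user, binding message and clock are constructed for the example.

```python
"""Simulated CIBA (OpenID Connect Client-Initiated Backchannel Authentication)
transaction flow. Added illustration, not Okta code. Client id, secret, user,
binding message and clock are constructed; the server stands in for the OP."""
import hmac
import secrets

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant_type used when polling the token endpoint


class FakeClock:
    """Injectable clock so the polling flow runs without sleeping."""
    def __init__(self, start=1_700_000_000):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class AuthorizationServer:
    """Minimal in-memory OP. Transactions are keyed by auth_req_id."""

    def __init__(self, clients, clock, ttl=120, interval=5):
        self.clients, self.clock, self.ttl, self.interval = clients, clock, ttl, interval
        self.requests = {}

    def _client_ok(self, client_id, client_secret):
        expected = self.clients.get(client_id)
        return expected is not None and hmac.compare_digest(expected.encode(), client_secret.encode())

    def bc_authorize(self, client_id, client_secret, login_hint, scope, binding_message):
        """Consumption device -> OP. Nothing is authorised yet; the user must act on
        the authentication device before the token endpoint issues anything."""
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        if "openid" not in scope.split():
            return {"error": "invalid_scope"}
        auth_req_id = secrets.token_urlsafe(32)
        self.requests[auth_req_id] = {
            "client_id": client_id, "user": login_hint, "scope": scope,
            "binding_message": binding_message, "approved": False,
            "expires_at": self.clock() + self.ttl, "last_poll": None,
        }
        return {"auth_req_id": auth_req_id, "expires_in": self.ttl, "interval": self.interval}

    def pending_for_user(self, user):
        """Authentication device -> OP: transactions waiting for this user, with the
        binding message the user must compare against what the consumption device shows."""
        return [(rid, r["binding_message"]) for rid, r in self.requests.items()
                if r["user"] == user and not r["approved"]]

    def approve(self, auth_req_id, user, binding_message_seen):
        """Authentication device -> OP. Approval is bound to the exact message the
        user saw, so a swapped or tampered transaction is not approved by mistake."""
        req = self.requests.get(auth_req_id)
        if req is None or req["user"] != user:
            return False
        if not hmac.compare_digest(req["binding_message"].encode(), binding_message_seen.encode()):
            return False
        req["approved"] = True
        return True

    def token(self, client_id, client_secret, grant_type, auth_req_id):
        """Consumption device -> OP token endpoint, poll mode."""
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(auth_req_id)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}  # unknown, already redeemed, or another client's id
        now = self.clock()
        if now >= req["expires_at"]:
            del self.requests[auth_req_id]
            return {"error": "expired_token"}
        if req["last_poll"] is not None and now - req["last_poll"] < self.interval:
            return {"error": "slow_down"}  # client must add 5 s to its polling interval
        req["last_poll"] = now
        if not req["approved"]:
            return {"error": "authorization_pending"}
        del self.requests[auth_req_id]  # auth_req_id is single use
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "scope": req["scope"], "expires_in": 3600}


def run_transaction(approved_message=None):
    """Walk one transaction through both devices; returns the three poll results."""
    clock = FakeClock()
    op = AuthorizationServer({"pos-terminal-17": "constructed-secret"}, clock)
    client = ("pos-terminal-17", "constructed-secret")
    message = "Pay EUR 120.00 to Shop 17?"
    start = op.bc_authorize(*client, "alice@example.com", "openid payments", message)
    clock.advance(start["interval"])
    first = op.token(*client, CIBA_GRANT, start["auth_req_id"])  # user has not acted yet
    for rid, shown in op.pending_for_user("alice@example.com"):
        op.approve(rid, "alice@example.com", approved_message or shown)
    clock.advance(start["interval"])
    second = op.token(*client, CIBA_GRANT, start["auth_req_id"])
    replay = op.token(*client, CIBA_GRANT, start["auth_req_id"])  # a redeemed id must not work twice
    return first, second, replay
```

run_transaction() returns authorization_pending on the first poll, a token once the user has approved the matching binding message, and invalid_grant on any replay of the redeemed auth_req_id; passing a different approved_message shows that an approval for a different binding message does not release the token. The binding message is the user's only defence against approving a transaction other than the one they started, so the consumption device must display it and the OP must refuse approvals that do not quote it.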

Flexible deny enrollment options for SSO and recovery scenarios

Admins now have the option to deny enrollment to any authenticator for both SSO and recovery scenarios. Previously, admins could only deny authenticator enrollment to users signing in with SSO. This enhancement gives granular control to admins when configuring authenticator enrollment policies for either scenario. See Configure an authenticator enrollment policy rule.

Enhancement to the Remember Last-Used Factor feature

On the Sign-In Widget, if a user clicks Verify with something else and then selects a new authentication method, the Remember Last-Used Factor feature no longer retains the user's previously selected factor. This helps streamline the sign-in and authentication flow.

Device probing enhancement

You can now collect device signals from every authentication with Okta FastPass. By collecting fresh device signals, you enhance the overall security of your org. Note that users might receive additional verification prompts. See Okta FastPass.

New System Log events for Workflows subfolders

The System Log now displays the following subfolder events for Okta Workflows:

  • workflows.user.folder.create
  • workflows.user.folder.rename
  • workflows.user.folder.export
  • workflows.user.folder.import
  • workflows.user.table.schema.import
  • workflows.user.table.schema.export

New event for hooks

The user.authentication.sso event is now eligible for use in event hooks.
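An endpoint that consumes this event, added here as an example; it is not Okta's code and not part of the release notes. It answers Okta's one-time verification request by echoing the X-Okta-Verification-Challenge header, checks the shared secret the hook was configured with before parsing anything, and extracts who signed in to which app from user.authentication.sso events. The header name, secret and sample payload are constructed; the verification challenge and the data.events[] layout follow the Okta event hook reference as the author recalls it, so confirm field names against the current docs.

```python
"""Event hook endpoint for user.authentication.sso. Added example, not Okta code.
Header name, shared secret and the sample payload below are constructed; the
challenge header and data.events[] layout are assumed from the event hook reference."""
import hmac
import json

AUTH_HEADER = "Authorization"              # header name chosen when the hook was created
SHARED_SECRET = "constructed-hook-secret"  # value Okta sends in that header


def _authorized(headers):
    """Constant-time check of the hook's shared secret; done before any parsing."""
    presented = headers.get(AUTH_HEADER, "")
    return hmac.compare_digest(presented.encode(), SHARED_SECRET.encode())


def summarize(event):
    """Pull the fields a detection pipeline usually keys on from one event."""
    apps = [t.get("displayName") for t in event.get("target", []) if t.get("type") == "AppInstance"]
    return {
        "user": event.get("actor", {}).get("alternateId"),
        "apps": apps,
        "result": event.get("outcome", {}).get("result"),
        "ip": event.get("client", {}).get("ipAddress"),
    }


def handle_event_hook(method, headers, body):
    """Returns (status, response_body). GET is Okta's one-time endpoint verification;
    POST carries one or more events. Unauthenticated calls of either kind are refused."""
    if not _authorized(headers):
        return 401, {"error": "unauthorized"}
    if method == "GET":
        challenge = headers.get("X-Okta-Verification-Challenge")
        if not challenge:
            return 400, {"error": "missing challenge"}
        return 200, {"verification": challenge}
    if method != "POST":
        return 405, {"error": "method not allowed"}
    try:
        events = json.loads(body)["data"]["events"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed payload"}
    sso = [summarize(e) for e in events if e.get("eventType") == "user.authentication.sso"]
    return 200, {"sso": sso}


SAMPLE_POST = json.dumps({  # constructed delivery with one SSO event and one unrelated event
    "eventType": "com.okta.event_hook",
    "data": {"events": [
        {"eventType": "user.authentication.sso",
         "actor": {"alternateId": "alice@example.com", "type": "User"},
         "client": {"ipAddress": "203.0.113.7"},
         "outcome": {"result": "SUCCESS"},
         "target": [{"type": "AppInstance", "displayName": "Example SAML App"}]},
        {"eventType": "user.session.start",
         "actor": {"alternateId": "bob@example.com"},
         "outcome": {"result": "SUCCESS"}},
    ]},
})
```

handle_event_hook("GET", headers, "") with a valid secret and a challenge header returns the echo body Okta expects during verification; a POST with SAMPLE_POST returns only the SSO event, summarised. Respond 2xx quickly and do the expensive work (enrichment, alerting) asynchronously, since Okta retries deliveries that do not get a timely success response.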

Enhanced reports value selection

The following reports provide improved selectors for Users, Groups, and Apps in the filters configuration:

  • Telephony Usage
  • User App Access
  • Group Membership
  • User Accounts
  • Past Access Requests
  • Past Campaign Summary
  • Past Campaign Details
  • MFA Enrollment by User

Universal Directory attribute and enum limits

Universal Directory now has limits to the number of attributes per org and the number of enums that can be defined for a single attribute.

Smart Card authenticator available for more orgs

Smart Card authenticator is now available for orgs using Customer Identity Cloud with MFA or Adaptive MFA.

Early Access Features

Phishing-resistant authentication with Okta FastPass on unmanaged iOS devices

While Okta FastPass can protect users against phishing attacks in most cases, it can't secure authentication on unmanaged iOS devices. To close this gap, Okta is rolling out phishing resistance for Okta FastPass on unmanaged iOS devices. With this change, users who authenticate with Okta FastPass on their personal or unmanaged iOS devices are protected from phishing attacks. See Multifactor authentication.

This feature requires Okta Verify version 8.2.1.

Fixes

  • OKTA-508715

    The System Log recorded events for inactive Okta FastPass users.

  • OKTA-516348

    Clicking the help link on the Sign-In Widget opened the URL in the same tab.

  • OKTA-520205

    Apple product names were used in place of platform names in the Admin Console.

  • OKTA-543277

    Admins couldn't change the labels of base attributes in profile enrollment policies.

  • OKTA-558186

    Pushing new users to the Genesys app with the Sync Password option disabled failed with a bad request error message.

  • OKTA-588559

    The max_age=0 parameter wasn't treated the same as prompt=login in OAuth 2.0 /authorize requests.

  • OKTA-592400

    Invalid attributes in the UISchema prevented admins from adding attributes to the default profile enrollment policy.

  • OKTA-597490

    Searches in the LDAP interface didn't return results for a deactivated user when the common name (cn) value was combined with other filters.

  • OKTA-600091

    The email change notification triggered from the Admin Dashboard sometimes displayed an Okta subdomain instead of the org's custom domain.

  • OKTA-603669

    The network zone fields on the Add Rule and Edit Rule pages for authentication and global session policies didn't display special characters correctly.

  • OKTA-607434

    Unhelpful error messages appeared when the NameIdPolicy was unspecified in SAML client requests that required signed requests.

  • OKTA-611709

    On the Administrators page, the Resource set, Role, and Admin icon labels weren't translated.

  • OKTA-615063

    After upgrading to Identity Engine, orgs with Okta Verify enrollments encountered an error when they added an active Custom Push Authenticator.

  • OKTA-615404

    When an admin searched for a group with more than 1000 members, the Top results tab displayed 1001 instead of 1000+.

  • OKTA-615412

    The Identity Provider (IdP) AMR claims mapping feature ignored the IdP admin configuration for trusting AMR claims.

  • OKTA-616169

    When the Assign admin roles to public client app feature was enabled, admins couldn't assign roles to groups.
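OKTA-588559 in the list above is about the server honouring max_age=0 as a demand for fresh authentication. The relying party should not rely on that alone: the only proof that the user actually re-authenticated is the auth_time claim in the ID token, which OpenID Connect Core makes mandatory whenever max_age was requested. The following is an added example of the client-side checks, not Okta's code; the issuer, client ID, redirect URI and sample claims are constructed, and signature verification is assumed to have happened already.

```python
"""Relying-party checks for a max_age=0 request. Added example, not Okta code.
ISSUER, CLIENT_ID, the redirect URI and the claims used in the test are constructed;
the token's signature is assumed to have been verified before these checks run."""
import secrets
import time
from urllib.parse import urlencode

ISSUER = "https://example.okta.com/oauth2/default"   # constructed
CLIENT_ID = "0oa-example-client"                       # constructed
CLOCK_SKEW = 30                                        # seconds of tolerance for exp/auth_time


def build_authorize_url(redirect_uri, max_age):
    """Authorization request that demands fresh authentication. The caller stores
    state and nonce server-side and checks both when the response comes back."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid profile",
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce, "max_age": max_age}
    return f"{ISSUER}/v1/authorize?{urlencode(params)}", state, nonce


def validate_id_token_claims(claims, nonce, max_age, now=None):
    """ID token claim checks (OIDC Core 3.1.3.7) applied after signature verification.
    Returns the list of failed checks; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        problems.append("aud")
    if claims.get("exp", 0) + CLOCK_SKEW < now:
        problems.append("exp")
    if claims.get("nonce") != nonce:
        problems.append("nonce")
    if max_age is not None:
        # When max_age was requested, auth_time is REQUIRED in the ID token and the
        # authentication must be no older than max_age (OIDC Core 2 and 3.1.2.1).
        auth_time = claims.get("auth_time")
        if auth_time is None:
            problems.append("auth_time missing")
        elif now - auth_time > max_age + CLOCK_SKEW:
            problems.append("auth_time too old")
    return problems
```

With max_age=0 the server is expected to re-prompt, and validate_id_token_claims then accepts a token whose auth_time is within the skew window and rejects one whose auth_time is stale or absent. A client that skips the auth_time check cannot tell a fresh step-up from a silently reused session, which is exactly the gap the fix closes on the server side.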

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration app is now Generally Available in the OIN:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified application

Weekly Updates

2023.06.1: Update 1 started deployment on June 26

Generally Available

Sign-In Widget, version 7.7.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

  • OKTA-549617

    The Application Usage report didn't include SSO events for RADIUS-enabled apps.

  • OKTA-551193

    Some users encountered a server error during inbound SAML authentication.

  • OKTA-557618

    Some end users encountered a server error when completing an Okta Verify challenge.

  • OKTA-570405

    User activation email templates for Okta trial orgs didn't have a current legal disclaimer in the footer.

  • OKTA-596780

    When a user's OIDC IdP authentication factor enrollment failed, no System Log event was recorded.

  • OKTA-599156

    In some orgs, the access denied error message didn't display custom URLs correctly.

  • OKTA-605001

    Admins could edit profile attributes that they didn't have permission to edit, which caused errors.

  • OKTA-605968

    Some orgs couldn't change the default email template variant for a custom brand.

  • OKTA-607193

    HealthInsight didn't include admins with custom roles when it evaluated the percentage of admins with super admin privileges.

  • OKTA-610007

    Customers that used the Zoom Identity Attestation feature without API Access Management enabled couldn't complete the sign-in flow.

  • OKTA-614168

    The YubiKey report incorrectly showed that a revoked key was last used instead of the current key.

  • OKTA-616067

    Users could access the End-User Dashboard after Okta Verify enrollment even though the Global Session Policy disallowed access.

  • OKTA-618295

    The Smart Card authenticator was incorrectly named the Smart Card IdP.

  • OKTA-618732

    The SMS authentication factor couldn't always be set up for Australian phone numbers.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

OIDC for the following Okta Verified applications

2023.06.2: Update 2 started deployment on July 10

Fixes

  • OKTA-564847

    Sign-out errors sometimes appeared as raw JSON text rather than triggering an Okta error page.

  • OKTA-579735

    When a user account was unenrolled in Okta Verify, the linked device remained active.

  • OKTA-581496

    Some apps that had provisioning enabled appeared on the Provisioning Capable Apps reports.

  • OKTA-588414

    Users who were removed from an Okta group using an API call were added back to the group because of the group rules.

  • OKTA-588559

    The max_age=0 parameter wasn't treated the same as prompt=login in OAuth 2.0 /authorize requests.

  • OKTA-602343

    The System Log didn't display client details for user_claim_evaluation_failure events if a token inline hook was enabled.

  • OKTA-602566

    Apps using a custom identity source displayed user and group assignments in the General tab.

  • OKTA-603563

    Custom authenticator allowed multiple enrollments on the same device for the same user.

  • OKTA-604491

    Users were sometimes unable to display authorization server access policies in the Admin Console.

  • OKTA-612193

    The System Log for Okta FastPass didn't include authNRequestId.

  • OKTA-613164

    Some admins could access IdP configuration editing pages without sufficient permissions.

  • OKTA-617952

    When the Redesigned Resource Editor feature was enabled, super admins couldn't preview the resource set assignments for the access requests and access certifications admin roles.

  • OKTA-619651

    My Okta didn't load when the Enable Sync Account Information setting wasn't selected.

  • OKTA-621542

    For SAML IdP configurations, searches for a user group to assign to the app sometimes failed to stop.

  • OKTA-627295

    NetSuite couldn't be provisioned to new users.

Applications

Application Updates

The following SCIM integrations now support group push:

  • Rootly

  • Zerotek

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified applications

App Integration Fixes

The following SWA apps weren't working correctly and are now fixed:

  • Bill.com (OKTA-617155)

  • Chatwork (OKTA-612555)

  • CrowdStrike Falcon (OKTA-606550)

  • EmblemHealth (OKTA-616627)

  • HelloSign (OKTA-606499)

  • MYOB Essentials (OKTA-611408)

  • NearMap.com (OKTA-619941)

The following SAML app wasn't working correctly and is now fixed:

  • ManageEngine (OKTA-571050)

July 2023

2023.07.0: Monthly Production release began deployment on July 17

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Sign-In Widget, version 7.8.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.17.0

This version of the agent contains:

  • Migration of the Windows installer from Internet Explorer to Edge
  • The service OktaLDAPAgent stop command now correctly terminates agents installed on Red Hat and CentOS platforms
  • Security enhancements

See Okta LDAP Agent version history.

System Log time zone formats updated

In the System Log, the time zone dropdown menu now provides additional information about each available time zone. See System Log.

App Password Health report uses browser time zone

On the App Password Health report, last-reset request dates and times are now based on the browser's time zone settings. See App Password Health report.

Okta-generated client secret length increase

The length of Okta-generated client secrets is increased from 40 to 64 characters.

Updated Okta logo

A branding update to the Okta groups logo is now available in the Admin Console.

RADIUS sign-in error prevention

For orgs that upgraded from Classic Engine, if the Okta Verify authenticator is configured with number challenge, the challenge may be presented unexpectedly to RADIUS users. This can prevent users from using RADIUS with Okta Verify because RADIUS doesn't support the number challenge today. For upgraded orgs, a new feature is enabled that prevents any such errors. See RADIUS applications in Okta.

New authenticator management functionality

Okta now enables you to manage which authenticators are allowed in your org for new enrollments, authentication enrollment policies, and user verification. You can view a list of all Okta-recognized authenticators, create authenticator groups, and use them in policies. This allows admins to have greater control over which authenticators may be used in their orgs and determine which users may access them in a granular way. See Configure the FIDO2 (WebAuthn) authenticator.

Google Authenticator available for account recovery

Admins may now allow their users to initiate account recovery scenarios with Google Authenticator, Email, Phone, or Okta Verify. Increasing the number of options available for recovery enhances the user experience. See Configure the password authenticator.

Early Access Features

IdP permissions for custom admin roles

Admins can now leverage new Identity Provider management permissions when creating custom admin roles. These permissions allow more precise access control and reinforce the principle of least privilege. See Role permissions.

Admin Console Japanese translation

When you set your display language to Japanese, the Admin Console is now translated. See Supported display languages.

Front-channel Single Logout

Front-channel Single Logout (SLO) allows a user to sign out of an SLO-participating app on their device and end their Okta session. Okta then automatically sends a sign-out request to all other participating apps that the user accessed during their session. See Configure Single Logout in app integrations.

Fixes

  • OKTA-556787

    During step-up verification, multiple indistinguishable enrollments for the smart card authenticator were displayed. Now only one smart card authenticator enrollment is displayed.

  • OKTA-602939

    The Admin role assignments report email wasn't translated.

  • OKTA-615453

    Some text strings were incorrect on the End-User Dashboard layout page.

  • OKTA-623542

    The link to the Access Policy Simulation help topic on the Features page was incorrect.

Applications

Application Updates

  • The Rybbon app integration has been rebranded as BHN Rewards.

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN:

  • Apono: For configuration information, see Okta SCIM.

SAML for the following Okta Verified applications

App Integration Fixes

The following SWA app was not working correctly and is now fixed:

  • BlueHost (OKTA-620224)

Weekly Updates

2023.07.1: Update 1 started deployment on August 1

Fixes

  • OKTA-457661

    Testing the Agentless Desktop Single Sign-on configuration with an active Okta session failed with an error.

  • OKTA-599540

    HTTP replies to SP-initiated SAML requests contained two session IDs, which sometimes caused user sessions to expire unexpectedly.

  • OKTA-605041

    An unclear error message appeared when an admin created a role or resource set with a long name.

  • OKTA-606195

    Some users couldn't access Okta on a shared workstation until they cleared cookies from the browser.

  • OKTA-606938

    Log streaming apps were incorrectly included in the number of assigned apps shown for the default policy on the Authentication policies page.

  • OKTA-612727

    The Admin Dashboard Tasks table displayed an incorrect number of provisioning-capable apps.

  • OKTA-612875

    After managerId was removed from the Salesforce schema in Okta, it couldn't be added again.

  • OKTA-613076

    In the Sign On tab of Office 365, the Okta MFA from Azure AD option appeared disabled. When the option was switched to edit mode, it was enabled.

  • OKTA-613162

    Admins couldn't manually create a new user with a password when the password was configured as an optional authenticator.

  • OKTA-613394

    Users couldn't sign in with a PIV in an Org2Org flow.

  • OKTA-615345

    Some admins couldn't view the password for SWA applications that were assigned a common username and password.

  • OKTA-615407

    For custom SAML apps, the last-selected authenticator wasn't saved and reused for subsequent admin sign-in events.

  • OKTA-615441

    Some users couldn't sign in with Agentless Desktop Single Sign-on because routing rules were re-evaluated during the sign-on process.

  • OKTA-615457

    The Edit resources to a standard role page didn't display apps that had the same name.

  • OKTA-617528

    The auto-update schedules for the Active Directory and LDAP agents were incorrectly shown as up-to-date, even when a new version was released.

  • OKTA-617817

    Admins were sometimes unable to access the Admin Console from a custom domain.

  • OKTA-618825

    The Okta-hosted Sign-In Widget displayed the wrong error message to users who were locked out.

  • OKTA-619704

    Newly provisioned users who signed in with a PIV prior to setting a password couldn't set a password later without admin intervention.

  • OKTA-620153

    ACS URL validation failed for orgs that used SAML SSO with Okta-to-Okta IdP configurations and had subdomain names that weren't all lowercase characters.

  • OKTA-620651

    Validation messages that appeared during a self-service upgrade to Identity Engine incorrectly stated that a configuration change was required.

  • OKTA-622541

    In the Self-Service Unlock when Account is not Locked email template, the base URL variable wasn't replaced with the Okta tenant URL.

  • OKTA-626022

    Some Active Directory agents that had previously failed to auto-update were incorrectly marked as Queued for update, despite being updated to the latest version.

  • OKTA-627415

    On the Features page, the link to access the LDAP Agent Auto-update documentation was broken.

  • OKTA-628522

    RADIUS agent libraries contained internal security issues. Fixes require upgrading to agent version 2.19.0 and using Microsoft Edge as the browser.

Applications

Application Update

  • The OpenPath app integration has been rebranded as Avigilon Alta.

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified applications

2023.07.2: Update 2 started deployment on August 7

Generally Available

Sign-In Widget, version 7.8.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

  • OKTA-604448

    Some text on the Groups page wasn't translated.

  • OKTA-613162

    Admins couldn't manually create a user with a password when the password was configured as an optional authenticator.

  • OKTA-618825

    The Okta-hosted Sign-In Widget displayed the wrong error message to users who were locked out.

  • OKTA-620583

    On the Add Resource dialog, the list of search results was misaligned.

  • OKTA-620873

    Admins couldn't upload PEM-formatted certificates containing encrypted private keys for RADIUS apps.

  • OKTA-622783

    The initial expiresIn date for the Salesforce authentication token wasn't set from the API.

  • OKTA-626593

    Admins couldn't access the Create new resource set page directly from a URL.

  • OKTA-631303

    Admins couldn't access the Administrator assignment by role page. This occurred when a public client app with a custom client ID was assigned a standard admin role.

Applications

New Integrations

SAML for the following Okta Verified applications:

OIDC for the following Okta Verified applications:

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • E-OSCAR (OKTA-624390)

  • UPS (OKTA-625886)

  • UPS CampusShip (OKTA-624286)

August 2023

2023.08.0: Monthly Production release began deployment on August 14

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Okta AD agent, version 3.16.0

When the executor.log and coordinator.log files exceed 5 MB in size, the contents roll over into executor.log.old and coordinator.log.old files.

Okta Active Directory Federation Services Plugin, version 1.7.13

Version 1.7.13 of the Okta Active Directory Federation Services (ADFS) Plugin is now available for download. It includes support for Microsoft Windows Server 2022 and includes bug fixes and security hardening. See Okta ADFS Plugin version history.

Telephony inline hook required for phone authenticator

New orgs now require a Telephony inline hook to use the phone authenticator. You can connect an external telephony provider with Okta using the inline hook. See Configure the phone authenticator. Alternatively, you can acquire the Okta SMS/Voice SKU.
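What the inline hook endpoint has to do, as an added example that is not Okta's code and not from the release notes: authenticate the call with the shared secret configured on the hook, take the phone number, channel and message text from data.messageProfile, hand them to the telephony provider, and answer with a com.okta.telephony.action command reporting success or failure. The request and response shapes follow the telephony inline hook reference as the author recalls it and should be confirmed against the current docs; the header name, secret, provider name, accepted channel names and sample request are constructed, and the provider call is a stub standing in for a real SMS/voice API.

```python
"""Telephony inline hook endpoint. Added example, not Okta code. Request/response
shapes are assumed from the telephony inline hook reference; header name, secret,
provider, channel names and SAMPLE_REQUEST are constructed; send() is a stub."""
import hmac
import json
import re

AUTH_HEADER = "Authorization"
SHARED_SECRET = "constructed-hook-secret"
E164 = re.compile(r"^\+[1-9]\d{6,14}$")   # ITU E.164: + followed by up to 15 digits
CHANNELS = {"SMS", "VOICE CALL"}           # assumed deliveryChannel values; check the reference


def _authorized(headers):
    presented = headers.get(AUTH_HEADER, "")
    return hmac.compare_digest(presented.encode(), SHARED_SECRET.encode())


def fake_provider_send(channel, phone, text):
    """Stand-in for the telephony provider. Returns a transaction id or raises."""
    if phone.startswith("+1555"):            # constructed rule: fictional numbers are undeliverable
        raise RuntimeError("undeliverable")
    return "tx-" + str(abs(hash((channel, phone, text))) % 10**8)


def handle_telephony_hook(headers, body, send=fake_provider_send):
    """Returns (status, response). A provider failure is reported in-band as status
    FAILED so Okta can fall back to its own delivery instead of seeing an opaque 5xx."""
    if not _authorized(headers):             # unauthenticated callers must not be able to trigger SMS
        return 401, {"error": "unauthorized"}
    try:
        profile = json.loads(body)["data"]["messageProfile"]
        channel, phone = profile["deliveryChannel"], profile["phoneNumber"]
        text = profile["msgTemplate"]        # already contains the OTP: never log it
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed request"}
    if channel not in CHANNELS or not E164.match(phone):
        return 400, {"error": "unsupported channel or phone number"}
    try:
        tx = send(channel, phone, text)
        value = {"status": "SUCCESSFUL", "provider": "EXAMPLE-PROVIDER",
                 "transactionId": tx, "transactionMetadata": f"channel={channel}"}
    except RuntimeError as exc:
        value = {"status": "FAILED", "provider": "EXAMPLE-PROVIDER",
                 "transactionId": "", "transactionMetadata": f"error={exc}"}
    return 200, {"commands": [{"type": "com.okta.telephony.action", "value": [value]}]}


SAMPLE_REQUEST = json.dumps({  # constructed; trimmed to the fields the handler reads
    "eventType": "com.okta.telephony.provider",
    "data": {"messageProfile": {"msgTemplate": "Your verification code is 482913",
                                "phoneNumber": "+14155550123",
                                "deliveryChannel": "SMS",
                                "otpCode": "482913"}},
})
```

handle_telephony_hook with the correct header and SAMPLE_REQUEST returns the SUCCESSFUL command; with a wrong secret it returns 401 before touching the provider, which matters because an open telephony endpoint is a direct route to SMS pumping and toll fraud. Rate-limit per phone number at the provider layer as well, since the hook will faithfully relay whatever enrollment and challenge volume Okta sends it.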

Hardware-protected FIDO2 WebAuthn available

Hardware-protected FIDO2 WebAuthn as defined by the FIDO Metadata Service is now available in authentication policies when the Hardware-protected checkbox is selected. See Configure the FIDO2 (WebAuthn) authenticator.

Integrate with any identity source

To get Okta's full HR-driven provisioning and LCM functionality for an HR integration, customers previously had to use one of five pre-integrated HR systems or build complex custom code with the Okta Users API to replicate some of Okta's LCM functionality for other identity sources.

With Anything-as-a-Source (XaaS), customers now have the flexibility to connect any identity source to Okta and realize the full benefits of HR-driven provisioning with a simpler solution. See Anything-as-a-Source.

Smart Card authenticator available

You can add a new Smart Card authenticator that enables PIV to be used in authentication policies. You can also restrict the authentication policies to use only Smart Card Authenticator as MFA. See Configure the Smart Card authenticator.

Getting Started video for new orgs

The Getting Started page now displays an introductory video. The video provides a quick overview of the common tasks and functions for new orgs, and helps admins familiarize themselves with the Admin Console. See Get started with Okta.

API service integration client secret rotation in the Admin Console

New in this release is the ability to rotate client secrets for an API service integration through the Admin Console. Previously, if a customer wanted to update the client secret for an API service integration, they had to reinstall the integration to obtain a new client ID and secret. There was no option to revoke the client secret while maintaining the client ID and API service integration instance in Okta. With this new feature, customers can generate a new secret, deactivate an old secret, and remove a deactivated secret from the API service integration instance. These functionalities help customers implement security best practices without service downtime. See API Service Integrations.

New event types for User Auth Events

Two additional event types are now available under User Auth Events:

  • User's session was cleared
  • User's MFA factor was updated

New application lifecycle event hook

An event hook to deny user access due to a condition in an authentication policy is now available to admins. See Create an event hook.

Polling enhancements for Agentless DSSO

When the server is in SAFE_MODE, Agentless DSSO polling signs in a user if they are in ACTIVE state in Okta.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

  • OKTA-575884

    The Okta Active Directory Federation Services (ADFS) Plugin wrote errors to the plugin log when users attempted to sign in.

  • OKTA-595086

    The display of the authorization server Access Policies page froze with large numbers of policies.

  • OKTA-596293

    After upgrades to Identity Engine, users were sometimes asked to re-authenticate when refreshing their Okta dashboards even though the sessions were still valid.

  • OKTA-606898

    Some users got stuck in a password expiration warning loop when they signed in with AD delegated authentication and updated their password.

  • OKTA-610347

    Some orgs couldn't add more than 50 global session policies.

  • OKTA-617816

    After orgs upgraded to Identity Engine, the application name in Okta Verify push notifications disappeared.

  • OKTA-626699

    On the Administrator assignment by admin page, the Role dropdown list sometimes displayed duplicate admin roles.

  • OKTA-626968

    The error message that appeared when the admin attempted to add an inactive Smart Card IdP to the authenticator didn't mention the name of the IdP.

  • OKTA-631657

    Users were sometimes improperly redirected to a device-posture provider when none was configured in the authentication policy.

  • OKTA-631752

    Adding some IdPs as Factor only caused errors.

  • OKTA-632786

    Admins could require Smart Card in an authentication policy even when it wasn't set up as an authenticator.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified applications

Weekly Updates

2023.08.1: Update 1 started deployment on August 22

Fixes

  • OKTA-619028

    Read-only admins received user reports of suspicious activity email notifications in error.

  • OKTA-624193

    The Access Testing Tool results showed an incorrect value for the profile enrollment self-service registration option.

  • OKTA-627533

    Removing the emailAuthenticationLink variable from the email template didn't update the Sign-In Widget.

  • OKTA-631142

    Orgs using a custom client_id in their OAuth2 client apps were unable to delete enrolled users.

  • OKTA-632131

    OpenID Connect /token requests using the SAML 2.0 Assertion grant type flow failed if the SAML assertion expiry was greater than 30 days.

  • OKTA-632850

    Slack provisioning didn't automatically retry after exceeding rate limits.

  • OKTA-633585

    The on-demand auto-update banners for the Active Directory agent displayed updates in a random order.

  • OKTA-634923

    Users weren't present in the import queue after being unassigned from an app.

  • OKTA-635579

    When a super admin went to the Groups Admin Roles tab, the Edit group assignments button was mislabeled.

  • OKTA-636652

    The Administrators page wasn't translated to Japanese.

Applications

Application Update

  • Group push and group import are now available for the Smartsheet SCIM integration.

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications:

OIDC for the following Okta Verified applications:

2023.08.2: Update 2 started deployment on August 28

Fixes

  • OKTA-601623

    When configuring an API Service Integration (either through the Admin Console or using APIs), admins could set a JWKS URL using HTTP instead of HTTPS.

  • OKTA-620953

    When user enumeration prevention wasn't enabled, the UserId and user profile were visible in the network response prior to authentication.

  • OKTA-621214

    Long custom label text was sometimes truncated on the Sign-In Widget during enrollment.

  • OKTA-621253

    Email Change Confirmed Notification messages weren't sent if the audience was set to Admin only.

  • OKTA-627175

    Some tasks displayed a greater-than sign (>) instead of the date.

  • OKTA-630368

    RADIUS logs showed multiple, repetitious Invalid cookie header warning messages.

  • OKTA-634010

    Users who were locked out of Okta but not Active Directory could receive Okta Verify push prompts and sign in to Okta.

  • OKTA-637641

    Some users received a Bad Request error when they signed in with Okta FastPass.

  • OKTA-639427

    When admins added a new user in Preview orgs, the Realm attribute appeared on the dialog.

Applications

New API Service Integration applications:

OIDC for the following Okta Verified applications:

2023.08.3: Update 3 started deployment on September 5

Fixes

  • OKTA-620655

    When an error occurred during Identity Engine upgrades, a Customer Config Required message appeared instead of an Okta Assistance Required message.

  • OKTA-622753

    The Access Testing Tool allowed access to applications even though authenticator enrollment was denied.

  • OKTA-641043

    Admins could select values from disabled dropdown menus.

Applications

Okta Verified applications:

September 2023

2023.09.0: Monthly Production release began deployment on September 18

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Sign-In Widget, version 7.10.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.18.0

This version of the agent contains security enhancements.

Note: In Windows, the LDAP Agent auto-update feature isn't capable of deploying all security enhancements that are introduced in version 5.18. To completely deploy all security enhancements from this release, all LDAP agents running version 5.17 or earlier must be uninstalled, and version 5.18 must be manually installed. See Install the Okta LDAP Agent.

Okta MFA Credential Provider for Windows, version 1.3.9

This release includes bug fixes, security enhancements, and support for an additional top-level domain. See Okta MFA Credential Provider for Windows Version History.

Chrome Device Trust connector integration

With the introduction of the Chrome Device Trust Connector integration for Device Assurance, administrators can create policies that ensure compliance with specific device requirements prior to accessing resources protected by Okta. This integration between Okta and Google facilitates access policies that receive device posture signals directly from a Google API backend, eliminating the need for any agent deployment. As a result, users logging in to a ChromeOS device, or managed Chrome browser, benefit from enhanced authentication security through device security signals.

Authentication challenge for redirects

Users now receive an authentication challenge for each redirect sent to an Identity Provider with Factor only configured, even if the IdP session is active.

Access Testing tool

With the Access Testing tool you can quickly and easily test policies and validate whether your desired security outcomes will be achieved. This tool allows you to simulate user access attributes, such as IP address, device, risk, and so on, to test whether the user will be granted access to the specified application. The tool helps you identify potential security risks and compliance issues before you implement a policy. See Access Testing Tool.

Custom Identity Source app available

The Custom Identity Source app is now available in Okta Integration Network.

Count summary added to report

The User accounts report now displays the total number of records returned for the report.

Product Offers dashboard widget

A Product Offers widget now displays on the Admin Dashboard for super and org admins. The widget provides a cost- and commitment-free way for admins to explore and test the capabilities of various Okta products. When a new free trial is available, admins can click Get started to activate it, or Not interested to dismiss the widget.

Okta Verify requirements for self-service upgrades

Orgs with incorrect Okta Verify enrollment settings are now notified of configuration requirements before they upgrade to Identity Engine.

Automatically assign the super admin role to an app

Admins can now automatically assign the super admin role to all of their newly created public client apps. See Work with the admin component.

Device attributes label update

Some device attribute labels are renamed for clarity and to accommodate the new Chrome Device Trust connector.

Okta apps and plugin no longer available to certain users

Beta users of the PingFederate MFA plugin can no longer create Okta apps or download the plugin.

Early Access Features

Custom admin roles with device permissions

You can now create custom admin roles with permissions to view and manage devices. You can add the Devices to your resource set and then specify device permissions for your custom admin. See Create a resource set and Devices permissions.

Okta FastPass and Smart Card options on Sign-in page

Currently, if you configured both the Sign in with Okta FastPass option and Smart Card as an authenticator, users only see the Okta FastPass option when they sign in. With this feature, you can make both options available for your users during the sign-in process. See Configure the Smart Card authenticator.

Enhanced security of Okta Verify enrollments

To ensure users enroll in Okta Verify in a phishing-resistant manner, a Higher security methods option now appears on the authenticator configuration page. With this option, users can't enroll with QR code, email, or SMS link. See Configure Okta Verify options.

Fixes

  • OKTA-570804

    The RADIUS Server Agent installer for versions 1.3.7 and 1.3.8 didn't prompt users to install missing C++ runtime libraries on Microsoft Windows servers.

  • OKTA-574216

    Reconciling group memberships sometimes failed for large groups.

  • OKTA-578184

    The inbound delegated authentication endpoint didn't correctly handle errors when the authentication request wasn't associated with an org.

  • OKTA-592745

    Full and incremental imports of Workday users took longer than expected.

  • OKTA-605996

    A token inline hook secured by an OAuth 2.0 private key returned an error for all users except super admins.

  • OKTA-616604

    The password requirements list on the Sign-In Widget contained a grammatical error.

  • OKTA-616905

    Events weren't automatically triggered for Add assigned application to group, Remove assigned group from application, and Update Assign application group event hooks.

  • OKTA-618302

    Application users weren't created when a required application user attribute was missing.

  • OKTA-619102

    Invalid text sometimes appeared in attribute names.

  • OKTA-619179

    A timeout error occurred when accessing a custom report for UKG Pro (formerly UltiPro).

  • OKTA-619419

    Group admins could see their org's app sign-in data.

  • OKTA-624387

    Sometimes attempting to change an app's username failed due to a timeout.

  • OKTA-627559

    Access policy evaluation for custom authorization servers was inconsistent when default scopes were used.

  • OKTA-628944

    Email notifications from Okta Verify were sent from the default domain address instead of the email address configured for the brand.

  • OKTA-631621

    Read-only admins couldn't review the details of IdP configurations.

  • OKTA-633431

    When an Okta Org2Org integration encountered an API failure, the resulting error message was displayed in Japanese.

  • OKTA-634308

    Group app assignment ordering for Office 365 apps couldn't be changed.

  • OKTA-636839

    Smart Card IdP users couldn't set a password after signing in for the first time.

  • OKTA-637259

    An error occurred when importing users from Solarwinds Service Desk.

  • OKTA-641062

    The link to Slack configuration documentation was invalid.

  • OKTA-641447

    Super admins couldn't save new custom admin roles.

  • OKTA-648092

    New admins didn't get the Support app in their End-User Dashboard.

Okta Integration Network

App updates

  • The CoRise app integration has been rebranded as Uplimit.

New Okta Verified app integrations

App integration fixes

  • American Express Online (OKTA-637925)
  • hoovers_level3 (OKTA-637274)
  • MSCI ESG Manager (OKTA-637624)
  • PartnerXchange (OKTA-632251)
  • Staples Advantage (OKTA-639141)

Weekly Updates

2023.09.1: Update 1 started deployment on September 25

Generally Available

Sign-In Widget, version 7.10.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Content security policy enforcement extended for custom domains

Content Security Policy is now enforced for all non-customizable pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for all non-customizable pages in orgs with custom domains will become stricter than this first release. This feature will be gradually made available to all orgs.

Enhanced Okta LDAP integrations with Universal Directory

Okta LDAP integrations now feature custom mapping, schema discovery, and a fully extensible attribute schema that allows you to import or update any attribute stored in LDAP. With these enhancements, Okta LDAP matches the schema functionality already available to Active Directory integrations. See Profile Editor. This feature is being re-released. This feature will be gradually made available to all orgs.

Fixes

  • OKTA-595549

    IdP users were redirected to an unbranded sign-in page after SSO failure.

  • OKTA-609243

    The Admin Console referred to the phone authenticator's 5-digit OTP for SMS or voice as 6-digit.

  • OKTA-614488

    Admins could view only 50 applications in the Default application for the Sign-In Widget dropdown menu when configuring a custom sign-in page.

  • OKTA-619163

    When the Universal Distribution List group was pushed to Active Directory, some users' group memberships didn't sync.

  • OKTA-621695

    Possession factor constraints settings weren't preserved when switching from advanced to basic mode in an authentication policy rule.

  • OKTA-627119

    Some users encountered a 400 HTTP error when authenticating through a service provider.

  • OKTA-627660

    Users whose admin permissions were revoked continued to receive emails with an Admin only audience setting.

  • OKTA-628227

    Some SAML-linked accounts in DocuSign couldn't use SWA.

  • OKTA-629263

    Email change confirmation notices came from an Okta test account rather than a brand-specific sender.

  • OKTA-637801

    Admins without permission to manage apps saw an Edit button for the app's VPN Notification settings.

  • OKTA-638911

    The RSA Authenticator used the old SamAccountName of AD-sourced users after it was changed.

  • OKTA-639465

    The LDAP Agent Update service used an unquoted path, which could allow arbitrary code execution. For more information, see the Okta security advisory.

  • OKTA-641892

    Labels were incorrect for the Enrollment by Authenticator Type chart in the MFA Enrollment by User report.

  • OKTA-647842

    Okta displayed two different titles for the End-User Dashboard to users whose locale was set to Vietnamese.

Okta Integration Network

App updates

  • The Amazon Business SAML app now has a configurable SAML issuer.
  • The Amazon Business SCIM app now has a configurable SCIM base URL and Authorize endpoint.
  • Application profile and mapping has been updated for the Jostle SCIM app.
  • The mobile.dev SAML app has been rebranded as Maestro Cloud.

New Okta Verified app integrations

App integration fixes

  • American Express Online by Concur (OKTA-642832)

2023.09.2: Update 2 started deployment on October 9

Fixes

  • OKTA-619723

    When the Conditions for admin access feature was enabled, admins who were restricted from viewing certain profile attributes couldn't access the GroupsGroup page.

  • OKTA-623635

    Group mappings were unexpectedly pushed to downstream apps after the corresponding app instances were deleted.

  • OKTA-627290

    Okta didn't record a System Log entry when admins deleted all the users or groups that were associated with an active authentication policy rule.

  • OKTA-627805

    The unsuccessful attempt number counter for Security Question didn't reset after a successful sign-in.

  • OKTA-627862

    Incorrect values for group metrics, such as the number of groups added and updated, were displayed on the Import Monitoring page.

  • OKTA-633507

    The pagination cursor was ignored when requests to the Groups API (api/v1/groups) included the ID of the All Admin group.

  • OKTA-639397

    The Okta Verify MFA prompt didn't appear when users tried to access the AWS Okta CLI after their Okta session expired.

  • OKTA-641112

    System Log events weren't generated when Active Directory and LDAP users were deactivated during sign-in.

  • OKTA-641457

    When self-service password recovery was disabled, AD users received the Forgot Password Denied email template instead of Active Directory Password Reset Denied.

  • OKTA-643204

    Active Directory and LDAP users weren't unassigned from applications when they were deactivated during sign-in.

  • OKTA-643499

    Sometimes the processing of group rules for smaller groups took longer than expected when other large operations were in progress.

  • OKTA-648750

    SP-initiated SSO flows without a session didn't correctly populate the context.session object for SAML inline hooks.

Okta Integration Network

App updates

  • The Experience.com OIDC app now has additional redirect URIs.
  • The Planview Admin SAML app now has the Audience ID variable.

New Okta Verified app integrations

App integration fixes

  • Bloomberg (SWA) (OKTA-642380)
  • BlueCross Blueshield of Illinois (SWA) (OKTA-641490)
  • Citi Velocity (SWA) (OKTA-637196)
  • SAP Concur Solutions (SWA) (OKTA-643965)

October 2023

2023.10.0: Monthly Production release began deployment on October 16

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Sign-In Widget, version 7.11.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

SharePoint People Picker, version 2.4.0.0

SharePoint People Picker 2.4.0.0 is now available for download. See Configure Okta SharePoint People Picker agent.

Custom email domain

You can configure a custom domain so that email Okta sends to your end users appears to come from an address that you specify instead of the default Okta sender noreply@okta.com. This allows you to present a more branded experience to your end users. See Configure a custom email address. This feature is being re-released.

OpenLDAP support for Auxiliary Object classes

You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. See LDAP integration. This feature is being re-released.

New custom admin role permission

Super admins can now assign View delegated flow permission to their custom admin roles. See Role permissions.

Configure management attestation for mobile devices with pre-existing security key

You can now use a pre-existing secret key when you configure Device Management for mobile devices. If you upgrade from Classic Engine, you can reuse your secret key in Identity Engine. See Configure Device Management for mobile devices.

Desktop MFA

Desktop MFA allows you to secure users' desktops with MFA. With this solution, you can customize the sign-in flow so that users are prompted for MFA methods after they enter a Windows password. See Desktop MFA for Windows.

Desktop Password Sync for macOS

Desktop Password Sync for macOS allows users to access their macOS device with their Okta password. This solution lets users maintain a consistent password across devices and web resources. If strong password policies are set in Okta, Desktop Password Sync gives confidence that users also have a strong password for their macOS device. See Desktop Password Sync for macOS.

FastPass phishing resistance for unmanaged iOS devices

While Okta FastPass can protect users against most phishing attacks, it can't secure authentication on unmanaged iOS devices. To close this gap, Okta is rolling out phishing resistance for Okta FastPass on unmanaged iOS devices. With this change, users who authenticate with Okta FastPass on their personal or unmanaged iOS devices are protected from phishing attacks. See Okta FastPass.

Additional resource and entitlements reports

Reports help your Okta org manage and track user access to resources, meet audit and compliance requirements, and monitor organizational security. The following reports are now available:

  • Group Membership report: Lists individual members of a group and how membership was granted.
  • User App Access report: Lists which users can access an application and how access was granted.
  • User accounts report: Lists users with accounts in Okta and their profile information.

See Entitlements and Access Reports.

MFA enrollment by user report

Use this report to view the types and counts of authenticators that users in your org have enrolled. This can improve the security posture of your org by enabling you to understand the adoption of strong authenticators like Okta Verify. See MFA Enrollment by User report.

Updates to profile enrollment policy

This feature delivers parity for upgraded orgs who used the Self-Service Registration (SSR) feature in Classic Engine. Previously in Identity Engine, SSR was combined with profile enrollment. Users were unable to sign in after the upgrade if their org used read-only or hidden attributes for SSR in Classic Engine. Identity Engine now separates SSR and profile enrollment, and turns off progressive profiling by default. This ensures that no admins are locked out and users can sign in to their orgs even if they have special attributes. See Collect profile information and register users.

Sign-in requirements for new devices

Users are now prompted for MFA each time they sign in when an authentication policy rule requires MFA for new devices.

IdP lifecycle event hooks

IdP lifecycle events are now eligible for use as event hooks. See Event Types.

Toggle between 2nd and 3rd generations of the Sign-In Widget

Admins can switch their orgs between the second and third generation of the Sign-In Widget using a new toggle switch. See Sign-In Widget (third generation).

Early Access Features

Workday writeback enhancement

When this feature is enabled, Okta makes separate calls to update work and home contact information. This feature requires the Home Contact Change and Work Contact Change business process security policy permissions in Workday.

Fixes

  • OKTA-398711

    Text on the Administrator assignment by admin page was misaligned.

  • OKTA-575513

    Super admins that tried to open the Okta Workflows console received an error, and {0} appeared as the app name, when their account wasn't assigned to the Workflows app.

  • OKTA-616574

    Some System Log events included non-English text.

  • OKTA-619175

    UI elements didn't work properly on the Global Session Policy and Authentication Policies pages.

  • OKTA-619223

    Content was displayed incorrectly on the Change User Type page.

  • OKTA-620144

    For some users, logos for imported app groups didn't appear in the Admin Console.

  • OKTA-620771

    When a group was pushed from Okta, a blank app icon appeared for some users and clicking the icon resulted in an error.

  • OKTA-621526

    The MFA Usage Report didn't display the correct PIV/Smart Card label.

  • OKTA-631952

    The Sign-In Widget didn't display the correct validation error message for the Username field.

  • OKTA-635926

    Some users were directed to an unintended page when enrolling in Okta Verify by sign-in URL.

  • OKTA-636864

    Org navigation elements were hidden when authentication settings were changed for orgs embedded in an iFrame or that redirected to an iFrame.

  • OKTA-639089

    When a user was moved from one AD domain to another, their original group app assignments were retained.

  • OKTA-642630

    Users received an error when they entered an OTP from an SMS message after the org was upgraded to Identity Engine.

  • OKTA-643148

    The Tasks page didn't indicate when each task was assigned.

  • OKTA-643598

    The Secure Web Authentication (SWA) module failed to sign users in to PagerDuty.

  • OKTA-646978

    Updating the profile enrollment policy in the Admin Console failed when invalid profile attributes were present.

  • OKTA-649240

    Super admins couldn't edit the scoped resources that were assigned to an Application admin.

  • OKTA-650511

    Inconsistent AD agent version formatting appeared on the Agent Monitor page during on-demand auto updates.

  • OKTA-654506

    The writeback enhancement failed to push profile information to Workday when a user's profile was empty.

  • OKTA-655148

    The SAMLResponse field in the HTML response couldn't be retrieved for some clients.

Okta Integration Network

New Okta Verified app integrations

App integration fixes

  • 1Password Business (SWA) (OKTA-646676)
  • Canva (SWA) (OKTA-642049)
  • concur-solutions (SWA) (OKTA-649651)
  • Dice (SWA) (OKTA-645005)
  • mySE: My Schneider Electric (SWA) (OKTA-644927)
  • PagerDuty (SWA) (OKTA-643598)

Weekly Updates

2023.10.1: Update 1 started deployment on October 23

Generally Available

Sign-In Widget, version 7.11.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Admin sessions bound to Autonomous System Number (ASN)

When an admin signs in to Okta, their session is now associated with the ASN they are logging in from. If the ASN changes during the session, the admin is signed out of Okta, and an event appears in the System Log.

Fixes

  • OKTA-613809

    The System Log displayed incorrect email delivery events if the Registration - Activation template audience was set to Admins only.

  • OKTA-632174

    The Edit User Assignment page showed roles that had already been removed by an admin.

  • OKTA-636990

    If an admin attempted to cancel or retry the enrollment of the WebAuthn authenticator on behalf of a user, the page closed.

  • OKTA-638649

    Field validation didn't work for Trusted Origins URLs.

  • OKTA-640158

    The Honor Force Authentication SAML setting didn't work with ADSSO.

  • OKTA-644143

    Users who were added to a group through group assignments were displayed as manually assigned.

  • OKTA-648338

    The Zendesk app integration made API requests using the GET command instead of the POST command.

  • OKTA-650249

    In rare cases, a verified push factor could be replaced by an Okta FastPass factor during a session. This required users to re-authenticate with a push factor when signing in to a new app.

  • OKTA-653489

    Admins couldn't add custom default Salesforce attributes that had been deleted from the Profile Editor.

  • OKTA-657472

    The Add Apps to this Policy page included apps that had already been added to the authentication policy.

Okta Integration Network

App updates

  • The Extracker app integration has been rebranded as Clearstory.
  • The Inflection app integration has new Assertion Consumer Service (ACS) URLs, and a new URI, logo, and integration guide link.
  • The Mapiq app integration has a new logo.
  • The People Experience Hub app integration no longer has an Encryption Certificate field.
  • The Secure Code Warrior app integration has new SSO URLs and a new Instance Region option.
  • The Tableau Online app integration has been rebranded as Tableau Cloud. The app has a new application profile, custom patch batch size, and website.

New Okta Verified app integrations

App integration fixes

  • Tableau Cloud (SCIM) (OKTA-625933)

2023.10.2: Update 2 started deployment on November 6

Generally Available

Sign-In Widget, version 7.11.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

  • OKTA-457923

    The browser's back button removed filters set for the MFA Enrollment by User report rather than returning to the Reports page.

  • OKTA-559609

    Email notifications for report downloads sometimes didn't refer to the report name correctly.

  • OKTA-565078

    A display issue with the certificate's common name was corrected in the Smart Card IdP configuration.

  • OKTA-568355

    When trying to launch the SuccessFactors app, credentials weren't automatically filled, which caused the launch to fail.

  • OKTA-578997

    Read-only and helpdesk admins were able to incorrectly install and configure new Active Directory, LDAP, IWA Web, and Okta Provisioning agents.

  • OKTA-586764

    On Okta-hosted sign-in pages, some fonts weren't loaded or rendered correctly.

  • OKTA-597530

    Admins couldn't delete authorization server clients on the Access Policies page.

  • OKTA-612507

    Some errors weren't translated.

  • OKTA-626459

    When an org attempted to upgrade to Identity Engine, verified event hooks that were subscribed to the system.voice.send_phone_verification_call and system.sms.send_phone_verification_message event types returned warnings or consent requirements.

  • OKTA-627678

    An error occurred when the postLogoutRedirectUris value in an OpenID Connect app was more than 65,535 characters.

  • OKTA-633831

    Global Session Policies in newly migrated Identity Engine orgs didn't interpret sign-on rules correctly and locked users out.

  • OKTA-638799

    Okta System Logs didn't show device.user.remove events.

  • OKTA-639311

    When Cloud Identity was selected as the Google Workspace license type, entitlements weren't pushed.

  • OKTA-647442

    Sometimes, a search request would fail if it included a recently created user.

  • OKTA-649659

    The OTP page displayed an error if users opened a password reset link in a different browser or on a different device.

  • OKTA-650304

    AD-sourced users could set a password compliant with the AD password policy even if the Okta password policy was more restrictive. This happens because the Okta password policy doesn't apply to these users.

  • OKTA-650571

    Some user agents weren't parsed properly as a macOS X platform.

  • OKTA-651062

    Users couldn't enroll duplicate instances of Desktop MFA for multiple platforms.

  • OKTA-651722

    Clicking Reapply Mappings set unmapped values to empty in orgs with certain configurations.

  • OKTA-653019

    Base attributes of new Slack integrations weren't visible.

  • OKTA-654857

    Org navigation elements appeared behind app tiles and other user interface elements for some iOS and macOS users.

  • OKTA-658533

    AMR claims weren't accepted when the inbound SAML assertion was encrypted.

  • OKTA-659879

    The email challenge validity time wasn't consistently applied.

  • OKTA-665293

    When an admin's network location changed, their IdP session wasn't terminated.

Okta Integration Network

App updates

  • The Cisco Umbrella User Management app integration has been rebranded as Cisco User Management for Secure Access. The app integration has a new logo, description, and URL.
  • The Fullview app integration has a new direct URI and a new initiate login URI.
  • The YesWeHack app integration has a new icon.

New Okta Verified app integrations

App integration fixes

  • Adobe (SWA) (OKTA-647811)
  • Algolia (SWA) (OKTA-654566)
  • American Express (Business) (SWA) (OKTA-649753)
  • Application Bank of America CashPro (SWA) (OKTA-648836)
  • i-Ready (SWA) (OKTA-644769)
  • IMDB Pro (SWA) (OKTA-653918)
  • MIT Technology Review (SWA) (OKTA-656622)
  • SuccessFactors (SWA) (OKTA-568355)
  • Trend Micro Worry-Free Business Security Services (SWA) (OKTA-648083)
  • Twilio (SWA) (OKTA-655486)

November 2023

2023.11.0: Monthly Production release began deployment on November 13

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Sign-In Widget, version 7.12.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Improved Behavior Detection

Okta now stores additional information about successful requests. This ensures that more behaviors are recognized during subsequent sign-in events. See Behavior Detection and evaluation.

Okta LDAP Agent automatic update support

Admins can now initiate or schedule automatic updates to Okta LDAP agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta LDAP agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta LDAP agents.

Lockout Prevention

This feature adds the ability to block suspicious sign-in attempts from unknown devices. Users who sign in to Okta with devices they've used before aren't locked out when unknown devices cause lockouts.

FIPS compliance for iOS or Android devices

Federal Information Processing Standards (FIPS) compliance is now available for iOS and Android devices. FIPS can be enabled on the Okta Verify configuration page. When FIPS compliance is enabled, Okta Verify on those devices uses only FIPS-compliant software.

See Configure Okta Verify options.

Third-generation Sign-In Widget

The third-generation Sign-In Widget is more accessible and uses modern frameworks that provide a better end user and developer experience. Okta built the experience from the ground up for Identity Engine, which allows for better velocity, customization, accessibility, and globalization. See Sign-In Widget (third generation).

Custom email domain updates

The Custom email domain wizard now includes an optional Mail subdomain field. See Configure a custom domain.

Improved LDAP provisioning settings error message

When LDAP provisioning settings are validated, incorrect syntax now produces an error message, and no LDAP search query is sent until the syntax is corrected.

Additional data to support debugging user authentication

When the user.authentication.auth_unconfigured_identifier event is triggered, the Okta username and email are added to the event. This helps orgs find whom to communicate with about the changes.

Modified System Log event for Autonomous System Number (ASN) changes

When an admin is signed out of Okta because their ASN changed during their session, the System Log now displays a security.session.detect_client_roaming event instead of a user.session.context.change event.
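Any detection rule keyed on user.session.context.change needs to match the new name as well. The following is an added example written for this page in Node (it is not Okta's own code): a rule that matches both event names, extracts the ASN, and flags admins whose sessions were ended repeatedly. The sample events are constructed, and the field names (eventType, actor.alternateId, client.ipAddress, securityContext.asNumber, published) follow the public System Log schema, so verify them against an actual detect_client_roaming event in your org before relying on the ASN field:

```javascript
// Added example (not Okta code): a System Log detection that keeps working
// across the 2023.11.0 event rename, run over constructed sample events.
const ROAMING_EVENTS = new Set([
  'security.session.detect_client_roaming', // emitted from 2023.11.0 onward
  'user.session.context.change',            // what older rules matched on
]);

// The /api/v1/logs query a poller would use (Okta's SCIM-style filter syntax).
function buildLogsQuery(sinceIso) {
  const filter = [...ROAMING_EVENTS].map((e) => `eventType eq "${e}"`).join(' or ');
  return `/api/v1/logs?since=${encodeURIComponent(sinceIso)}&filter=${encodeURIComponent(filter)}`;
}

// Normalize one event into an alert record, or null if it is not a roaming event.
function toRoamingAlert(ev) {
  if (!ROAMING_EVENTS.has(ev.eventType)) return null;
  return {
    actor: ev.actor?.alternateId ?? 'unknown',
    ip: ev.client?.ipAddress ?? null,
    asn: ev.securityContext?.asNumber ?? null, // assumed present; check your own events
    at: ev.published,
    legacyName: ev.eventType === 'user.session.context.change',
  };
}

// Group alerts per actor and flag anyone hit at least `threshold` times in the
// batch. Repeated roaming by one admin is either a mobile admin on a flaky
// uplink or a session being used from somewhere it should not be; both are
// worth a look, and the ASN/IP sets tell the two apart quickly.
function summarizeRoaming(events, threshold = 2) {
  const perActor = new Map();
  for (const ev of events) {
    const alert = toRoamingAlert(ev);
    if (!alert) continue;
    if (!perActor.has(alert.actor)) perActor.set(alert.actor, { count: 0, asns: new Set(), ips: new Set() });
    const rec = perActor.get(alert.actor);
    rec.count += 1;
    if (alert.asn !== null) rec.asns.add(alert.asn);
    if (alert.ip) rec.ips.add(alert.ip);
  }
  const flagged = [];
  for (const [actor, rec] of perActor) {
    if (rec.count >= threshold) flagged.push({ actor, count: rec.count, asns: [...rec.asns], ips: [...rec.ips] });
  }
  return flagged;
}

// Constructed sample events, not real log data. ASNs and IPs are documentation ranges.
const SAMPLE_EVENTS = [
  { eventType: 'security.session.detect_client_roaming', published: '2023-11-14T09:01:00.000Z',
    actor: { alternateId: 'admin@example.com' }, client: { ipAddress: '203.0.113.10' }, securityContext: { asNumber: 64500 } },
  { eventType: 'security.session.detect_client_roaming', published: '2023-11-14T09:04:00.000Z',
    actor: { alternateId: 'admin@example.com' }, client: { ipAddress: '198.51.100.7' }, securityContext: { asNumber: 64501 } },
  { eventType: 'user.session.context.change', published: '2023-11-10T17:30:00.000Z',
    actor: { alternateId: 'ops@example.com' }, client: { ipAddress: '192.0.2.44' }, securityContext: { asNumber: 64502 } },
  { eventType: 'user.session.start', published: '2023-11-14T09:05:00.000Z',
    actor: { alternateId: 'admin@example.com' }, client: { ipAddress: '198.51.100.7' } },
];

console.log(buildLogsQuery('2023-11-14T00:00:00Z'));
console.log(JSON.stringify(summarizeRoaming(SAMPLE_EVENTS), null, 2));
```

Matching both names from one rule keeps history from before the cutover searchable with the same query, and the legacyName flag lets you tell which name a given hit came from while old events age out.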

OIN Manager notice

The integration estimated-verification-time notice has been updated in the OIN Manager.

Early Access Features

Make email optional authenticator

This feature allows you to upgrade your org to Identity Engine without updating your email factor settings. If you already have an Identity Engine org, it gives you and your end users more control over the email authenticator. See Skip auto-enrolling email authenticator and Make email an optional authenticator.

New app settings permissions for custom admin roles

Super admins can now assign permissions for custom admin roles to manage all app settings, or only general app settings. This enables super admins to provide more granular permissions to the admins they create, resulting in better control over org security. See Application permissions.

Fixes

  • OKTA-566962

    Some text strings on the Global Session Policy page weren't translated.

  • OKTA-633313

    A user with a custom admin role couldn't create federated users due to misplaced permissions.

  • OKTA-633789

    When an Okta group name contained $, the push group feature either removed $ or caused the sAMAccountName to fail validation when populating the Active Directory group.

  • OKTA-637612

    In orgs with the Email as an Optional Authenticator feature enabled, some users could skip enrolling their email even when it was required by the policy.

  • OKTA-644131

    The Google Authenticator enrollment process didn't work properly during the password reset flow.

  • OKTA-645728

    Users who weren't eligible for self-service account recovery could view the Unlock Account page.

  • OKTA-649810

    The Add Resource dialog box sometimes displayed duplicate group names.

  • OKTA-653657

    Some text strings in the Sign-In Widget weren't translated.

  • OKTA-653756

    When many apps were added to routing rules through the API, system performance was degraded.

  • OKTA-657359

    When a partial set of AMRs was passed in an IdP-initiated flow, Okta redirected the user to the IdP instead of challenging for remaining factors.

  • OKTA-664830

    Developer and free-trial orgs redirected users to the configured redirect URI when errors occurred. The redirects now target an error page.

  • OKTA-666396

    When the display language was set to Japanese, the Global Session Policy page displayed a translation error instead of the Everyone group name.

Okta Integration Network

App updates

  • The RFPIO app integration has been rebranded as Responsive. The app has a new logo and integration guide link.
  • The YardiOne Dashboard app integration has been rebranded as YardiOne. The app has a new logo and new integration guide links, as well as Just-In-Time (JIT) provisioning support for SAML integrations.

New Okta Verified app integrations

Weekly Updates

2023.11.1: Update 1 started deployment on December 4

Generally Available

Sign-In Widget, version 7.12.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

  • OKTA-649293

    Users couldn't be assigned to Box using the Assign Box to People page.

  • OKTA-649788

    A tooltip was truncated on the API Tokens page.

  • OKTA-651979

    Some custom scopes weren't listed in the search box used for adding scopes to OIDC access policy rules.

  • OKTA-653966

    Admins couldn't edit their ThreatInsight settings if the Exempt Zones list included a deleted network zone.

  • OKTA-657130

    When admin translations were enabled, some users saw an error when they tried to access an app.

  • OKTA-658969

    Attributes defined in Okta for ServiceNow failed to sync by default.

  • OKTA-659369

    An Okta FastPass validation workflow failed in Safari for some users.

  • OKTA-659568

    After upgrading to Identity Engine, some orgs were prompted for certificates as part of a Device Trust workflow.

  • OKTA-661489

    When an app was renamed, all characters that appeared after a symbol character (&, ", /, \) were removed.

  • OKTA-661859

    The app count message was inaccurate on the Profile Enrollment Policy page.

  • OKTA-661982

    When an import failed for a user, unique attributes for that user were sometimes retained in Okta.

  • OKTA-662487

    The Session Management labels on the Global Session Policy rule page were confusing.

  • OKTA-663777

    In the Add Resource dialog box, admins couldn't search for apps with special characters.

  • OKTA-666323

    When an admin added a SAML app to an existing resource set, users who were assigned the resource set couldn't access the app.

  • OKTA-667580

    Users weren't prompted to reauthenticate when they revealed their credentials for personal apps.

Okta Integration Network

New Okta Verified app integrations

December 2023

2023.12.0: Monthly Production release began deployment on December 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Sign-In Widget, version 7.13.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.19.0

This version of the agent contains:

  • Security enhancements.
  • A configurable fipsMode setting. Admins can now enable or disable the use of FIPS-supported encryption algorithms.

Note: To revert to an older version of the agent, Linux agent users must uninstall version 5.19.0 and then reinstall the older version. See Okta LDAP Agent version history.

Okta MFA Credential Provider for Windows, version 1.4.0

This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows Version History.

New prompts for admins configuring MFA policies

New warning prompts appear if you create weak authentication or authenticator enrollment policies. Prompts also appear if you change a strong policy to a weak one, except for those that enable phishing-resistant settings. This enhances security by helping you prevent the use of weak MFA policies in your org.

Demonstrating Proof-of-Possession

OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) adds an extra layer of protection to OAuth 2.0 access tokens by binding each token to a public/private key pair held by the client. On every request the client presents a DPoP proof, a short-lived JWT signed with that private key, so a token presented without the matching key is rejected. This defeats attacks in which an attacker who has intercepted or stolen a bearer access token replays it against a protected resource. See Create OpenID Connect app integrations.

Responsive Admin Dashboard layout

When you resize the Admin Console to 600 x 751 pixels or smaller, the dashboard widgets now stack vertically instead of horizontally.

Improved Product Offers dashboard widget

The appearance and readability of the Product Offers dashboard widget have been improved to provide a better user experience.

Copy System Log events

A copy button is now available for each event listed in the System Log.

Enhancements to the Sign-In Widget for screen readers

The Sign-In Widget now includes enhancements that make it easier for users who rely on screen readers to select sign-in methods.

New attributes available for Smart Card username

Issuer and Serial Number attributes are now available when you configure the IdP username for the Smart Card Identity Provider.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

  • OKTA-419477

    There was a typographical error on the Active Directory Import page.

  • OKTA-633269

    The Merge Duplicate Policy feature didn't remove duplicate policies nor populate the Consolidate CSV report with a record of the change.

  • OKTA-633280

    Some org configurations allowed invalid username entries.

  • OKTA-636211

    The footer message in User Activation email templates contained an inaccurate email link.

  • OKTA-642341

    During an SP-initiated sign-in flow, an interstitial page didn't appear in the browser's configured language.

  • OKTA-650686

    Memory cache errors sometimes occurred when admins performed imports on orgs with a large number of app assignments.

  • OKTA-655084

    Some AD provisioning events that failed were shown as successful in the System Log.

  • OKTA-655746

    SSO failed when Authentication Method References (AMRs) weren't included in SAML assertions.

  • OKTA-657022

    Setting the group owner in Okta sometimes failed when the ManagedBy field from Active Directory was used.

  • OKTA-661591

    When users enabled Keep me signed in, Okta allowed easier access than intended on subsequent sign-in attempts.

  • OKTA-661797

    When a user clicked an app tile on the Okta Dashboard, the Safari browser opened apps in a new window without user interface controls instead of a new tab.

  • OKTA-664847

    Application assignments sometimes failed in orgs that use custom admin roles.

  • OKTA-668354

    An incorrect warning appeared on the Administrator assignment page when a custom admin role was assigned with granular directory permissions and an Active Directory resource set.

  • OKTA-669774

    After upgrading to Identity Engine, admins couldn't access the Authenticators page if the org had a large number of custom OTP authenticator enrollments.

Okta Integration Network

App updates

  • The BombBomb app integration has a new logo.

New Okta Verified app integrations

App integration fixes

  • Bank of America CashPro (SWA) (OKTA-668979)
  • Delta Dental (SWA) (OKTA-664057)
  • HelloFax (SWA) (OKTA-657466)
  • MacStadium (SWA) (OKTA-662973)
  • SendGrid (SWA) (OKTA-657094)
  • Team Gantt (SWA) (OKTA-663418)
  • Unity Ads (SWA) (OKTA-658284)
  • ZipCar (SWA) (OKTA-657448)
  • Zurich Adviser Portal (SWA) (OKTA-662671)

Weekly Updates

2023.12.1: Update 1 started deployment on December 18

Fixes

  • OKTA-607948

    Error messages were unclear when an LDAP query filter was invalid in Active Directory and LDAP integrations.

  • OKTA-640503

    Custom admins didn't receive email notifications when the LDAP and Active Directory agent was disconnected or reconnected.

  • OKTA-644010

    The System Log didn't log the time when the user was prompted for authenticator enrollment or verification.

  • OKTA-662134

    Resetting a user's security question using the API endpoint didn't generate a System Log entry.

  • OKTA-663793

    The System Log didn't capture a failed user authentication during LDAP delegated authentication.

  • OKTA-667475

    Updated custom schema values weren't imported from Google.

  • OKTA-668140

    Users sometimes received an error message when accessing the Profile Editor from the Admin Dashboard.

  • OKTA-669824

    When the display language was set to Polish, the Sign-In Widget wasn't translated properly.

  • OKTA-669999

    Some users weren't imported after being unassigned from a sourcing app.

Okta Integration Network

App updates

  • The Blameless app integration has updated endpoints.

New Okta Verified app integrations

2023.12.2: Update 2 started deployment on January 8

Generally Available

Admin Console session configuration

Admins can now set the session lifetime and idle time for Admin Console users independently of global session limits. This provides greater security control over the Admin Console.

See Configure Admin Console session lifetime.

Fixes

  • OKTA-636560

    When using Okta Expression Language in Identity Engine, the group.profile.name key didn't return exact matches.

  • OKTA-646953

    Users couldn't sign in to URLs for custom domains.

  • OKTA-651667

    When retrying a batch update of Active Directory agents, agents that had already been updated were marked as updates in progress in the email notification.

  • OKTA-657959

    When assigning users to a group using group rules, the group rule evaluation timed out, and users who matched the attributes weren't added to the group.

  • OKTA-661907

    Some users on Android 6 devices were erroneously granted access to Okta-protected resources despite the authentication policy rule.

  • OKTA-663893

    Users without API access management enabled saw a Create Authorization Server banner on the API Authorization Servers page.

  • OKTA-668142

    Third-party admin status couldn't be removed from an admin. This occurred when they belonged to a third-party admin group that no longer had admin privileges.

  • OKTA-672678

    Sometimes countdown messages weren't displayed when Admin Console sessions were close to expiring.

  • OKTA-675063

    RADIUS agent libraries contained internal security issues. Upgrade to version 2.20.0 to correct those issues.

  • OKTA-675938

    Google USB-C/NFC Titan Security Key (K52T) enrollment wasn't supported.

  • OKTA-679640

    Admins sometimes received an error when trying to access the Admin Console.

Okta Integration Network

App updates

  • The CodeSignal SAML app integration has a new description.
  • The HackerRank For Work SCIM app integration now supports user deactivation.
  • The Perimeter 81 SCIM app integration now supports group push.
  • The Symantec Secure Access Cloud app integration has been rebranded as Symantec ZTNA.
  • The WorkRamp app integration now supports EU locations.
  • The ZAMP OIDC app integration now has IdP-initiated support.

New Okta Verified app integrations