Okta Identity Engine release notes (2024)

Version: 2024.01.0

January 2024

Generally Available

Sign-In Widget, version 7.14.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta On-Prem MFA Agent, version 1.7.4

This version includes security enhancements. See Okta On-Prem MFA agent version history.

Configure multiple IdP authenticators

You can now configure multiple SAML 2.0 or OIDC Identity Providers as authenticators. See Configure the IdP authenticator.

Read-only permission for admin role assignments

Super admins can now assign the View roles, resources, and admin assignments permission to their delegated admins. This permission gives admins a read-only view of the admin roles, resource sets, and admin assignments in the org. See Role permissions.

New possession constraint available in authentication policies

Admins may now require users to enter a PIN or do biometric verification when they authenticate. This enhancement enables admins to increase the security of their orgs and their authentications.

Use your own email provider

You can now use an external email provider to send email notifications in Okta. By default, email notifications such as the welcome email or an account recovery email are sent through an Okta-managed SMTP server. However, you can configure a third-party email provider in Okta and send these emails through it. Adding a custom email provider gives you more control over your email delivery. See Use your own email provider.

Operating system in the Okta Verify push challenge

The Okta Verify app now displays the correct operating system when the push challenge is initiated.

OIN connector support for Entitlement Management

The following connectors have been updated to support Entitlement Management:

  • Box
  • Google Workspace
  • Microsoft Office 365
  • Netsuite
  • Salesforce

See Provisioning-enabled apps.

System Log events for IdP keystore operations

New System Log events are generated for IdP keystore operations:

  • system.idp.key.create
  • system.idp.key.update
  • system.idp.key.delete

System Log event for GET an IdP

A new System Log event is generated for GET /api/v1/idps[/{idpId}.

Application Entitlement Policy

Admins can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

New Smart Card attribute for user matching

A new issuerSnReverseByteOrder attribute has been added to the Smart Card IdP user match.

Google Workspace system roles

Okta now supports Google Workspace system roles.

Updated RADIUS authentication prompts

RADIUS authentication prompts are updated to be clearer.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

  • OKTA-654000

    Users authenticating with Okta FastPass could sign in with authenticators that weren't phishing-resistant even though it wasn't allowed by authentication policies.

  • OKTA-658796

    The Brand name description on the Brand Settings page contained a typo.

  • OKTA-659305

    The IdP Routing Rule page became unresponsive when multiple apps were added to a rule.

  • OKTA-660541

    Information about Integration settings for Chrome Device Trust was missing.

  • OKTA-665773

    The remediation page for Okta Verify enrollment didn't appear for some users.

  • OKTA-667066

    Resetting MFA using support user permissions didn't generate a System Log event.

  • OKTA-673705

    Admins couldn't condition permissions to include or exclude attributes from multiple user profiles.

  • OKTA-674540

    Users couldn't access Confluence On-Prem using IdP-initiated or SP-initiated flows.

  • OKTA-679833

    Some default attribute mappings for SuccessFactors were incorrect.

  • OKTA-683871

    When the User verification as a possession constraint feature was activated, the If Okta FastPass is used section disappeared from the Authentication policy rule page when admins selected the Any 1 factor type option in User must authenticate with.

Okta Integration Network

App updates

  • The AcquireTM app integration has an additional redirect URI.
  • The CodeSignal app integration has a new logo.
  • The OneRange app integration has a new description.
  • The Peakon SAML app integration has a new display name, logo, website, description, doc link, and endpoints.
  • The Peakon SCIM app integration has a new base URL and help text.
  • The Qatalog app integration has a new logo.

New Okta Verified app integrations

App integration fixes

  • ADP mykplan.com (SWA) (OKTA-669875)
  • Fidelity 401k (SWA) (OKTA-659323)

Weekly Updates

2024.01.1: Update 1 started deployment on January 22

Fixes

  • OKTA-626684

    The Security API menu and the Create token button didn't appear for some accounts with custom admin roles.

  • OKTA-638138

    In the System Log, the operating system was displayed as Unknown mobile if a user approved an Okta Verify push notification from an iOS device.

  • OKTA-676688

    Admins saw a warning if they granted OKTA API scopes to an app with an authentication policy that denied access.

  • OKTA-683128

    Customized error pages weren't displayed when admins canceled a certificate selection for PIV authentication.

  • OKTA-686546

    The Connector Configuration form was missing the Edit button in orgs with the App settings permissions for custom admin roles feature enabled.

Okta Integration Network

App updates

  • The AcquireTM app integration has an additional redirect URI.
  • The CodeSignal app integration has a new logo.
  • The Experience.com app integration now supports IdP-initiated flows.
  • The OneRange app integration has a new description.
  • The Peakon SCIM app integration has a new base URL and help text.
  • The Peakon SAML app integration has a new logo, website, description, doc link, and new endpoints.
  • The Qatalog app integration has a new logo.

New Okta Verified app integrations

App integration fixes

  • ADP mykplan.com (SWA) (OKTA-669875)
  • Fidelity401k (SWA) (OKTA-659323)

2024.01.2: Update 2 started deployment on February 5

Generally Available

Sign-In Widget, version 7.14.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

IP restrictions on tokens

Admins can specify allowlisted and blocklisted network zones for static, Single Sign-On Web System (SSWS) API tokens. This strengthens org security by letting them control where calls to Okta APIs can originate from. It also restricts attackers and malware from stealing SSWS tokens or replaying them outside of their IP range to gain unauthorized access.

Fixes

  • OKTA-633537

    Okta erroneously denied access to some users due to incorrect device context evaluation.

  • OKTA-637955

    In some cases, custom admins were able to view pushed groups that weren't assigned to them.

  • OKTA-649640

    Password rules weren't correctly translated in French.

  • OKTA-653740

    Custom admins could access several Active Directory and LDAP agent-related API endpoints without having the correct admin permissions.

  • OKTA-655791

    The User App Access report didn't display the Group Name, Group Source, and Group Membership columns for users that were assigned an app through an AD imported group.

  • OKTA-664370

    Product System Log events for the access token, ID token, and user SSO grants didn't include externalSessionId.

  • OKTA-665347

    No System Log event was generated when a user's password was expired using the API. When an admin used the API to expire a user's password, no System Log event was generated.

  • OKTA-665372

    A custom attribute wasn't displayed in the activation email template for some orgs.

  • OKTA-665377

    Some authenticator actions done using the API didn't appear in the System Log.

  • OKTA-665903

    In some cases, where a group was unassigned from an app, members of that group were still provisioned to the app.

  • OKTA-667063

    Affected entity wasn't included in the System Log when temporary access was granted using the Support User.

  • OKTA-668185

    Admins could add deleted network zones to an authentication policy rule.

  • OKTA-673876

    Screen readers didn't inform users of screen animations, form submission, or form loading after they clicked Next in the Sign-In Widget.

  • OKTA-674218

    System Log events for access token and ID token grants didn't include user attributes.

  • OKTA-679556

    Group Push of large groups from Okta sometimes failed to push all members to downstream apps.

  • OKTA-679914

    After an org's ISO region codes were updated, their policies prevented users from signing in from Telangana, India.

  • OKTA-683871

    When the User verification as a possession constraint feature was activated, the If Okta FastPass is used section disappeared from the Authentication policy rule page when admins selected the Any 1 factor type option in User must authenticate with.

  • OKTA-684369

    Users were sometimes not unassigned from applications after being removed from groups on orgs that had application entitlement policy enabled.

  • OKTA-684547

    In some orgs, users couldn't sign in with Okta FastPass when PIN or biometric verification was required.

  • OKTA-686081

    Some users weren't imported after being unassigned from a sourcing app.

  • OKTA-686239

    Screen readers didn't inform users which security method they selected in the Sign-In Widget for multifactor authentication.

  • OKTA-686457

    In some orgs, users couldn't sign in with Okta FastPass when PIN or biometric verification was required.

  • OKTA-686801

    Some Salesforce provisioning jobs entered a buffered state and didn't run.

  • OKTA-687001

    Sometimes the statuses that were displayed for agents were inaccurate.

  • OKTA-687369

    Okta Verify incorrectly prompted for user verification.

  • OKTA-687812

    An error with expiring signatures prevented agents from updating to the newest version of the LDAP agent. The issue has been resolved in version 5.19.1.

  • OKTA-687814

    An error with expiring signatures prevented agents from updating to the newest version of the Active Directory agent. The issue has been resolved in version 3.16.1.

  • OKTA-688020

    In some orgs, users observed a timeout and error when authenticating with AWS Account Federation.

  • OKTA-688685

    On macOS devices, some users were stuck in a sign-in loop when they tried to authenticate with Okta FastPass in a Safari browser.

Okta Integration Network

App updates

  • The Digitail app integration has new custom_location_attribute, department, and role SAML attributes.
  • The Flow of Work Co app integration has been rebranded as GoFIGR.
  • The OpsLevel app integration now has the group push, import users, and import groups functions.
  • The Saltalk app integration has been rebranded as WeBox.

New Okta Verified app integrations

App integration fixes

  • FaxSIPit (SWA) (OKTA-655845)
  • My Eaton (SWA) (OKTA-670410)

Version: 2024.02.0

February 2024

Generally Available

Sign-In Widget, version 7.15.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.19.1

This version of the agent fixes the expiring signature error that prevented agents from auto-updating to the newest LDAP agent version. See Okta LDAP Agent version history.

Okta Active Directory agent, version 3.16.1

This version of the agent fixes an expiring signature error that prevented agents from auto-updating to the newest Active Directory agent version. See Okta Active Directory agent version history.

Okta MFA Credential Provider for Windows, version 1.4.2

This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows Version History.

Assign admin roles to an app

Orgs can now assign admin roles to their custom API Service Integrations. Apps with assigned admin roles are constrained to the permissions and resources that are included in the role assignment. This helps ensure that apps only have access to the resources that are needed to perform their tasks, and improves orgs' overall security. See Work with the admin component.

Seamless ISV experience

Okta now provides a seamless ISV experience to optimize the Okta Integration Network (OIN) submission experience for SAML and OIDC integrations. This new experience enables independent software vendors (ISVs) to build and manually test their integration metadata before submission. This reduces the time needed for the OIN team to review and validate that the integration functions as intended, which shortens the time to publish in the OIN.

This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See Publish an OIN integration overview and Submit an SSO integration with the OIN Wizard guide.

Email or password no longer required in authenticator enrollment policy

Currently, the authenticator enrollment policy requires either email or password, even when you've enabled another authenticator for authentication. Now you can set email or password as optional or disabled in the policy, and instead require stronger authenticators like Okta Verify, Okta FastPass, and FIDO2 (WebAuthn) for authentication. With this change, passwordless users who initially signed in with an email now receive the activation email. See Create an authenticator enrollment policy.

Force authentication

Orgs now support force authentication for WS-Fed SSO requests. Users must re-authenticate WS-Fed authentication requests that include Wfresh=0.

DPoP support for Okta management API

You can now use OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) access tokens to access Okta management APIs. See Configure OAuth 2.0 Demonstrating Proof-of-Possession.

MFA Activity report

The new MFA Activity report provides insight into the MFA trends in your org. It helps you understand which authentication methods were used to access Okta and Okta-protected apps. The report also provides information about the characteristics of authenticators, helping you measure how phishing resistant your org is. See MFA Activity report.

LDAP real-time synchronization

With real-time synchronization, user profiles, groups, and group memberships can now be updated when LDAP-sourced users sign in to Okta, or when they refresh their People page. Admins no longer need to perform full or incremental imports of user attributes, and user profiles, groups, and group memberships are always up to date. Real-time synchronization also reduces the burden on system resources because user attributes are imported and updated individually and not in large groups. See Manage your LDAP integration. This feature is being re-released.

Reports field update

The operator field of the Reports Edit Filters dialog shows the selected item in the dropdown menu.

Dynamic user schema discovery now available

Dynamic user schema discovery is now available for SCIM app integrations that support user entitlements and Identity Governance.

OIN connector support for Entitlement Management

The PagerDuty and Zendesk connectors have been updated to support Entitlement Management. See Provisioning-enabled apps.

App integration tile now available for Okta Workflows

Users who are assigned to the Okta Workflows app integration now have a dedicated tile on their End-User Dashboard to launch the Okta Workflows Console. See Workflows Console.

API setting now an Admin Console option

The Use Persistent Name ID (Higher Security) checkbox allows more secure account linking. This setting allows Okta to determine the associated user account by matching the Name ID with the External ID. When no match is found, Okta uses the IdP username value for account matching.

New action items for self-service upgrades

The OIE Upgrade Hub displays actions items if orgs have non-writable attributes in their self-service registration policy or a factor enrollment policy set to Do Not Enroll. See Self-service upgrade action items.

New System Log event

There's a new system.mfa.preregister.initiate System Log event. The event appears for event hooks and represents MFA preregistration flow initiation. Currently, it's only available for pre-registered YubiKey enrollments.

UI enhancements to Authenticator Enrollment tab

The Authenticator Enrollment tab has been updated to include information about how the enrollment works.

Super admin role now required to update direct authentication grants

Super admin permissions are now required to enable or change direct authentication grants for clients.

Early Access Features

Custom languages for email templates

Admins can now customize Okta-generated emails in any BCP47-formatted language. Previously, customizations were limited to 27 Okta-supported languages. This feature allows admins to configure additional locales using Okta's Brands API. When a new locale is configured, it's available as a new language selection within the Email Templates Editor. See Customized Email Notifications.

Dynamic OS version compliance for device assurance

You can configure OS version compliance by using device assurance. However, you have to manually update the policies every time a new OS version or patch is released. With Dynamic OS version compliance, Okta updates device assurance policies with the latest OS versions and patches, eliminating the need for manual updates. With this feature you can ensure OS version compliance in your org without tracking OS releases. See Add a device assurance policy.

Fixes

  • OKTA-649640

    Password rules weren't correctly translated in French.

  • OKTA-664368

    Assistive technologies couldn't read the Which option do you want to try? label on the Sign-In Widget.

  • OKTA-668324

    Email notifications that were sent when a password was reset by Okta Support didn't include Support information.

  • OKTA-668665

    The re-authentication frequency labels on the Authentication Policies page weren't clear.

  • OKTA-669735

    When an admin was removed from a group that was imported from an app, their user profile still displayed the admin assignments that were granted through the group's membership.

  • OKTA-678416

    Some special characters and symbols were displayed incorrectly in the Sign-In Widget (3rd generation).

  • OKTA-678489

    Voice call to some destinations didn't work when a 7 digit phone number with a 3 digit extension was entered.

  • OKTA-680179

    The Sign-In Widget displayed the wrong error message to users whose activation token was invalid when they attempted to register with Okta.

  • OKTA-680483

    The self-service registration form accepted invalid input for the first and last name fields.

  • OKTA-680795

    Admins couldn't access the Access Testing Tool in some preview orgs.

  • OKTA-681083

    Voice calls for MFA challenges were not completely translated in Vietnamese when the user's locale was set to Vietnam.

  • OKTA-682202

    If an admin's role had a conditioned permission, they couldn't assign apps to users.

  • OKTA-689632

    The IssuerDN PIV IDP matching attribute was referencing the wrong value in the certificate.

  • OKTA-690143

    Unicode characters deemed illegal for HTTP headers were being accepted.

  • OKTA-691492

    Continuous Access terminated sessions even though users were able to authenticate.

Okta Integration Network

App updates

  • The Elba SSO app integration has new redirect URIs.
  • The Ermetic app integration has been rebranded as Tenable Cloud Security.
  • The Ermetic JIT app integration has been rebranded as Tenable Cloud Security JIT.

New Okta Verified app integrations

Weekly Updates

2024.02.1: Update 1 started deployment on February 20

Generally Available

Redesigned resource set pages

The Create new resource set and Edit resource set pages that are displayed when an admin creates or edit a resource set now provide a simpler, more intuitive user experience. See Create a resource set. This feature is being re-released.

Redesigned admin role pages

The Create a role and Edit role pages for custom admin-role configuration now provide a simpler, more intuitive user experience. See Create a role. This feature is being re-released.

HTTP header filter

To improve the security of your org, Okta now filters and encodes any illegal unicode characters for outgoing HTTP headers.

Fixes

  • OKTA-597892

    In orgs configured to perform batch imports for all apps, small batch sizes resulted in slower than expected imports.

  • OKTA-630153

    The Japanese translation for the Smart Card Authenticator wasn't displayed correctly.

  • OKTA-673389

    String attributes couldn't be set to an empty string.

  • OKTA-682104

    Org2Org group push reset custom attributes to undefined.

  • OKTA-686922

    An error occurred when admins deleted inactive Microsoft Office 365 app instances that were configured to use manual federation.

  • OKTA-688729

    When an Okta admin session timed out, the Signed out window wasn't displayed correctly and the Sign in button wasn't clickable.

  • OKTA-688938

    Admins whose custom role contained the Manage customizations permission couldn't preview email templates.

  • OKTA-690143

    Illegal unicode characters were accepted for HTTP headers.

  • OKTA-691492

    Continuous Access terminated sessions for users who were able to authenticate.

  • OKTA-695783

    Users couldn't enter a period (.) in their first or last name during self-service registration.

  • OKTA-698353

    Admins couldn't enable the Prevent new single-factor access to the Admin Console feature.

Okta Integration Network

New Okta Verified app integrations

2024.02.2: Update 2 started deployment on February 26

Generally Available

Cornerstone OnDemand now uses OAuth for authentication

Cornerstone OnDemand replaced the previous authentication method with OAuth authentication to improve security for provisioning. Create a new Cornerstone OnDemand app instance and configure it to use Oauth credentials. See Configure provisioning for Cornerstone OnDemand.

Fixes

  • OKTA-491520

    The Edit Filters dialog of the MFA Enrollment by User report didn't support the operator is set and is not set for the Authenticator type field.

  • OKTA-645205

    When an admin deleted all groups or users included in a policy, the user/group condition and policy status displayed incorrect values.

  • OKTA-656265

    Sometimes, an OAuth 2.0-secured inline hook that contained a custom domain authorization server in the token URL returned a null pointer exception error, instead of an appropriate error.

  • OKTA-663294

    The issuer mode appeared blank on authorization servers when it was set to Custom URL.

  • OKTA-676932

    Users couldn't unenroll their password in password-optional configurations.

  • OKTA-679870

    Some preview org admins saw error messages while authenticating or org pages with no menu items.

  • OKTA-679978

    Content Delivery Network (CDN) resources related to the Sign-In Widget didn't serve the Subresource Integrity (SRI) attributes.

  • OKTA-683026

    Okta sometimes incorrectly returned an Invalid Phone Number error during SMS factor enrollment.

  • OKTA-686636

    Admins couldn't automatically provision users to the Cornerstone OnDemand app.

  • OKTA-687111

    When a user who was assigned an app through a group clicked the link in the activation email, they weren't directed to the app.

  • OKTA-687439

    The MFA Enrollment by User report displayed Group names instead of Groups in the Edit Filters dialog and in the Users table.

  • OKTA-688688

    Some devices didn't identify as managed due to mismatched certificate sizes.

  • OKTA-691848

    Sometimes, users could edit their profile on devices that weren't enrolled in FastPass.

Okta Integration Network

App updates

  • The Recurly app integration now has group push functionality.

New Okta Verified app integrations

Version: 2024.03.0

March 2024

Generally Available

Sign-in Widget, version 7.16.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.20.0

This version of the agent includes the following:

  • Fixed an LDAP query used by the agent for retrieving group memberships using range attributes.

  • The Okta LDAP Agent service now automatically starts on boot for Red Hat and CentOS platforms.

  • Fixed an issue where some customers experienced slower than expected queries during LDAP authentication.

  • Security enhancements.

See Okta LDAP Agent version history.

Okta Hyperdrive agent, version 1.4.0

This version includes bug fixes and an upgrade of the .NET Framework to version 4.8. See Okta Hyperdrive agent version history.

Okta Hyperspace agent, version 1.4.0

This version includes bug fixes and an upgrade of the .NET Framework to version 4.8. See Okta Hyperspace Agent version history.

Okta AD agent, version 3.17.0

This version includes fixes for signing executable and DLL files that come with the Active Directory agent. See Okta Active Directory agent version history.

Enhanced Disaster Recovery

This feature enables commercial customers in the North America region (excluding Compliance cells) to recover faster in the event of a disaster or regional outage. See Overview of enhanced disaster recovery.

Admin sessions bound to Autonomous System Number (ASN)

When an admin signs in to Okta, their session is now associated with the ASN they are logging in from. If the ASN changes during the session, the admin is signed out of Okta, and an event appears in the System Log.

Admin sessions bound to IP address

The Security General Organization Security page has a new IP binding for admin console setting that's enabled by default. This setting associates all of the admin sessions in your org with the device IP address. If the IP address changes during the session, the admin is signed out of Okta, and an event appears in the System Log. This setting can be disabled, but Okta recommends keeping it enabled as a security best practice. See General Security.

Verify Zoom users with Okta

Zoom users can now attest and verify a user's identity between two independent parties using Okta-signed tokens.

Permission conditions for profile attributes

You can now apply conditions to the View users and their details and Edit users' profile attributes custom admin role permissions. Permission conditions help you limit the scope of a role by including or excluding admins' access to individual profile attributes. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Permission conditions.

Enhanced security of Okta Verify enrollments

The Higher security methods option on the authenticator configuration page ensures that users enroll in Okta Verify in a phishing-resistant manner. With this option, users can't enroll with QR code, email, or SMS link. See Configure Okta Verify options.

Stay signed in

Today, Keep me signed in allows the user to select whether their multifactor authenticators from previous sessions should be remembered. However, the option to select Keep me signed in was only available on the sign-in screen.

To enable Stay signed in for integrated authentication flows, admins can now configure their sign-in experience such that the option to Stay signed in is provided either before the user signs in to Okta or before and after the user completes multifactor authentication. If a user selects Stay signed in, they won't be challenged for MFA the next time they sign in. In addition, users will now be able to sign out of all active Okta sessions from the Okta End-User Dashboard. See Keep me signed in.

Granular permissions to manage directories

This feature enables you to assign permissions to view and manage directories as part of a customized admin role. Admins without universal application administrator permissions can handle directory-specific tasks.

Improved password reset process for Active Directory-sourced users

The password reset process sends password update and verification requests to the same Active Directory agent to avoid replication delay.

Device Context using Limited Access in Okta Identity Engine

You can now pass device context using Limited Access in Okta Identity Engine. See Pass Device Context using Limited Access in Okta Identity Engine

Unknown devices detection using fingerprint

Admins can now configure how unknown devices are treated based on the presence of a device fingerprint.

See Block suspicious password attempts from unknown devices.

New requirement for email customizations

To prevent phishing attacks, Okta now requires orgs to have a custom domain to send customized emails. All customized emails currently sent from the Okta domain are disabled, and orgs that use the Okta domain can send default email templates only. This feature is currently enabled by default for new orgs only.

Enhanced System Log Event

The policy.evaluate_sign_on System Log event now shows the assurance policy factor requirement and a list of the available authentication factors for the sign-on event.

Cornerstone OnDemand now uses OAuth for authentication

Cornerstone OnDemand replaced the previous authentication method with OAuth authentication to improve security for provisioning. Create a new Cornerstone OnDemand app instance and configure it to use Oauth credentials. See Configure provisioning for Cornerstone OnDemand.

Styling change for Brands pages

The CustomizationsBrands section of the Admin Console now uses Odyssey UI components. There's no change to functionality, but some of the styling is different.

AAL values for Login.gov IdP

The Login.gov IdP configuration has been updated to include all allowed AAL values. See Create an Identity Provider in Okta.

New System Log information for password policy changes

System Log entries for password policy changes now display the policy settings before and after the update was made.

Improved System Log map view

The System Log map view now includes a reset button and left and right bounds on the zoom function.

New System Log information for MFA enrollment policy changes

System Log entries for MFA enrollment policy changes now display the policy settings before and after the update was made.

IP binding for Admin Console setting

The SecurityGeneralOrganization Security page has a new IP binding for Admin Console setting. When you enable this setting, all of the admin sessions in your org are associated with the system IP address that they signed-in from. If the IP address changes during the session, the admin is signed out of Okta, and an event appears in the System Log. See General Security.

Additional operator for date filter

The date filter is now standardized across all reports and includes the in range operator.

Early Access

Direct End-User Settings access

Users may now access their Settings page through a direct URL in addition to the End-User Dashboard. This feature provides convenience and security for users, gives admins greater flexibility when working with End-User Dashboard access control scenarios, and includes accessibility and UX improvements. See User settings.

Enforce Number Challenge for Desktop MFA

You can now enforce number challenge on all push notifications for Desktop MFA, regardless of the authentication policy. See Configure Desktop MFA policies

Realms for Workforce

Realms allows you to unlock greater flexibility in managing and delegating management of your distinct user populations within a single Okta org. See Manage realms.

Trusted App filters

Trusted App filters allow orgs to block applications from invoking Okta FastPass in Windows, and in Google Chrome and Firefox browsers for macOS. See Trusted app filters .

Google Workspace 1-click federation

Admins can set up SSO to Google Workspace using a simplified integration experience that saves time and reduces the risk of errors.

New HealthInsight task

HealthInsight now includes a recommendation to apply MFA for access to the Admin Console.

Fixes

  • Sometimes group membership changes in a downstream app weren't reflected upon source app assignment in Okta. (OKTA-647132)

  • When users clicked the X in the upper-right corner of the Edit User Assignment page, the page wasn't restored to the default User Assignment view. (OKTA-651313)

  • The MFA Usage report sometimes displayed L10N_ERROR instead of the MFA factor. (OKTA-658326)

  • Office 365 user licenses were randomly removed. (OKTA-665130)

  • During Okta Verify enrollment, the Scan the QR code option was incorrectly displayed for the requests coming from a mobile device. (OKTA-671029)

  • Users in certain geolocations couldn't sign in to Okta, even when the org's policies didn't block the location. (OKTA-671528)

  • Importing large group membership data failed for orgs using ranged queries. (OKTA-672521)

  • The Jira On-Premises app authenticator didn't include a relay state parameter. (OKTA-673058)

  • Password age validation incorrectly appeared on the new user registration window. (OKTA-673824)

  • The Display application icon in the Okta Mobile app option was incorrectly available for the Application visibility property in the Application Integration Wizard (AIW). (OKTA-674235)

  • During self-service registration, users didn't receive the verification email when enrolling Okta Verify with Push. (OKTA-677750)

  • On the Tasks page, the user search didn't return any results for deactivated users. (OKTA-677822)

  • AD users created through JIT couldn't reset their password even if it was set to change after they first signed in. (OKTA-679679)

  • Google licenses were missing from the Universal Directory profile. (OKTA-684513)

  • During LDAP authentication, orgs with large customer databases experienced slower-than-expected queries. (OKTA-686417)

  • Some links on the Admin Dashboard to Okta Documentation didn't work. (OKTA-693031)

  • Users were prompted to enter a password twice when signing in. (OKTA-699026)

  • Read-only admins could modify the IP restrictions of other users' tokens. (OKTA-700117)

  • Some text was truncated on the Recent Activity page. (OKTA-700858)

  • The locale attribute from the user profile wasn't correctly populated to the telephony inline hook. (OKTA-700928)

  • Admins couldn't enroll or reset FIDO2 authenticators for staged users. (OKTA-701467)

  • An inline hook secured by an OAuth 2.0 token that had no expiry value returned an HTTP 400 Bad Request error. (OKTA-702184)

  • The Cornerstone REST API rate limit wasn't honored. (OKTA-702729)

Okta Integration Network

  • Acronis Cyber Cloud (SCIM) has a new authorize endpoint, display name, SAML attribute, and icon.
  • Dashworks (OIDC) has a new integration guide. Learn more.
  • Dashworks (SCIM) has a new integration guide. Learn more.
  • Modal (SAML) is now available. Learn more.
  • NexHealth (SAML) has a new description and an additional SAML attribute.
  • Onyxia (SAML) is now available. Learn more.
  • Paved (OIDC) is now available. Learn more.
  • Reftab Discovery (API service) is now available. Learn more.
  • Resonance by spiderSilk (SAML) is now available. Learn more.
  • Semana (SAML) is now available. Learn more.
  • SpotDraft (SAML) is now available. Learn more.
  • Vansec (SCIM) is now available. Learn more.

Weekly Updates

2024.03.1: Update 1 started deployment on March 18

Fixes

  • Authentication policy rule configurations didn't always appear on the Authentication PoliciesRules tab. (OKTA-678382)

  • AD-sourced users weren't automatically activated after they completed self-service registration. (OKTA-685912)

  • The timeout warning for the End-User Dashboard displayed the remaining session time incorrectly. (OKTA-688731)

  • Admins couldn't edit a resource set if it was included in a deleted delegated flow. (OKTA-692981)

  • Enrollment in the Duo Security authenticator failed when users tried to reset their password. (OKTA-692990)

  • Custom admins with the Manage application settings permission could trigger privilege escalation. (OKTA-693765)

  • The sign-in page displayed an inaccurate message to users who requested a reset password email. (OKTA-696975)

  • Admins couldn't create multiple group rules at the same time. (OKTA-702040)

  • When using granular authentication in some scenarios, users couldn't sign in using a security question after successful enrollment. (OKTA-702275)

  • When using granular authentication, users were prompted to enroll in authentication methods that did not satisfy the authentication policy. (OKTA-702538)

  • Group and read-only admins could manage API tokens for other admins. (OKTA-702918)

  • In orgs that used granular authentication, users sometimes saw an error message at the enrollment prompt. (OKTA-703166)

  • The help link on the SettingsFeaturesOpen betas page was incorrect. (OKTA-704223)

  • The MFA Enrollment form didn't contain a filter value for smart card authenticators. (OKTA-704634)

  • Users were assigned a random role defined in Zendesk when custom role values were mapped to Zendesk users assigned No Custom Role in Okta. (OKTA-706468)

  • Admins were unable to save sign-in page settings for the default brand when using the third-generation widget. (OKTA-712531)

Okta Integration Network

  • Adzact (OIDC) is now available. Learn more.
  • Andromeda Security (SAML) is now available. Learn more.
  • Backpac (SCIM) is now available. Learn more.
  • Brivo Identity Connector (EU) (SCIM) is now available. Learn more.
  • CardioCard (SAML) is now available. Learn more.
  • Coda (SAML) has a new integration guide and tenant ID label.
  • Coda (SCIM) has a new integration guide.
  • EasyLlama (SCIM) is now available. Learn more.
  • Flockjay (SAML) is now available. Learn more.
  • Indeed (SWA) was updated.
  • Island (SCIM) has an updated profile and field mappings.
  • Lasso Security (SAML) is now available. Learn more.
  • LeaveWizard (SAML) is now available. Learn more.
  • LeaveWizard (SCIM) is now available. Learn more.
  • NewZapp (OIDC) is now available. Learn more.
  • NexHealth (SAML) has an additional SAML attribute.
  • Office Depot (SWA) was updated.
  • Payflows (SAML) has an additional SAML attribute.
  • QReserve (SAML) has a new logo and integration guide.
  • Rotate (API service) is now available. Learn more.
  • SAP Concur Solutions (SWA) was updated.
  • Sauce Labs (SAML) is now available. Learn more.
  • senhasegura (SAML) is now available. Learn more.
  • Skippr OIDC for Organizations (SCIM) is now available. Learn more.
  • Spline (OIDC) is now available. Learn more.
  • Summize (OIDC) has a new redirect URI.
  • Summize (SCIM) is now available. Learn more.
  • Synqly Identity Connector (API service) is now available. Learn more.
  • Tamnoon (SAML) has a new logo.
  • Truckstop.com (SWA) was updated.
  • Whimsical (SAML) has a new logo and integration guide.

2024.03.2: Update 2 started deployment on April 1

Fixes

  • Timeouts occurred when fetching Workday prehires in large batches. (OKTA-497101)

  • User permission options were displayed for attributes created in an App User Profile. (OKTA-667672)

  • The Edit Rule page for sign-on policies sometimes displayed undefined instead of an Identity Provider name. (OKTA-672874)

  • Some preview org admins saw error messages while authenticating or End-User Dashboard pages with no menu items. (OKTA-679870)

  • An error occurred when an end user reset a factor nickname and left the name field empty in the End-User Dashboard. (OKTA-682875)

  • Users couldn't authenticate with Sign in with Okta FastPass when both a SAML Identity Provider (IdP) and Smart Card IdP were configured. (OKTA-688559)

  • No System Log entries were created for certain app users when they were assigned a status. (OKTA-690968)

  • Some network zone UI elements on the Create token page weren't rendered correctly. (OKTA-693688)

  • Users couldn't enroll in Okta Verify using a custom domain on Android devices. (OKTA-698916)

  • Client rate limiting configurations for the /login/login.htm endpoint were displayed incorrectly in the Rate Limit dashboard and were in an inconsistent state for some orgs. (OKTA-699914)

  • Some users encountered error messages when they tried to enroll FIDO2 security keys, Okta Verify, and the phone authenticator. (OKTA-700625)

  • A warning didn't appear when admins disallowed authentication methods that were required for phishing-resistant and hardware-protected authentication policies. (OKTA-700986)

  • Some deactivated admins continued to receive email notifications. (OKTA-702015)

  • The Japanese version of Reports used an inappropriate date selector format. (OKTA-702599)

  • In orgs that used granular authentication, users sometimes saw an error message at the inline enrollment prompt if User Verification was required and Security Question was allowed for authentication. (OKTA-702971)

  • Users received an error when trying to enroll the phone authenticator from the end user settings page. (OKTA-703248)

  • Regular expressions couldn't be used to define Allowed DB Groups for Amazon Redshift, which prevented large lists of groups from being defined. Select Use RegEx in Allowed DB Groups (Redshift) to use regular expressions when defining allowed groups. (OKTA-703940)

  • Realm searches started from the current page of results rather than the beginning of all results. (OKTA-704314)

  • When some orgs tried to publish changes to their customized sign-in page, all previous customizations were lost and it was restored to the default version. (OKTA-704885)

  • Okta sometimes incorrectly returned an Invalid Phone Number error during SMS factor enrollment. (OKTA-705078)

  • Reactivation of the Profile Enrollment feature resulted in duplicate UI elements. (OKTA-706021)

  • Users were assigned a random role defined in Zendesk when custom role values were mapped to Zendesk users assigned No Custom Role in Okta. (OKTA-706468)

  • The Security Question warning didn't apply to passwordless multifactor authentication. (OKTA-706505)

  • When no agents were connected during scheduled incremental imports, an incremental to full import conversion event was incorrectly logged. (OKTA-706698)

  • The system selected outdated profile sources during the user creation process. (OKTA-709538)

  • In organizations with Realms enabled, custom admins with the Edit users' profile attributes permission also required the Manage users permission to update a user's profile. (OKTA-709725)

  • Some users could change their username on the Personal information page. (OKTA-711450)

  • The Settings page appeared blank for some users. (OKTA-711495)

Okta Integration Network

  • Akitra (OIDC) is now available. Learn more.
  • Cisco Identity Intelligence - Read-Only Management (API service) is now available. Learn more.
  • Cloud Auth (API service) is now available. Learn more.
  • Cloud Auth (OIDC) is now available. Learn more.
  • Covey (OIDC) is now available. Learn more.
  • CrashPlan (SAML) has a new integration guide. Learn more.
  • DeleteMe (SCIM) is now available. Learn more.
  • Growrk (SAML) is now available. Learn more.
  • incentX (OIDC) is now available. Learn more.
  • Infor EAM (SWA) was updated (OKTA-710635).
  • Jurnee (OIDC) is now available. Learn more.
  • Jurnee (SCIM) is now available. Learn more.
  • Loop & Tie (OIDC) is now available. Learn more.
  • Mailosaur (OIDC) is now available. Learn more.
  • Mailosaur (SAML) has a new integration guide. Learn more.
  • Mailosaur (SCIM) is now available. Learn more.
  • Mangopay (OIDC) is now available. Learn more.
  • Morgan Stanley at Work - Administrator (SAML) is now available. Learn more.
  • Mula Shops (OIDC) is now available. Learn more.
  • NetActuate Portal (SAML) is now available. Learn more.
  • Nudge Security (OIDC) is now available. Learn more.
  • Ordergroove (OIDC) is now available. Learn more.
  • PromoJukeBox (OIDC) is now available. Learn more.
  • Reco (API service) is now available. Learn more.
  • Salto Okta Adapter OAuth (OIDC) is now available. Learn more.
  • Schwab Advisors (SWA) was updated (OKTA-699789).
  • Secure Code Warrior (SCIM) is now available. Learn more.
  • Sirius XM (SWA) was updated (OKTA-693279).
  • SpotDraft (SCIM) is now available.
  • Square 9 GlobalSearch (OIDC) is now available. Learn more.
  • Square 9 GlobalSearch (SCIM) is now available. Learn more.
  • Tabular (OIDC) is now available. Learn more.
  • WorkWhile (OIDC) is now available. Learn more.
  • Zscaler (OIDC) is now available. Learn more.
  • Zscaler (SCIM) is now available. Learn more.

Version: 2024.04.0

April 2024

Generally Available

Sign-in Widget, version 7.17.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta MFA Provider for ADFS, version 1.8.0

This release includes vulnerability fixes and a .NET Framework version upgrade.

Content Security Policy for custom domains

The Content Security Policy (CSP) feature lets admins control which URLs may be linked to from customized sign-in and error pages in orgs that use custom domains. Admins add trusted URLs to Okta that link to items such as images and add these links to the code in their sign-in and error pages. This feature enhances security by enabling admins to allow only approved content to appear and prevent the introduction of potentially malicious code to these pages. See Customize the Content Security Policy (CSP) for a custom domain.

SAML Certificate expiration notification feature

This feature notifies admins through task entries in the Admin Console about expired or soon-to-expire certificates for SAML apps. This enhances security and minimizes app downtime caused by expired certificates.

Support case management for admins

Super admins can now assign the View, create, and manage Okta support cases permission and Support Cases resource to a custom admin role. This allows delegated admins to manage the support cases that they've opened. See Role permissions.

Okta Usage report enhancements

The Okta Usage report now attempts to download the generated CSV file immediately upon loading, and updates the email template when the report is generated. The CSV file can now contain up to five million rows. These enhancements automate the tasks of downloading and emailing the report, and provide more data to admins.

Direct Authentication

Direct Authentication offers a new set of OAuth 2.0 grants that give app developers greater control over the authentication process. When redirect authentication isn't an option, you can use direct authentication to allow client apps to authenticate users directly, without relying on HTTP redirection through a web browser. This is beneficial when there's a high degree of trust between the user and the app and when browser-based flows aren't feasible, like with mobile apps. See Configure Direct Auth grant types.

Okta Verify user verification with PIN or passcode

The Okta Verify enrollment relies on biometric verification, which presents challenges for users whose devices don't support biometrics. To address this limitation, Okta Verify now supports user verification with PIN or password in addition to biometrics. This enhancement broadens accessibility, enabling all users to authenticate with Okta Verify and Okta FastPass, regardless of their device capabilities or personal constraints. See Configure Okta Verify options.

Granular API policy authenticator controls

The Authentication Policy API now includes three new constraints object parameters that provide precise control over what specific authenticators and methods are displayed to end users. Previously, some authenticators were mapped to the same authenticator types and methods. The parameters authenticationMethods and excludeAuthenticationMethods now identify (or exclude) the exact authenticator for both knowledge and possession constraints. The required parameter indicates whether the knowledge or possession constraints are required by the assurance. See the Policy API.

Granular controls for authentication policies

You can now disallow or allow individual authentication methods for an authentication policy. This gives admins more granular control over access to apps.

Require possession factor before password during MFA

You can now require users to verify their identity with a possession factor before a password or other knowledge factor during MFA. This helps protect your org against password guessing or spray attacks. See General Security.

New maximum number of connected AWS accounts

Admins can now connect a maximum of 1000 Amazon Web Services accounts to the AWS Account Federation app in Okta. This change helps avoid timeouts when testing API credentials on AWS.

Improved date filter display in reports

The date filter is now standardized and appears inline for the following reports: Telephony usage, Continuous access violation, Entity risk, At-risk user, and MFA events.

Improved Admin Dashboard and Administrators page

The appearance of several UI components (like buttons and dropdown menus) have been improved across the Admin Dashboard and the Administrators page.

Updated documentation links

Documentation links under the Security, Applications, and Customizations menus now redirect to the correct documentation.

End-User Dashboard and unsupported browsers

The End-User Dashboard no longer loads in unsupported browsers, including Internet Explorer 11 or Edge in Internet Explorer mode. This change enhances security by preventing access from browsers that no longer receive updates.

End-User Dashboard branding and accessibility enhancements

The End-User Dashboard now features design changes that provide a consistent brand experience across Okta's app and enhance accessibility for users.

New target added to a System Log event

A new target was added to the user.authentication.auth_via_mfa System Log event. The target shows the type of MFA app that was used to authenticate.

Authentication context System Log event

The new AuthenticationContext System Log event shows who accessed the configuration secrets for ADFS, Windows Credential Provider (RDP), Epic Hyperspace, and Epic Hyperdrive apps.

New DSSO user impersonation System Log event

A System Log event is now logged when a user attempts Desktop Single Sign-On (DSSO) authentication using a profile source that wasn't the highest priority.

Additional CrowdStrike signals

Okta Verify collects additional trust signals from CrowdStrike. You can view these signals in the System Log. When you configure authentication policy rules, you can use the CrowdStrike signals in Expression Language conditions. See EDR signals for custom expressions.

Early Access

Early Access features from this release are now Generally Available.

Fixes

  • Users couldn't enroll multiple Smart Cards as security methods from the End User Settings page. (OKTA-581807)

  • When end users enrolled the email authenticator, the Sign-in Widget displayed their email incorrectly. (OKTA-625907)

  • Some Microsoft Windows 365 Enterprise license names weren't displayed correctly on the Edit Assignment page. (OKTA-679276)

  • Admins could delete active network zones. (OKTA-691904)

  • No GovSlack attributes appeared for new app instances. (OKTA-693162)

  • Google Workspace default user schema attributes weren't imported into Okta. (OKTA-697236)

  • On the Configure SAML 2.0 IdP screen, the Account matching with IdP Username section appeared when Factor Only was selected for IdP Usage. (OKTA-698614)

  • When an end user enrolled in Okta Verify from an OIDC app, they received the email notification from noreply@okta.com instead of the custom email domain. (OKTA-701658)

  • When an admin enabled a self-service Early Access feature and an error occurred, a success message appeared. (OKTA-701707)

  • Users received a Bad Request error when they canceled Okta FastPass during authentication. (OKTA-706541)

  • App admins could initiate the refresh app data process for apps to which they didn't have permission. (OKTA-711670)

  • Users were unable to enroll in an authenticator with the inline enrollment prompt when the authentication policy did not contain constraints for the corresponding factor class. (OKTA-715402)

Okta Integration Network

  • Alohi (SAML) is now available. Learn more.
  • Alohi (SCIM) is now available. Learn more.
  • Better Stack (SAML) has a new logo.
  • Candor (OIDC) is now available. Learn more.
  • FAX.PLUS (SAML) has a new logo, description, and display name.
  • Humi (OIDC) is now available. Learn more.
  • Jurnee (SCIM) is now available. Learn more.
  • UMA (OIDC) is now available. Learn more.

Weekly Updates

2024.04.1: Update 1 started deployment on April 15

Generally Available

Sign-in Widget, version 7.17.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

  • For some non-English locales, the Use a preset version dropdown menu on the Add device assurance policy page was misplaced. (OKTA-628325)

  • Smart Card authentication method references (AMR) weren't passed correctly in OIDC ID tokens when the standard AMR org setting was enabled. (OKTA-641225)

  • Some text strings in Access Testing Tool weren't translated to Japanese. (OKTA-674050)

  • HTML was visible in some usernames in the Authenticator enrolled notification email. (OKTA-674629)

  • In the Okta Usage report, the date picker was in an incorrect date format for the US English language and the earliest possible date couldn't be selected. (OKTA-688574)

  • When a user signed in to Okta, the resulting policy.evaluate_sign_on System Log event didn't display the user's network zone correctly. (OKTA-690899)

  • Access Testing Tool didn't display an error when it failed because of permission issues. (OKTA-698999)

  • When users created passwords that didn't meet strength requirements, the Sign-In Widget incorrectly indicated in self-service registration flows that the requirements were met. (OKTA-703334)

  • The MFA Events report didn't include the date and time details. (OKTA-711575)

  • Sometimes Access Testing Tool showed no results when admins searched for existing users. (OKTA-713259)

  • The MFA Events report displayed the events in an incorrect chronological order. (OKTA-715259)

  • In the Profile Editor, there was no option to close the Delete Attribute window after reviewing the message. (OKTA-715984)

Okta Integration Network

  • Reddit (SWA) was updated (OKTA-711282).
  • RICOH Smart Integration (SAML) is now available. Learn more.
  • Schwab Advisors (SWA) was updated (OKTA-710955).
  • ShareThis (SWA) was updated (OKTA-709444).
  • Torii (Read) (API service) is now available. Learn more.
  • Torii (Read and Take action) is now available. Learn more.
  • UMR (SWA) was updated (OKTA-629864).
  • US Bank - Pivot (SWA) was updated (OKTA-710409).
  • Var Street (SWA) was updated (OKTA-693696).
  • Zerotek Lab (SAML) is now available. Learn more.

2024.04.2: Update 2 started deployment on April 22

Generally Available

Referrer-Policy HTTP header sends default value

The Referrer-Policy HTTP response header controls how much referrer header information should be included with requests. Okta currently doesn't send the Referrer-Policy response header. The default value for the header is strict-origin-when-cross-origin when it's not sent by Okta. Browsers use the current default value. With this change, Okta will send the Referrer-Policy response header with the default value of strict-origin-when-cross-origin. This feature will be gradually made available to all orgs.

Fixes

  • In orgs that configure Authentication Method References claims mapping, non-federated users weren't redirected to the IdP during re-authentication. (OKTA-697028)

  • When ineligible users attempted a self-service password reset, they saw an unusable password screen instead of an error message. (OKTA-698980)

  • When an admin-created user re-requested the welcome email, it wasn't sent to their secondary email address. (OKTA-702542)

  • DENY events incorrectly appeared in the System Log in some Okta Fastpass authentication scenarios. (OKTA-711395)

  • The Sign-In Widget (third generation) didn't load for the Okta MFA Credential Provider for Windows when it prompted users to authenticate. (OKTA-711504)

  • When the Identity Threat Protection with Okta AI feature was enabled, IdP sessions were incorrectly terminated when Continuous Access evaluation resulted in a policy violation. (OKTA-712360)

  • When Identity Threat Protection with Okta AI was enabled, Continuous Access signed users out of all apps when only one app caused a violation. (OKTA-712361)

  • User.session.start events didn't appear in the System Log. (OKTA-713292)

  • Some admins received an error when trying to view the Identity Threat Protection widgets on the Admin Dashboard. (OKTA-717868)

  • Deactivation of a user from one Office 365 app instance led to the revocation of their license despite being actively assigned to another Office 365 app instance. This also solves the issue where license removal was not happening for assigned user being in Matched or Suspended state. (OKTA-718565)

Okta Integration Network

  • Backrightup (OIDC) is now available. Learn more.
  • Calendly (SWA) was updated (OKTA-713087).
  • Carbon Voice (OIDC) is now available. Learn more.
  • Carbon Voice (SCIM) is now available. Learn more.
  • Cisco Identity Intelligence (API service) now has the okta.roles.read and okta.schemas.read scopes.
  • Cloud Auth (API service) has a new integration guide.
  • Cloud Auth (OIDC) has a new integration guide.
  • Command Zero (API service) has a new integration guide.
  • Costco (SWA) was updated (OKTA-711710).
  • Hellotracks (OIDC) is now available. Learn more.
  • Hellotracks (SCIM) is now available. Learn more.
  • KaseyaOne (SAML) is now available. Learn more.
  • NetBird (OIDC) is now available. Learn more.
  • NetBird (SCIM) is now available. Learn more.
  • Omni Analytics (SCIM) is now available. Learn more.
  • The Training Arcade (SAML) is now available. Learn more.
  • Trova (SCIM) is now available. Learn more.
  • Truckstop.com (SWA) was updated (OKTA-709674).
  • Zscaler 2.0 (SAML) has a new display name, logo, and integration guide.

2024.04.3: Update 3 started deployment on May 6

Fixes

  • Users received additional prompts for their username in some orgs that use OIDC Identity Providers. (OKTA-562692)

  • Okta Verify sometimes displayed the incorrect location when end users opened their app to approve a push notification. (OKTA-586788)

  • The Previous and Next buttons in the calendar picker weren't localized. (OKTA-658412)

  • If a user attempted to reset their password when it wasn't allowed, they weren't sent the Forgot Password Denied email. (OKTA-671864)

  • The Sign-In Widget didn't render correctly if the Multiple Okta Verify Enrollment feature was enabled along with Factor Sequencing. (OKTA-680494)

  • Some System Log events for sign-in failures appeared in the end user's language instead of English. (OKTA-691118)

  • Admins couldn't edit or update the custom header value for the Telephony Inline Hook. (OKTA-694113)

  • The System Log displayed the name of another user as the person who authenticated when the user signed in to Okta from their HR platform using delegated authentication. (OKTA-699096)

  • Chrome and Firefox users received a session expired error message after authenticating when they signed in through custom domains. (OKTA-702077)

  • Users were presented with a Page Not Found error when accessing Confluence On-Prem using IdP-initiated or SP-initiated flows. If you encounter this issue after updating Confluence On-Prem, contact Okta Support. (OKTA-704334)

  • An unhelpful error message appeared when an admin attempted to push a nonexistent group or a group that was already pushed. (OKTA-711537)

  • The app logo was distorted on the Sign-In Widget (third generation). (OKTA-712752)

  • After all supported attributes were added as identifiers, the Attribute field still displayed a dropdown menu option. (OKTA-713101)

  • Status messages that appeared after the successful execution of realm assignments were inaccurate. (OKTA-713203)

  • In progressive enrollment flows, some users who updated their profiles received an error that prevented redirection to the specified URL. (OKTA-715515)

  • The custom identifier value was case sensitive during the sign-in flow. (OKTA-719209)

  • User matching within the Smart Card IDP configuration didn't include the idpuser.issuerSnReverseByteOrder value in the IdP username dropdown list. (OKTA-720770)

  • The Back to Settings button was missing from the authentication page when users changed their profile information on the Settings or My Settings pages. (OKTA-722753)

Okta Integration Network

  • Contentstack (SCIM) is now available. Learn more.
  • Kunzapp (API service) is now available. Learn more.
  • NordLayer (OIDC) is now available. Learn more.
  • NordLayer (SCIM) is now available. Learn more.
  • Run by ADP (SWA) was updated (OKTA-719562).
  • SCIM 2.0 Test App (Basic Auth) now has SWA and SAML functionality.
  • United Health Care Member Login (SWA) was updated (OKTA-718468).

Version: 2024.05.0

May 2024

Generally Available

Sign-In Widget, version 7.18.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Option to enforce profile source priority for Desktop Single Sign On

Enforcing profile source priority for DSSO requires end users to authenticate using their identity from the top prioritized profile source. See Enable delegated authentication for LDAP.

Microsoft Graph commands for Office 365 Manual Domain Federation

The Manual Domain Federation configuration guide for Microsoft Office 365 now uses Microsoft Graph commands.

Support for Active Directory password complexity requirements

This feature creates an option in the password policy to match the same complexity options as Active Directory (AD). Until now, admins couldn't exactly match Okta password complexity requirements to those of their AD instances. Historically, the password complexity requirements in Okta and AD had different granularities, and the requirements displayed in the Sign-In Widget didn't always reflect the AD requirements. As a result, users were locked out without proper error messages. This feature bridges that gap. See Configure the password authenticator.

Permissions for custom admins to manage agents

Custom admins can now view, register, and manage agents. See Agent permissions.

Improved password reset process for Active Directory-sourced users

The password reset process sends password update and verification requests to the same Active Directory agent to avoid replication delay.

IME support for international characters

Admins can now use an Input Method Editor (IME) to type international characters into the Admin Console.

Support for multiple Okta Verify enrollments

Multiple Okta Verify enrollments are now supported on the Authentication and Factors APIs.

Allow multiple identities on one Smart Card

When you use this feature, you enable your end users to use one Smart Card to identify as different identities and authenticate into corresponding accounts. See Configure the Smart Card authenticator.

Deprecated user profile attributes for Office 365

The following user profile attributes are no longer supported for Office 365:

  • AuthOrig
  • DLMemRejectPerms
  • DLMemSubmitPerms
  • IsTrackingChanges
  • UnauthOrig

See Supported user profile attributes for Office 365 provisioning.

OIN connector support for Entitlement Management

The GitHub Team connector has been updated to support Entitlement Management. See Provisioning-enabled apps.

Universal Logout support for Zoom

Universal Logout in Identity Threat Protection with Okta AI (ITP) now clears Zoom sessions and tokens when triggered by the entity risk policy, Continuous Access, and the Clear user session function. This enhances the security of orgs that use ITP.

Sign-In Widget (third generation) version pinning

You can now pin the Sign-In Widget third generation (SIW3) version when updating a customized or preview sign-in page. You can pin version 7.8 or later. This ensures that orgs that use custom branding can't pin SIW3 to an incompatible version. See Customize your sign-in page and Sign-In Widget (third generation).

Granular controls for authentication policies

Admins can now disallow or allow individual authentication methods for an authentication policy. This gives admins more granular control over access to apps. This feature is made available to all orgs.

System Log events for Workflows execution history

Three new event types have been added to the System Log for logging Workflows execution history events:

  • workflows.user.flow.execution_history.activate
  • workflows.user.flow.execution_history.deactivate
  • workflows.user.flow.execution_history.delete

See the Event Types API.

System Log event update for global session policies

The policy.lifecycle.update and policy.rule.update events are updated to include more debug data and change details about the updated policy and rule.

System Log event update for Trusted Origins

If a Trusted Origin is updated using an Event Hook, the event hook ID is now displayed in the System Log event.

Early Access

Multiple Identifiers

Today, end users must sign in to Okta with a username or email address only. With the Multiple Identifiers feature, admins can configure identifiers, or user attributes from Universal Directory, that an end user can enter to authenticate. Multiplier identifiers work in sign-on, recovery, self-service registration, and unlock flows. Admins can configure up to three identifiers, including email (which is still a required identifier). See Multiple identifiers.

Skip the verify page and redirect to the IdP authenticator

This feature allows users to skip the verify step in the Sign-In Widget. They are instead redirected to the IdP authenticator for verification. When you enable this feature, end users see the option to skip the Sign-In Widget verification. If your org is configured to remember the last authenticator the user used, then the user is auto-redirected to the IdP authenticator for future sign-in attempts.

SSF Transmitter API

Okta uses CAEP to send security-related events and other data-subject signals to Apple, known as the Shared Signal Framework (SSF) receiver. After an SSF stream is configured, Okta sends signals as Security Event Tokens (SETs) to Apple. Use the SSF Transmitter API to manage SSF stream configurations between the SSF receiver and Okta.

Enhancement to protected access to Admin Console

As part of the Require MFA for Protected Actions in the Admin Console feature, step-up authentication is required to modify authentication policies applicable to Admin Console.

Fixes

  • Failed Group Push operations to ServiceNow weren't displayed on the Tasks page. (OKTA-677484)

  • Provisioning to UKG Pro sometimes failed due to WorkCountryCode. (OKTA-681623)

  • Performing a Push Now operation on an empty push group in Okta failed to reconcile the group in Zendesk. (OKTA-701099)

  • Stuck XaaS executions weren't marked as failed jobs. (OKTA-712091)

  • Users who entered an invalid username into a password-first sign-in flow saw a misleading error message. This behavior occurred only in orgs that enabled the Multiple Identifiers feature and disabled User Enumeration Prevention. (OKTA-713096)

  • Admins who were supposed to have access to the MFA Activity report couldn't access it. (OKTA-714995)

  • When Okta detected a change in an admin's IP, the caep_session_revoked signal wasn't sent to the SSF receiver. This occurred when the IP binding for admin console setting was enabled. (OKTA-717305)

  • Active Directory incremental imports were converted to full imports when a new OrganizationUnit was added or an existing OrganizationUnit was renamed. (OKTA-718186)

  • The Back to sign in link appeared on the Sign-In Widget (third generation) session expired page. (OKTA-718969)

  • Read-only admins couldn't access the Identity Threat Protection widgets and reports. (OKTA-719582)

  • Super admins with roles assigned through group assignment couldn't enable Direct Authentication grant types in an OIDC app. (OKTA-719756)

  • Some users had to click Sign in with Okta FastPass twice to initiate the enrollment. (OKTA-720029)

  • When running delegated flows from the Okta Admin Console, the event metadata wasn't recorded by the System Log. (OKTA-722302)

  • The error displayed when deleting a realm that had associated realm assignments wasn't translated to match the locale. (OKTA-722814)

  • Smart Card IdP username transformation didn't allow the space characters within the username string. This functionality is only available with custom UD attributes. (OKTA-723152)

  • The Edit button for modifying an SSWS API token's rate limit was disabled instead of hidden for admins who didn't have permission to update the rate limit. (OKTA-724333)

Okta Integration Network

  • DigiCert (SWA) was updated. (OKTA-722381)
  • Foqal Agent (SAML) is now available. Learn more.
  • Kantega SSO (OIDC) is now available. Learn more.
  • Kantega SSO (SAML) is now available. Learn more.
  • Kantega SSO (SCIM) is now available. Learn more.
  • LimbleCMMS (OIDC) now has additional redirect URIs.
  • Netdata (OIDC) is now available. Learn more.
  • Obsidian Security (SAML) now has an option to select the region for the ACS URL.
  • SCIM 1.1 Test App (OAuth Bearer Token) now has SWA and SAML functionality.
  • SCIM 2.0 Test App (OAuth Bearer Token) now has SWA and SAML functionality.
  • SCIM 2.0 with Entitlements Management (Basic Auth) now has SWA and SAML functionality.
  • SCIM 2.0 with Entitlements Management (Header Auth) now has SWA and SAML functionality.
  • SCIM 2.0 with Entitlements Management (OAuth Header Auth) now has SWA and SAML functionality.
  • Vansec (SCIM) now has updated application profile and mappings.

Weekly Updates

2024.05.1: Update 1 started deployment on May 20

Fixes

  • Inactive app users weren't included in group pushes for AWS Account Federation. (OKTA-678930)

  • Group queries in authentication policy rules didn't display more than 10 group names. (OKTA-699003)

  • Users with a custom admin role that allows them to manage a realm couldn't import users. (OKTA-709746)

  • Groups IDs were sent as part of PATCH operations. (OKTA-711633)

  • Users in China couldn't authenticate or enroll in authenticators on sign-in pages that required CAPTCHA verification. (OKTA-718806)

  • The logOnly attribute incorrectly appeared in the System Log. (OKTA-725287)

  • Sometimes actions that were taken on role assignments from entitlement bundles timed out. (OKTA-727294)

  • Some UI elements in the Identity Threat Protection dashboard didn't render correctly. (OKTA-727820)

  • Orgs that had Auto-enroll in all future EA features enabled in Features didn't get the Enforce MFA For Admin Console feature. (OKTA-729278)

Okta Integration Network

  • Amazon WorkDocs by Aquera (SCIM) description was updated.
  • Amazon WorkMail by Aquera (SCIM) description was updated.
  • Asana (SWA) was updated. (OKTA-721354)
  • Codefresh by Aquera (SCIM) description was updated.
  • Costimize (OIDC) is now available. Learn more.
  • Genian NAC (SAML) is now available. Learn more.
  • Grafana by Tech Prescient (SCIM) is now available. Learn more.
  • Highway (OIDC) is now available. Learn more.
  • JazzHR by Aquera (SCIM) is now available. Learn more.
  • NinjaOne (SAML) is now available. Learn more.
  • NordLayer (SCIM) description was updated.
  • Nudge Security (OIDC) description was updated.
  • Pando HR (OIDC) is now available. Learn more.
  • ProdPad by Aquera (SCIM) description was updated.
  • Proton VPN (SAML) is now available. Learn more.
  • Smartsheet SCIM (SAML) was updated to remove ACS URL and audience requirements.
  • SwaggerHub by Aquera (SCIM) description was updated.
  • TriNet by Aquera (SCIM) description was updated.

2024.05.2: Update 2 started deployment on June 3

Generally Available

System Log event update for telephony

The system.sms.send event is updated to include the telephony inline hook failover information.

Fixes

  • When the Identity Threat Protection feature was enabled and an admin deleted the only group in a continuous access policy rule, the policy was still enforced. (OKTA-650636)

  • Admin email notifications for user lockouts weren't translated to the org's default language. (OKTA-657967)

  • The display name of the user was missing from the analytics.feedback.provide event in the System Log. (OKTA-679669)

  • Some users received an error message when they clicked Reveal in the app settings of the Google Workspace Mail tile. (OKTA-684516)

  • Sometimes viewing group details resulted in slow page loads or timeouts if the group was assigned a Zendesk app integration that had a large number of ZendeskOrganization objects in the downstream app. (OKTA-688756)

  • The Administrator role report contained admins without active resource sets. (OKTA-698967)

  • In some cases, the Realms pages in Chrome erroneously displayed horizontal scroll tabs. (OKTA-702758)

  • When choosing push groups by name, after selecting the first group and clicking Save and Add Another, choosing the next group caused the Push group immediately option to be cleared but the group was still automatically pushed. (OKTA-704497)

  • In Okta Identity Governance orgs where AD groups were owned by deactivated Okta users, some failed imports appeared as complete. (OKTA-713146)

  • When the last standard admin role was unassigned from a user who also had a custom admin role, the System Log didn't record the event. (OKTA-715487)

  • Read-only admins couldn't use the Access Testing tool. (OKTA-716165)

  • When the Okta session and re-authentication times were set to four hours, they expired after one hour. (OKTA-716829)

  • For some types of internal errors, the LDAP interface incorrectly returned a successful result code (0) and empty results instead of an error code (80). (OKTA-716937)

  • Authenticator enrollment emails that users received when they enrolled in Okta Verify contained a Report suspicious activity link with the org's regular domain, even if the enrollment occurred on a custom domain. (OKTA-723812)

  • When a user search included the & symbol, only the first page of results was viewable. (OKTA-724819)

  • The Okta RADIUS agent was updated for a security fix. Upgrade to version 2.21.0. (OKTA-724891)

  • When viewing realm assignments where over 20 entries were listed per page, either or both of the assigned realm values and profile sources weren't displayed. (OKTA-724913)

  • Some users received an error message and couldn't view Okta pages when they signed in from an IP address that Okta identified as risky. (OKTA-726837)

Okta Integration Network

  • Clinical Maestro (SAML) has a new integration guide.
  • Elba SSO (OIDC) now has IdP SSO support, region AIP and ENUM, and a ternary operator for the initiate login URI.
  • Glimmer (SAML) is now available. Learn more.
  • Grafana by Tech Prescient (SCIM) is now available. Learn more.
  • Navit (OIDC) is now available. Learn more.
  • Oncall Scheduler (OIDC) is now available. Learn more.
  • OpenEye Web Service (SAML) has a new logo and integration guide.
  • Orca Security (SAML) has a new integration guide.
  • Planyear - Insurance Brokerage (SAML) is now available. Learn more.
  • Postman (SCIM) now has group push, a configurable base URL, and a new logo.
  • Spendesk (SAML) has a new integration guide, logo, and description.
  • Surf Security (SAML) is now available. Learn more.
  • Surf Security (SCIM) is now available. Learn more.
  • UKG HR Service Delivery (SCIM) has a new description and display name.
  • Waldo (OIDC) is now available. Learn more.
  • Workable Recruiting by Aquera (SCIM) is now available. Learn more.
  • Zerotek Lab (SCIM) is now available. Learn more.

Version: 2024.06.0

June 2024

Generally Available

Sign-In Widget, version 7.19.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Deprecated user profile attributes for Office 365

The following user profile attributes are no longer supported for Office 365:

  • AuthOrig
  • DLMemRejectPerms
  • DLMemSubmitPerms
  • IsTrackingChanges
  • UnauthOrig

See Supported user profile attributes for Office 365 provisioning.

Breached password protection

Protect your organization from the impact of passwords that have been compromised. If Okta determines that an Okta username and password combination has been compromised based on the data collected by our internal threat intelligence pipeline, Okta records a System Log event, expires the user's credentials, and requires the user to update their password before they can use their password to sign in again. See Breached password protection.

Rate limit update for using Okta fallback telephony provider

Orgs that use an active telephony inline hook now have a heavy rate limit for the Okta fallback mechanism.

Federation Broker Mode has been removed from OAuth Service Clients

The Federation Broker Mode option has been removed from OAuth Service Clients.

DPoP available when creating OIDC apps

You can now require the Demonstrating Proof of Possession (DPoP) condition when you create an OIDC app. Previously, this option was only available after you create the app. This streamlines the process of creating and securing OIDC apps.

Increase to Inline Hooks

The maximum number of inline hooks an org can create is now 100. The previous maximum was 50. See Add an inline hook .

Support for migration to Microsoft Graph

You can now migrate your existing Office 365 WS-Fed Manual app instances to Microsoft Graph by using the migration banner on the app dashboard.

New System Log Event

The user.authentication.universal_logout.scheduled System Log event is fired when an admin manually triggers Universal Logout against an app instance. It contains information about where and how Universal Logout was fired. This event is only fired once.

Event hook for session context changes

The user.session.context.change System Log event is now available for use in an event hook. See Event hooks.

Early Access

Same-device enrollment for Okta FastPass

On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.

  • Users no longer need to enter their org URL during enrollment.

  • The enrollment flow has fewer steps.

This feature is supported on Android, iOS, and macOS devices. To enable it, go to Admin Console Settings and turn on Same-Device Enrollment for Okta FastPass.

Access request conditions and resource catalog

This feature provides a new method to streamline your access requests for apps, entitlements, and groups from the app's profile page in the Admin Console.

As super admins and access request admins, you can set up app-specific access request conditions that define requester scope, access level, expiration for the access level, and the approval sequence. Based on your active conditions, requesters can request access to an app or app access level directly from their End-User Dashboard.

Compared to request types, this approach allows you to reuse existing relationships between users, groups, and apps defined in Okta to govern access instead of recreating these in Okta Access Requests. This feature also integrates the app catalog in the End-User Dashboard with Access Requests to make the process of requesting access intuitive and user-friendly. See Access Requests and Create requests.

You can also view and edit a user's access duration for the app if the app has Governance Engine enabled. See Manage user entitlements.

Continuous Access is now Post Auth Session

The Continuous Access tab in Authentication Policies is renamed to Post Auth Session.

Continuous Access widget is now Post auth session violations widget

The Continuous Access widget in the Identity Threat Protection dashboard is renamed to the Post Auth Session Violations widget.

  • Continuous access violations are renamed to Session violations.
  • Continuous access evaluation is renamed to Post auth session evaluation.

Fixes

  • The list of languages in Customizations SMS wasn't translated. (OKTA-626381)

  • When an admin attempted to create a profile with a username that contained invalid characters, an unhelpful error message appeared in orgs using a custom character restriction for usernames. (OKTA-680557)

  • Users could bypass admin approval from the import screen to sign in to Okta when Active Directory Just-In-Time provisioning was disabled. (OKTA-706392)

  • The Disable Force Authentication option was ignored for org2org apps using the SAML sign-in mode and AMR claims mapping. (OKTA-711957)

  • The Country Code attribute was missing from the profile enrollment form when admins deleted a similar attribute from a SAML Identity Provider. (OKTA-712657)

  • Some policy evaluations in Identity Threat Protection weren't processed correctly. (OKTA-713378)

  • Some Sign-In Widget error messages weren't localized. (OKTA-721035)

  • For some orgs, the last used factor was still prompted when a user clicked Verify with something else. (OKTA-726023)

  • Active Directory incremental imports were converted to full imports when a new OrganizationUnit was added or an existing OrganizationUnit was renamed. (OKTA-729735)

  • The user.risk.change System Log event displayed incorrect actor values. (OKTA-731725)

  • New Dropbox Business instances were missing a profile attribute. (OKTA-733503)

  • The Provisioning tab wasn't saved when admins created Office 365 applications, and Japanese translations of the Session Lifetime for SAML apps feature didn't appear. (OKTA-735840)

  • Versions 7.18.1 to 7.19.1 of the Sign-In Widget weren't rendered when users accessed them from legacy browsers. (OKTA-736546)

Okta Integration Network

  • candidate.fyi (OIDC) is now available. Learn more.
  • Edify (OIDC) now has sign-in URLs.
  • KiteSuite (SAML) is now available. Learn more.
  • ParkZapp (W) (OIDC) is now available. Learn more.
  • ShareThis (SWA) was updated. (OKTA-723868)
  • Umbrella Faces (SCIM) is now available. Learn more.

Weekly Updates

2024.06.1: Update 1 started deployment on June 24

Generally Available

Sign-In Widget, version 7.19.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

  • Some text on the Reset Password for a user page in the Admin Console wasn't translated. (OKTA-613937)

  • WebEx replaced the API used to retrieve session types with a REST API, which requires the integration to use OAuth for authentication. (OKTA-701227)

  • The policy.entity_risk.evaluate and policy.entity_risk.action events incorrectly displayed the target user as the actor instead of the Okta system. (OKTA-703424)

  • The user.authentication.universal_logout System Log event didn't capture all of the client data. (OKTA-706046)

  • Previews of customized sign-in pages didn't show all registration details. (OKTA-712636)

  • Some locked users couldn't unlock their accounts because they hadn't validated their email addresses. (OKTA-717710)

  • Clicking Sync Entitlements on the Governance tab displayed an error. (OKTA-720049)

  • Sometimes, concurrent Agentless Desktop SSO JIT operations for a user broke app assignments, which required admin intervention to correct. (OKTA-722648)

  • The System Log reported incorrect OS values for the same request. (OKTA-724428)

  • When admins manually confirmed users imported from a SCIM app, they were assigned apps that they weren't authorized to access. (OKTA-724859)

  • The System Log event description for security.events.provider.receive_event was Third Party Vendor reported risk and was updated to Security Events Provider Reported Risk. (OKTA-725427)

  • Opening a profile in a new tab from the Profile Editor displayed a list of profiles instead. (OKTA-725640)

  • A System Log event wasn't present for provisioned users when the password-only sign-in flow failed. (OKTA-727271)

  • The System Log recorded multiple user.session.context.change events when the device management status was incorrectly reported for Windows devices enrolled in Okta Verify. (OKTA-727309)

  • Sometimes, when users who hadn't enrolled in On-Prem MFA attempted to sign in using an RSA SecurID passcode in the New PIN Mode, the passcode verification failed. (OKTA-727554)

  • Some requests failed because the session cookie size exceeded browser limitations. (OKTA-727786)

  • Processing GeneralizedTime attributes while confirming new users imported from LDAP to Okta resulted in an error. (OKTA-728398)

  • Users could reuse their temporary password. (OKTA-729189)

  • The Sign-In Widget was blank when some Okta FastPass users were prompted to authenticate. (OKTA-730317)

  • When the display language was set to Japanese, some role permissions weren't translated on the Admin role assignments screen. (OKTA-730832)

  • When the display language was set to Japanese, some text on the Administrators pages wasn't translated. (OKTA-730834)

  • Some customers signing in to Okta-hosted custom domains with the first or second-generation Sign-In Widget received communications from Monotype Imaging Inc. about licensing for the Proxima Nova font. (OKTA-731216)

  • When an admin clicked Show more on the Administrator assignment by role page, additional admins with the super admin role didn't appear. (OKTA-731416)

  • Some Group Push operations for ServiceNow failed due to timing out. (OKTA-731707)

  • The UI header elements on the Authentication Policy page didn't render correctly. (OKTA-732300)

  • App filter in the Post Auth Session tab is removed for future configurations. This doesn't affect existing configurations. (OKTA-732394)

  • Workday writeback operations failed when area codes were included in the request. (OKTA-733361)

  • Authenticator names weren't translated in error messages. (OKTA-733417)

  • The End User Browser Plugins pane on the Downloads page used an outdated icon for Chromium Edge. (OKTA-733813)

  • Universal Logout didn't sign users out of Google Workspace for some app instances. (OKTA-734303)

  • Entity Risk Policy in the Admin Console didn't have a description. (OKTA-734527)

  • Some attributes weren't translated in the Profile Enrollment form. (OKTA-734938)

  • The policy.auth_reevaluate.fail System Log event wasn't recorded for customers who enabled Identity Threat Protection. (OKTA-735556)

  • The security.breached_credential.detected System Log event had a typo. (OKTA-736552)

  • Some users saw an error page after setting up their Okta account. (OKTA-737149)

  • The Okta RADIUS Server Agent was updated for a security fix. Upgrade to version 2.22.0. (OKTA-737441)

  • Widgets on the Identity Threat Protection dashboard are updated for style and design consistency. (OKTA-737798)

  • Sometimes, Group Assignments involving the Everyone group failed because of a non-performant query. (OKTA-742083)

  • Full imports for OIG-enabled apps sometimes caused users to be unexpectedly deprovisioned. (OKTA-742996)

Okta Integration Network

  • Accend (OIDC) has a new icon and description.
  • Actioner (OIDC) is now available. Learn more.
  • Aerofiler (SAML) is now available. Learn more.
  • Aerofiler (OIDC) has a new icon and OIDC endpoints.
  • Aiven (SAML) is now available. Learn more.
  • Aiven (SCIM) is now available. Learn more.
  • Amazon WorkDocs by Aquera (SCIM) has a new icon.
  • Amazon WorkMail by Aquera (SCIM) has a new icon.
  • Autotab (OIDC) is now available. Learn more.
  • Bright Breaks (SCIM) is now available. Learn more.
  • Brivo Identity Management (SCIM) has a new display name, base URL, integration guide, app profile, and mappings.
  • Codefresh by Aquera (SCIM) has a new icon.
  • Cyolo SRA (SAML) is now available. Learn more.
  • Descope (OIDC) is now available. Learn more.
  • Descope (SCIM) is now available. Learn more.
  • Detexian SSPM (API service) is now available. Learn more.
  • Docker (SAML) is now available. Learn more.
  • DOTS (SAML) is now available. Learn more.
  • Elastic Agent (API service) is now available. Learn more.
  • Favro (SCIM) is now available. Learn more.
  • Floqast (SAML) is now available. Learn more.
  • GitHub Enterprise Managed User - ghe.com (SAML) is now available. Learn more.
  • GitHub Enterprise Managed User - ghe.com (SCIM) is now available. Learn more.
  • goFLUENT (SAML) is now available. Learn more.
  • JazzHR by Aquera (SCIM) supports profile sourcing.
  • Lark (SCIM) is now available. Learn more.
  • Lattice HRIS (SCIM) is now available. Learn more.
  • Manopay (OIDC) has a new integration guide and supports IdP-initiated flows.
  • Obsidian Security (API service) is now available. Learn more.
  • PerimeterX (SCIM) is now available. Learn more.
  • Plumm (SCIM) has a new integration guide.
  • ProdPad by Aquera (SCIM) has a new icon and support URL.
  • Prowler (SAML) is now available. Learn more.
  • Rezonate Security (API service) can now read network zones data.
  • Scrut Automation (OIDC) is now available. Learn more.
  • Select Admin (OIDC) is now available. Learn more.
  • ShareCal (SAML) has a new ACS URL.
  • SmarterSends (SAML) is now available. Learn more.
  • SwaggerHub by Aquera (SCIM) has a new icon and support URL.
  • TriNet by Aquera (SCIM) supports profile sourcing.
  • Trotto Go Links (SAML) has a new icon and integration guide.
  • UKG HR Service Delivery by Aquera (SCIM) has a new icon.
  • WebWork Time Tracker (SAML) is now available. Learn more.
  • WonderProxy (SAML) is now available. Learn more.
  • Workable Recruiting by Aquera (SCIM) supports profile sourcing and has a new icon, description, and support URL.
  • Wundergraph Cosmo (SCIM) is now available. Learn more.
  • Xakia (SCIM) has a new icon and supports group push.
  • Xero by Aquera (SCIM) has a new icon and support URL.

2024.06.2: Update 2 started deployment on July 8

Generally Available

Sign-In Widget, version 7.19.6

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Update to Universal Directory attribute limits

Universal Directory has increased the limit of the number of attributes per org.

Fixes

  • The help links on the Downloads page weren't localized. (OKTA-614688)

  • Admins without the View agents permission could see the Agents page. (OKTA-651508)

  • Setting the locale to Japanese resulted in some issues when working with CSV directories. An error string appeared when scheduling weekly imports and there was insufficient space to enter which hour the import should be performed. (OKTA-656418)

  • Group Push failed for Samanage when group names contained spaces. (OKTA-668498)

  • Password reset token expiration time was not localized for some orgs. (OKTA-673386)

  • When the activation email was resent, it included an expired activation link. (OKTA-720605)

  • The notification email contained the modified IP address when X-Forwarded-For Header was modified. (OKTA-722815)

  • Some users received an error message when they tried to reset their password. (OKTA-725716)

  • The oauth2/instrospect endpoint hit rate limits without logging it in the System Log. (OKTA-726680)

  • Users who didn't enable the Multiple Identifiers feature could access the Identifiers page. (OKTA-727848)

  • During JIT reactivation through IdP, group app assignment reconciliation wasn't processed asynchronously, which caused an unexpected delay in the sign-in process. (OKTA-729103)

  • Access Testing Tool incorrectly reported that non-admin users had access to Okta Admin Console. (OKTA-729726)

  • Attempting to unassign a Google Workspace license from a user who didn't have that license resulted in an error message. (OKTA-731570)

  • A SAML app didn't open in an iFrame even when it was configured using Trusted Origins. (OKTA-734026)

  • If there was an error in the metrics for policy recommendation for an application, the recommendations didn't load properly. (OKTA-735657)

  • When an app was created by an API call with an existing clientId in the request payload, this didn't match the way an app was created in the UI. This resulted in the wrong app rate limit displayed in the rate limit dashboard. (OKTA-736117)

  • When an admin uploaded a file while configuring an app, the dates that appeared on the page weren't translated. (OKTA-736916)

  • The Okta provisioning API didn't accept user IDs that contained a backslash (\) character when users were provisioned to Org2Org instances. (OKTA-737258)

  • Admins couldn't delete existing Classic Engine Network Zones after upgrading to Identity Engine. (OKTA-737821)

  • NetSuite imports failed for new app instances that had Governance Engine enabled if users had an inactive department, location, or class. (OKTA-737844)

  • Unhandled routes for authentication policies rendered a blank page in the Admin Console. (OKTA-738033)

  • Sometimes a group owner wasn't resolved correctly and an invalid error was displayed on the Group Owner tab for the group. (OKTA-738426)

  • Some users received a Bad Gateway error when they tried to register their account. (OKTA-738828)

  • Gemini licenses for Google Workspace were unavailable. (OKTA-739005)

  • The Show More option in Trusted Origins didn't display all trusted origins when a filter was selected. (OKTA-740734)

  • The wrong font was used for text in the Sign-In Widget. (OKTA-742100)

  • The Post Auth Session Violation widget displayed incorrect UI and data when the policy was in the monitoring mode. (OKTA-742525)

  • When running an import from Active Directory into Okta, the DirSync stopped working, which resulted in users being removed from multiple groups within the Office 365 app. (OKTA-742905)

  • Full imports for OIG-enabled apps sometimes caused users to be unexpectedly deprovisioned. (OKTA-742996)

  • When trying to access OneDrive using the app on the Okta Dashboard, an error occurred if there was an active Office 365 session. (OKTA-744748)

  • In Groups API queries, some users who weren't in the "Everyone" group were missing group memberships.(OKTA-747426)

Okta Integration Network

  • Authomize Identity Security (API service) has a new icon, display name, description, website, integration guide, and okta.policies.read scope.
  • Cisco Identity Intelligence - Read-Write Management (API service) is now available. Learn more.
  • Feishu (SCIM) is now available. Learn more.
  • Forethought Dashboard (SCIM) is now available. Learn more.
  • Funnel.io (SAML) has a new icon and integration guide.
  • Klue (SAML) is now available. Learn more.
  • Klue (SCIM) is now available. Learn more.
  • KSOC (OIDC) is now available. Learn more.
  • Medicat One (OIDC) is now available. Learn more.
  • Okta Identity Security Posture Management (API service) is now available. Learn more.
  • Own (SAML) is now available. Learn more.
  • Rewind Backups (API service) is now available. Learn more.
  • Seculio (SAML) is now available. Learn more.
  • Thoropass (SAML) is now available. Learn more.
  • TriNet Zenefits by Aquera (SCIM) is now available. Learn more.
  • WINN.AI (OIDC) is now available. Learn more.
  • Workshop (SAML) is now available. Learn more.
  • Zip (SCIM) now has the approvalLevel attribute.

Version: 2024.07.0

July 2024

Generally Available

Okta Provisioning agent, version 2.1.0

This release of the Okta Provisioning agent contains vulnerability fixes. See Okta Provisioning agent and SDK version history.

Okta Active Directory agent, version 3.18.0

This release of the Okta Active Directory agent uses OAuth 2.0 for authorization and OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to securely communicate with Okta. Agents are now registered through the OAuth 2.0 device registration flow and operate independently from the account used to register them. This release also includes security enhancements and bug fixes. See Okta Active Directory agent version history.

Sign-In Widget, version 7.20.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Identity Threat Protection with Okta AI

Identity Threat Protection with Okta AI is a powerful risk assessment and response solution that provides post-authentication security to your org. By continuously analyzing risk signals that are native to Okta, risk signals from integrated security partner vendors, and your policy conditions, it safeguards orgs against identity attacks that occur during and outside of a user's session. When Identity Threat Protection discovers a risk, it can immediately end the user's sessions, prompt an MFA challenge, or invoke a workflow to restore your org's security posture. Using intuitive dashboard widgets and reports, you can easily monitor security threats as they happen. See Identity Threat Protection with Okta AI.

New maximum session lifetime for SAML apps

Users can now configure the maximum app session lifetime for SAML apps.

Customize branding for IdP authenticators

You can now add a custom name and logo to IdP authenticators. End users see this branding when signing in, which allows them to distinguish between different IdP authenticators. See Configure the IdP authenticator.

Improved JIT performance for directory integrations

JIT-enabled directory integrations now have improved response times for JIT requests.

New Manage API tokens admin role permission

The new Manage API tokens permission lets admins view, revoke, and update the principle rate limit for a token. This enhancement lets admins assign more granular permissions and reduce the risk of creating roles with too many privileges.

Enhanced sign-in experience for PIV/CAC

The Sign-in Widget has been updated to provide an improved user experience when signing in with a PIV/CAC card. The new experience allows users to select a different authenticator if the PIV/CAC authentication fails, instead of forcing them to restart the sign-in process. If your org uses default error pages for PIV/CAC sign-in, the new experience is automatically enabled for the org. If your org uses customized error pages for PIV/CAC sign-in, they are preserved. However, you need to contact Support to switch to the new experience.

Protected actions in the Admin Console

The protected actions feature provides an additional layer of security to your org. It prompts admins for authentication when they perform critical tasks in the Admin Console and helps ensure that only authorized admins can perform these tasks. Super admins can configure the authentication interval for their org. See Protected actions in the Admin Console and MFA for protected actions in the Admin Console. This feature will be gradually made available to all orgs.

Active Directory Bidirectional Group Management

Bidirectional Group Management for Active Directory (AD) allows you to manage AD groups from within Okta. You can add or remove users from groups based on their identity and access requirements. This ensures that changes made to user access in Okta are reflected in AD. When you use Okta Access Certifications to revoke a user's membership to an AD group, the removal is reflected in AD. Okta can only manage group memberships for users and groups imported into Okta using the AD integration. It isn't possible to manage users and groups that weren't imported through AD integration. It's also not possible to manage users and groups that are outside the organizational unit's scope for the integration using this feature. See Bidirectional Group Management with Active Directory.

Sign-In Widget account unlock flow

The account unlock flow on the Sign-In Widget now shows the Username field and authenticator selection separately.

MyAccount Management scopes

The MyAccount Management scopes are no longer added to custom authorization servers by default when an authorization server is created.

Enhanced System Log events table

The value of a client IP address, if present, is now shown below the actor in the events table.

Network Zones and API token restrictions

You can no longer update network zones so they're invalid for use with an API token. This applies only to network zones that are used as restrictions to API tokens. You can update network zones if you first remove them from the API token restriction. These zones can't be deactivated, deleted, blocklisted, or made anything other than an active IP zone.

Event hook limit increased

The limit on active event hooks per org has been increased from 10 to 25. See Create an event hook and Workflows System limits.

New System Log events for Workflows subfolder actions

Improved folder organization gives admins the flexibility to drag and drop folders into other folders or move them up to become a top-level folder. See Move a folder into another folder. When this action happens, the new workflows.user.folder.move event type appears in the System Log. See the Event Types API.

Additional System Log event information

The user.account.privilege.grant System Log event now includes information about the assigned role and target, and indicates if it was a group or individual role assignment.

Early Access

Entitlement Management with Okta Provisioning Agent with SCIM 2.0 support

This agent supports Entitlements Management for app integrations that have enabled Governance Engine. This allows the provisioning of entitlements between Okta and on-premises apps.

Certificate-based authentication for Office 365

Okta Identity Engine now supports certificate-based authentication for WS-Fed SSO requests. Users can authenticate using Smart/PIV cards to seamlessly access their Windows devices and Office 365 apps.

Fixes

  • When the Okta Identity Engine Upgrade Hub failed to load an org's upgrade eligibility the maximum number of times, a blank page was displayed to users. (OKTA-670754)

  • System Log events for API token management didn't include the token's network restriction information in the debug context. (OKTA-724469)

  • When editing a user's assignments, roles with numeric values appeared in the wrong position in the Role dropdown menu. Selecting Not mapped set the role to 629. (OKTA-729800)

  • The enrollment instructions on the Google Authenticator page incorrectly mentioned barcode instead of QR code. (OKTA-735775)

  • Errors appeared on a token's page when a network zone that was used by a token was deleted. (OKTA-736539)

  • Push Group jobs that included deleting group memberships failed if their execution time exceed one minute. (OKTA-741405)

  • The Back to Settings button wasn't visible on the End User Settings page. This occurred when managing the user's authenticators if the user completed MFA using a Smart Card or IdP authenticator. (OKTA-743091)

  • The Okta logo was missing from email notifications for protected actions. (OKTA-743776)

  • The Generated Password Health report was incomplete. (OKTA-746008)

  • The number of group members returned from the /api/v1/groups/<group_id>/users API call was inconsistent with the database query count of the same group. (OKTA-747426)

Okta Integration Network

  • Aiven (SCIM) now has sync password support.
  • Lever by Aquera (SCIM) is now available. Learn more.
  • RICOH Smart Integration (SCIM) is now available. Learn more.

Weekly Updates

2024.07.1: Update 1 started deployment on July 22

Generally Available

Sign-In Widget, version 7.20.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

New IP service categories added

Additional IP service categories have been added to the enhanced dynamic zones IP service category list. See Supported IP service categories.

Fixes

  • Authenticators that were disabled in the authenticator enrollment policy appeared on the new End-User Settings page. (OKTA-718177)

  • Sessions were sometimes transferred from one user to another. (OKTA-719491)

  • Some users were erroneously prompted to authenticate with Okta Verify on unenrolled devices instead of being redirected to a custom device posture IdP. (OKTA-732676)

  • Some text strings on the General Settings page for custom OIDC apps weren't translated. (OKTA-739262)

  • When an X509 authentication request originated from an Okta domain, but the org used a custom domain, the Smart Card IdP didn't redirect the request correctly. (OKTA-741570)

  • When an admin clicked Show more on the Administrator assignment by role page, additional admins with the super admin role didn't appear. (OKTA-743378)

  • The app store download icons for Okta Verify have been replaced by download links on the Sign-In Widget. (OKTA-744565)

  • When a user tried to access OneDrive from the app on the Okta End-User Dashboard, an error occurred if there was an active Office 365 session. (OKTA-744748)

  • When the display language was set to Japanese, some text on the Deactivate People page wasn't translated. (OKTA-745642)

  • The Okta Agent Registration App icon sometimes appeared on the Authentication policies page beside the current default policy. (OKTA-746639)

  • The Reset Password modal had a grammatical error. (OKTA-747866)

  • If an API request in Preview contained any malformed syntax within the query string, the request was still processed. (OKTA-748246)

  • The EAP-TTLS option wasn't available for all RADIUS app integrations. (OKTA-750253)

Okta Integration Network

  • Call2Action (OIDC) is now available. Learn more.
  • ClickUp (SCIM) is now available. Learn more.
  • Clutch Security (API service) is now available. Learn more.
  • Cortex (SCIM) is now available. Learn more.
  • Exaforce (API service) is now available. Learn more.
  • LiveEdge Cloud (SAML) is now available. Learn more.
  • MangoApps (SAML) now has configurable domain support for endpoints.
  • MangoApps (SCIM) is now available. Learn more.
  • NinjaOne (SCIM) is now available. Learn more.
  • Pendo (SAML) has a new integration guide.
  • SGNL (CAEP Hub) (API service) is now available. Learn more.
  • Teamgo Visitor Sign-in (SAML) is now available. Learn more.
  • UKG Pro by Aquera (SCIM) is now available. Learn more.
  • Vanta (SCIM) is now available. Learn more.
  • Wundergraph Cosmo (SCIM) is now available. Learn more.

2024.07.2: Update 2 started deployment on August 5

Fixes

  • When the display language was set to Japanese, some text on the Delegated Authentication page wasn’t translated. (OKTA-658397)

  • Some users received an error message when they clicked Reveal in the app settings of the Google Workspace Mail tile. (OKTA-684516)

  • The End-User Settings page (version 2) didn't display the correct logo and theme when multiple brands were configured in the org. (OKTA-717476)

  • Some customers signing in to Okta-hosted custom domains with the first or second-generation Sign-In Widget received communications from Monotype Imaging Inc. about licensing for the Proxima Nova font. (OKTA-731216)

  • When the Assign and revoke super admin role protected action was enabled and an admin revoked the super admin role from the Admins tab, they weren’t prompted for additional MFA. (OKTA-733379)

  • Access Testing Tool displayed incorrect data if the Identity Provider in the global session policy rule was set to either Okta or Specific IdP. (OKTA-733455)

  • The Sign-In Widget (third generation) showed Okta instead of the customized company name on the password reset page. (OKTA-737190)

  • Some policies couldn't be merged even though the source policies were identical. (OKTA-740953)

  • If API provisioning was enabled without enabling Update User Attributes, Docusign app usernames were set to the users' full names rather than email addresses. (OKTA-742584)

  • When the display language was set to Japanese, some text on the Sign on tab for the Google Apps instance wasn’t translated. (OKTA-742635)

  • When the display language was set to Japanese, some text on the Create new resource set page wasn’t translated. (OKTA-742653)

  • Some of the help links on the Downloads page weren’t correct. (OKTA-744866)

  • The SAML single logout URL wasn't embedded in the iFrame after the correct trusted origin was configured. (OKTA-744874)

  • When users tried to create SSWS tokens, Enhanced Dynamic Zones appeared in the list but users couldn't select them. (OKTA-745607)

  • The right-click menu didn't work in the Admin Console. (OKTA-745918)

  • Admins couldn't customize the Sign-In Widget (second and third generations) for accessing bookmark apps. (OKTA-747438)

  • Users without the Okta Access Requests Admin app couldn't view any app instance pages. (OKTA-748462)

  • The protected actions email notification sometimes contained a broken link. (OKTA-749232)

  • In orgs using delegated authentication with either AD or LDAP, attempting to sign in when the username contained a wildcard character (*) resulted in an HTTP 500 error. (OKTA-749548)

  • When the device context changed based on signals from Okta Verify, the post auth session evaluation didn't work as expected and didn't fire any System Log events. (OKTA-750405)

  • When the display language was set to Japanese, some text on Policy Simulation wasn’t translated. (OKTA-751021)

  • Users were incorrectly prompted for Okta FastPass when enrolling in Okta Verify. (OKTA-753062)

Okta Integration Network

  • Cisco User Management for Secure Access (SCIM) is now called Cisco User Management Connector.
  • Clockwise (SCIM) now has Bookmark mode.
  • CoderPad has new SAML and SCIM integration guides, and the SWA app was updated.
  • Databricks has a new icon.
  • Exaforce (API service) has updated scopes.
  • getregistered (SAML) is now available. Learn more.
  • Nulab Pass (Backlog Cacoo Typetalk) (SCIM) is now available. Learn more.
  • Opensurvey Dataspace (OIDC) now supports IdP-initiated SSO.
  • Pleo (SCIM) is now available. Learn more.
  • Prowler (SAML) has a new icon.
  • Retail Zipline (SAML) now supports Single Logout (SLO) and has a new integration guide and icon.
  • Staircase AI (SCIM) is now available. Learn more.
  • WebWork Time Tracker (SCIM) is now available. Learn more.
  • Wiz (API service) is now available. Learn more.
  • Zip has an updated API.