Okta Identity Engine release notes (Early Access)

Currently in Production

June 2024

Enhanced dynamic zones

Use enhanced dynamic network zones to define IP service categories (proxies, VPNs), locations, and Autonomous System Numbers (ASNs) that are allowed or blocked in a zone. See Enhanced dynamic zones.

Same-device enrollment for Okta FastPass

On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they’re currently using. Previously, two different devices were required to set up an account.

  • Users no longer need to enter their org URL during enrollment.

  • The enrollment flow has fewer steps.

This feature is supported on Android, iOS, and macOS devices. To enable it, go to Admin Console Settings and turn on Same-Device Enrollment for Okta FastPass.

Access request conditions and resource catalog

This feature provides a new method to streamline your access requests for apps, entitlements, and groups from the app’s profile page in the Admin Console.

As super admins and access request admins, you can set up app-specific access request conditions that define requester scope, access level, expiration for the access level, and the approval sequence. Based on your active conditions, requesters can request access to an app or app access level directly from their End-User Dashboard.

Compared to request types, this approach allows you to reuse existing relationships between users, groups, and apps defined in Okta to govern access instead of recreating these in Okta Access Requests. This feature also integrates the app catalog in the End-User Dashboard with Access Requests to make the process of requesting access intuitive and user-friendly. See Access Requests and Create requests.

You can also view and edit a user’s access duration for the app if the app has Governance Engine enabled. See Manage user entitlements.

Continuous Access is now Post Auth Session

The Continuous Access tab in Authentication Policies is renamed to Post Auth Session.

Continuous Access widget is now Post auth session violations widget

The Continuous Access widget in the Identity Threat Protection dashboard is renamed to the Post Auth Session Violations widget.

  • Continuous access violations are renamed to Session violations.
  • Continuous access evaluation is renamed to Post auth session evaluation.

May 2024

Multiple Identifiers

Today, end users must sign in to Okta with a username or email address only. With the Multiple Identifiers feature, admins can configure identifiers, or user attributes from Universal Directory, that an end user can enter to authenticate. Multiplier identifiers work in sign-on, recovery, self-service registration, and unlock flows. Admins can configure up to three identifiers, including email (which is still a required identifier). See Multiple identifiers.

Skip the verify page and redirect to the IdP authenticator

This feature allows users to skip the verify step in the Sign-In Widget. They are instead redirected to the IdP authenticator for verification. When you enable this feature, end users see the option to skip the Sign-In Widget verification. If your org is configured to remember the last authenticator the user used, then the user is auto-redirected to the IdP authenticator for future sign-in attempts.

Require MFA for Admin Console access

You can require multifactor authentication to access the Okta Admin Console. When you enable this feature, all Admin Console authentication policy rules that allow single factor access are updated to require multifactor authentication. See Enable MFA for the Admin Console.

SSF Transmitter API

Okta uses CAEP to send security-related events and other data-subject signals to Apple, known as the Shared Signal Framework (SSF) receiver. After an SSF stream is configured, Okta sends signals as Security Event Tokens (SETs) to Apple. Use the SSF Transmitter API to manage SSF stream configurations between the SSF receiver and Okta.

Enhancement to protected access to Admin Console

As part of the Require MFA for Protected Actions in the Admin Console feature, step-up authentication is required to modify authentication policies applicable to Admin Console.

April 2024

Identity Threat Protection with Okta AI

Identity Threat Protection with Okta AI is a powerful risk assessment and response solution that provides post-authentication security to your org. By continuously analyzing risk signals that are native to Okta, risk signals from integrated security partner vendors, and your policy conditions, it safeguards orgs against identity attacks that occur during and outside of a user’s session. When Identity Threat Protection discovers a risk, it can immediately end the user’s sessions, prompt an MFA challenge, or invoke a workflow to restore your org’s security posture. Using intuitive dashboard widgets and reports, you can easily monitor security threats as they happen. See Identity Threat Protection with Okta AI.

March 2024

Direct End-User Settings access

Users may now access their Settings page through a direct URL in addition to the End-User Dashboard. This feature provides convenience and security for users, gives admins greater flexibility when working with End-User Dashboard access control scenarios, and includes accessibility and UX improvements. See User settings.

Enforce Number Challenge for Desktop MFA

You can now enforce number challenge on all push notifications for Desktop MFA, regardless of the authentication policy. See Configure Desktop MFA policies

Realms for Workforce

Realms allows you to unlock greater flexibility in managing and delegating management of your distinct user populations within a single Okta org. See Manage realms.

Trusted App filters

Trusted App filters allow orgs to block applications from invoking Okta FastPass in Windows, and in Google Chrome and Firefox browsers for macOS. See Trusted app filters .

Google Workspace 1-click federation

Admins can set up SSO to Google Workspace using a simplified integration experience that saves time and reduces the risk of errors.

New HealthInsight task

HealthInsight now includes a recommendation to apply MFA for access to the Admin Console.

February 2024

Detect and block requests from anonymizing proxies

Orgs can now detect and block web requests that come from anonymizers. This helps improve the overall security of your org.

Network zone allowlists for SSWS API tokens

Admins can now specify a network zone allowlist for each static (SSWS) API token. These allowlists define the IP addresses or network ranges from where Okta API requests using SSWS API tokens can be made. This restricts attackers and malware from stealing SSWS tokens and replaying them outside of the specified IP range to gain unauthorized access.

Custom languages for email templates

Admins can now customize Okta-generated emails in any BCP47-formatted language. Previously, customizations were limited to 27 Okta-supported languages. This feature allows admins to configure additional locales using Okta’s Brands API. When a new locale is configured, it's available as a new language selection within the Email Templates Editor. See Customized Email Notifications.

Dynamic OS version compliance for device assurance

You can configure OS version compliance by using device assurance. However, you have to manually update the policies every time a new OS version or patch is released. With Dynamic OS version compliance, Okta updates device assurance policies with the latest OS versions and patches, eliminating the need for manual updates. With this feature you can ensure OS version compliance in your org without tracking OS releases. See Add a device assurance policy.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. There's no impact to any existing rules that allow single-factor access.

November 2023

Make email optional authenticator

This feature allows you to upgrade your org to Identity Engine without updating your email factor settings. If you already have an Identity Engine org, it gives you and your end users more control over the email authenticator. See Skip auto-enrolling email authenticator and Make email an optional authenticator.

New app settings permissions for custom admin roles

Super admins can now assign permissions for custom admin roles to manage all app settings, or only general app settings. This enables super admins to provide more granular permissions to the admins they create, resulting in better control over org security. See Application permissions.

October 2023

Workday writeback enhancement

When this feature is enabled, Okta makes separate calls to update work and home contact information. This feature requires the Home Contact Change and Work Contact Change business process security policy permissions in Workday.

September 2023

Custom admin roles with device permissions

You can now create custom admin roles with permissions to view and manage devices. You can add the Devices to your resource set and then specify device permissions for your custom admin. See Create a resource set and Devices permissions.

Okta FastPass and Smart Card options on Sign-in page

Currently, if you configured both the Sign in with Okta FastPass option and Smart Card as an authenticator, users only see the Okta FastPass option when they sign in. With this feature, you can make both options available for your users during the sign-in process. See Configure the Smart Card authenticator.

Enhanced security of Okta Verify enrollments

To ensure users enroll in Okta Verify in a phishing-resistant manner, a Higher security methods option now appears on the authenticator configuration page. With this option, users can't enroll with QR code, email, or SMS link. See Configure Okta Verify options.

July 2023

IdP permissions for custom admin roles

Admins can now leverage new Identity Provider management permissions when creating custom admin roles. These permissions allow more precise access control and reinforce the principle of least privilege. See Role permissions.

Admin Console Japanese translation

When you set your display language to Japanese, the Admin Console is now translated. See Supported display languages.

Front-channel Single Logout

Front-channel Single Logout (SLO) allows a user to sign out of an SLO-participating app on their device and end their Okta session. Okta then automatically sends a sign-out request to all other participating apps that the user accessed during their session. See Configure Single Logout in app integrations.

June 2023

Phishing-resistant authentication with Okta FastPass on unmanaged iOS devices

While Okta FastPass can protect users against phishing attacks in most cases, it can’t secure authentication on unmanaged iOS devices. To close this gap, Okta is rolling out phishing resistance for Okta FastPass on unmanaged iOS devices. With this change, users who authenticate with Okta FastPass on their personal or unmanaged iOS devices are protected from phishing attacks. See Multifactor authentication.

This feature requires Okta Verify version 8.2.1.

May 2023

Event hook filters

You can now filter individual events of the same event type based on custom business logic hosted in Okta. These filters reduce the amount of events that trigger hooks, removing an unnecessary load on your external service.

This feature includes an improved creation workflow for event hooks and a new Filters tab that you can use to create event filters with direct Expression Language statements or with a simple UI format.

Using event hook filters significantly reduces the amount of event hook requests and the need for custom code on your respective services. See Edit an event hook filter.

April 2023

Import users to Office 365 using Microsoft Graph API

This feature allows Okta to process imports using the Microsoft Graph API. This background process doesn’t change existing procedures and makes imports more scalable, supporting Microsoft 365 tenants with larger numbers of users, groups, and group memberships. See Import users to Office 365 using Microsoft Graph API.

January 2023

AWS region support for EventBridge Log Streaming

EventBridge Log Streaming now supports all commercial AWS regions.

November 2022

Phishing-resistant authenticator requirement

To enhance security, admins may now require users to authenticate using a phishing-resistant authenticator when enrolling additional authenticators. This feature protects the authenticator enrollment process from phishing attempts. See Phishing-resistant authenticator enrollment.

Log Stream event structure update

For consistency the report structure for Log Stream events is now the same as that for System Log events. The following fields are changed and might need updating for any monitoring scripts in use:

  • Under devices, osPlatform is now platform.

  • The ipChain array is now correctly nested under request instead of client.

  • The extraneous field insertionTimestamp is removed.

October 2022

Passkey Management

Apple passkeys may be synchronized across multiple devices, including on unmanaged ones, and stored in Apple’s data centers. This may impact organizations whose security policies require that credentials never leave the device, or that only managed devices be allowed to connect. Okta now allows admins to block the enrollment of passkeys in their orgs. With the new Passkey Management feature, customers can ensure that security policies continue to be enforced, and potentially compromised devices can be kept from connecting. Existing passkey enrollments aren’t affected by turning this feature on.

New OIN app for Microsoft 365 GCC High

A new app is available for integrating Microsoft Office 365 Government Community Cloud (GCC) High. This Office 365 tenant type serves as a highly secure version of Office 365 built specifically for government entities, vendors, and contractors. The tenant provides built-in compliance with certifications and accreditations that are required by the U.S. public sector, including FedRAMP high-impact requirements.

With the new Okta Integration Network app, customers using the GCC High environment for Office 365 can securely deploy a consistent user experience for SSO and identity management. See Configure Office 365 GCC High Tenant.

Phishing-resistant authentication

Phishing-resistant authentication detects and prevents the disclosure of sensitive data to fake applications or websites. When users authenticate with Okta FastPass on managed devices, they’re protected from phishing attacks. See Phishing-resistant authentication.

New column for the User app access report

The User app access report now includes the Recently Accessed column. This allows you to view when the user accessed the app in the last 90 days.

September 2022

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org’s apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.

SAML app support added for email magic links

The Email Magic Link feature now supports SAML applications for self-service registration, self-service password reset, and self-service unlock operations.

July 2022

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user’s email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.

June 2022

Run delegated flows from the Admin Console

With delegated flows, admins can be assigned the ability to run Okta Workflows directly from the Admin Console. Flows that are delegated to an admin appear on the Delegated Flows page where they can be invoked without signing in to the Workflows Console. This gives super admins more granular control over their admin assignments. See Delegated flows.

May 2022

New permissions for custom admin roles

Super admins can now assign these new permissions to their custom admin roles:

  • Manage authorization server

  • View authorization server

  • Manage customizations

  • View customizations

The authorization server permissions can be scoped to all or to a subset of the org’s authorization servers. With these new permissions, super admins can now create custom admin roles with more granular permissions for managing their org’s customizations and authorization servers. See Role permissions.

April 2022

Splunk available for Log Streaming

Many organizations use third-party systems to monitor, aggregate, and act on the event data in Okta System Log events.

Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as the Splunk Cloud in near real time with simple, pre-built connectors. Log streaming scales well even with high event volume, and unlike many existing System Log event collectors, it doesn't require a third-party system to store an Okta Admin API token. See Log streaming.

March 2022

Automatically update public keys in the Admin Console

Using private_key_jwt as your app's client authentication method requires that you upload public keys to Okta and then use the private keys to sign the assertion. Then, you must update the client configuration each time you rotate the key pairs. This is time-consuming and error-prone. To seamlessly use key pairs and rotate them frequently, you can now configure private_key_jwt client authentication in the Admin Console for OAuth clients by specifying the URI where you store your public keys. See Manage secrets and keys for OIDC apps.

Incremental Imports for the Org2Org app

Okta now supports incremental imports for the Org2Org app. Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import. See Okta Org2Org.

February 2022

Additional Okta username formats for LDAP-sourced users

Three additional Okta username formats are now available for LDAP-sourced users. In addition to the existing options, admins can now select Employee Number, Common Name, and Choose from schema to form the Okta username. These new options allow admins to use both delegated authentication and Just-In-Time (JIT) provisioning with LDAP directory services. With these new provisioning options, it is now easier for admins to integrate their LDAP servers with Okta. See Configure LDAP integration settings.

November 2021

Windows Autopilot integration with Okta

You can now use Okta to secure and streamline the Windows Autopilot flow on end-user devices. Before this integration, if you were using Okta Device Trust or Okta FastPass, it prohibited the enrollment of a new device through Windows Autopilot. The new integration now allows you to accommodate Not Trusted devices with Windows Autopilot while continuing to use Okta Device Trust and Okta FastPass for Trusted devices. It also allows you to add a sign-on policy rule in Okta that requires MFA when enrolling a device through Windows Autopilot. This increases security without compromising the user experience and ensures that the right person gets the access to the device. See Typical workflow for using Okta with Windows Autopilot.

Manage email notifications for custom admin roles

Super admins can configure the system notifications and Okta communications for custom admin roles. Configuring the email notifications helps ensure admins receive all of the communications that are relevant to their role. See Configure email notifications for an admin role.

August 2021

Third-Party Risk

Okta Risk Eco-System API / Third-Party Risk enables security teams to integrate IP-based risk signals to analyze and orchestrate risk-based access using the authentication layer. Practitioners can step up, reduce friction or block the user based on risk signals across the customer’s security stack. Apart from improving security efficacy, this feature also enhances the user experience by reducing friction for good users based on positive user signals. See Risk scoring.

February 2021

Enhanced Admin Console search

Admins can now search for end user email addresses in the Spotlight Search field in the Admin Console. You can also view the user's status in the search results when you search by username and email address. This robust global search helps you find what you need in the Admin Console quickly, thereby, saving time and increasing productivity. See Admin Console search.

January 2021

Workplace by Facebook Push AD Manager functionality

Admins can choose to disable Push AD Manager functionality using this self-service Early Access feature. This enables admins to control the manager attribute using Okta Expression Language syntax to avoid being dependent on AD for the field. See Workplace by Facebook.

Skip to Content improvements

End users can now click Skip to Content on the new Okta End-User Dashboard to navigate directly to the Add Apps page.

Options relocation

The Recent Activity tab, End-User preferences, Admin View, and Sign Out options are now displayed in the user drop down menu on the Okta End-User Dashboard.