Okta Identity Engine release notes (Early Access)
Currently in Production
September 2024
Authentication method chain
With this feature, you can require users to verify with multiple authentication methods in a specified sequence. You can create multiple authentication method chains in an authentication policy rule to cater to different use cases and scenarios. See Authentication method chain.
IdP selection for admin resources
This feature gives customers the ability to select and manage the Identity Providers (IdPs) that they want to associate with an admin role. This enhances security by providing granular permissions to roles. See Create a resource set.
Granular configuration for Keep Me Signed In
Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands management API. See Keep me signed in and Brands API.
Global token revocation for wizard SAML and OIDC apps
Universal Logout clears sessions and tokens for wizard SAML and OIDC apps. This enhancement extends Universal Logout functionality to more types of apps and provides greater flexibility to admins.
August 2024
Require MFA for accessing Identity Governance admin apps
If your org uses Okta Identity Governance, you can require MFA for admins who access these first-party apps:
- Okta Access Certifications
- Okta Entitlement Management
- Okta Access Requests Admin
If you have auto-enabled Early Access features in your org, MFA is automatically enforced for those apps. See Enable MFA for the Admin Console.
OAuth 2.0 security for invoking API endpoints
Okta Workflows users can now securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this feature is more secure while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint. See Invoke a flow with an API endpoint.
YubiKey preregistration
Customer admins were previously unable to enroll and ship YubiKeys as WebAuthn enrollments in a quick and automated way. The YubiKey preregistration feature enables admins to preregister YubiKey factors as WebAuthn enrollments for both staged and existing (active) users using a Workflows and Yubico integration to seamlessly handle the registration and shipment. See Require phishing-resistant authentication with pre-enrolled YubiKey.
Okta account management policy
The Okta account management policy helps admins easily build phishing resistance into actions such as account unlock, password recovery, and authenticator enrollment. Using the familiar rule-based framework of an authentication policy, admins can now customize which phishing-resistant authenticators are required when users attempt these common self-service actions. All of the configurations in the authentication policies can now be applied for authenticator management. See Okta account management policy.
Biometric user verification in authentication policies
You can now configure authentication policies to require biometric user verification (no passcode). With this feature you ensure that users confirm their biometrics when they authenticate with Okta FastPass or Okta Verify Push. See Biometric user verification in authentication policies.
July 2024
Entitlement Management with Okta Provisioning Agent with SCIM 2.0 support
This agent supports Entitlement Management for app integrations that have Governance Engine enabled. This allows the provisioning of entitlements between Okta and on-premises apps.
Certificate-based authentication for Office 365
Okta Identity Engine now supports certificate-based authentication for WS-Fed SSO requests. Users can authenticate using Smart/PIV cards to seamlessly access their Windows devices and Office 365 apps.
June 2024
Same-device enrollment for Okta FastPass
On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:
- Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.
- Users no longer need to enter their org URL during enrollment.
- The enrollment flow has fewer steps.
This feature is supported on Android, iOS, and macOS devices. To enable it, turn on Same-Device Enrollment for Okta FastPass.
Access request conditions and resource catalog
This feature provides a new method to streamline your access requests for apps, entitlements, and groups from the app's profile page in the Admin Console.
As super admins and access request admins, you can set up app-specific access request conditions that define requester scope, access level, expiration for the access level, and the approval sequence. Based on your active conditions, requesters can request access to an app or app access level directly from their End-User Dashboard.
Compared to request types, this approach allows you to reuse existing relationships between users, groups, and apps defined in Okta to govern access instead of recreating these in Okta Access Requests. This feature also integrates the app catalog in the End-User Dashboard with Access Requests to make the process of requesting access intuitive and user-friendly. See Access Requests and Create requests.
You can also view and edit a user's access duration for the app if the app has Governance Engine enabled. See Manage user entitlements.
Continuous Access is now Post Auth Session
The Continuous Access tab in Authentication Policies is renamed to Post Auth Session.
Continuous Access widget is now Post auth session violations widget
The Continuous Access widget in the Identity Threat Protection dashboard is renamed to the Post Auth Session Violations widget.
- Continuous access violations are renamed to Session violations.
- Continuous access evaluation is renamed to Post auth session evaluation.
May 2024
Multiple Identifiers
Today, end users must sign in to Okta with a username or email address only. With the Multiple Identifiers feature, admins can configure identifiers (user attributes from Universal Directory) that an end user can enter to authenticate. Multiple identifiers work in sign-in, recovery, self-service registration, and unlock flows. Admins can configure up to three identifiers, including email (which is still a required identifier). See Multiple identifiers.
Skip the verify page and redirect to the IdP authenticator
This feature allows users to skip the verify step in the Sign-In Widget. They are instead redirected to the IdP authenticator for verification. When you enable this feature, end users see the option to skip the Sign-In Widget verification. If your org is configured to remember the last authenticator the user used, then the user is auto-redirected to the IdP authenticator for future sign-in attempts.
SSF Transmitter API
Okta uses the Continuous Access Evaluation Profile (CAEP) to send security-related events and other data-subject signals to Apple, which acts as the Shared Signal Framework (SSF) receiver. After an SSF stream is configured, Okta sends signals as Security Event Tokens (SETs) to Apple. Use the SSF Transmitter API to manage SSF stream configurations between Okta and the SSF receiver.
Enhancement to protected access to Admin Console
As part of the Require MFA for Protected Actions in the Admin Console feature, step-up authentication is now required to modify authentication policies that apply to the Admin Console.
April 2024
Early Access features from this release are now Generally Available.
March 2024
Direct End-User Settings access
Users may now access their Settings page through a direct URL in addition to the End-User Dashboard. This feature provides convenience and security for users, gives admins greater flexibility when working with End-User Dashboard access control scenarios, and includes accessibility and UX improvements. See User settings.
Enforce Number Challenge for Desktop MFA
You can now enforce number challenge on all push notifications for Desktop MFA, regardless of the authentication policy. See Configure Desktop MFA policies.
Realms for Workforce
Realms gives you greater flexibility in managing, and delegating management of, distinct user populations within a single Okta org. See Manage realms.
Trusted App filters
Trusted App filters allow orgs to block applications from invoking Okta FastPass in Windows, and in Google Chrome and Firefox browsers for macOS. See Trusted app filters.
Google Workspace 1-click federation
Admins can set up SSO to Google Workspace using a simplified integration experience that saves time and reduces the risk of errors.
New HealthInsight task
HealthInsight now includes a recommendation to apply MFA for access to the Admin Console.
February 2024
Custom languages for email templates
Admins can now customize Okta-generated emails in any BCP47-formatted language. Previously, customizations were limited to 27 Okta-supported languages. This feature allows admins to configure additional locales using Okta's Brands API. When a new locale is configured, it's available as a new language selection within the Email Templates Editor. See Customized Email Notifications.
Dynamic OS version compliance for device assurance
You can configure OS version compliance by using device assurance. However, you have to manually update the policies every time a new OS version or patch is released. With Dynamic OS version compliance, Okta updates device assurance policies with the latest OS versions and patches, eliminating the need for manual updates. With this feature you can ensure OS version compliance in your org without tracking OS releases. See Add a device assurance policy.
November 2023
Make email optional authenticator
This feature allows you to upgrade your org to Identity Engine without updating your email factor settings. If you already have an Identity Engine org, it gives you and your end users more control over the email authenticator. See Skip auto-enrolling email authenticator and Make email an optional authenticator.
New app settings permissions for custom admin roles
Super admins can now assign permissions for custom admin roles to manage all app settings, or only general app settings. This enables super admins to provide more granular permissions to the admins they create, resulting in better control over org security. See Application permissions.
October 2023
Workday writeback enhancement
When this feature is enabled, Okta makes separate calls to update work and home contact information. This feature requires the Home Contact Change and Work Contact Change business process security policy permissions in Workday.
September 2023
Custom admin roles with device permissions
You can now create custom admin roles with permissions to view and manage devices. You can add Devices to your resource set and then specify device permissions for your custom admin. See Create a resource set and Devices permissions.
Okta FastPass and Smart Card options on Sign-in page
Currently, if you configured both the Sign in with Okta FastPass option and Smart Card as an authenticator, users only see the Okta FastPass option when they sign in. With this feature, you can make both options available for your users during the sign-in process. See Configure the Smart Card authenticator.
Enhanced security of Okta Verify enrollments
To ensure users enroll in Okta Verify in a phishing-resistant manner, a Higher security methods option now appears on the authenticator configuration page. With this option, users can't enroll with QR code, email, or SMS link. See Configure Okta Verify options.
July 2023
IdP permissions for custom admin roles
Admins can now leverage new Identity Provider management permissions when creating custom admin roles. These permissions allow more precise access control and reinforce the principle of least privilege. See Role permissions.
Admin Console Japanese translation
When you set your display language to Japanese, the Admin Console is now translated. See Supported display languages.
Front-channel Single Logout
Front-channel Single Logout (SLO) allows a user to sign out of an SLO-participating app on their device and end their Okta session. Okta then automatically sends a sign-out request to all other participating apps that the user accessed during their session. See Configure Single Logout in app integrations.
June 2023
Phishing-resistant authentication with Okta FastPass on unmanaged iOS devices
While Okta FastPass can protect users against phishing attacks in most cases, it can't secure authentication on unmanaged iOS devices. To close this gap, Okta is rolling out phishing resistance for Okta FastPass on unmanaged iOS devices. With this change, users who authenticate with Okta FastPass on their personal or unmanaged iOS devices are protected from phishing attacks. See Multifactor authentication.
This feature requires Okta Verify version 8.2.1.
May 2023
Event hook filters
You can now filter individual events of the same event type based on custom business logic hosted in Okta. These filters reduce the number of events that trigger hooks, removing unnecessary load from your external service.
This feature includes an improved creation workflow for event hooks and a new Filters tab that you can use to create event filters with direct Expression Language statements or with a simple UI format.
Using event hook filters significantly reduces the number of event hook requests and the need for custom code on your respective services. See Edit an event hook filter.
April 2023
Import users to Office 365 using Microsoft Graph API
This feature allows Okta to process imports using the Microsoft Graph API. This background process doesn't change existing procedures and makes imports more scalable, supporting Microsoft 365 tenants with larger numbers of users, groups, and group memberships. See Import users to Office 365 using Microsoft Graph API.
January 2023
AWS region support for EventBridge Log Streaming
EventBridge Log Streaming now supports all commercial AWS regions.
November 2022
Phishing-resistant authenticator requirement
To enhance security, admins may now require users to authenticate using a phishing-resistant authenticator when enrolling additional authenticators. This feature protects the authenticator enrollment process from phishing attempts. See Phishing-resistant authenticator enrollment.
Log Stream event structure update
For consistency, the event structure for Log Stream events now matches that of System Log events. The following fields have changed and might require updates to any monitoring scripts in use:
- Under devices, osPlatform is now platform.
- The ipChain array is now correctly nested under request instead of client.
- The extraneous field insertionTimestamp is removed.
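As an added example (not Okta's code), the following Go program shows the kind of adjustment a monitoring script needs for the three field changes listed above: it accepts an event in either the old Log Stream layout or the new System Log layout and normalizes it to the new one, so downstream alerting reads ipChain from a single place. The sample event is constructed; the key names (devices, osPlatform/platform, client/request ipChain, insertionTimestamp) follow the release note.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample event in the OLD Log Stream layout described in the
// release note: osPlatform under devices, ipChain under client, and an
// insertionTimestamp field that the new layout drops.
const oldEvent = `{
  "uuid": "00000000-0000-0000-0000-000000000001",
  "eventType": "user.session.start",
  "published": "2022-11-01T12:00:00.000Z",
  "insertionTimestamp": "2022-11-01T12:00:01.000Z",
  "client": {
    "userAgent": {"rawUserAgent": "Mozilla/5.0 (constructed)"},
    "ipAddress": "203.0.113.10",
    "ipChain": [{"ip": "203.0.113.10", "version": "V4"}]
  },
  "request": {},
  "devices": {"osPlatform": "macOS", "name": "constructed-laptop"}
}`

// NormalizeLogStreamEvent rewrites an old-layout event into the System Log
// layout and passes new-layout events through unchanged, so one code path
// serves both during the transition.
func NormalizeLogStreamEvent(raw []byte) (map[string]any, error) {
	var ev map[string]any
	if err := json.Unmarshal(raw, &ev); err != nil {
		return nil, fmt.Errorf("decode event: %w", err)
	}
	// 1. devices.osPlatform -> devices.platform (never overwrite a new-layout value)
	if dev, ok := ev["devices"].(map[string]any); ok {
		if v, present := dev["osPlatform"]; present {
			if _, already := dev["platform"]; !already {
				dev["platform"] = v
			}
			delete(dev, "osPlatform")
		}
	}
	// 2. client.ipChain -> request.ipChain (request may be missing or empty)
	if cl, ok := ev["client"].(map[string]any); ok {
		if chain, present := cl["ipChain"]; present {
			req, ok := ev["request"].(map[string]any)
			if !ok {
				req = map[string]any{}
				ev["request"] = req
			}
			if _, already := req["ipChain"]; !already {
				req["ipChain"] = chain
			}
			delete(cl, "ipChain")
		}
	}
	// 3. insertionTimestamp no longer exists in the new layout
	delete(ev, "insertionTimestamp")
	return ev, nil
}

// SourceIPs returns the addresses in request.ipChain of a normalized event;
// a script that alerts on unexpected proxy chains reads from here only.
func SourceIPs(ev map[string]any) []string {
	var ips []string
	req, _ := ev["request"].(map[string]any)
	chain, _ := req["ipChain"].([]any)
	for _, hop := range chain {
		if m, ok := hop.(map[string]any); ok {
			if ip, ok := m["ip"].(string); ok {
				ips = append(ips, ip)
			}
		}
	}
	return ips
}

func main() {
	ev, err := NormalizeLogStreamEvent([]byte(oldEvent))
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(ev, "", "  ")
	fmt.Println(string(out))
	fmt.Println("source IPs:", SourceIPs(ev))
}
```

The normalizer is idempotent: running it over an event that is already in the new layout changes nothing, which lets the same script consume a mixed backlog during the cutover.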
October 2022
Passkey Management
Apple passkeys may be synchronized across multiple devices, including on unmanaged ones, and stored in Apple's data centers. This may impact organizations whose security policies require that credentials never leave the device, or that only managed devices be allowed to connect. Okta now allows admins to block the enrollment of passkeys in their orgs. With the new Passkey Management feature, customers can ensure that security policies continue to be enforced, and potentially compromised devices can be kept from connecting. Existing passkey enrollments aren't affected by turning this feature on.
New OIN app for Microsoft 365 GCC High
A new app is available for integrating Microsoft Office 365 Government Community Cloud (GCC) High. This Office 365 tenant type serves as a highly secure version of Office 365 built specifically for government entities, vendors, and contractors. The tenant provides built-in compliance with certifications and accreditations that are required by the U.S. public sector, including FedRAMP high-impact requirements.
With the new Okta Integration Network app, customers using the GCC High environment for Office 365 can securely deploy a consistent user experience for SSO and identity management. See Configure Office 365 GCC High Tenant.
Phishing-resistant authentication
Phishing-resistant authentication detects and prevents the disclosure of sensitive data to fake applications or websites. When users authenticate with Okta FastPass on managed devices, they're protected from phishing attacks. See Phishing-resistant authentication.
New column for the User app access report
The User app access report now includes the Recently Accessed column. This allows you to view when the user accessed the app in the last 90 days.
September 2022
SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.
SAML app support added for email magic links
The Email Magic Link feature now supports SAML applications for self-service registration, self-service password reset, and self-service unlock operations.
July 2022
Improvements to the self-service registration experience
Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.
June 2022
Run delegated flows from the Admin Console
With delegated flows, admins can be assigned the ability to run Okta Workflows directly from the Admin Console. Flows that are delegated to an admin appear on the Delegated Flows page where they can be invoked without signing in to the Workflows Console. This gives super admins more granular control over their admin assignments. See Delegated flows.
May 2022
New permissions for custom admin roles
Super admins can now assign these new permissions to their custom admin roles:
- Manage authorization server
- View authorization server
- Manage customizations
- View customizations
The authorization server permissions can be scoped to all or to a subset of the org's authorization servers. With these new permissions, super admins can now create custom admin roles with more granular permissions for managing their org's customizations and authorization servers. See Role permissions.
April 2022
Splunk available for Log Streaming
Many organizations use third-party systems to monitor, aggregate, and act on the event data in Okta System Log events.
Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as Splunk Cloud in near real time with simple, pre-built connectors. Log streaming scales well even with high event volume, and unlike many existing System Log event collectors, it doesn't require a third-party system to store an Okta Admin API token. See Log streaming.
March 2022
Automatically update public keys in the Admin Console
Using private_key_jwt as your app's client authentication method requires that you upload public keys to Okta and then use the private keys to sign the assertion. Then, you must update the client configuration each time you rotate the key pairs. This is time-consuming and error-prone. To seamlessly use key pairs and rotate them frequently, you can now configure private_key_jwt client authentication in the Admin Console for OAuth clients by specifying the URI where you store your public keys. See Manage secrets and keys for OIDC apps.
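To make the mechanism concrete, here is an added Go example (not Okta's code) of the two halves of private_key_jwt client authentication described above: the JWK Set document the client hosts at its public-key URI, and the RS256-signed client assertion the client sends to the token endpoint. VerifyAssertion plays the authorization server's role after it has fetched that JWK Set, selecting the key by kid and checking signature, issuer, audience and expiry. The client ID, token endpoint URL and key ID are placeholders, and the RSA key is generated for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Placeholder values; a real client ID and token endpoint come from the org.
const (
	clientID      = "0oa-placeholder-client-id"
	tokenEndpoint = "https://example.okta.com/oauth2/v1/token"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// JWK is the public half of one RSA key as published in a JWK Set.
type JWK struct {
	Kty, Kid, Use, Alg, N, E string
}
type JWKS struct{ Keys []JWK }

// PublicJWKS builds the document hosted at the JWKS URI. Rotating a key means
// publishing the new key here and signing with it; the Admin Console
// configuration (the URI) stays the same.
func PublicJWKS(kid string, pub *rsa.PublicKey) JWKS {
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, Use: "sig", Alg: "RS256",
		N: b64(pub.N.Bytes()), E: b64(big.NewInt(int64(pub.E)).Bytes())}}}
}

// ClientAssertion signs the private_key_jwt assertion: iss and sub are the
// client ID, aud is the token endpoint, jti is random, lifetime is short.
func ClientAssertion(kid string, priv *rsa.PrivateKey, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID,
		"aud": tokenEndpoint, "iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), "jti": b64(jti)})
	input := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyAssertion is the server side: look up the kid in the fetched JWK Set,
// verify RS256 over header.payload, then check iss, aud and exp.
func VerifyAssertion(assertion string, jwks JWKS, now time.Time) (map[string]any, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed assertion")
	}
	var hdr struct{ Alg, Kid string }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or unsupported alg")
	}
	var key *JWK
	for i := range jwks.Keys {
		if jwks.Keys[i].Kid == hdr.Kid {
			key = &jwks.Keys[i]
		}
	}
	if key == nil {
		return nil, errors.New("unknown kid")
	}
	nb, _ := base64.RawURLEncoding.DecodeString(key.N)
	eb, _ := base64.RawURLEncoding.DecodeString(key.E)
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	var claims map[string]any
	cb, _ := base64.RawURLEncoding.DecodeString(parts[1])
	if err := json.Unmarshal(cb, &claims); err != nil {
		return nil, err
	}
	if claims["iss"] != clientID || claims["aud"] != tokenEndpoint {
		return nil, errors.New("wrong iss or aud")
	}
	if exp, _ := claims["exp"].(float64); int64(exp) <= now.Unix() {
		return nil, errors.New("assertion expired")
	}
	return claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // demo key, generated here
	jwks := PublicJWKS("key-2022-03", &priv.PublicKey)
	assertion, _ := ClientAssertion("key-2022-03", priv, time.Now())
	claims, err := VerifyAssertion(assertion, jwks, time.Now())
	fmt.Println("verified subject:", claims["sub"], "error:", err)
}
```

The audience check is the part worth noticing: because aud is bound to the token endpoint, an assertion captured for one authorization server cannot be replayed against another, and the short exp plus unique jti limit replay at the intended endpoint.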
Incremental Imports for the Org2Org app
Okta now supports incremental imports for the Org2Org app. Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import. See Okta Org2Org.
February 2022
Additional Okta username formats for LDAP-sourced users
Three additional Okta username formats are now available for LDAP-sourced users. In addition to the existing options, admins can now select Employee Number, Common Name, and Choose from schema to form the Okta username. These new options allow admins to use both delegated authentication and Just-In-Time (JIT) provisioning with LDAP directory services. With these new provisioning options, it is now easier for admins to integrate their LDAP servers with Okta. See Configure LDAP integration settings.
November 2021
Windows Autopilot integration with Okta
You can now use Okta to secure and streamline the Windows Autopilot flow on end-user devices. Before this integration, using Okta Device Trust or Okta FastPass prevented the enrollment of a new device through Windows Autopilot. The new integration allows you to accommodate Not Trusted devices with Windows Autopilot while continuing to use Okta Device Trust and Okta FastPass for Trusted devices. It also allows you to add a sign-on policy rule in Okta that requires MFA when enrolling a device through Windows Autopilot. This increases security without compromising the user experience and ensures that the right person gets access to the device. See Typical workflow for using Okta with Windows Autopilot.
Manage email notifications for custom admin roles
Super admins can configure the system notifications and Okta communications for custom admin roles. Configuring the email notifications helps ensure admins receive all of the communications that are relevant to their role. See Configure email notifications for an admin role.
August 2021
Third-Party Risk
Okta Risk Eco-System API / Third-Party Risk enables security teams to integrate IP-based risk signals to analyze and orchestrate risk-based access using the authentication layer. Practitioners can step up, reduce friction, or block the user based on risk signals across the customer's security stack. Apart from improving security efficacy, this feature also enhances the user experience by reducing friction for good users based on positive user signals. See Risk scoring.
February 2021
Enhanced Admin Console search
Admins can now search for end user email addresses in the Spotlight Search field in the Admin Console. You can also view the user's status in the search results when you search by username and email address. This robust global search helps you find what you need in the Admin Console quickly, thereby saving time and increasing productivity. See Admin Console search.
January 2021
Workplace by Facebook Push AD Manager functionality
Admins can choose to disable Push AD Manager functionality using this self-service Early Access feature. This enables admins to control the manager attribute using Okta Expression Language syntax to avoid being dependent on AD for the field. See Workplace by Facebook.
Skip to Content improvements
End users can now click Skip to Content on the new Okta End-User Dashboard to navigate directly to the Add Apps page.
Options relocation
The Recent Activity tab, End-User preferences, Admin View, and Sign Out options are now displayed in the user drop-down menu on the Okta End-User Dashboard.