Okta Identity Engine release notes (Preview)

Version: 2024.09.0

September 2024

Generally Available

Okta Active Directory Password Sync agent, version 1.6.0

This version of the agent includes security enhancements.

Sign-In Widget, version 7.23.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Enhanced dynamic zones

Use enhanced dynamic network zones to define IP service categories (proxies, VPNs), locations, and Autonomous System Numbers (ASNs) that are allowed or blocked in a zone. See Enhanced dynamic zones.

JIT provisioning for Smart Card

This feature enables you to provision Just-In-Time (JIT) access to users. You can do this by configuring certificate attribute criteria so that PIV/CAC card holders of other orgs can gain access to the resources they need. See Add a Smart Card Identity Provider.

Improved security for Microsoft Office 365

Microsoft Office 365 provisioning now eliminates the need for admin credentials by using a secure and modern OAuth-based authentication flow. This update will be gradually made available to all orgs.

Partial Universal Logout indicator in the OIN

The OIN catalog now indicates which apps support partial Universal Logout.

Changes to role permissions that handle API tokens

The following changes have been made to the permissions that handle API tokens:

  • The View users and their details permission now includes the View API tokens permission.
  • The Edit users' lifecycle states, Suspend users, and Clear users' sessions permissions now include the Manage API tokens permission.
  • To view or manage tokens, use the Manage API tokens permission.

See Role permissions.

OIN connector support for Entitlement Management

The Dropbox Business, ServiceNow, SmartRecruiters, and Tableau connectors have been updated to support Entitlement Management. See Provisioning-enabled apps.

New System Log events for Device Assurance Policy

New System Log events are generated when a device assurance policy is created, updated, or deleted:

  • device.assurance.policy.add
  • device.assurance.policy.update
  • device.assurance.policy.delete

New System Log events for flow and table changes

The workflows.user.flow.move and workflows.user.table.move Okta Workflows events have been added to the System Log to record the changes that occur due to reorganization of folder-level resources.

New System Log entries for sign-in events

The user.authentication.auth_via_IDP System Log event has been created. This event records occurrences of unknown users attempting to sign in through an Identity Provider.

System Log event update

The user.authentication.auth_unconfigured_identifier System Log event now appears when a user signs in without an admin-configured identifier.

Support for migrating Office 365 apps to Microsoft Graph

You can now migrate your Office 365 Single Sign-On app (WS-Fed Auto) instances to a secure OAuth-based consent flow using Microsoft Graph. See Configure Single Sign-On for Office 365.

Improved API documentation

Our API documentation has a new look and feel! API content in the References section of the Developer Documentation website will be moved after September 30, 2024.

Early Access

Authentication method chain

With this feature, you can require users to verify with multiple authentication methods in a specified sequence. You can create multiple authentication method chains in an authentication policy rule to cater to different use cases and scenarios. See Authentication method chain.

IdP selection for admin resources

This feature gives customers the ability to select and manage the Identity Providers (IdPs) that they want to associate with an admin role. This enhances security by providing granular permissions to roles. See Create a resource set.

Granular configuration for Keep Me Signed In

Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands management API. See Keep me signed in and Brands API.

Global token revocation for wizard SAML and OIDC apps

Universal Logout clears sessions and tokens for wizard SAML and OIDC apps. This enhancement extends Universal Logout functionality to more types of apps and provides greater flexibility to admins.

Fixes

  • Okta Behavior Detection sometimes incorrectly marked sign-in requests as new behaviors. (OKTA-664827)

  • HealthInsight showed GitLab as supporting SAML when it only supports SCIM. (OKTA-706224)

  • System Log events for post auth session and entity risk policy entries didn't indicate whether they were executed in enforced or read-only mode. (OKTA-743937)

  • When a user tried to access OneDrive from the app on the Okta End-User Dashboard, an error occurred if there was an active Office 365 session. (OKTA-744748)

  • When an admin selected the Group push mappings encountered errors task for an AD integration, they were directed to a blank tab. (OKTA-753485)

  • Users couldn't launch the ShareFile app. (OKTA-756155)

  • The enrollment date for authenticators didn't appear on the End-User Settings (version 2.0) page. (OKTA-790271)

  • The phone authenticator page didn't render correctly in certain languages if the phone extension field name was too long. (OKTA-790283)

  • On managed iOS 18 devices, an error occurred when some users attempted to authenticate silently with Okta FastPass. (OKTA-791525)

  • The Active Directory sign-in page didn't load correctly if it was embedded using a Trusted Origin. (OKTA-796094)

  • When creating or updating a profile, user first or last names that contained a dot (last.name) triggered malformed field error messages. (OKTA-798884)

  • When the Allow multiple identities matching the criteria option was enabled for Smart Card IdP, suspending a Smart Card/PIV user resulted in an error on the sign-in page. (OKTA-798997)

  • When a user entered the wrong password to sign in to an org using delegated authentication to LDAP, the login cache was cleared. (OKTA-799642)

  • The Okta Usage and Application Usage reports date range selector used 3 months instead of 90 days as the earliest available date. (OKTA-801212)

  • Single Logout (SLO) was unavailable for Salesforce instances in Preview orgs. (OKTA-805013)

  • Some users couldn't open the Okta Access Requests app from their End-User Dashboard, despite the two apps having matching authentication policies. (OKTA-806140)

  • AD imports sometimes failed when Slack had group push mappings configured as the downstream app. (OKTA-806301)

Okta Integration Network

  • Briefly AI (OIDC) is now available. Learn more.
  • CAASS (SAML) is now available. Learn more.
  • Cork (API service) is now available. Learn more.
  • Everykey Integration (API service) is now available. Learn more.
  • Heropa (SAML) is now available. Learn more.
  • kickflow (SAML) is now available. Learn more.
  • Nulab Pass (Backlog Cacoo Typetalk) (SAML) has a new integration guide.
  • Obsidian Security (SAML) has a new region URL.
  • Seismic Learning (SAML) has updated endpoints.
  • Seismic Learning (SCIM) has an updated base URL.
  • ShareFile (SWA) was updated. (OKTA-756155)
  • Spiral (SAML) is now available. Learn more.
  • Valence Okta Connector (API service) is now available. Learn more.
  • VASTOnline (SAML) is now available. Learn more.
  • Visily (SAML) is now available. Learn more.
  • WideField Security - Detect (API service) is now available. Learn more.
  • Wirespeed (API service) is now available. Learn more.

Weekly Updates

2024.09.1: Update 1 started deployment on September 18

Generally Available

Sign-In Widget, version 7.23.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

  • Search OUs configured for an Active Directory instance weren't updated in Okta when the corresponding OUs were deleted in AD. (OKTA-686217)

  • Full group names weren't displayed in search results on the Push Groups tab. (OKTA-710044)

  • On the Realm assignment form, the Profile Source and Realm assignment dropdown failed to display the list of available options. (OKTA-710761)

  • Users assigned to an AD or LDAP instance where delegated authentication wasn't enabled had their user login set incorrectly after enabling delegated authentication. (OKTA-711676)

  • Some admins couldn't filter the MFA Enrollment by User report by group. (OKTA-743062)

  • Users who already had the Google Authenticator enrolled saw an unclear error message if they tried to enroll it again. (OKTA-747092)

  • When a user requested a new app from the End-User Dashboard, the action wasn't recorded in the System Log. (OKTA-755410)

  • The Okta Expression Language string evaluation failed when creating a custom attribute in Universal Directory with the variable name timeZone. (OKTA-756071)

  • The Require user interaction and Require PIN or biometric user verification options were displayed in the Authentication Method Chain's policy rule even when user verification was disabled in the org. (OKTA-798034)

  • WebAuthn couldn't be enrolled inline if the Authentication Method Chain feature was enabled and the enrollment policy required hardware protection. (OKTA-798371)

  • Same-Device Enrollment for Okta FastPass is now available again. The feature had been removed to resolve an Okta Verify enrollment issue. (OKTA-807716)

Okta Integration Network

  • Breezy HR by Aquera (SCIM) is now available. Learn more.
  • Ceretax (OIDC) is now available. Learn more.
  • DBSnapper (OIDC) is now available. Learn more.
  • Envoy (SCIM) has updated endpoints.
  • Focal (OIDC) is now available. Learn more.
  • Kickbox (OIDC) is now available. Learn more.
  • Okta ISPM (API Service) has a new logo.
  • Security Journey (SCIM) is now available. Learn more.
  • StrongDM now has an AIP for the SCIM/OIDC URL.
  • Teamup Calendar (OIDC) is now available. Learn more.
  • Vanta (SAML) has updated endpoints.
  • Wirespeed (API Service) has an updated description.

2024.09.2: Update 2 started deployment on September 25

Fixes

  • The End All Sessions section of the end-user Settings page didn't appear for some users. (OKTA-652620)

  • When editing a user's assignments, roles with numeric values appeared in the wrong position in the Role dropdown menu. Selecting Not mapped set the role to 629. (OKTA-729800)

  • An outdated Windows logo appeared for various downloads, such as agents. (OKTA-731993)

  • Error messages that appeared to end users when they created, updated, or deleted a security method were unclear and not translated. (OKTA-797231)

  • A custom email provider test email couldn't be sent if the email address contained a non-standard domain such as .digital. (OKTA-798388)

  • The System Log event for blocked requests didn't contain ASN in the securityContext section. (OKTA-803219)

  • Single Logout (SLO) was unavailable for Salesforce instances in Preview orgs. (OKTA-805013)

  • Some users couldn't open the Okta Access Requests app from their End-User Dashboard, despite the two apps having matching authentication policies. (OKTA-806140)

  • AD imports sometimes failed when Slack had group push mappings configured as the downstream app. (OKTA-806301)

  • In the SecurityAdministrators page, the user details incorrectly appeared in the search bar. (OKTA-806750)

Okta Integration Network

  • Bumblebee Networks (SAML) is now available. Learn more.
  • Go1 (SCIM) is now available. Learn more.
  • IDrive e2 (SAML) is now available. Learn more.
  • Iris by Cro Metrics (OIDC) is now available. Learn more.
  • Okta Identity Security Posture Management SSO (OIDC) is now available. Learn more.
  • Nightfall AI (API Service) is now available. Learn more.
  • NordLayer (OIDC) has an additional redirect URI.
  • StrongDM has an AIP for the SCIM/OIDC URL.
  • Syntinels (OIDC) is now available. Learn more.
  • WINN.AI (OIDC) was updated. (OKTA-806820)

2024.09.3: Update 3 started deployment on October 3

Generally Available

Sign-In Widget, version 7.32.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

  • Some System Log event descriptions and display names weren't populated correctly. (OKTA-721947)

  • When using SCIM 2.0 and on-premises provisioning, some attributes weren't being updated during provisioning and import operations. (OKTA-745515)

  • The result summary of the Access Testing Tool for a disabled authenticator didn't match the authenticator enrollment policy. (OKTA-752890)

  • On managed iOS 18 devices, an error occurred when some users attempted to authenticate silently with Okta FastPass. (OKTA-791525)

  • The generic authenticator method wasn't shown if its first instance was inactive. (OKTA-806802)

  • Sometimes an Invalid Phone Number error was incorrectly returned during SMS factor enrollment. (OKTA-807741)

  • The Features page didn't include a link to the documentation for the Workday writeback enhancement Early Access feature. (OKTA-808626)

  • macOS 15 wasn't supported in device assurance policies. (OKTA-811338)

Okta Integration Network

  • ADP Workforce Now by Aquera (SCIM) is now available. Learn more.
  • AppWork (SAML) is now available. Learn more.
  • Ben (SAML) is now available. Learn more.
  • Blacksmith InfoSec (SCIM) is now available. Learn more.
  • Cockroach Labs (OIDC) is now available. Learn more.
  • Cockroach Labs (SAML) is now available. Learn more.
  • CultureScience (OIDC) has a new display name, description, and redirect URI.
  • Cyberlift (API Service) is now available. Learn more.
  • Devolutions Hub Business (SCIM) is now available. Learn more.
  • Detexian SSPM (API Service) now has additional scopes.
  • DocketAI (SAML) is now available. Learn more.
  • Fundraise Up SSO (SAML) is now available. Learn more.
  • IELOVE-CLOUD (SAML) is now available. Learn more.
  • Middleware (OIDC) is now available. Learn more.
  • Middleware (SAML) is now available. Learn more.
  • Obsidian Security (API Service) has a new integration guide.
  • pclub.io (OIDC) is now available. Learn more.
  • Rezonate Security (API Service) now has additional scopes.
  • Rivial Cybersecurity Management Platform (SAML) is now available. Learn more.
  • Scrut Automation (API Service) is now available. Learn more.
  • Sightglass (OIDC) is now available. Learn more.
  • T3 Connect (SCIM) has an updated app profile and mapping.
  • TalentLMS by Aquera (SCIM) is now available. Learn more.
  • WINN.AI (OIDC) has an updated initiate login URI and a new redirect URI.
  • Workshop (SAML) has updated endpoints.
  • Zoomifier Web App (OIDC) is now available. Learn more.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is now enabled by default for all orgs.

New browser tab reactivation behavior for the Sign-In Widget

The Sign-In Widget now avoids a full page refresh on custom domains when an inactive tab is reactivated. This change improves compatibility with browser memory saver features. This feature will be gradually made available to all orgs.

Sign in with duplicated email authenticators

Previously, users couldn't sign in if they had the same email enrolled twice as an authenticator. This change checks the status of each email authenticator and allows the user to sign in with the most suitable email authenticator.

End-user setting for nicknaming factors

End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the End-User documentation. This is a self-service feature.

Content security policy enforcement on end-user pages

Content Security Policy is now enforced for end-user pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for end-user pages will become stricter than this first release. This feature will be gradually made available to all orgs.

Okta ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints (OpenID Connect & OAuth 2.0, Okta Management, and MyAccount API). Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org.

Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints.

There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

Application Entitlement Policy

Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected entry now provides a descriptive reason for the event. See System Log.
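The new device assurance policy events, the descriptive reason on security.threat.detected entries (such as Negative IP Reputation), and the ASN carried in securityContext for blocked requests are all things a detection engineer would want to pull out of a System Log export. The following triage script is an added example, not Okta code: it runs over constructed JSON-lines events whose field names follow the public System Log event object (eventType, severity, outcome.result, outcome.reason, securityContext.asNumber, client.ipAddress); the addresses, ASN and the second reason string are constructed sample values.

```python
import json

# Constructed sample System Log events as JSON lines, not real Okta output.
# 192.0.2.0/24 and AS64496 are documentation-reserved values.
SAMPLE_LOG = """
{"eventType":"device.assurance.policy.delete","severity":"INFO","published":"2024-09-18T10:02:11.000Z","actor":{"alternateId":"admin@example.com"},"target":[{"type":"DeviceAssurancePolicy","displayName":"macOS baseline"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","severity":"INFO","published":"2024-09-18T10:03:05.000Z","actor":{"alternateId":"jdoe@example.com"},"outcome":{"result":"SUCCESS"}}
{"eventType":"security.threat.detected","severity":"HIGH","published":"2024-09-18T10:05:40.000Z","client":{"ipAddress":"192.0.2.10"},"securityContext":{"asNumber":64496,"isProxy":true},"outcome":{"result":"DENY","reason":"Negative IP Reputation"}}
{"eventType":"security.threat.detected","severity":"HIGH","published":"2024-09-18T10:07:02.000Z","client":{"ipAddress":"192.0.2.11"},"securityContext":{},"outcome":{"result":"ALLOW","reason":"Constructed example reason"}}
"""

POLICY_EVENTS = {"device.assurance.policy.add",
                 "device.assurance.policy.update",
                 "device.assurance.policy.delete"}


def parse_events(raw):
    """Parse a JSON-lines System Log export, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def policy_changes(events):
    """One record per device assurance policy add/update/delete: who did it,
    which policies were touched, and when. Deletes are the ones to review."""
    out = []
    for ev in events:
        if ev.get("eventType") not in POLICY_EVENTS:
            continue
        targets = [t.get("displayName") for t in ev.get("target", [])
                   if t.get("type") == "DeviceAssurancePolicy"]
        out.append({"action": ev["eventType"].rsplit(".", 1)[1],
                    "actor": ev.get("actor", {}).get("alternateId"),
                    "policies": targets,
                    "published": ev.get("published")})
    return out


def threat_detections(events):
    """Summarise HIGH security.threat.detected events: the descriptive reason,
    source IP, ASN (None when securityContext carries no asNumber) and whether
    the request was actually denied or only logged."""
    out = []
    for ev in events:
        if (ev.get("eventType") != "security.threat.detected"
                or ev.get("severity") != "HIGH"):
            continue
        outcome = ev.get("outcome", {})
        out.append({"reason": outcome.get("reason"),
                    "ip": ev.get("client", {}).get("ipAddress"),
                    "asn": ev.get("securityContext", {}).get("asNumber"),
                    "blocked": outcome.get("result") == "DENY",
                    "published": ev.get("published")})
    return out


def triage(raw=SAMPLE_LOG):
    """Run both detections over a raw export and return the findings."""
    events = parse_events(raw)
    return {"policy_changes": policy_changes(events),
            "threats": threat_detections(events)}


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

A threat entry with `blocked` False and a reason present is ThreatInsight running in log mode; an `asn` of None on a blocked request is the gap that OKTA-803219 closes.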

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application. See Configure the email authenticator.

Toggle password visibility on the Okta Sign-In page

End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Enable delegated authentication for LDAP.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Choose additional filters for Office 365 sign-on policy

Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.
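To make the three legs of the grant concrete (device requests codes, user approves on a secondary device, device polls for the token), here is an added simulation of both sides of the OAuth 2.0 device grant as specified in RFC 8628, which is the grant Okta's device authorization and token endpoints implement. It is constructed example code, not Okta's implementation; the verification URI, client id and user subject are placeholders, and a fake clock replaces real sleeps so the run is deterministic.

```python
import secrets
import string

USER_CODE_CHARS = string.ascii_uppercase + string.digits  # easy to type on a remote


class DeviceAuthServer:
    """Constructed stand-in for the authorization-server side of RFC 8628
    (what the device authorization and token endpoints do); not Okta code."""

    def __init__(self, interval=5, lifetime=600):
        self.interval, self.lifetime = interval, lifetime
        self.pending = {}  # device_code -> pending authorization record

    def device_authorize(self, client_id, scope, now):
        """Step 1: the input-constrained device asks for a device_code/user_code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_CHARS) for _ in range(8))
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code, "approved_by": None,
                                     "expires_at": now + self.lifetime, "last_poll": now}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://example.okta.com/activate",  # placeholder
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code, subject):
        """Step 2: on the secondary device the user signs in and enters user_code."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["approved_by"] is None:
                rec["approved_by"] = subject
                return True
        return False  # unknown or already-used code: nothing to approve

    def token(self, device_code, now):
        """Step 3: the device polls the token endpoint with its device_code."""
        rec = self.pending.get(device_code)
        if rec is None or now >= rec["expires_at"]:
            self.pending.pop(device_code, None)
            return {"error": "expired_token"}
        polled_too_soon = now - rec["last_poll"] < self.interval
        rec["last_poll"] = now
        if polled_too_soon:
            return {"error": "slow_down"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device_code is single-use
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "sub": rec["approved_by"], "scope": rec["scope"]}


def run_device_flow(server, now, sleep, approve_on_poll, max_polls=6):
    """Device-side client loop. approve_on_poll is the poll index at which the
    simulated user finishes on the secondary device. Returns the sequence of
    token-endpoint results seen and the final response."""
    auth = server.device_authorize("tv-app", "openid profile", now())
    interval, transcript = auth["interval"], []
    for n in range(max_polls):
        if n == approve_on_poll:
            server.approve(auth["user_code"], "jdoe@example.com")  # placeholder user
        sleep(interval)                        # never poll faster than `interval`
        resp = server.token(auth["device_code"], now())
        if "access_token" in resp:
            transcript.append("access_token")
            return transcript, resp
        transcript.append(resp["error"])
        if resp["error"] == "slow_down":
            interval += 5                      # RFC 8628 section 3.5 back-off
        elif resp["error"] != "authorization_pending":
            return transcript, resp
    return transcript, {"error": "gave_up"}


def simulate(approve_on_poll=2):
    """Deterministic run: a list-backed fake clock stands in for time.time/sleep."""
    clock, server = [0], DeviceAuthServer()
    return run_device_flow(server, lambda: clock[0],
                           lambda s: clock.__setitem__(0, clock[0] + s), approve_on_poll)
```

The device never sees the user's credentials; it only learns a short-lived device_code, and the token endpoint refuses to hand out a token until the user has approved that exact user_code elsewhere.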

Manage admin email notification subscriptions using API endpoints

Admins can manage email subscriptions using the Admin Email Subscription API endpoints.

  • Super admins can configure default subscription settings by admin type.

  • All admins can manage their own admin email notification subscriptions.

LDAP password reset option

LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.

LDAP admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.