Okta Identity Engine release notes (Preview)

Version: 2024.07.0

July 2024

Generally Available

Okta Provisioning agent, version 2.1.0

This release of the Okta Provisioning agent contains vulnerability fixes. See Okta Provisioning agent and SDK version history.

Okta Active Directory agent, version 3.18.0

This release of the Okta Active Directory agent uses OAuth 2.0 for authorization and OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to securely communicate with Okta. Agents are now registered through the OAuth 2.0 device registration flow and operate independently from the account used to register them. This release also includes security enhancements and bug fixes. See Okta Active Directory agent version history.

Sign-In Widget, version 7.20.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Identity Threat Protection with Okta AI

Identity Threat Protection with Okta AI is a powerful risk assessment and response solution that provides post-authentication security to your org. By continuously analyzing risk signals that are native to Okta, risk signals from integrated security partner vendors, and your policy conditions, it safeguards orgs against identity attacks that occur during and outside of a user’s session. When Identity Threat Protection discovers a risk, it can immediately end the user’s sessions, prompt an MFA challenge, or invoke a workflow to restore your org’s security posture. Using intuitive dashboard widgets and reports, you can easily monitor security threats as they happen. See Identity Threat Protection with Okta AI.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently enabled by default for new orgs only.

Network zone allowlists for SSWS API tokens

Admins can now specify a network zone allowlist for each static (SSWS) API token. These allowlists define the IP addresses or network ranges from where Okta API requests using SSWS API tokens can be made. This restricts attackers and malware from stealing SSWS tokens and replaying them outside of the specified IP range to gain unauthorized access.

Updates to the Suspicious Activity report

The Suspicious Activity report has been updated to a System Log report. Use the System Log query to search and filter for unusual activities in your org. The query allows you to filter events with more precision and provides more information about each event than what the previous report provided. This information can help you better determine the validity of user actions. See Suspicious activity events.

Updates to Deprovisioning Details report

The Deprovision Details report has been updated to a System Log report. Use the System Log query to search and filter for deprovisioned users with more context and precision than the previous report. See Deprovision Details report.

Deprecating Current Assignments report

The Current Assignment report has been deprecated. Use the User App Access report to identify users currently assigned to applications. See User App Access report. Use the System Log event application.user_membership.remove to identify users who have been unassigned from an application. See Recently unassigned users.

New View client credentials admin role permission

The new View client credentials permission lets admins view OAuth client secrets. The View applications and their details permission no longer includes this privilege. This enhancement lets admins assign more granular permissions and reduce the risk of creating roles with too many privileges. This feature will be gradually made available to all orgs.

Sign-In Widget account unlock flow

The account unlock flow on the Sign-In Widget now shows the Username field and authenticator selection separately.

MyAccount Management scopes

The MyAccount Management scopes are no longer added to custom authorization servers by default when an authorization server is created.

Enhanced System Log events table

The value of a client IP address, if present, is now shown below the actor in the events table.

Network Zones and API token restrictions

You can no longer update network zones so they're invalid for use with an API token. This applies only to network zones that are used as restrictions to API tokens. You can update network zones if you first remove them from the API token restriction. These zones can't be deactivated, deleted, blocklisted, or made anything other than an active IP zone.

Event hook limit increased

The limit on active event hooks per org has been increased from 10 to 25. See Create an event hook and Workflows System limits.

New System Log events for Workflows subfolder actions

Improved folder organization gives admins the flexibility to drag and drop folders into other folders or move them up to become a top-level folder. See Move a folder into another folder. When this action happens, the new workflows.user.folder.move event type appears in the System Log. See the Event Types API.

Additional System Log event information

The user.account.privilege.grant System Log event now includes information about the assigned role and target, and indicates if it was a group or individual role assignment.

Update to Universal Directory attribute limits

Universal Directory has increased the limit of the number of attributes per org.

Early Access

Entitlement Management with Okta Provisioning Agent with SCIM 2.0 support

This agent supports Entitlements Management for app integrations that have enabled Governance Engine. This allows the provisioning of entitlements between Okta and on-premises apps.

Certificate-based authentication for Office 365

Okta Identity Engine now supports certificate-based authentication for WS-Fed SSO requests. Users can authenticate using Smart/PIV cards to seamlessly access their Windows devices and Office 365 apps.

Fixes

  • When the Okta Identity Engine Upgrade Hub failed to load an org’s upgrade eligibility the maximum number of times, a blank page was displayed to users. (OKTA-670754)

  • System Log events for API token management didn't include the token's network restriction information in the debug context. (OKTA-724469)

  • When editing a user's assignments, roles with numeric values appeared in the wrong position in the Role dropdown menu. Selecting Not mapped set the role to 629. (OKTA-729800)

  • The enrollment instructions on the Google Authenticator page incorrectly mentioned barcode instead of QR code. (OKTA-735775)

  • Errors appeared on a token's page when a network zone that was used by a token was deleted. (OKTA-736539)

  • Push Group jobs that included deleting group memberships failed if their execution time exceed one minute. (OKTA-741405)

  • The Back to Settings button wasn't visible on the End User Settings page. This occurred when managing the user's authenticators if the user completed MFA using a Smart Card or IdP authenticator. (OKTA-743091)

  • The Okta logo was missing from email notifications for protected actions. (OKTA-743776)

  • The Generated Password Health report was incomplete. (OKTA-746008)

  • The number of group members returned from the /api/v1/groups/<group_id>/users API call was inconsistent with the database query count of the same group. (OKTA-747426)

Okta Integration Network

  • Aiven (SCIM) now has sync password support.
  • Lever by Aquera (SCIM) is now available. Learn more.
  • RICOH Smart Integration (SCIM) is now available. Learn more.

Weekly Updates

2024.07.1: Update 1 started deployment on July 17

Generally Available

Sign-In Widget, version 7.20.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

New IP service categories added

Additional IP service categories have been added to the enhanced dynamic zones IP service category list. See Supported IP service categories.

Early Access

Role-based access control for Okta Workflows

As Okta Workflows has the ability to make comprehensive changes both within Okta and out to other connected SaaS apps, access to Workflows was restricted to Okta super admins. This limited the number of users, restricted the ability to scale the use of Okta Workflows, and reduced its overall value to customers.

With role-based access control (RBAC), you can assign Workflows privileges to more users without granting unnecessary access.

To support this feature, three new admin roles are now available:

  • Workflows Administrator: For full-access administration only within Okta Workflows
  • Workflows Auditor: For compliance management with read-only access
  • Connection Manager: For securely handling accounts and credentials

This feature allows customers to expand the use of Okta Workflows beyond super admins, enabling more team members to build and manage Workflows securely and efficiently.

To turn on this EA feature for your org, go to SettingsFeatures in the Admin Console and enable these options:

  • Workflows Access Control
  • Workflow Admin Role
  • Workflows Provisioning

See Access Control.

The addition of the RBAC feature includes four new event types to record related actions in Okta Workflows:

  • workflows.user.role.user.add

  • workflows.user.role.user.remove

  • workflows.user.role.group.add

  • workflows.user.role.group.remove

See the Event Types API.

YubiKey preregistration

Customer admins were previously unable to enroll and ship YubiKeys as WebAuthn enrollments in a quick and automated way. The YubiKey preregistration feature enables admins to preregister YubiKey factors as WebAuthn enrollments for both staged and existing (active) users using a Workflows and Yubico integration to seamlessly handle the registration and shipment. See Require phishing-resistant authentication with pre-enrolled YubiKey.

Require MFA for accessing Identity Governance admin apps

If your org uses Okta Identity Governance, you can require MFA for admins who access these first-party apps:

  • Okta Access Certifications
  • Okta Entitlement Management
  • Okta Access Requests Admin

If you have auto-enabled Early Access features in your org, MFA is automatically enforced for those apps. See Enable MFA for the Admin Console.

Fixes

  • Authenticators that were disabled in the authenticator enrollment policy appeared on the new End-User Settings page. (OKTA-718177)

  • Some users were erroneously prompted to authenticate with Okta Verify on unenrolled devices instead of being redirected to a custom device posture IdP. (OKTA-732676)

  • Some text strings on the General Settings page for custom OIDC apps weren't translated. (OKTA-739262)

  • When an X509 authentication request originated from an Okta domain, but the org used a custom domain, the Smart Card IdP didn't redirect the request correctly. (OKTA-741570)

  • When an admin clicked Show more on the Administrator assignment by role page, additional admins with the super admin role didn’t appear. (OKTA-743378)

  • The app store download icons for Okta Verify have been replaced by download links on the Sign-In Widget. (OKTA-744565)

  • When a user tried to access OneDrive from the app on the Okta End-User Dashboard, an error occurred if there was an active Office 365 session. (OKTA-744748)

  • When the display language was set to Japanese, some text on the Deactivate People page wasn’t translated. (OKTA-745642)

  • The Okta Agent Registration App icon sometimes appeared on the Authentication policies page beside the current default policy. (OKTA-746639)

  • The Reset Password modal had a grammatical error. (OKTA-747866)

  • If an API request in Preview contained any malformed syntax within the query string, the request was still processed. (OKTA-748246)

Okta Integration Network

  • Call2Action (OIDC) is now available. Learn more.
  • ClickUp (SCIM) is now available. Learn more.
  • Clutch Security (API service) is now available. Learn more.
  • Cortex (SCIM) is now available. Learn more.
  • Exaforce (API service) is now available. Learn more.
  • LiveEdge Cloud (SAML) is now available. Learn more.
  • MangoApps (SAML) now has configurable domain support for endpoints.
  • MangoApps (SCIM) is now available. Learn more.
  • NinjaOne (SCIM) is now available. Learn more.
  • Pendo (SAML) has a new integration guide.
  • SGNL (CAEP Hub) (API service) is now available. Learn more.
  • Teamgo Visitor Sign-in (SAML) is now available. Learn more.
  • UKG Pro by Aquera (SCIM) is now available. Learn more.
  • Vanta (SCIM) is now available. Learn more.
  • Wundergraph Cosmo (SCIM) is now available. Learn more.

View System Logs for Office 365 authentication events

You can now view authentication events in the System Log when using WS-Fed to authenticate through Office 365 active (WS-Trust-1.2) and username13 (WS-Trust-1.3) endpoints.

Active Directory Bidirectional Group Management

Bidirectional Group Management for Active Directory (AD) allows you to manage AD groups from within Okta. You can add or remove users from groups based on their identity and access requirements. This ensures that changes made to user access in Okta are reflected in AD. When you use Okta Access Certifications to revoke a user's membership to an AD group, the removal is reflected in AD. Okta can only manage group memberships for users and groups imported into Okta using the AD integration. It isn't possible to manage users and groups that weren't imported through AD integration. It's also not possible to manage users and groups that are outside the organizational unit's scope for the integration using this feature. See Bidirectional Group Management with Active Directory.

New browser tab reactivation behavior for the Sign-In Widget

The Sign-In Widget now avoids a full page refresh on custom domains when an inactive tab is reactivated. This change improves compatibility with browser memory saver features. This feature will be gradually made available to all orgs.

ADSSO authentication parameters

When a state token is used, Okta removes the fromURI parameter from the ADSSO authentication POST request.

Sign in with duplicated email authenticators

Previously, users couldn’t sign in if they had the same email enrolled twice as an authenticator. This change checks the status of each email authenticator and allows the user to sign in with the most suitable email authenticator.

Okta Personal for Workforce

Okta Personal for Workforce is a set of features that allows admins to separate their users' work data from non-work data. Admins can now offer their end users a free Okta Personal account to store personal data, allow them to switch between accounts, and migrate personal apps from Okta enterprise tenant to Okta Personal. When Okta Personal for Workforce is enabled, personalized comms will be sent to the end users encouraging them to use Okta Personal for personal data and Okta enterprise for work data. See Okta Personal for Workforce User Experience.

End-user setting for nicknaming factors

End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, “My personal cellphone” or “My office MacBook TouchID”). See the End-User documentation. This is a self-service feature.

Content security policy enforcement on end-user pages

Content Security Policy is now enforced for end-user pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for end-user pages will become stricter than this first release. This feature will be gradually made available to all orgs.

Okta ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints (OpenID Connect & OAuth 2.0, Okta Management, and MyAccount API). Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org.

Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints.

There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

Application Entitlement Policy

Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected entry now provides a descriptive reason for the event. See System Log.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.

New App Drawer

The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org’s apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application. See Configure the email authenticator.

Toggle password visibility on the Okta Sign-In page

End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Enable delegated authentication for LDAP.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Shareable Authentication Policies

Admins can now manage authentication policies using a centralized view. While authentication policies allowed admins the ability to make application access decisions using user, device, and other contextual information, managing these policies across hundreds of applications became challenging and error-prone. On the new Authentication Policies page, admins can create new policies, apply those policies to multiple applications, and assess what application access decisions are impacted by each policy. Two policy name changes are included in this release: app sign-on policy is renamed authentication policy, and Okta sign-on policy is renamed Global Session Policy. See Authentication policies.

Choose additional filters for Office 365 sign-on policy

Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.

User Verification options for admins

In the Admin Console, admins can now configure whether end users are required to provide biometrics for device enrollment. See Enable Okta FastPass

Manage admin email notification subscriptions using API endpoints

Admins can manage email subscriptions using the Admin Email Subscription API endpoints.

  • Super admins can configure default subscription settings by admin type.

  • All admins can manage their own admin email notification subscriptions.

End-User Dashboard and Plugin redesign

The Okta End-User Dashboard and Okta Browser Plugin have been redesigned with a modern look and feel that includes new sidebar navigation, fuzzy search, and sections that replaces tabs.

Admins can enable this new design all at once or by groups. The new experience is 50% faster, more intuitive to use, and more responsive to smaller screens. Design changes also improve accessibility and app discovery for end users.

See Create sign-on policies with Okta Applications.

This feature will gradually be made available to all Preview orgs.

LDAP password reset option

LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.

LDAP admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.