Okta Identity Engine release notes (Preview)
Current release status
2024.03.0 Production release is scheduled to begin deployment on March 11
2024.03.0 Preview release is scheduled to begin deployment on March 7
2024.02.0: Monthly Preview release began deployment on February 7
* Features may not be available in all Okta Product SKUs.
Sign-In Widget, version 7.15.1
Okta LDAP agent, version 5.19.1
This version of the agent fixes the expiring signature error that prevented agents from auto-updating to the newest LDAP agent version. See Okta LDAP Agent version history.
Okta Active Directory agent, version 3.16.1
This version of the agent fixes an expiring signature error that prevented agents from auto-updating to the newest Active Directory agent version. See Okta Active Directory agent version history.
Okta MFA Credential Provider for Windows, version 1.4.2
This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows Version History.
Unknown devices detection using fingerprint
Admins can now configure how unknown devices are treated based on the presence of a device fingerprint.
Granular permissions to manage directories
This feature enables you to assign permissions to view and manage directories as part of a customized admin role. Admins without universal application administrator permissions can handle directory-specific tasks.
Device Context using Limited Access in Okta Identity Engine
You can now pass device context using Limited Access in Okta Identity Engine. See Pass Device Context using Limited Access in Okta Identity Engine.
Stay signed in
Today, Keep me signed in allows the user to select whether their multifactor authenticators from previous sessions should be remembered. However, the option to select Keep me signed in was only available on the sign-in screen.
To enable Stay signed in for integrated authentication flows, admins can now configure their sign-in experience such that the option to Stay signed in is provided either before the user signs in to Okta or before and after the user completes multifactor authentication. If a user selects Stay signed in, they won't be challenged for MFA the next time they sign in. In addition, users will now be able to sign out of all active Okta sessions from the Okta End-User Dashboard. See Stay signed in.
Enhanced System Log Event
The policy.evaluate_sign_on System Log event now shows the assurance policy factor requirement and a list of the available authentication factors for the sign-on event.
Verify Zoom users with Okta
Zoom users can now attest and verify a user’s identity between two independent parties using Okta-signed tokens.
Reports field update
The operator field of the Reports Edit Filters dialog shows the selected item in the dropdown menu.
Dynamic user schema discovery now available
Dynamic user schema discovery is now available for SCIM app integrations that support user entitlements and Identity Governance.
OIN connector support for Entitlement Management
The PagerDuty and Zendesk connectors have been updated to support Entitlement Management. See Provisioning-enabled apps.
App integration tile now available for Okta Workflows
Users who are assigned to the Okta Workflows app integration now have a dedicated tile on their End-User Dashboard to launch the Okta Workflows Console. See Workflows Console.
API setting now an Admin Console option
The Use Persistent Name ID (Higher Security) checkbox allows more secure account linking. This setting allows Okta to determine the associated user account by matching the Name ID with the External ID. When no match is found, Okta uses the IdP username value for account matching.
New action items for self-service upgrades
The OIE Upgrade Hub displays action items if orgs have non-writable attributes in their self-service registration policy or a factor enrollment policy set to Do Not Enroll. See Self-service upgrade action items.
New System Log event
There's a new system.mfa.preregister.initiate System Log event. The event appears for event hooks and represents MFA preregistration flow initiation. Currently, it's only available for pre-registered YubiKey enrollments.
UI enhancements to Authenticator Enrollment tab
The Authenticator Enrollment tab has been updated to include information about how the enrollment works.
Super admin role now required to update direct authentication grants
Super admin permissions are now required to enable or change direct authentication grants for clients.
Okta Personal for Workforce
Okta Personal for Workforce is a set of features that allows admins to separate their users' work data from non-work data. Admins can now offer their end users a free Okta Personal account to store personal data, allow them to switch between accounts, and migrate personal apps from Okta enterprise tenant to Okta Personal. When Okta Personal for Workforce is enabled, personalized comms will be sent to the end users encouraging them to use Okta Personal for personal data and Okta enterprise for work data. See Okta Personal for Workforce User Experience.
Content Security Policy for custom domains
The Content Security Policy (CSP) feature lets admins control which URLs may be linked to from customized sign-in and error pages in orgs that use custom domains. Admins add trusted URLs to Okta that link to items such as images and add these links to the code in their sign-in and error pages. This feature enhances security by enabling admins to allow only approved content to appear and prevent the introduction of potentially malicious code to these pages. See Customize the Content Security Policy (CSP) for a custom domain.
Protected actions in the Admin Console
The protected actions feature provides an additional layer of security to your org. It prompts admins for authentication when they perform critical tasks in the Admin Console and helps ensure that only authorized admins can perform these tasks. Super admins can configure the authentication interval for their org. See Protected actions in the Admin Console.
SAML Certificate expiration notification feature
This feature notifies admins through task entries in the Admin Console about expired or soon-to-expire certificates for SAML apps. This enhances security and minimizes app downtime caused by expired certificates.
Detect and block requests from anonymizing proxies
Orgs can now detect and block web requests that come from anonymizers. This helps improve the overall security of your org.
Network zone allowlists for SSWS API tokens
Admins can now specify a network zone allowlist for each static (SSWS) API token. These allowlists define the IP addresses or network ranges from where Okta API requests using SSWS API tokens can be made. This restricts attackers and malware from stealing SSWS tokens and replaying them outside of the specified IP range to gain unauthorized access.
Support for Active Directory password complexity requirements
This feature creates an option in the password policy to match the same complexity options as Active Directory (AD). Until now, admins couldn't exactly match Okta password complexity requirements to those of their AD instances. Historically, the password complexity requirements in Okta and AD had different granularities, and the requirements displayed in the Sign-In Widget didn't always reflect the AD requirements. As a result, users were locked out without proper error messages. This feature bridges that gap. See Configure the password authenticator.
Custom languages for email templates
Admins can now customize Okta-generated emails in any BCP47-formatted language. Previously, customizations were limited to 27 Okta-supported languages. This feature allows admins to configure additional locales using Okta’s Brands API. When a new locale is configured, it's available as a new language selection within the Email Templates Editor. See Customized Email Notifications.
Dynamic OS version compliance for device assurance
You can configure OS version compliance by using device assurance. However, you have to manually update the policies every time a new OS version or patch is released. With Dynamic OS version compliance, Okta updates device assurance policies with the latest OS versions and patches, eliminating the need for manual updates. With this feature you can ensure OS version compliance in your org without tracking OS releases. See Add a device assurance policy.
Prevent new single-factor access to the Admin Console
This feature prevents admins from configuring any new single-factor access to the Admin Console. There's no impact to any existing rules that allow single-factor access.
Password rules weren't correctly translated in French.
Assistive technologies couldn't read the Which option do you want to try? label on the Sign-In Widget.
Email notifications that were sent when a password was reset by Okta Support didn't include Support information.
The re-authentication frequency labels on the Authentication Policies page weren't clear.
When an admin was removed from a group that was imported from an app, their user profile still displayed the admin assignments that were granted through the group’s membership.
Some special characters and symbols were displayed incorrectly in the Sign-In Widget (3rd generation).
Voice calls to some destinations didn't work when a 7-digit phone number with a 3-digit extension was entered.
The Sign-In Widget displayed the wrong error message to users whose activation token was invalid when they attempted to register with Okta.
The self-service registration form accepted invalid input for the first and last name fields.
Admins couldn't access the Access Testing Tool in some preview orgs.
Voice calls for MFA challenges were not completely translated in Vietnamese when the user's locale was set to Vietnam.
If an admin’s role had a conditioned permission, they couldn’t assign apps to users.
The IssuerDN PIV IDP matching attribute was referencing the wrong value in the certificate.
Unicode characters deemed illegal for HTTP headers were being accepted.
Continuous Access terminated sessions even though users were able to authenticate.
- The Elba SSO app integration has new redirect URIs.
- The Ermetic app integration has been rebranded as Tenable Cloud Security.
- The Ermetic JIT app integration has been rebranded as Tenable Cloud Security JIT.
New Okta Verified app integrations
Redesigned resource set pages
The Create new resource set and Edit resource set pages that are displayed when an admin creates or edits a resource set now provide a simpler, more intuitive user experience. See Create a resource set. This feature is being re-released.
Redesigned admin role pages
The Create a role and Edit role pages for custom admin-role configuration now provide a simpler, more intuitive user experience. See Create a role. This feature is being re-released.
HTTP header filter
To improve the security of your org, Okta now filters and encodes any illegal Unicode characters in outgoing HTTP headers.
In orgs configured to perform batch imports for all apps, small batch sizes resulted in slower than expected imports.
The Japanese translation for the Smart Card Authenticator wasn't displayed correctly.
String attributes couldn't be set to an empty string.
Org2Org group push reset custom attributes to undefined.
An error occurred when admins deleted inactive Microsoft Office 365 app instances that were configured to use manual federation.
When an Okta admin session timed out, the Signed out window wasn't displayed correctly and the Sign in button wasn't clickable.
Admins whose custom role contained the Manage customizations permission couldn't preview email templates.
Illegal Unicode characters were accepted in HTTP headers.
Continuous Access terminated sessions for users who were able to authenticate.
Users couldn't enter a period (.) in their first or last name during self-service registration.
Admins couldn't enable the Prevent new single-factor access to the Admin Console feature.
Cornerstone OnDemand now uses OAuth for authentication
Cornerstone OnDemand replaced the previous authentication method with OAuth authentication to improve security for provisioning. Create a new Cornerstone OnDemand app instance and configure it to use OAuth credentials. See Configure provisioning for Cornerstone OnDemand.
The Edit Filters dialog of the MFA Enrollment by User report didn't support the operators is set and is not set for the Authenticator type field.
When an admin deleted all groups or users included in a policy, the user/group condition and policy status displayed incorrect values.
Sometimes, an OAuth 2.0-secured inline hook that contained a custom domain authorization server in the token URL returned a null pointer exception error, instead of an appropriate error.
The issuer mode appeared blank on authorization servers when it was set to Custom URL.
Users couldn't unenroll their password in password-optional configurations.
Some preview org admins saw error messages while authenticating or org pages with no menu items.
Content Delivery Network (CDN) resources related to the Sign-In Widget didn't serve the Subresource Integrity (SRI) attributes.
Okta sometimes incorrectly returned an Invalid Phone Number error during SMS factor enrollment.
Admins couldn't automatically provision users to the Cornerstone OnDemand app.
When a user who was assigned an app through a group clicked the link in the activation email, they weren't directed to the app.
The MFA Enrollment by User report displayed Group names instead of Groups in the Edit Filters dialog and in the Users table.
Some devices didn't identify as managed due to mismatched certificate sizes.
Enhanced security of Okta Verify enrollments
The Higher security methods option on the authenticator configuration page ensures that users enroll in Okta Verify in a phishing-resistant manner. With this option, users can't enroll with QR code, email, or SMS link. See Configure Okta Verify options.
Improved password reset process for Active Directory-sourced users
The password reset process sends password update and verification requests to the same Active Directory agent to avoid replication delay.
Support for multiple Okta Verify enrollments
You can now send push notifications to all of a user's devices enrolled in Okta Verify using the Authentication and Factors APIs.
End-user setting for nicknaming factors
End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, “My personal cellphone” or “My office MacBook TouchID”). See the End-User documentation. This is a self-service feature.
Permission conditions for profile attributes
You can now apply conditions to the View users and their details and Edit users' profile attributes custom admin role permissions. Permission conditions help you limit the scope of a role by including or excluding admins' access to individual profile attributes. This gives you more granular control over your custom admin roles and helps meet your org’s unique security needs. See Permission conditions.
IME support for international characters
Admins can now use an Input Method Editor (IME) to type international characters into the Admin Console.
Content security policy enforcement on end-user pages
Content Security Policy is now enforced for end-user pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for end-user pages will become stricter than this first release. This feature will be gradually made available to all orgs.
Okta ThreatInsight coverage on core Okta API endpoints
Okta ThreatInsight coverage is now available for core Okta API endpoints (OpenID Connect & OAuth 2.0, Okta Management, and MyAccount API). Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org.
Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints.
There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
Application Entitlement Policy
Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
Descriptive System Log events
When Okta identifies a security threat, the resulting security.threat.detected entry now provides a descriptive reason for the event. See System Log.
Improvements to the self-service registration experience
Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.
New App Drawer
The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.
SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org’s apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.
Improvements to the self-service unlock process
Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application. See Configure the email authenticator.
Toggle password visibility on the Okta Sign-In page
End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Enable delegated authentication.
Email failure events in the System Log
Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.
Shareable Authentication Policies
Admins can now manage authentication policies using a centralized view. While authentication policies allowed admins the ability to make application access decisions using user, device, and other contextual information, managing these policies across hundreds of applications became challenging and error-prone. On the new Authentication Policies page, admins can create new policies, apply those policies to multiple applications, and assess what application access decisions are impacted by each policy. Two policy name changes are included in this release: app sign-on policy is renamed authentication policy, and Okta sign-on policy is renamed Global Session Policy. See Authentication policies.
Choose additional filters for Office 365 sign-on policy
Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.
Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.
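The exchange the Device Authorization grant relies on, as an added example that is not Okta's code: a simulated authorization server and an input-constrained device client following RFC 8628, including the authorization_pending, slow_down and expired_token responses the device must handle. The verification URI, client id and the simulated clock are assumptions.

```python
"""Simulation of the OAuth 2.0 Device Authorization grant (RFC 8628)."""
import secrets
from dataclasses import dataclass
from typing import Optional

# RFC 8628 section 6.1 recommends a small alphabet of easily typed characters.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class DeviceGrant:
    client_id: str
    user_code: str
    issued_at: float
    expires_in: int
    interval: int
    last_poll: Optional[float] = None
    approved_user: Optional[str] = None


class DeviceAuthServer:
    """Plays the authorization server: issues codes, records approval, mints a token."""

    def __init__(self, verification_uri="https://{yourOktaDomain}/activate",  # assumed
                 expires_in=600, interval=5):
        self.verification_uri, self.expires_in, self.interval = verification_uri, expires_in, interval
        self.grants = {}   # device_code -> DeviceGrant
        self.clock = 0.0   # simulated seconds; a real server uses wall-clock time

    def authorize_device(self, client_id):
        """Device authorization endpoint: returns the codes the device shows the user."""
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"
        self.grants[device_code] = DeviceGrant(client_id, user_code, self.clock,
                                               self.expires_in, self.interval)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "expires_in": self.expires_in, "interval": self.interval}

    def approve(self, typed_code, username):
        """Called from the secondary device (laptop/phone) after the user authenticates there."""
        code = typed_code.upper().replace(" ", "")
        for grant in self.grants.values():
            if grant.user_code == code and grant.approved_user is None:
                grant.approved_user = username
                return True
        return False

    def token(self, device_code, client_id):
        """Token endpoint polled by the device; error codes follow RFC 8628 section 3.5."""
        grant = self.grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.clock - grant.issued_at > grant.expires_in:
            del self.grants[device_code]
            return {"error": "expired_token"}
        too_fast = grant.last_poll is not None and self.clock - grant.last_poll < grant.interval
        grant.last_poll = self.clock
        if too_fast:
            return {"error": "slow_down"}
        if grant.approved_user is None:
            return {"error": "authorization_pending"}
        del self.grants[device_code]   # a device code is single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "sub": grant.approved_user}


def device_sign_in(server, client_id, user_on_phone, max_polls=10):
    """Plays the input-constrained device. user_on_phone(user_code, uri, poll_no) simulates
    the person completing sign-in on a secondary device; it runs once per poll."""
    resp = server.authorize_device(client_id)
    interval = resp["interval"]
    for poll_no in range(1, max_polls + 1):
        user_on_phone(resp["user_code"], resp["verification_uri"], poll_no)
        server.clock += interval                    # wait the required interval (simulated)
        result = server.token(resp["device_code"], client_id)
        if "access_token" in result:
            return {"polls": poll_no, "interval": interval, **result}
        if result["error"] == "slow_down":
            interval += 5                           # RFC 8628: back off by 5 seconds
        elif result["error"] != "authorization_pending":
            return {"polls": poll_no, "interval": interval, **result}
    return {"polls": max_polls, "interval": interval, "error": "gave_up"}
```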
User Verification options for admins
In the Admin Console, admins can now configure whether end users are required to provide biometrics for device enrollment. See Enable Okta FastPass.
Manage admin email notification subscriptions using API endpoints
Admins can manage email subscriptions using the Admin Email Subscription API endpoints.
Super admins can configure default subscription settings by admin type.
All admins can manage their own admin email notification subscriptions.
End-User Dashboard and Plugin redesign
The Okta End-User Dashboard and Okta Browser Plugin have been redesigned with a modern look and feel that includes new sidebar navigation, fuzzy search, and sections that replace tabs.
Admins can enable this new design all at once or by groups. The new experience is 50% faster, more intuitive to use, and more responsive to smaller screens. Design changes also improve accessibility and app discovery for end users.
See Create sign-on policies with Okta Applications.
This feature will gradually be made available to all Preview orgs.
Workflows Templates available
Workflows Templates is now available, providing users with access to a searchable catalog of installable Flows that address many common use cases. See Get started with Workflows Templates.
LDAP password reset option
LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication.
LDAP admin password reset
For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.
Incremental Imports for CSV
Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously been released to Production in 2020.09.0.
Password changed notification email
To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.
Office 365 Silent Activation
Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain joined shared Workstations or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.
End-user Welcome emails localized
The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.
People page improvements
The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.
Mobile tab available for mobile-capable apps
The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.
See Enable access to managed mobile apps.
Provisioning page UI element change
Drop-down menus on the Provisioning page (General Settings) were standardized.
UI element change
Drop-down menus on the Provisioning page (General Settings) are standardized. See Provision applications.
Early Access features, auto-enroll
You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available.
Connecting Apps to Okta using the LDAP Interface
The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.