Okta Identity Engine release notes (Production)

Current release status

Current Upcoming
Production 2024.02.1 2024.02.2 Production release is scheduled to begin deployment on February 26
Preview 2024.02.2 2024.03.0 Preview release is scheduled to begin deployment on March 7

February 2024

2024.02.0: Monthly Production release began deployment on February 12

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Widget, version 7.15.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.19.1

This version of the agent fixes the expiring signature error that prevented agents from auto-updating to the newest LDAP agent version. See Okta LDAP Agent version history.

Okta Active Directory agent, version 3.16.1

This version of the agent fixes an expiring signature error that prevented agents from auto-updating to the newest Active Directory agent version. See Okta Active Directory agent version history.

Okta MFA Credential Provider for Windows, version 1.4.2

This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows Version History.

Assign admin roles to an app

Orgs can now assign admin roles to their custom API Service Integrations. Apps with assigned admin roles are constrained to the permissions and resources that are included in the role assignment. This helps ensure that apps only have access to the resources that are needed to perform their tasks, and improves orgs' overall security. See Work with the admin component.

Seamless ISV experience

Okta now provides a seamless ISV experience to optimize the Okta Integration Network (OIN) submission experience for SAML and OIDC integrations. This new experience enables independent software vendors (ISVs) to build and manually test their integration metadata before submission. This reduces the time needed for the OIN team to review and validate that the integration functions as intended, which shortens the time to publish in the OIN.

This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See Publish an OIN integration overview and Submit an SSO integration with the OIN Wizard guide.

Email or password no longer required in authenticator enrollment policy

Currently, the authenticator enrollment policy requires either email or password, even when you’ve enabled another authenticator for authentication. Now you can set email or password as optional or disabled in the policy, and instead require stronger authenticators like Okta Verify, Okta FastPass, and FIDO2 (WebAuthn) for authentication. With this change, passwordless users who initially signed in with an email now receive the activation email. See Create an authenticator enrollment policy.

Force authentication

Orgs now support force authentication for WS-Fed SSO requests. Users must re-authenticate WS-Fed authentication requests that include Wfresh=0.

DPoP support for Okta management API

You can now use OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) access tokens to access Okta management APIs. See Configure OAuth 2.0 Demonstrating Proof-of-Possession.

MFA Activity report

The new MFA Activity report provides insight into the MFA trends in your org. It helps you understand which authentication methods were used to access Okta and Okta-protected apps. The report also provides information about the characteristics of authenticators, helping you measure how phishing resistant your org is. See MFA Activity report.

LDAP real-time synchronization

With real-time synchronization, user profiles, groups, and group memberships can now be updated when LDAP-sourced users sign in to Okta, or when they refresh their People page. Admins no longer need to perform full or incremental imports of user attributes, and user profiles, groups, and group memberships are always up to date. Real-time synchronization also reduces the burden on system resources because user attributes are imported and updated individually and not in large groups. See Manage your LDAP integration. This feature is being re-released.

Reports field update

The operator field of the Reports Edit Filters dialog shows the selected item in the dropdown menu.

Dynamic user schema discovery now available

Dynamic user schema discovery is now available for SCIM app integrations that support user entitlements and Identity Governance.

OIN connector support for Entitlement Management

The PagerDuty and Zendesk connectors have been updated to support Entitlement Management. See Provisioning-enabled apps.

App integration tile now available for Okta Workflows

Users who are assigned to the Okta Workflows app integration now have a dedicated tile on their End-User Dashboard to launch the Okta Workflows Console. See Workflows Console.

API setting now an Admin Console option

The Use Persistent Name ID (Higher Security) checkbox allows more secure account linking. This setting allows Okta to determine the associated user account by matching the Name ID with the External ID. When no match is found, Okta uses the IdP username value for account matching.

New action items for self-service upgrades

The OIE Upgrade Hub displays actions items if orgs have non-writable attributes in their self-service registration policy or a factor enrollment policy set to Do Not Enroll. See Self-service upgrade action items.

New System Log event

There's a new system.mfa.preregister.initiate System Log event. The event appears for event hooks and represents MFA preregistration flow initiation. Currently, it's only available for pre-registered YubiKey enrollments.

UI enhancements to Authenticator Enrollment tab

The Authenticator Enrollment tab has been updated to include information about how the enrollment works.

Super admin role now required to update direct authentication grants

Super admin permissions are now required to enable or change direct authentication grants for clients.

Early Access Features

Okta Personal for Workforce

Okta Personal for Workforce is a set of features that allows admins to separate their users' work data from non-work data. Admins can now offer their end users a free Okta Personal account to store personal data, allow them to switch between accounts, and migrate personal apps from Okta enterprise tenant to Okta Personal. When Okta Personal for Workforce is enabled, personalized comms will be sent to the end users encouraging them to use Okta Personal for personal data and Okta enterprise for work data. See Okta Personal for Workforce User Experience.

Content Security Policy for custom domains

The Content Security Policy (CSP) feature lets admins control which URLs may be linked to from customized sign-in and error pages in orgs that use custom domains. Admins add trusted URLs to Okta that link to items such as images and add these links to the code in their sign-in and error pages. This feature enhances security by enabling admins to allow only approved content to appear and prevent the introduction of potentially malicious code to these pages. See Customize the Content Security Policy (CSP) for a custom domain.

Protected actions in the Admin Console

The protected actions feature provides an additional layer of security to your org. It prompts admins for authentication when they perform critical tasks in the Admin Console and helps ensure that only authorized admins can perform these tasks. Super admins can configure the authentication interval for their org. SeeProtected actions in the Admin Console.

SAML Certificate expiration notification feature

This feature notifies admins through task entries in the Admin Console about expired or soon-to-expire certificates for SAML apps. This enhances security and minimizes app downtime caused by expired certificates.

Detect and block requests from anonymizing proxies

Orgs can now detect and block web requests that come from anonymizers. This helps improve the overall security of your org.

Network zone allowlists for SSWS API tokens

Admins can now specify a network zone allowlist for each static (SSWS) API token. These allowlists define the IP addresses or network ranges from where Okta API requests using SSWS API tokens can be made. This restricts attackers and malware from stealing SSWS tokens and replaying them outside of the specified IP range to gain unauthorized access.

Support for Active Directory password complexity requirements

This feature creates an option in the password policy to match the same complexity options as Active Directory (AD). Until now, admins couldn't exactly match Okta password complexity requirements to those of their AD instances. Historically, the password complexity requirements in Okta and AD had different granularities, and the requirements displayed in the Sign-In Widget didn't always reflect the AD requirements. As a result, users were locked out without proper error messages. This feature bridges that gap. See Configure the password authenticator.

Custom languages for email templates

Admins can now customize Okta-generated emails in any BCP47-formatted language. Previously, customizations were limited to 27 Okta-supported languages. This feature allows admins to configure additional locales using Okta’s Brands API. When a new locale is configured, it's available as a new language selection within the Email Templates Editor. See Customized Email Notifications.

Dynamic OS version compliance for device assurance

You can configure OS version compliance by using device assurance. However, you have to manually update the policies every time a new OS version or patch is released. With Dynamic OS version compliance, Okta updates device assurance policies with the latest OS versions and patches, eliminating the need for manual updates. With this feature you can ensure OS version compliance in your org without tracking OS releases. See Add a device assurance policy.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. There's no impact to any existing rules that allow single-factor access.


  • OKTA-649640

    Password rules weren't correctly translated in French.

  • OKTA-664368

    Assistive technologies couldn't read the Which option do you want to try? label on the Sign-In Widget.

  • OKTA-668324

    Email notifications that were sent when a password was reset by Okta Support didn't include Support information.

  • OKTA-668665

    The re-authentication frequency labels on the Authentication Policies page weren't clear.

  • OKTA-669735

    When an admin was removed from a group that was imported from an app, their user profile still displayed the admin assignments that were granted through the group’s membership.

  • OKTA-678416

    Some special characters and symbols were displayed incorrectly in the Sign-In Widget (3rd generation).

  • OKTA-678489

    Voice call to some destinations didn't work when a 7 digit phone number with a 3 digit extension was entered.

  • OKTA-680179

    The Sign-In Widget displayed the wrong error message to users whose activation token was invalid when they attempted to register with Okta.

  • OKTA-680483

    The self-service registration form accepted invalid input for the first and last name fields.

  • OKTA-680795

    Admins couldn't access the Access Testing Tool in some preview orgs.

  • OKTA-681083

    Voice calls for MFA challenges were not completely translated in Vietnamese when the user's locale was set to Vietnam.

  • OKTA-682202

    If an admin’s role had a conditioned permission, they couldn’t assign apps to users.

  • OKTA-689632

    The IssuerDN PIV IDP matching attribute was referencing the wrong value in the certificate.

  • OKTA-690143

    Unicode characters deemed illegal for HTTP headers were being accepted.

  • OKTA-691492

    Continuous Access terminated sessions even though users were able to authenticate.

Okta Integration Network

App updates

  • The Elba SSO app integration has new redirect URIs.
  • The Ermetic app integration has been rebranded as Tenable Cloud Security.
  • The Ermetic JIT app integration has been rebranded as Tenable Cloud Security JIT.

New Okta Verified app integrations

Weekly Updates

January 2024

2024.01.0: Monthly Production release began deployment on January 16

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Widget, version 7.14.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta On-Prem MFA Agent, version 1.7.4

This version includes security enhancements. See Okta On-Prem MFA agent version history.

Configure multiple IdP authenticators

You can now configure multiple SAML 2.0 or OIDC Identity Providers as authenticators. See Configure the IdP authenticator.

Read-only permission for admin role assignments

Super admins can now assign the View roles, resources, and admin assignments permission to their delegated admins. This permission gives admins a read-only view of the admin roles, resource sets, and admin assignments in the org. See About role permissions.

New possession constraint available in authentication policies

Admins may now require users to enter a PIN or do biometric verification when they authenticate. This enhancement enables admins to increase the security of their orgs and their authentications.

Use your own email provider

You can now use an external email provider to send email notifications in Okta. By default, email notifications such as the welcome email or an account recovery email are sent through an Okta-managed SMTP server. However, you can configure a third-party email provider in Okta and send these emails through it. Adding a custom email provider gives you more control over your email delivery. See Use your own email provider.

Operating system in the Okta Verify push challenge

The Okta Verify app now displays the correct operating system when the push challenge is initiated.

OIN connector support for Entitlement Management

The following connectors have been updated to support Entitlement Management:

  • Box
  • Google Workspace
  • Microsoft Office 365
  • Netsuite
  • Salesforce

See Provisioning-enabled apps.

System Log events for IdP keystore operations

New System Log events are generated for IdP keystore operations:

  • system.idp.key.create
  • system.idp.key.update
  • system.idp.key.delete

System Log event for GET an IdP

A new System Log event is generated for GET /api/v1/idps[/{idpId}.

Application Entitlement Policy

Admins can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

New Smart Card attribute for user matching

A new issuerSnReverseByteOrder attribute has been added to the Smart Card IdP user match.

Google Workspace system roles

Okta now supports Google Workspace system roles.

Updated RADIUS authentication prompts

RADIUS authentication prompts are updated to be clearer.

Early Access Features

Okta Verify user verification with PIN or passcode

The Okta Verify enrollment relies on biometric verification, which presents challenges for users whose devices don’t support biometrics. To address this limitation, Okta Verify now supports user verification with PIN or password in addition to biometrics. This enhancement broadens accessibility, enabling all users to authenticate with Okta Verify and Okta FastPass, regardless of their device capabilities or personal constraints. See Configure Okta Verify options.


  • OKTA-654000

    Users authenticating with Okta FastPass could sign in with authenticators that weren't phishing-resistant even though it wasn't allowed by authentication policies.

  • OKTA-658796

    The Brand name description on the Brand Settings page contained a typo.

  • OKTA-659305

    The IdP Routing Rule page became unresponsive when multiple apps were added to a rule.

  • OKTA-660541

    Information about Integration settings for Chrome Device Trust was missing.

  • OKTA-665773

    The remediation page for Okta Verify enrollment didn't appear for some users.

  • OKTA-667066

    Resetting MFA using support user permissions didn't generate a System Log event.

  • OKTA-673705

    Admins couldn’t condition permissions to include or exclude attributes from multiple user profiles.

  • OKTA-674540

    Users couldn't access Confluence On-Prem using IdP-initiated or SP-initiated flows.

  • OKTA-679833

    Some default attribute mappings for SuccessFactors were incorrect.

  • OKTA-683871

    When the User verification as a possession constraint feature was activated, the If Okta FastPass is used section disappeared from the Authentication policy rule page when admins selected the Any 1 factor type option in User must authenticate with.

Okta Integration Network

App updates

  • The AcquireTM app integration has an additional redirect URI.
  • The CodeSignal app integration has a new logo.
  • The OneRange app integration has a new description.
  • The Peakon SAML app integration has a new display name, logo, website, description, doc link, and endpoints.
  • The Peakon SCIM app integration has a new base URL and help text.
  • The Qatalog app integration has a new logo.

New Okta Verified app integrations

App integration fixes

  • ADP mykplan.com (SWA) (OKTA-669875)
  • Fidelity 401k (SWA) (OKTA-659323)

Weekly Updates

December 2023

2023.12.0: Monthly Production release began deployment on December 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Widget, version 7.13.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.19.0

This version of the agent contains:

  • Security enhancements.
  • Configurable fipsMode setting. Users can now enable or disable FIPS-supported encryption algorithms.

Note: To revert to an older version of the agent, Linux agent users must uninstall version 5.19.0 and then reinstall the older version. See Okta LDAP Agent version history.

Okta MFA Credential Provider for Windows, version 1.4.0

This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows Version History.

New prompts for admins configuring MFA policies

New warning prompts appear if you create weak authentication or authenticator enrollment policies. Prompts also appear if you change a strong policy to a weak one, except for those that enable phishing-resistant settings. This enhances security by helping you prevent the use of weak MFA policies in your org.

Demonstrating Proof-of-Possession

OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) is a security feature that adds an extra layer of protection to OAuth 2.0 access tokens. It enables the client to demonstrate that it possesses a particular key or secret associated with the access token. OAuth 2.0 DPoP can help prevent certain attacks, such as token theft or token replay attacks, where an attacker intercepts a legitimate access token and uses it to gain unauthorized access to a protected resource. See Create OIDC app integrations.

Responsive Admin Dashboard layout

When you resize the Admin Console to 600 x 751 pixels or smaller, the dashboard widgets now stack vertically instead of horizontally.

Improved Product Offers dashboard widget

The appearance and readability of the Product Offers dashboard widget have been improved to provide a better user experience.

Copy System Log events

A copy button is now available for each event listed in the System Log.

Enhancements to the Sign-In Widget for screen readers

The Sign-In Widget now includes enhancements that make it easier for users that rely on screen readers to select sign-in methods.

New attributes available for Smart Card username

Issuer and Serial Number attributes are now available when you configure the IdP username for the Smart Card Identity Provider.

Early Access Features

Early Access features from this release are now Generally Available.


  • OKTA-419477

    There was a typographical error on the Active Directory Import page.

  • OKTA-633269

    The Merge Duplicate Policy feature didn't remove duplicate policies nor populate the Consolidate CSV report with a record of the change.

  • OKTA-633280

    Some org configurations allowed invalid username entries.

  • OKTA-636211

    The footer message in User Activation email templates contained an inaccurate email link.

  • OKTA-642341

    During an SP-initiated sign-in flow, an interstitial page didn't appear in the browser's configured language.

  • OKTA-650686

    Memory cache errors sometimes occurred when admins performed imports on orgs with a large number of app assignments.

  • OKTA-655084

    Some AD provisioning events that failed were shown as successful in the System Log.

  • OKTA-655746

    SSO failed when Authorization-Method References (AMRs) weren't included in SAML assertions.

  • OKTA-657022

    Setting the group owner in Okta sometimes failed when the ManagedBy field from Active Directory was used.

  • OKTA-661591

    When users enabled Keep me signed in, Okta allowed easier access than intended on subsequent sign-in attempts.

  • OKTA-661797

    When a user clicked an app tile on the Okta Dashboard, the Safari browser opened apps in a new window without user interface controls instead of a new tab.

  • OKTA-664847

    Application assignments sometimes failed in orgs that use custom admin roles.

  • OKTA-668354

    An incorrect warning appeared on the Administrator assignment page when a custom admin role was assigned with granular directory permissions and an Active Directory resource set.

  • OKTA-669774

    After upgrading to Identity Engine, admins couldn't access the Authenticators page if the org had a large number of custom OTP authenticator enrollments.

Okta Integration Network

App updates

  • The BombBomb app integration has a new logo.

New Okta Verified app integrations

App integration fixes

  • Bank of America CashPro (SWA) (OKTA-668979)
  • Delta Dental (SWA) (OKTA-664057)
  • HelloFax (SWA) (OKTA-657466)
  • MacStadium (SWA) (OKTA-662973)
  • SendGrid (SWA) (OKTA-657094)
  • Team Gantt (SWA) (OKTA-663418)
  • Unity Ads (SWA) (OKTA-658284)
  • ZipCar (SWA) (OKTA-657448)
  • Zurich Adviser Portal (SWA) (OKTA-662671)

Weekly Updates