Okta Identity Engine release notes (Production)

Version: 2024.05.0

May 2024

Generally Available

Widget, version 7.18.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Option to enforce profile source priority for Desktop Single Sign On

Enforcing profile source priority for DSSO requires end users to authenticate using their identity from the top prioritized profile source. See Enable delegated authentication.

Microsoft Graph commands for Office 365 Manual Domain Federation

The Manual Domain Federation configuration guide for Microsoft Office 365 now uses Microsoft Graph commands.

Support for Active Directory password complexity requirements

This feature creates an option in the password policy to match the same complexity options as Active Directory (AD). Until now, admins couldn't exactly match Okta password complexity requirements to those of their AD instances. Historically, the password complexity requirements in Okta and AD had different granularities, and the requirements displayed in the Sign-In Widget didn't always reflect the AD requirements. As a result, users were locked out without proper error messages. This feature bridges that gap. See Configure the password authenticator.

Permissions for custom admins to manage agents

Custom admins can now view, register, and manage agents. See Agent permissions.

Improved password reset process for Active Directory-sourced users

Okta now updates user profiles when externaId, DN, or managerDn is updated in AppUser profiles during provisioning. Only attributes that have relevant mappings are affected.

IME support for international characters

Admins can now use an Input Method Editor (IME) to type international characters into the Admin Console.

Support for multiple Okta Verify enrollments

Multiple Okta Verify enrollments are now supported on the Authentication and Factors APIs.

Allow multiple identities on one Smart Card

When you use this feature, you enable your end users to use one Smart Card to identify as different identities and authenticate into corresponding accounts. See Configure the Smart Card authenticator.

Deprecated user profile attributes for Office 365

The following user profile attributes are no longer supported for Office 365:

  • AuthOrig
  • DLMemRejectPerms
  • DLMemSubmitPerms
  • IsTrackingChanges
  • UnauthOrig

See Supported user profile attributes for Office 365 provisioning.

OIN connector support for Entitlement Management

The GitHub Team connector has been updated to support Entitlement Management. See Provisioning-enabled apps.

Universal Logout support for Zoom

Universal Logout in Identity Threat Protection with Okta AI (ITP) now clears Zoom sessions and tokens when triggered by the entity risk policy, Continuous Access, and the Clear user session function. This enhances the security of orgs that use ITP.

Widget (third generation) version pinning

You can now pin the Sign-In Widget third generation (SIW3) version when updating a customized or preview sign-in page. You can pin version 7.8 or later. This ensures that orgs that use custom branding can't pin SIW3 to an incompatible version. See Customize your sign-in page and Sign-In Widget (third generation).

Granular controls for authentication policies

Admins can now disallow or allow individual authentication methods for an authentication policy. This gives admins more granular control over access to apps. This feature is made available to all orgs.

System Log events for Workflows execution history

Three new event types have been added to the System Log for logging Workflows execution history events:

  • workflows.user.flow.execution_history.activate
  • workflows.user.flow.execution_history.deactivate
  • workflows.user.flow.execution_history.delete

See the Event Types API.

System Log event update for global session policies

The policy.lifecycle.update and policy.rule.update events are updated to include more debug data and change details about the updated policy and rule.

System Log event update for Trusted Origins

If a Trusted Origin is updated using an Event Hook, the event hook ID is now displayed in the System Log event.

Early Access

Multiple Identifiers

Today, end users must sign in to Okta with a username or email address only. With the Multiple Identifiers feature, admins can configure identifiers, or user attributes from Universal Directory, that an end user can enter to authenticate. Multiplier identifiers work in sign-on, recovery, self-service registration, and unlock flows. Admins can configure up to three identifiers, including email (which is still a required identifier). See Multiple identifiers.

Skip the verify page and redirect to the IdP authenticator

This feature allows users to skip the verify step in the Sign-In Widget. They are instead redirected to the IdP authenticator for verification. When you enable this feature, end users see the option to skip the Sign-In Widget verification. If your org is configured to remember the last authenticator the user used, then the user is auto-redirected to the IdP authenticator for future sign-in attempts.

Require MFA for Admin Console access

You can require multifactor authentication to access the Okta Admin Console. When you enable this feature, all Admin Console authentication policy rules that allow single factor access are updated to require multifactor authentication. See Enable MFA for the Admin Console.

SSF Transmitter API

Okta uses CAEP to send security-related events and other data-subject signals to Apple, known as the Shared Signal Framework (SSF) receiver. After an SSF stream is configured, Okta sends signals as Security Event Tokens (SETs) to Apple. Use the SSF Transmitter API to manage SSF stream configurations between the SSF receiver and Okta.

Enhancement to protected access to Admin Console

As part of the Require MFA for Protected Actions in the Admin Console feature, step-up authentication is required to modify authentication policies applicable to Admin Console.


  • Failed Group Push operations to ServiceNow weren't displayed on the Tasks page. (OKTA-677484)

  • Provisioning to UKG Pro sometimes failed due to WorkCountryCode. (OKTA-681623)

  • Performing a Push Now operation on an empty push group in Okta failed to reconcile the group in Zendesk. (OKTA-701099)

  • Stuck XaaS executions weren't marked as failed jobs. (OKTA-712091)

  • Users who entered an invalid username into a password-first sign-in flow saw a misleading error message. This behavior occurred only in orgs that enabled the Multiple Identifiers feature and disabled User Enumeration Prevention. (OKTA-713096)

  • Admins who were supposed to have access to the MFA Activity report couldn't access it. (OKTA-714995)

  • When Okta detected a change in an admin’s IP, the caep_session_revoked signal wasn't sent to the SSF receiver. This occurred when the IP binding for admin console setting was enabled. (OKTA-717305)

  • Active Directory incremental imports were converted to full imports when a new OrganizationUnit was added or an existing OrganizationUnit was renamed. (OKTA-718186)

  • The Back to sign in link appeared on the Sign-In Widget (third generation) session expired page. (OKTA-718969)

  • Read-only admins couldn't access the Identity Threat Protection widgets and reports. (OKTA-719582)

  • Super admins with roles assigned through group assignment couldn't enable Direct Authentication grant types in an OIDC app. (OKTA-719756)

  • Some users had to click Sign in with Okta FastPass twice to initiate the enrollment. (OKTA-720029)

  • When running delegated flows from the Okta Admin Console, the event metadata wasn't recorded by the System Log. (OKTA-722302)

  • The error displayed when deleting a realm that had associated realm assignments wasn't translated to match the locale. (OKTA-722814)

  • Smart Card IdP username transformation didn't allow the space characters within the username string. This functionality is only available with custom UD attributes. (OKTA-723152)

  • The Edit button for modifying an SSWS API token's rate limit was disabled instead of hidden for admins who didn't have permission to update the rate limit. (OKTA-724333)

Okta Integration Network

  • DigiCert (SWA) was updated. (OKTA-722381)
  • Foqal Agent (SAML) is now available. Learn more.
  • Kantega SSO (OIDC) is now available. Learn more.
  • Kantega SSO (SAML) is now available. Learn more.
  • Kantega SSO (SCIM) is now available. Learn more.
  • LimbleCMMS (OIDC) now has additional redirect URIs.
  • Netdata (OIDC) is now available. Learn more.
  • Obsidian Security (SAML) now has an option to select the region for the ACS URL.
  • SCIM 1.1 Test App (OAuth Bearer Token) now has SWA and SAML functionality.
  • SCIM 2.0 Test App (OAuth Bearer Token) now has SWA and SAML functionality.
  • SCIM 2.0 with Entitlements Management (Basic Auth) now has SWA and SAML functionality.
  • SCIM 2.0 with Entitlements Management (Header Auth) now has SWA and SAML functionality.
  • SCIM 2.0 with Entitlements Management (OAuth Header Auth) now has SWA and SAML functionality.
  • Vansec (SCIM) now has updated application profile and mappings.

Weekly Updates

Version: 2024.04.0

April 2024

Generally Available

Widget, version 7.17.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta MFA Provider for ADFS, version 1.8.0

This release includes vulnerability fixes and a .NET Framework version upgrade.

Content Security Policy for custom domains

The Content Security Policy (CSP) feature lets admins control which URLs may be linked to from customized sign-in and error pages in orgs that use custom domains. Admins add trusted URLs to Okta that link to items such as images and add these links to the code in their sign-in and error pages. This feature enhances security by enabling admins to allow only approved content to appear and prevent the introduction of potentially malicious code to these pages. See Customize the Content Security Policy (CSP) for a custom domain.

SAML Certificate expiration notification feature

This feature notifies admins through task entries in the Admin Console about expired or soon-to-expire certificates for SAML apps. This enhances security and minimizes app downtime caused by expired certificates.

Support case management for admins

Super admins can now assign the View, create, and manage Okta support cases permission and Support Cases resource to a custom admin role. This allows delegated admins to manage the support cases that they’ve opened. See Role permissions.

Okta Usage report enhancements

The Okta Usage report now attempts to download the generated CSV file immediately upon loading, and updates the email template when the report is generated. The CSV file can now contain up to five million rows. These enhancements automate the tasks of downloading and emailing the report, and provide more data to admins.

Direct Authentication

Direct Authentication offers a new set of OAuth 2.0 grants that give app developers greater control over the authentication process. When redirect authentication isn't an option, you can use direct authentication to allow client apps to authenticate users directly, without relying on HTTP redirection through a web browser. This is beneficial when there's a high degree of trust between the user and the app and when browser-based flows aren't feasible, like with mobile apps. See Configure Direct Auth grant types.

Okta Verify user verification with PIN or passcode

The Okta Verify enrollment relies on biometric verification, which presents challenges for users whose devices don’t support biometrics. To address this limitation, Okta Verify now supports user verification with PIN or password in addition to biometrics. This enhancement broadens accessibility, enabling all users to authenticate with Okta Verify and Okta FastPass, regardless of their device capabilities or personal constraints. See Configure Okta Verify options.

Granular API policy authenticator controls

The Authentication Policy API now includes three new constraints object parameters that provide precise control over what specific authenticators and methods are displayed to end users. Previously, some authenticators were mapped to the same authenticator types and methods. The parameters authenticationMethods and excludeAuthenticationMethods now identify (or exclude) the exact authenticator for both knowledge and possession constraints. The required parameter indicates whether the knowledge or possession constraints are required by the assurance. See the Policy API.

Granular controls for authentication policies

You can now disallow or allow individual authentication methods for an authentication policy. This gives admins more granular control over access to apps.

Require possession factor before password during MFA

You can now require users to verify their identity with a possession factor before a password or other knowledge factor during MFA. This helps protect your org against password guessing or spray attacks. See General Security.

New maximum number of connected AWS accounts

Admins can now connect a maximum of 1000 Amazon Web Services accounts to the AWS Account Federation app in Okta. This change helps avoid timeouts when testing API credentials on AWS.

Improved date filter display in reports

The date filter is now standardized and appears inline for the following reports: Telephony usage, Continuous access violation, Entity risk, At-risk user, and MFA events.

Improved Admin Dashboard and Administrators page

The appearance of several UI components (like buttons and dropdown menus) have been improved across the Admin Dashboard and the Administrators page.

Updated documentation links

Documentation links under the Security, Applications, and Customizations menus now redirect to the correct documentation.

End-User Dashboard and unsupported browsers

The End-User Dashboard no longer loads in unsupported browsers, including Internet Explorer 11 or Edge in Internet Explorer mode. This change enhances security by preventing access from browsers that no longer receive updates.

End-User Dashboard branding and accessibility enhancements

The End-User Dashboard now features design changes that provide a consistent brand experience across Okta's app and enhance accessibility for users.

New target added to a System Log event

A new target was added to the user.authentication.auth_via_mfa System Log event. The target shows the type of MFA app that was used to authenticate.

Authentication context System Log event

The new AuthenticationContext System Log event shows who accessed the configuration secrets for ADFS, Windows Credential Provider (RDP), Epic Hyperspace, and Epic Hyperdrive apps.

New DSSO user impersonation System Log event

A System Log event is now logged when a user attempts Desktop Single Sign-On (DSSO) authentication using a profile source that wasn't the highest priority.

Additional CrowdStrike signals

Okta Verify collects additional trust signals from CrowdStrike. You can view these signals in the System Log. When you configure authentication policy rules, you can use the CrowdStrike signals in Expression Language conditions. See EDR signals for custom expressions.

Early Access

Identity Threat Protection with Okta AI

Identity Threat Protection with Okta AI is a powerful risk assessment and response solution that provides post-authentication security to your org. By continuously analyzing risk signals that are native to Okta, risk signals from integrated security partner vendors, and your policy conditions, it safeguards orgs against identity attacks that occur during and outside of a user’s session. When Identity Threat Protection discovers a risk, it can immediately end the user’s sessions, prompt an MFA challenge, or invoke a workflow to restore your org’s security posture. Using intuitive dashboard widgets and reports, you can easily monitor security threats as they happen. See Identity Threat Protection with Okta AI.


  • Users couldn't enroll multiple Smart Cards as security methods from the End User Settings page. (OKTA-581807)

  • When end users enrolled the email authenticator, the Sign-in Widget displayed their email incorrectly. (OKTA-625907)

  • Some Microsoft Windows 365 Enterprise license names weren't displayed correctly on the Edit Assignment page. (OKTA-679276)

  • Admins could delete active network zones. (OKTA-691904)

  • No GovSlack attributes appeared for new app instances. (OKTA-693162)

  • Google Workspace default user schema attributes weren't imported into Okta. (OKTA-697236)

  • On the Configure SAML 2.0 IdP screen, the Account matching with IdP Username section appeared when Factor Only was selected for IdP Usage. (OKTA-698614)

  • When an end user enrolled in Okta Verify from an OIDC app, they received the email notification from noreply@okta.com instead of the custom email domain. (OKTA-701658)

  • When an admin enabled a self-service Early Access feature and an error occurred, a success message appeared. (OKTA-701707)

  • Users received a Bad Request error when they canceled Okta FastPass during authentication. (OKTA-706541)

  • App admins could initiate the refresh app data process for apps to which they didn't have permission. (OKTA-711670)

  • Users were unable to enroll in an authenticator with the inline enrollment prompt when the authentication policy did not contain constraints for the corresponding factor class. (OKTA-715402)

Okta Integration Network

  • Alohi (SAML) is now available. Learn more.
  • Alohi (SCIM) is now available. Learn more.
  • Better Stack (SAML) has a new logo.
  • Candor (OIDC) is now available. Learn more.
  • FAX.PLUS (SAML) has a new logo, description, and display name.
  • Humi (OIDC) is now available. Learn more.
  • Jurnee (SCIM) is now available. Learn more.
  • UMA (OIDC) is now available. Learn more.

Weekly Updates

Version: 2024.03.0

March 2024

Generally Available

Widget, version 7.16.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.20.0

This version of the agent includes the following:

  • Fixed an LDAP query used by the agent for retrieving group memberships using range attributes.

  • The Okta LDAP Agent service now automatically starts on boot for Red Hat and CentOS platforms.

  • Fixed an issue where some customers experienced slower than expected queries during LDAP authentication.

  • Security enhancements.

See Okta LDAP Agent version history.

Okta Hyperdrive agent, version 1.4.0

This version includes bug fixes and an upgrade of the .NET Framework to version 4.8. See Okta Hyperdrive agent version history.

Okta Hyperspace agent, version 1.4.0

This version includes bug fixes and an upgrade of the .NET Framework to version 4.8. See Okta Hyperspace Agent Version History.

Okta AD agent, version 3.17.0

This version includes fixes for signing executable and DLL files that come with the Active Directory agent. See Okta Active Directory agent version history.

Enhanced Disaster Recovery

This feature enables commercial customers in the North America region (excluding Compliance cells) to recover faster in the event of a disaster or regional outage. See Overview of enhanced disaster recovery.

Admin sessions bound to Autonomous System Number (ASN)

When an admin signs in to Okta, their session is now associated with the ASN they are logging in from. If the ASN changes during the session, the admin is signed out of Okta, and an event appears in the System Log.

Admin sessions bound to IP address

The Security General Organization Security page has a new IP binding for admin console setting that's enabled by default. This setting associates all of the admin sessions in your org with the device IP address. If the IP address changes during the session, the admin is signed out of Okta, and an event appears in the System Log. This setting can be disabled, but Okta recommends keeping it enabled as a security best practice. See General Security.

Verify Zoom users with Okta

Zoom users can now attest and verify a user’s identity between two independent parties using Okta-signed tokens.

Permission conditions for profile attributes

You can now apply conditions to the View users and their details and Edit users' profile attributes custom admin role permissions. Permission conditions help you limit the scope of a role by including or excluding admins' access to individual profile attributes. This gives you more granular control over your custom admin roles and helps meet your org’s unique security needs. See Permission conditions.

Enhanced security of Okta Verify enrollments

The Higher security methods option on the authenticator configuration page ensures that users enroll in Okta Verify in a phishing-resistant manner. With this option, users can't enroll with QR code, email, or SMS link. See Configure Okta Verify options.

Stay signed in

Today, Keep me signed in allows the user to select whether their multifactor authenticators from previous sessions should be remembered. However, the option to select Keep me signed in was only available on the sign-in screen.

To enable Stay signed in for integrated authentication flows, admins can now configure their sign-in experience such that the option to Stay signed in is provided either before the user signs in to Okta or before and after the user completes multifactor authentication. If a user selects Stay signed in, they won't be challenged for MFA the next time they sign in. In addition, users will now be able to sign out of all active Okta sessions from the Okta End-User Dashboard. See Stay signed in.

Granular permissions to manage directories

This feature enables you to assign permissions to view and manage directories as part of a customized admin role. Admins without universal application administrator permissions can handle directory-specific tasks.

Improved password reset process for Active Directory-sourced users

The password reset process sends password update and verification requests to the same Active Directory agent to avoid replication delay.

Device Context using Limited Access in Okta Identity Engine

You can now pass device context using Limited Access in Okta Identity Engine. See Pass Device Context using Limited Access in Okta Identity Engine

Unknown devices detection using fingerprint

Admins can now configure how unknown devices are treated based on the presence of a device fingerprint.

See Block suspicious sign-in attempts from unknown devices.

New requirement for email customizations

To prevent phishing attacks, Okta now requires orgs to have a custom domain to send customized emails. All customized emails currently sent from the Okta domain are disabled, and orgs that use the Okta domain can send default email templates only. This feature is currently enabled by default for new orgs only.

Enhanced System Log Event

The policy.evaluate_sign_on System Log event now shows the assurance policy factor requirement and a list of the available authentication factors for the sign-on event.

Cornerstone OnDemand now uses OAuth for authentication

Cornerstone OnDemand replaced the previous authentication method with OAuth authentication to improve security for provisioning. Create a new Cornerstone OnDemand app instance and configure it to use Oauth credentials. See Configure provisioning for Cornerstone OnDemand.

Styling change for Brands pages

The CustomizationsBrands section of the Admin Console now uses Odyssey UI components. There's no change to functionality, but some of the styling is different.

AAL values for Login.gov IdP

The Login.gov IdP configuration has been updated to include all allowed AAL values. See Create an Identity Provider in Okta.

New System Log information for password policy changes

System Log entries for password policy changes now display the policy settings before and after the update was made.

Improved System Log map view

The System Log map view now includes a reset button and left and right bounds on the zoom function.

New System Log information for MFA enrollment policy changes

System Log entries for MFA enrollment policy changes now display the policy settings before and after the update was made.

IP binding for Admin Console setting

The SecurityGeneralOrganization Security page has a new IP binding for Admin Console setting. When you enable this setting, all of the admin sessions in your org are associated with the system IP address that they signed-in from. If the IP address changes during the session, the admin is signed out of Okta, and an event appears in the System Log. See General Security.

Additional operator for date filter

The date filter is now standardized across all reports and includes the in range operator.

Early Access

Direct End-User Settings access

Users may now access their Settings page through a direct URL in addition to the End-User Dashboard. This feature provides convenience and security for users, gives admins greater flexibility when working with End-User Dashboard access control scenarios, and includes accessibility and UX improvements. See User settings.

Enforce Number Challenge for Desktop MFA

You can now enforce number challenge on all push notifications for Desktop MFA, regardless of the authentication policy. See Configure Desktop MFA policies

Realms for Workforce

Realms allows you to unlock greater flexibility in managing and delegating management of your distinct user populations within a single Okta org. See Manage realms.

Trusted App filters

Trusted App filters allow orgs to block applications from invoking Okta FastPass in Windows, and in Google Chrome and Firefox browsers for macOS. See Trusted app filters .

Google Workspace 1-click federation

Admins can set up SSO to Google Workspace using a simplified integration experience that saves time and reduces the risk of errors.

New HealthInsight task

HealthInsight now includes a recommendation to apply MFA for access to the Admin Console.


  • Sometimes group membership changes in a downstream app weren't reflected upon source app assignment in Okta. (OKTA-647132)

  • When users clicked the X in the upper-right corner of the Edit User Assignment page, the page wasn't restored to the default User Assignment view. (OKTA-651313)

  • The MFA Usage report sometimes displayed L10N_ERROR instead of the MFA factor. (OKTA-658326)

  • Office 365 user licenses were randomly removed. (OKTA-665130)

  • During Okta Verify enrollment, the Scan the QR code option was incorrectly displayed for the requests coming from a mobile device. (OKTA-671029)

  • Users in certain geolocations couldn’t sign in to Okta, even when the org’s policies didn’t block the location. (OKTA-671528)

  • Importing large group membership data failed for orgs using ranged queries. (OKTA-672521)

  • The Jira On-Premises app authenticator didn't include a relay state parameter. (OKTA-673058)

  • Password age validation incorrectly appeared on the new user registration window. (OKTA-673824)

  • The Display application icon in the Okta Mobile app option was incorrectly available for the Application visibility property in the Application Integration Wizard (AIW). (OKTA-674235)

  • During self-service registration, users didn't receive the verification email when enrolling Okta Verify with Push. (OKTA-677750)

  • On the Tasks page, the user search didn't return any results for deactivated users. (OKTA-677822)

  • AD users created through JIT couldn't reset their password even if it was set to change after they first signed in. (OKTA-679679)

  • Google licenses were missing from the Universal Directory profile. (OKTA-684513)

  • During LDAP authentication, orgs with large customer databases experienced slower-than-expected queries. (OKTA-686417)

  • Some links on the Admin Dashboard to Okta Documentation didn't work. (OKTA-693031)

  • Users were prompted to enter a password twice when signing in. (OKTA-699026)

  • Read-only admins could modify the IP restrictions of other users' tokens. (OKTA-700117)

  • Some text was truncated on the Recent Activity page. (OKTA-700858)

  • The locale attribute from the user profile wasn't correctly populated to the telephony inline hook. (OKTA-700928)

  • Admins couldn't enroll or reset FIDO2 authenticators for staged users. (OKTA-701467)

  • An inline hook secured by an OAuth 2.0 token that had no expiry value returned an HTTP 400 Bad Request error. (OKTA-702184)

  • The Cornerstone REST API rate limit wasn't honored. (OKTA-702729)

Okta Integration Network

  • Acronis Cyber Cloud (SCIM) has a new authorize endpoint, display name, SAML attribute, and icon.
  • Dashworks (OIDC) has a new integration guide. Learn more.
  • Dashworks (SCIM) has a new integration guide. Learn more.
  • Modal (SAML) is now available. Learn more.
  • NexHealth (SAML) has a new description and an additional SAML attribute.
  • Onyxia (SAML) is now available. Learn more.
  • Paved (OIDC) is now available. Learn more.
  • Reftab Discovery (API service) is now available. Learn more.
  • Resonance by spiderSilk (SAML) is now available. Learn more.
  • Semana (SAML) is now available. Learn more.
  • SpotDraft (SAML) is now available. Learn more.
  • Vansec (SCIM) is now available. Learn more.

Weekly Updates