Okta Identity Engine release notes (Production)
Version: 2024.11.0
November 2024
Generally Available
Okta LDAP Agent, version 5.22.0
This version of the agent includes the following:
- Agent now uses OAuth 2.0 and OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to securely communicate with Okta.
- New agents are registered through the OAuth 2.0 device registration flow.
- Agents now operate independently from the accounts used to register them.
- Agents can now be installed by super admins and admins with a custom role that includes agent registration permissions. See LDAP integration prerequisites.
- Linux LDAP agents are now managed using systemd instead of sysvinit. See Manage the Okta LDAP Agent.
Improved user experience for group member counts
Groups now use async counts to determine user membership for groups that exceed 10,000 users. This improves the performance of both the Groups page and the group selector on the Sign-on policy page.
Give access to Okta Support
Admins can now control how members of the Okta Support team access their org. To support this, the Account page provides the following two options:
- Impersonation Grants for Cases: Allows the Okta Support team to sign in to your org as a read-only admin to troubleshoot issues.
- Support User Grants for Self-Assigned Cases: Allows an Okta Support representative to access your org settings after they've opened a case. Using these settings, admins can select the right level of Support access for their org.
YubiKey preregistration
Customer admins were previously unable to enroll and ship YubiKeys as WebAuthn enrollments in a quick and automated way. The YubiKey preregistration feature enables admins to preregister YubiKey factors as WebAuthn enrollments for both staged and existing (active) users using a Workflows and Yubico integration to seamlessly handle the registration and shipment. See Require phishing-resistant authentication with pre-enrolled YubiKey.
Seamless ISV experience for SCIM
Okta now provides a seamless ISV experience to optimize the Okta Integration Network (OIN) submission experience for SCIM integrations. This new experience enables independent software vendors (ISVs) to build and manually test their SCIM integration metadata before submission to the OIN. This reduces the time needed for the OIN team to review and validate that the SCIM integration functions as intended, which shortens the time to publish in the OIN. This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See Publish an OIN integration overview and Submit an integration with the OIN Wizard guide.
Read-only admin permissions
Read-only admins can now view user profile policies and inline hooks. See Read-only administrators.
New column in Application Usage report
The Application Usage report now provides an Instance Name column. The new column helps users identity which apps the report was generated for.
Improved Access Requests error message
When you navigate to the Access Requests tab for an app, the resulting error message is now clearer.
Updates to User Accounts report
The maximum number of rows in a CSV export has been increased from 1 million to 5 million.
Early Access
IP Exempt Zone
Use this feature to always allow traffic from specific gateway IPs irrespective of any Okta ThreatInsight configurations or network zones that are configured as blocklists. See IP Exempt zone.
OpenID Connect Identity Providers now support group sync
OpenID Connect Identity Providers now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.
Create dynamic resource sets with conditions
Resource set conditions help you limit the scope of a role by excluding an admin's access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Resource set conditions.
Seamless and secure authentication with passkey autofill
Passkeys offer a streamlined sign in experience to users by leveraging their browser's existing autofill capabilities. This allows users to quickly and intuitively sign in to an org without typing their credentials or seeing extra prompts. This secure, phishing-resistant solution works seamlessly across devices, delivering both enhanced security and convenience for modern authentication needs. See Configure the FIDO2 (WebAuthn) authenticator.
Secure Partner Access for external partners
Secure Partner Access provides a secure way for external business partners to access your org's resources. It streamlines your partner management tasks, reduces IT workload, and simplifies the process of configuring your org's security requirements. See Manage Secure Partner Access.
Secure SaaS service accounts
This feature enables customers to monitor, manage, and secure access to service accounts in their SaaS apps. This new feature in Okta Privileged Access improves the Okta platform by safeguarding non-federated accounts across an org's apps. See Manage service accounts.
Fixes
-
The user count on the Groups page wasn't displayed correctly. (OKTA-603239)
-
The group picker in the Okta Browser Plugin showed an inaccurate user count. (OKTA-603587)
-
After account recovery was deferred to the Okta account management policy, users still couldn't delete authenticators that were required by the password policy. (OKTA-740130)
-
When the Settings page prompted an end user for reauthentication, the Sign-In Widget sometimes wasn't displayed correctly. (OKTA-793598)
-
Admins couldn't retry failed provisioning tasks. (OKTA-795934)
-
Admins who only had the View applications and their details and Run imports permissions could deactivate apps. (OKTA-798693)
-
SUSPENDED app users weren't supported during a group push. (OKTA-803747)
-
The authenticator enrollment and email notifications for new Okta Verify enrollments on custom domains weren't correctly branded. (OKTA-805671)
-
When the Okta account management policy was configured to control recovery, all selected authenticators in the password policy were cleared. (OKTA-812311)
-
The text overflowed the Application notes for admins field in the General Settings section of the OIDC app page. (OKTA-813866)
-
When an admin clicked Show more tasks on the Tasks page after a Profile Push error occurred, the list of affected users appeared twice. (OKTA-814527)
-
Self-service unlock didn't work if user enumeration prevention was disabled and Show lock out failures was turned on. (OKTA-815680)
-
The security.partner.report.risk and user.session.end events were missing from the user.risk.change System Log event. (OKTA-818603)
-
Sometimes when an admin tried to view the Salesforce app integration, they were prompted to sign in. (OKTA-820465)
-
Sometimes an error occurred when pushing groups without a group description. (OKTA-820782)
-
On the Okta Admin Dashboard, the information in the Tasks widget wasn't aligned correctly. (OKTA-822294)
-
Sometimes there was an unexpected profile sync. You may experience one more unexpected profile sync. (OKTA-822824)
-
On the Edit role page, some role permissions weren't in the correct order. (OKTA-823779)
Okta Integration Network
- Datadog (SAML) is now available. Learn more.
- Diminish (OIDC) is now available. Learn more.
- Docusign by Aquera (SCIM) is now available. Learn more.
- EveryKey SSO (SAML) is now available. Learn more.
- Five9 Identity Service based SSO (SAML) is now available. Learn more.
- Fullstory (SAML) is now available. Learn more.
- getregistered (SCIM) is now available. Learn more.
- GitHub by Tech Prescient (SAML) is now available. Learn more.
- LenelS2 Elements (SCIM) is now available. Learn more.
- Lumos (SCIM) is now available. Learn more.
- Metaphor (SCIM) has a new integration guide.
- Ninth Brain Suite (SAML) is now available. Learn more.
- Poggio (SAML) is now available. Learn more.
- Schoox (SWA) has a new icon.
- SecureTrustZone (SCIM) is now available. Learn more.
- Seesaw (OIDC) is now available. Learn more.
- Spherexx (SAML) has a new icon, description, and integration guide.
- Upaknee Cloud Messaging Stack (OIDC) is now available. Learn more.
Weekly Updates
2024.11.1: Update 1 started deployment on December 2
Generally Available
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 12, 13, 14, 15 security patch 2024-11-05
- iOS 17.7.1 iOS 18.1
- macOS Ventura 13.7.1
- macOS Sonoma 14.7.1
- macOS Sequoia 15.1
- Windows 10 (10.0.17763.6532, 10.0.19044.5131, 10.0.19045.5131)
- Windows 11 (10.0.22000.3260, 10.0.22631.4460, 10.0.26100.2314)
Sign-In Widget, version 7.25.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Fixes
-
When an admin updated the Configured SAML Attributes for a SAML 2.0 integration, the values weren't reflected in the Admin Console. (OKTA-694781)
-
The minimum OS version required for the Okta Active Directory agent was incorrectly listed as Windows Server 2012. (OKTA-718212)
-
Text on the Edit resource to a standard role dialog was sometimes misaligned. (OKTA-794559)
-
The group picker incorrectly listed Okta Administrators on the New Web App Integration page under . (OKTA-794750)
-
Emails stating that agents were down included an incorrect link to check agent status. (OKTA-797414)
-
SUSPENDED app users weren't supported during a group push. (OKTA-803747)
-
When an Okta AD agent failed to be reactivated because it had no SSWS token in the database, the Admin Console erroneously displayed a message stating that the agent was reactivated. (OKTA-806425)
-
Users created through self-service registration couldn't reset their passwords if they signed out before enrolling more authenticators. (OKTA-812816)
-
There was an issue with the Sync Entitlements button on the Governance tab for the (Header Auth) Governance with SCIM 2.0 app. (OKTA-814934)
-
Some Microsoft Windows 365 Enterprise license names were missing or appeared incorrectly on the Edit Assignment page. (OKTA-817097)
-
Some text strings on the Settings page of the End-User Dashboard had incorrect spacing. (OKTA-820021)
-
Some text strings on the Settings page of the End-User Dashboard weren't translated. (OKTA-821610)
-
The security.partner.report.risk and user.session.end events were missing from the user.risk.change System Log event. (OKTA-825084)
-
The OIDC scopes required to use entitlement management in Okta weren't enabled in Coupa. (OKTA-825558)
-
A GET user request for newly created users in Staged status sometimes returned incorrect activated and statusChangedvalues. (OKTA-827818)
-
The Secure Partner Access app session remained active even when the browser was closed. (OKTA-828148)
-
The realms page for Secure Partner Access incorrectly displayed non-partner realms. (OKTA-829258)
Okta Integration Network
- ADP Next Gen HCM by Aquera (SCIM) is now available. Learn more.
- Analytic Index (OIDC) is now available. Learn more.
- BarRaiser (SAML) is now available. Learn more.
- CB Insights (SAML) is now available. Learn more.
- Chili Piper (SAML) is now available. Learn more.
- Clearout.io (OIDC) is now available. Learn more.
- Cornerstone Core HR by Aquera (SCIM) is now available. Learn more.
- Cyberlift SSO (OIDC) is now available. Learn more.
- CytoTronics Pixel Pro (SAML) is now available. Learn more.
- FastSpring (OIDC) is now available. Learn more.
- Funnel.io (SAML) is now available. Learn more.
- GitHub AE (SCIM) is now available. Learn more.
- Greenhouse Recruiting by Aquera (SCIM) is now available. Learn more.
- Hyperproof (SAML) has a new AIP, SSO URL, Audience URI, and integration guide.
- LawVu (SCIM) now has Group Push, additional attributes, and an updated description.
- LivePreso (SCIM) is now available. Learn more.
- Marker.io (SAML) is now available. Learn more.
- Moveworks (OIDC) has a new integration guide.
- OPTIZMO (SCIM) is now available. Learn more.
- Perimeter 81 (SAML) has an updated ACS URL and Audience URI.
- Perimeter 81 (SCIM) now supports the EU location.
- Sage HR by Aquera (SCIM) is now available. Learn more.
- Secured Signing (OIDC) has a new icon.
- Stripe (SAML) is now available. Learn more.
- Vbrick Rev Cloud (SAML) is now available. Learn more.
Version: 2024.10.0
October 2024
Generally Available
Sign-In Widget, version 7.24.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Hyperspace Agent version 1.5.0
Hyperspace Agent version 1.5.0 is now available. This version uses Microsoft Edge WebView2 Runtime to display Sign-In Widget content. See Okta Hyperspace Agent version history.
JIT provisioning for Smart Card
This feature enables you to provision Just-In-Time (JIT) access to users. You can do this by configuring certificate attribute criteria so that PIV/CAC card holders of other orgs can gain access to the resources they need. See Add a Smart Card Identity Provider.
Enhanced dynamic zones
Use enhanced dynamic network zones to define IP service categories (proxies, VPNs), locations, and Autonomous System Numbers (ASNs) that are allowed or blocked in a zone. See Enhanced dynamic zones.
Device assurance OS version update
The following OS versions are now supported in device assurance policies: -
- Android 15
- iOS 17.7
- macOS 13.7
- macOS 14.7
- Windows 10 (10.0.17763.6293, 10.0.19044.4894, 10.0.19045.4957)
- Windows 11 (10.0.22000.3197, 10.0.22621.4249, 10.0.22631.4249)
Nonce rollout for Content Security Policy
Okta is rolling out nonces for the script-src directive of the Content Security Policy for every endpoint that returns html content. This is a two stage process: first, the nonce is added to the Content-Security-Policy-Report-Only header script-src directive; later, after any unsafe inline scripts are identified and fixed, the nonce is added to the Content-Security-Policy header script-src directive. This update will be gradually applied to all endpoints.
Deprecating provisioning for Confluence (Atlassian)
Provisioning for Confluence (Atlassian) has been deprecated.
UI update on the Brands page
Dropdown menus on the Brands page have been updated to provide a more consistent look and feel.
OIN connector support for Entitlement Management
The following connectors have been updated to support Entitlement Management:
- Coupa
- DocuSign
- WebEx
Group Owner assignments removed
The Group Owner assignment option has been removed from Access Requests for admin roles sequences.
Updated content on Entity Risk Policy page
UI text on the Entity Risk Policy page is updated for clarity and consistency.
New Okta Secure Identity collection in the OIN catalog
A new Okta Secure Identity collection is available in the Okta Integration Network (OIN) catalog. This collection identifies integrations that are part of the Okta Secure Identity commitment. See the OIN catalog for a list of integrations assigned to this collection.
Improved notifications in Admin Console policy
Notifications in the Admin Console authentication policy have been improved for better user experience.
System Log event types and outcome reasons
The user.authentication.auth_via_IDP and user.authentication.auth_via_social System Log event types now indicate whether a successful Identity Provider sign-in attempt was due to JIT provisioning or account linking. See Event types.
OIDC Identity Provider options
OIDC Identity Providers can now have both the Account Link and JIT policies set to disabled.
Event hooks for Identity Provider authentication
You can now use user authentication with Identity Provider events as event hooks. See Event Types for a list of events that you can use with event hooks.
Early Access
Step-up authentication for Office 365
This enhancement enables customers to dynamically prompt for Okta MFA when needed, without having MFA configured in the authentication policy. See Use Okta MFA for Azure Active Directory.
Grace period for device assurance
Occasionally, users' devices might fall out of compliance with security policies due to temporary conditions such as missed software updates or unapproved network connections. Without a grace period, they would be immediately blocked from accessing critical resources, which disrupts productivity and causes frustration. The Grace period for device assurance feature allows you to define a temporary window during which non-compliant devices can still access resources. This gives users time to remediate issues without being locked out, balancing productivity with security standards. See Add a device assurance policy.
Identity Verification with third-party Identity Verification providers
When users take certain actions, Identity Verification enables you to use a third-party Identity Verification provider to verify the identity of your users. Verification requirements and the Identity Verification provider are based on your authentication policies and configurations within your Okta org. Okta supports Persona as a third-party Identity Verification provider. See Add an Identity Verification vendor as Identity Provider.
Same-Device Enrollment for Okta FastPass reactivated
Same-Device Enrollment for Okta FastPass is now available again. The feature had been removed to resolve an Okta Verify enrollment issue. On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:
- Users can initiate and complete enrollment on the device they're currently using. Previously, a second device was required for enrollments. Note that enrollment requires 2FA if possible, which may involve a second device.
- Users no longer need to enter their org URL during enrollment.
- The enrollment flow has fewer steps. This feature is supported on Android, iOS, and macOS devices.
To enable it, go to Same-Device Enrollment for Okta FastPass.
and turn onBiometric user verification support in Authentication Method Chain
The Require biometric user verification option is now supported in Authentication Method Chains.
Authenticator actions hidden
Users must satisfy the requirements of an Okta account management policy to reset or remove their existing security methods. If they don't, the authenticator actions are now hidden from their Settings page. See Okta account management policy.
Custom Keep me signed in labels
Admins can now customize the Keep me signed in label on their sign-in page. See Branding.
Design enhancements for OIDC and SAML app integrations
When the Logout section that includes all of the logout settings for the app. See Application Integration Wizard SAML field reference.
feature is enabled, the OIDC and SAML app integration pages now have a singleFixes
-
If an error occurred while performing a group push, the Push Status of the push group was only updated after refreshing the page manually. (OKTA-710642)
-
When managing directories for a group, clicking Next without making any changes resulted in duplicate Previous and Cancel buttons being displayed. (OKTA-735984)
-
Sometimes trying to access a SAML app through a service provider flow resulted in a 500 Internal Server error. (OKTA-739430)
-
Admins couldn't set temporary passwords for users if Self-Service Password Reset was disabled. (OKTA-742231)
-
In orgs that used a custom domain, admins were prompted to enter their username when they performed a protected action. (OKTA-747566)
-
Sometimes, concurrent agentless DSSO JIT operations for a user broke app assignments, which required admin intervention to correct. (OKTA-752118)
-
Some users couldn't enroll in Okta Verify for Desktop using WebAuthn. (OKTA-753346)
-
The ability to view API tokens was incorrectly assigned to the custom admin role permissions for View users and their details. The ability to revoke API tokens was incorrectly assigned to the custom admin role permissions for Edit users' lifecycle states, Suspend users, and Clear users' sessions. (OKTA-801358)
-
User passwords could be updated to match the answer to the recovery question. (OKTA-804681)
-
The phone authenticator description about sending a security token by SMS or voice was misleading. (OKTA-804683)
-
Inactive Identity Verification IdPs were listed in Okta account management policy rules. (OKTA-807331)
-
The number of SAML-capable apps displayed on the Tasks page was incorrect. (OKTA-811744)
-
The Sign-In Widget displayed an error message instead of sign-in fields and MFA challenges. (OKTA-812099)
-
Sometimes, the Sign-In Widget didn't display remediation instructions when the Grace Period value was None. (OKTA-813942)
-
Some admins with a custom role saw an error when they attempted to import user attributes. (OKTA-815012)
-
After signing out of the Okta End-User Dashboard, users on ChromeOS devices couldn't sign back in. (OKTA-816091)
Okta Integration Network
- Bob by Aquera (SCIM) is now available. Learn more.
- Eccentex AppBase (SCIM) is now available. Learn more.
- GitHub Enterprise Server by Aquera (SCIM) is now available. Learn more.
- HPE Aruba Networking SSE - Axis (SAML) is now available. Learn more.
- Jurnee (OIDC) now has an initiate login URI.
- Oracle Cloud HCM by Aquera (SCIM) is now available. Learn more.
- SecureTrustZone (SAML) is now available. Learn more.
- Snowflake by Tech Prescient (SAML) is now available. Learn more.
- Teamgo Visitor Sign-in (SCIM) is now available. Learn more.
Weekly Updates
2024.10.1: Update 1 started deployment on November 4
Generally Available
Sign-In Widget, version 7.24.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
New IP service category
The WARP_VPN proxy service is now supported as an IP service category in enhanced dynamic zones. See Supported IP service categories.
Fixes
-
Users couldn't add or edit a factor nickname in
. (OKTA-658434) -
An error occurred when admins attempted to deactivate some devices. (OKTA-715650)
-
The Okta account management policy didn't support device IdP redirects through EL conditions. (OKTA-740746)
-
Deleting a pre-registered YubiKey enrollment didn't send an email notification or register a System Log event. (OKTA-750155)
-
Sometimes an error occurred when reactivating org2org users. (OKTA-755934)
-
When users tried to authenticate using an Identity Provider to activate a device, an error message appeared and the Try again button didn't work. (OKTA-756381)
-
If both email address and username were required during profile enrollment, and the values were different, users didn't know where their email enrollment verification was sent. (OKTA-756516)
-
Deactivated apps sometimes showed an Active status in the Admin Console. (OKTA-799257)
-
Some users were unable to save user attribute settings in Okta groups that were linked to directories. (OKTA-799880)
-
In some cases, AppUser profiles weren't updated when users were provisioned to AD using Okta Groups. (OKTA-800577)
-
Users couldn't click the Skip Profile link to bypass the secondary email prompt. (OKTA-803499)
-
The System Log displayed an incorrect actor when events were triggered by an Activate a factor API request. (OKTA-803794)
-
The app.keys.* System Log events didn't contain the root session ID. (OKTA-808707)
-
Authentication method chain didn't work properly in the Okta Account Management Policy and has been disabled. (OKTA-812749)
-
When the minimum password age was set in the password policy, new users without a password couldn't set their password after they first signed in until the set minimum password age had passed. (OKTA-814032)
-
A successful sign-in event for the PIV Identity Provider displayed information from an old certificate if an existing user used a renewed certificate for authentication. (OKTA-814630)
-
Some text strings on the End-User Settings page weren't translated. (OKTA-815053)
-
After signing out of the Okta End-User Dashboard, users on ChromeOS devices couldn't sign back in. (OKTA-816091)
-
Users could automatically sign in after reloading the grace period sign-in page instead of selecting Continue to the app. (OKTA-816770)
-
Users sometimes received a device remediation grace period although it wasn't applicable according to the authentication policy. (OKTA-817210)
-
The post-authentication Keep me signed in option was displayed in the dialog for Okta account management policy rules, even though it's not supported. (OKTA-818061)
-
Some text strings on the Settings page of the End-User Dashboard weren't translated. (OKTA-818090)
-
When you retrieved a policy rule that denied access and used an empty authentication method chain, a 500 validation error was returned. (OKTA-819217)
-
Users couldn't access a custom push app when the Okta account management policy's self-service unlock rule required one-factor authentication. (OKTA-819868)
-
When Workflows was used to request multiple bundles, some entitlements were missing. (OKTA-819958)
-
An authentication policy rule that was created using the API, and included authentication method chain and reauthentication data, wasn't saved even when the Admin Console displayed Advanced Mode. (OKTA-820653)
Okta Integration Network
- Acronis Cyber Cloud (SCIM) has a new app profile and mappings.
- Acsense (API Service) now has additional scopes.
- Constant Contact by Aquera (SCIM) is now available. Learn more.
- Cyberlift (API Service) now has an additional scope.
- Domo by Aquera (SCIM) is now available. Learn more.
- Eccentex AppBase (SAML) is now available. Learn more.
- Go1 (SCIM) has an updated description.
- Guide (OIDC) is now available. Learn more.
- HPE Aruba Networking SSE (formerly Axis) (SAML) is now available. Learn more.
- LegalOn Cloud (SAML) is now available. Learn more.
- LivePreso (OIDC) is now available. Learn more.
- Metaphor (SCIM) is now available. Learn more.
- Netdata (SCIM) is now available. Learn more.
- OPTIZMO (SAML) is now available. Learn more.
- Scrut Automation (API Service) has a new logo.
- Secured Signing (OIDC) is now available. Learn more.
- Segment (SAML) is now available. Learn more.
- Smallstep (SCIM) has a new logo and description.
- Smartsheet v2 (SAML) now has an ACS URL and Audience URI.
- Snowflake Provisioning Connector by Aquera (SCIM) is now available. Learn more.
Version: 2024.09.0
September 2024
Note: This release will be deployed to the OK14 cell on September 19, 2024 at 3:00 PM PT.
Generally Available
Okta Active Directory Password Sync agent, version 1.6.0
This version of the agent includes security enhancements.
Sign-In Widget, version 7.23.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta LDAP Agent automatic update support
Admins can now initiate or schedule automatic updates to Okta LDAP agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta LDAP agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta LDAP agents.
Trusted App filters
Trusted App filters allow orgs to block applications from invoking Okta FastPass in Windows, and in Google Chrome and Firefox browsers for macOS. See Trusted app filters .
Admin Console Japanese translation
When this feature is enabled, all admin users in the org who use Japanese as their display language will see the Admin Console in Japanese. See Supported display languages.
System Log event updates
In the System Log, the user.risk.detect event now appears instead of the user.risk.change event when Okta detects an entity that's associated with a risk level.
Continuous Access has been renamed to Post auth session. As a part of the change, the following System Log events have been renamed as well:
- policy.continuous_access.evaluate has been renamed to policy.auth_reevaluate.enforce
- policy.continuous_access.action has been renamed to policy.auth_reevaluate.action
Deprecating App Password Health report
The App Password Health report has been deprecated. Use the Sign On Mode filter in the User App Access report to view SWA application password reset dates. The capability to ask users to reset SWA passwords has been removed.
Deprecating Recent Unassignments report
The Recent Unassignments report has been deprecated.
- Use the System Log event application.user_membership.remove to identify users who have been unassigned from an application. See Recently unassigned users.
- Use the User App Access report to identify users currently assigned to applications. See User App Access report.
Updates to App Usage report
The Application Usage report has been updated.
- The maximum number of rows in a CSV is increased to five million.
- The date range field uses the user's local time zone when determining results.
- The report downloads automatically when possible.
Improved JIT performance for directory integrations
JIT-enabled directory integrations now have improved response times for JIT requests.
Require MFA for Admin Console access
You can require multifactor authentication to access the Okta Admin Console. When you enable this feature, all Admin Console authentication policy rules that allow single factor access are updated to require multifactor authentication. See Enable MFA for the Admin Console. This feature will be gradually made available to all orgs.
Okta Personal for Workforce
Okta Personal for Workforce is a set of features that allows admins to separate their users' work data from non-work data. Admins can now offer their end users a free Okta Personal account to store personal data, allow them to switch between accounts, and migrate personal apps from an Okta enterprise tenant to Okta Personal. When Okta Personal for Workforce is enabled, personalized communications are sent to the end users encouraging them to use Okta Personal for personal data and Okta enterprise for work data. See Okta Personal for Workforce.
IP session restrictions for Okta Workflows
Okta super admins can now enable IP session restrictions for Okta Workflows. This feature ensures that all Workflows requests in a session use the same IP address that was logged when the session was created. If the IP address doesn't match any request, the session is terminated and the Workflows admin must sign in again.
Improved security for Microsoft Office 365
Microsoft Office 365 provisioning now eliminates the need for admin credentials by using a secure and modern OAuth-based authentication flow. This update will be gradually made available to all orgs.
Partial Universal Logout indicator in the OIN
The OIN catalog now indicates which apps support partial Universal Logout.
Changes to role permissions that handle API tokens
The following changes have been made to the permissions that handle API tokens:
- The View users and their details permission now includes the View API tokens permission.
- The Edit users' lifecycle states, Suspend users, and Clear users' sessions permissions now include the Manage API tokens permission.
- To view or manage tokens, use the Manage API tokens permission.
See Role permissions.
OIN connector support for Entitlement Management
The Dropbox Business, ServiceNow, SmartRecruiters, and Tableau connectors have been updated to support Entitlement Management. See Provisioning-enabled apps
New System Log events for Device Assurance Policy
New System Log events are generated when a device assurance policy is created, updated, or deleted:
- device.assurance.policy.add
- device.assurance.policy.update
- device.assurance.policy.delete
New System Log events for flow and table changes
The workflows.user.flow.move and workflows.user.table.move Okta Workflows events have been added to the System Log to record the changes that occur due to reorganization of folder-level resources.
New System Log entries for sign-in events
The user.authentication.auth_via_IDP System Log event has been created. This event records occurrences of unknown users attempting to sign in through an Identity Provider.
System Log event update
The user.authentication.auth_unconfigured_identifier System Log event now appears when a user signs in without an admin-configured identifier.
Support for migrating Office 365 apps to Microsoft Graph
You can now migrate your Office 365 Single Sign-On app (WS-Fed Auto) instances to a secure OAuth-based consent flow using Microsoft Graph. See Configure Single Sign-On for Office 365.
Improved API documentation
Our API documentation has a new look and feel! API content in the References section of the Developer Documentation website will be moved after September 30, 2024.
Early Access
Authentication method chain
With this feature, you can require users to verify with multiple authentication methods in a specified sequence. You can create multiple authentication method chains in an authentication policy rule to cater to different use cases and scenarios. See Authentication method chain.
IdP selection for admin resources
This feature gives customers the ability to select and manage the Identity Providers (IdPs) that they want to associate with an admin role. This enhances security by providing granular permissions to roles. See Create a resource set.
Granular configuration for Keep Me Signed In
Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands management API. See Keep me signed in and Brands API.
Global token revocation for wizard SAML and OIDC apps
Universal Logout clears sessions and tokens for wizard SAML and OIDC apps. This enhancement extends Universal Logout functionality to more types of apps and provides greater flexibility to admins.
Fixes
-
Okta Behavior Detection sometimes incorrectly marked sign-in requests as new behaviors. (OKTA-664827)
-
HealthInsight showed GitLab as supporting SAML when it only supports SCIM. (OKTA-706224)
-
System Log events for post auth session and entity risk policy entries didn't indicate whether they were executed in enforced or read-only mode. (OKTA-743937)
-
When a user tried to access OneDrive from the app on the Okta End-User Dashboard, an error occurred if there was an active Office 365 session. (OKTA-744748)
-
When an admin selected the Group push mappings encountered errors task for an AD integration, they were directed to a blank tab. (OKTA-753485)
-
Users couldn't launch the ShareFile app. (OKTA-756155)
-
The enrollment date for authenticators didn't appear on the End-User Settings (version 2.0) page. (OKTA-790271)
-
The phone authenticator page didn't render correctly in certain languages if the phone extension field name was too long. (OKTA-790283)
-
On managed iOS 18 devices, an error occurred when some users attempted to authenticate silently with Okta FastPass. (OKTA-791525)
-
The Active Directory sign-in page didn't load correctly if it was embedded using a Trusted Origin. (OKTA-796094)
-
When creating or updating a profile, user first or last names that contained a dot (last.name) triggered malformed field error messages. (OKTA-798884)
-
When the Allow multiple identities matching the criteria option was enabled for Smart Card IdP, suspending a Smart Card/PIV user resulted in an error on the sign-in page. (OKTA-798997)
-
When a user entered the wrong password to sign in to an org using delegated authentication to LDAP, the login cache was cleared. (OKTA-799642)
-
The Okta Usage and Application Usage reports date range selector used 3 months instead of 90 days as the earliest available date. (OKTA-801212)
-
Single Logout (SLO) was unavailable for Salesforce instances in Preview orgs. (OKTA-805013)
-
Some users couldn't open the Okta Access Requests app from their End-User Dashboard, despite the two apps having matching authentication policies. (OKTA-806140)
-
AD imports sometimes failed when Slack had group push mappings configured as the downstream app. (OKTA-806301)
Okta Integration Network
- Briefly AI (OIDC) is now available. Learn more.
- CAASS (SAML) is now available. Learn more.
- Cork (API service) is now available. Learn more.
- Everykey Integration (API service) is now available. Learn more.
- Heropa (SAML) is now available. Learn more.
- kickflow (SAML) is now available. Learn more.
- Nulab Pass (Backlog Cacoo Typetalk) (SAML) has a new integration guide.
- Obsidian Security (SAML) has a new region URL.
- Seismic Learning (SAML) has updated endpoints.
- Seismic Learning (SCIM) has an updated base URL.
- ShareFile (SWA) was updated. (OKTA-756155)
- Spiral (SAML) is now available. Learn more.
- Valence Okta Connector (API service) is now available. Learn more.
- VASTOnline (SAML) is now available. Learn more.
- Visily (SAML) is now available. Learn more.
- WideField Security - Detect (API service) is now available. Learn more.
- Wirespeed (API service) is now available. Learn more.
Weekly Updates
2024.09.1: Update 1 started deployment on September 24
Generally Available
Sign-In Widget, version 7.23.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Fixes
-
Search OUs configured for an Active Directory instance weren't updated in Okta when the corresponding OUs were deleted in AD. (OKTA-686217)
-
Full group names weren't displayed in search results on the Push Groups tab. (OKTA-710044)
-
On the Realm assignment form, the Profile Source and Realm assignment dropdown failed to display the list of available options. (OKTA-710761)
-
Users assigned to an AD or LDAP instance where delegated authentication wasn't enabled had their user login set incorrectly after enabling delegated authentication. (OKTA-711676)
-
Some admins couldn't filter the MFA Enrollment by User report by group. (OKTA-743062)
-
Users who already had the Google Authenticator enrolled saw an unclear error message if they tried to enroll it again. (OKTA-747092)
-
When a user requested a new app from the End-User Dashboard, the action wasn't recorded in the System Log. (OKTA-755410)
-
The Okta Expression Language string evaluation failed when creating a custom attribute in Universal Directory with the variable name timeZone. (OKTA-756071)
-
The Require user interaction and Require PIN or biometric user verification options were displayed in the Authentication Method Chain's policy rule even when user verification was disabled in the org. (OKTA-798034)
-
WebAuth couldn't be enrolled inline if the Authentication Method Chain feature was enabled and the enrollment policy required hardware protection. (OKTA-798371)
-
Same-Device Enrollment for Okta FastPass is now available again. The feature had been removed to resolve an Okta Verify enrollment issue. (OKTA-807716)
Okta Integration Network
- Breezy HR by Aquera (SCIM) is now available. Learn more.
- Ceretax (OIDC) is now available. Learn more.
- DBSnapper (OIDC) is now available. Learn more.
- Envoy (SCIM) has updated endpoints.
- Focal (OIDC) is now available. Learn more.
- Kickbox (OIDC) is now available. Learn more.
- Okta ISPM (API Service) has a new logo.
- Security Journey (SCIM) is now available. Learn more.
- StrongDM now has an AIP for the SCIM/OIDC URL.
- Teamup Calendar (OIDC) is now available. Learn more.
- Vanta (SAML) has updated endpoints.
- Wirespeed (API Service) has an updated description.
2024.09.2: Update 2 started deployment on September 30
Fixes
-
The End All Sessions section of the end-user Settings page didn't appear for some users. (OKTA-652620)
-
When editing a user's assignments, roles with numeric values appeared in the wrong position in the Role dropdown menu. Selecting Not mapped set the role to 629. (OKTA-729800)
-
An outdated Windows logo appeared for various downloads, such as agents. (OKTA-731993)
-
A non-sensitive cookie has been deprecated. (OKTA-733915)
-
Error messages that appeared to end users when they created, updated, or deleted a security method were unclear and not translated. (OKTA-797231)
-
A custom email provider test email couldn't be sent if the email address contained a non-standard domain such as .digital. (OKTA-798388)
-
The System Log event for blocked requests didn't contain ASN in the securityContext section. (OKTA-803219)
-
Single Logout (SLO) was unavailable for Salesforce instances in Preview orgs. (OKTA-805013)
-
Some users couldn't open the Okta Access Requests app from their End-User Dashboard, despite the two apps having matching authentication policies. (OKTA-806140)
-
AD imports sometimes failed when Slack had group push mappings configured as the downstream app. (OKTA-806301)
-
In the
page, the user details incorrectly appeared in the search bar. (OKTA-806750)
Okta Integration Network
- Bumblebee Networks (SAML) is now available. Learn more.
- Go1 (SCIM) is now available. Learn more.
- IDrive e2 (SAML) is now available. Learn more.
- Iris by Cro Metrics (OIDC) is now available. Learn more.
- Okta Identity Security Posture Management SSO (OIDC) is now available. Learn more.
- Nightfall AI (API Service) is now available. Learn more.
- NordLayer (OIDC) has an additional redirect URI.
- StrongDM has an AIP for the SCIM/OIDC URL.
- Syntinels (OIDC) is now available. Learn more.
- WINN.AI (OIDC) was updated. (OKTA-806820)
2024.09.3: Update 3 started deployment on October 7
Generally Available
Sign-In Widget, version 7.32.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Fixes
-
Some System Log event descriptions and display names weren't populated correctly. (OKTA-721947)
-
When using SCIM 2.0 and on-premises provisioning, some attributes weren't being updated during provisioning and import operations. (OKTA-745515)
-
The result summary of the Access Testing Tool for a disabled authenticator didn't match the authenticator enrollment policy. (OKTA-752890)
-
On managed iOS 18 devices, an error occurred when some users attempted to authenticate silently with Okta FastPass. (OKTA-791525)
-
The generic authenticator method wasn't shown if its first instance was inactive. (OKTA-806802)
-
Sometimes an Invalid Phone Number error was incorrectly returned during SMS factor enrollment. (OKTA-807741)
-
The Features page didn't include a link to the documentation for the Workday writeback enhancement Early Access feature. (OKTA-808626)
-
macOS 15 wasn't supported in device assurance policies. (OKTA-811338)
Okta Integration Network
- ADP Workforce Now by Aquera (SCIM) is now available. Learn more.
- AppWork (SAML) is now available. Learn more.
- Ben (SAML) is now available. Learn more.
- Blacksmith InfoSec (SCIM) is now available. Learn more.
- Cockroach Labs (OIDC) is now available. Learn more.
- Cockroach Labs (SAML) is now available. Learn more.
- CultureScience (OIDC) has a new display name, description, and redirect URI.
- Cyberlift (API Service) is now available. Learn more.
- Devolutions Hub Business (SCIM) is now available. Learn more.
- Detexian SSPM (API Service) now has additional scopes.
- DocketAI (SAML) is now available. Learn more.
- Fundraise Up SSO (SAML) is now available. Learn more.
- IELOVE-CLOUD (SAML) is now available. Learn more.
- Middleware (OIDC) is now available. Learn more.
- Middleware (SAML) is now available. Learn more.
- Obsidian Security (API Service) has a new integration guide.
- pclub.io (OIDC) is now available. Learn more.
- Rezonate Security (API Service) now has additional scopes.
- Rivial Cybersecurity Management Platform (SAML) is now available. Learn more.
- Scrut Automation (API Service) is now available. Learn more.
- Sightglass (OIDC) is now available. Learn more.
- T3 Connect (SCIM) has an updated app profile and mapping.
- TalentLMS by Aquera (SCIM) is now available. Learn more.
- WINN.AI (OIDC) has an updated initiate login URI and a new redirect URI.
- Workshop (SAML) has updated endpoints.
- Zoomifier Web App (OIDC) is now available. Learn more.