Okta Identity Engine release notes (Production)
Version: 2024.10.0
October 2024
Generally Available
Sign-In Widget, version 7.24.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Hyperspace Agent version 1.5.0
Hyperspace Agent version 1.5.0 is now available. This version uses Microsoft Edge WebView2 Runtime to display Sign-In Widget content. See Okta Hyperspace Agent version history.
JIT provisioning for Smart Card
This feature enables you to provision Just-In-Time (JIT) access to users. You can do this by configuring certificate attribute criteria so that PIV/CAC card holders of other orgs can gain access to the resources they need. See Add a Smart Card Identity Provider.
Enhanced dynamic zones
Use enhanced dynamic network zones to define IP service categories (proxies, VPNs), locations, and Autonomous System Numbers (ASNs) that are allowed or blocked in a zone. See Enhanced dynamic zones.
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 15
- iOS 17.7
- macOS 13.7
- macOS 14.7
- Windows 10 (10.0.17763.6293, 10.0.19044.4894, 10.0.19045.4957)
- Windows 11 (10.0.22000.3197, 10.0.22621.4249, 10.0.22631.4249)
Nonce rollout for Content Security Policy
Okta is rolling out nonces for the script-src directive of the Content Security Policy for every endpoint that returns HTML content. This is a two-stage process: first, the nonce is added to the script-src directive of the Content-Security-Policy-Report-Only header; later, after any unsafe inline scripts have been identified and fixed, the nonce is added to the script-src directive of the enforcing Content-Security-Policy header. This update will be gradually applied to all endpoints.
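The two stages described above, as an added example that is not Okta's code: a per-response nonce is generated, the same policy value is emitted first under the Report-Only header and then under the enforcing header, and a small scanner flags the inline script tags that a nonce-based script-src would block, which is the "identify unsafe inline scripts" step between the stages. The sample HTML, the report-uri path and the function names are constructed for this example.

```python
import re
import secrets


def new_nonce() -> str:
    # 128 bits from the OS CSPRNG, base64url-encoded; a fresh value on every response.
    return secrets.token_urlsafe(16)


def csp_header(nonce: str, report_only: bool, report_uri: str = "/csp-report") -> tuple[str, str]:
    """Return (header name, header value) for one rollout stage.

    Stage 1 (report_only=True) only reports violations; stage 2 enforces them.
    The report-uri path is an assumed placeholder for this example.
    """
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = f"script-src 'nonce-{nonce}'; report-uri {report_uri}"
    return name, value


# Opening <script ...> tags and a nonce="..." attribute inside them.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)


def scripts_blocked_by_nonce(html: str, nonce: str) -> list[str]:
    """Return the opening tags of <script> elements that lack the response's nonce.

    Under script-src 'nonce-<value>', every script (inline or external) must carry
    exactly that nonce; anything else is what the Report-Only stage would report.
    """
    blocked = []
    for match in SCRIPT_TAG.finditer(html):
        found = NONCE_ATTR.search(match.group(1))
        if found is None or found.group(1) != nonce:
            blocked.append(match.group(0))
    return blocked


def sample_page(nonce: str) -> str:
    # Constructed page: two scripts carry the nonce, one legacy inline script does not.
    return f"""<html><head>
<script nonce="{nonce}">window.__app = {{}};</script>
<script src="/static/app.js" nonce="{nonce}"></script>
<script>console.log("legacy inline script");</script>
</head><body></body></html>"""


if __name__ == "__main__":
    nonce = new_nonce()
    print(csp_header(nonce, report_only=True))   # stage 1
    print(csp_header(nonce, report_only=False))  # stage 2
    print("would be blocked:", scripts_blocked_by_nonce(sample_page(nonce), nonce))
```

Running the scanner against every HTML response during the Report-Only stage, alongside the browser's violation reports, gives a list of inline scripts to fix before the enforcing header is turned on.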
Deprecating provisioning for Confluence (Atlassian)
Provisioning for Confluence (Atlassian) has been deprecated.
UI update on the Brands page
Dropdown menus on the Brands page have been updated to provide a more consistent look and feel.
OIN connector support for Entitlement Management
The following connectors have been updated to support Entitlement Management:
- Coupa
- DocuSign
- WebEx
Group Owner assignments removed
The Group Owner assignment option has been removed from Access Requests for admin roles sequences.
Updated content on Entity Risk Policy page
UI text on the Entity Risk Policy page is updated for clarity and consistency.
New Okta Secure Identity collection in the OIN catalog
A new Okta Secure Identity collection is available in the Okta Integration Network (OIN) catalog. This collection identifies integrations that are part of the Okta Secure Identity commitment. See the OIN catalog for a list of integrations assigned to this collection.
Improved notifications in Admin Console policy
Notifications in the Admin Console authentication policy have been improved for better user experience.
System Log event types and outcome reasons
The user.authentication.auth_via_IDP and user.authentication.auth_via_social System Log event types now indicate whether a successful Identity Provider sign-in attempt was due to JIT provisioning or account linking. See Event types.
OIDC Identity Provider options
OIDC Identity Providers can now have both the Account Link and JIT policies set to disabled.
Event hooks for Identity Provider authentication
You can now use user authentication with Identity Provider events as event hooks. See Event Types for a list of events that you can use with event hooks.
Early Access
Step-up authentication for Office 365
This enhancement enables customers to dynamically prompt for Okta MFA when needed, without having MFA configured in the authentication policy. See Use Okta MFA for Azure Active Directory.
Grace period for device assurance
Occasionally, users' devices might fall out of compliance with security policies due to temporary conditions such as missed software updates or unapproved network connections. Without a grace period, they would be immediately blocked from accessing critical resources, which disrupts productivity and causes frustration. The Grace period for device assurance feature allows you to define a temporary window during which non-compliant devices can still access resources. This gives users time to remediate issues without being locked out, balancing productivity with security standards. See Add a device assurance policy.
Allow or disallow an authenticator instance in an authentication policy rule
You can now specify a custom authenticator instance in the allow or disallow lists of an authentication policy rule. This provides more granular control over which authenticators are available to users. See Add an authentication policy rule.
Identity Verification with third-party Identity Verification providers
When users take certain actions, Identity Verification enables you to use a third-party Identity Verification provider to verify the identity of your users. Verification requirements and the Identity Verification provider are based on your authentication policies and configurations within your Okta org. Okta supports Persona as a third-party Identity Verification provider. See Add an Identity Verification vendor as Identity Provider.
Same-Device Enrollment for Okta FastPass reactivated
Same-Device Enrollment for Okta FastPass is now available again. The feature had been removed to resolve an Okta Verify enrollment issue. On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:
- Users can initiate and complete enrollment on the device they're currently using. Previously, a second device was required for enrollments. Note that enrollment requires 2FA if possible, which may involve a second device.
- Users no longer need to enter their org URL during enrollment.
- The enrollment flow has fewer steps. This feature is supported on Android, iOS, and macOS devices.
To enable it, go to Same-Device Enrollment for Okta FastPass and turn it on.
Biometric user verification support in Authentication Method Chain
The Require biometric user verification option is now supported in Authentication Method Chains.
Authenticator actions hidden
Users must satisfy the requirements of an Okta account management policy to reset or remove their existing security methods. If they don't, the authenticator actions are now hidden from their Settings page. See Okta account management policy.
Custom Keep me signed in labels
Admins can now customize the Keep me signed in label on their sign-in page. See Branding.
Design enhancements for OIDC and SAML app integrations
When the feature is enabled, the OIDC and SAML app integration pages now have a single Logout section that includes all of the logout settings for the app. See Application Integration Wizard SAML field reference.
Fixes
- If an error occurred while performing a group push, the Push Status of the push group was only updated after refreshing the page manually. (OKTA-710642)
- When managing directories for a group, clicking Next without making any changes resulted in duplicate Previous and Cancel buttons being displayed. (OKTA-735984)
- Sometimes trying to access a SAML app through a service provider flow resulted in a 500 Internal Server error. (OKTA-739430)
- Admins couldn't set temporary passwords for users if Self-Service Password Reset was disabled. (OKTA-742231)
- In orgs that used a custom domain, admins were prompted to enter their username when they performed a protected action. (OKTA-747566)
- Sometimes, concurrent agentless DSSO JIT operations for a user broke app assignments, which required admin intervention to correct. (OKTA-752118)
- Some users couldn't enroll in Okta Verify for Desktop using WebAuthn. (OKTA-753346)
- The ability to view API tokens was incorrectly assigned to the custom admin role permissions for View users and their details. The ability to revoke API tokens was incorrectly assigned to the custom admin role permissions for Edit users' lifecycle states, Suspend users, and Clear users' sessions. (OKTA-801358)
- User passwords could be updated to match the answer to the recovery question. (OKTA-804681)
- The phone authenticator description about sending a security token by SMS or voice was misleading. (OKTA-804683)
- Inactive Identity Verification IdPs were listed in Okta account management policy rules. (OKTA-807331)
- The number of SAML-capable apps displayed on the Tasks page was incorrect. (OKTA-811744)
- The Sign-In Widget displayed an error message instead of sign-in fields and MFA challenges. (OKTA-812099)
- Sometimes, the Sign-In Widget didn't display remediation instructions when the Grace Period value was None. (OKTA-813942)
- Some admins with a custom role saw an error when they attempted to import user attributes. (OKTA-815012)
- After signing out of the Okta End-User Dashboard, users on ChromeOS devices couldn't sign back in. (OKTA-816091)
Okta Integration Network
- Bob by Aquera (SCIM) is now available. Learn more.
- Eccentex AppBase (SCIM) is now available. Learn more.
- GitHub Enterprise Server by Aquera (SCIM) is now available. Learn more.
- HPE Aruba Networking SSE - Axis (SAML) is now available. Learn more.
- Jurnee (OIDC) now has an initiate login URI.
- Oracle Cloud HCM by Aquera (SCIM) is now available. Learn more.
- SecureTrustZone (SAML) is now available. Learn more.
- Snowflake by Tech Prescient (SAML) is now available. Learn more.
- Teamgo Visitor Sign-in (SCIM) is now available. Learn more.
Version: 2024.09.0
September 2024
Note: This release will be deployed to the OK14 cell on September 19, 2024 at 3:00 PM PT.
Generally Available
Okta Active Directory Password Sync agent, version 1.6.0
This version of the agent includes security enhancements.
Sign-In Widget, version 7.23.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta LDAP Agent automatic update support
Admins can now initiate or schedule automatic updates to Okta LDAP agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta LDAP agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta LDAP agents.
Trusted App filters
Trusted App filters allow orgs to block applications from invoking Okta FastPass in Windows, and in Google Chrome and Firefox browsers for macOS. See Trusted app filters.
Admin Console Japanese translation
When this feature is enabled, all admin users in the org who use Japanese as their display language will see the Admin Console in Japanese. See Supported display languages.
System Log event updates
In the System Log, the user.risk.detect event now appears instead of the user.risk.change event when Okta detects an entity that's associated with a risk level.
Continuous Access has been renamed to Post auth session. As a part of the change, the following System Log events have been renamed as well:
- policy.continuous_access.evaluate has been renamed to policy.auth_reevaluate.enforce
- policy.continuous_access.action has been renamed to policy.auth_reevaluate.action
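Event renames like the ones above (and user.risk.change becoming user.risk.detect) silently break saved System Log queries and SIEM rules keyed on the old names. The following is an added example, not Okta tooling, of normalizing an exported log so that one rule matches events written before and after the rename. The log lines are constructed for this example and carry only the fields the code reads (eventType, published, outcome.result, actor.alternateId).

```python
import json

# Old event name -> new event name, as listed in these release notes.
RENAMED_EVENTS = {
    "user.risk.change": "user.risk.detect",
    "policy.continuous_access.evaluate": "policy.auth_reevaluate.enforce",
    "policy.continuous_access.action": "policy.auth_reevaluate.action",
}

# Constructed sample export: one JSON object per line, spanning the rename.
SAMPLE_LOG = """\
{"eventType": "policy.continuous_access.evaluate", "published": "2024-09-01T10:00:00Z", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"}}
{"eventType": "policy.auth_reevaluate.enforce", "published": "2024-09-20T10:00:00Z", "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "bob@example.com"}}
{"eventType": "user.risk.change", "published": "2024-09-02T11:00:00Z", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "carol@example.com"}}
{"eventType": "user.risk.detect", "published": "2024-09-21T11:00:00Z", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "dave@example.com"}}
{"eventType": "user.session.start", "published": "2024-09-21T12:00:00Z", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "erin@example.com"}}
"""


def normalize_event_type(event_type: str) -> str:
    """Map a legacy event name to its replacement; unchanged names pass through."""
    return RENAMED_EVENTS.get(event_type, event_type)


def parse_log(text: str):
    """Yield each event with its eventType rewritten to the current name."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["eventType"] = normalize_event_type(event["eventType"])
        yield event


def select_events(text: str, wanted: set) -> list:
    """Return events whose (normalized) type is in `wanted`, oldest first."""
    return sorted((e for e in parse_log(text) if e["eventType"] in wanted),
                  key=lambda e: e["published"])


def actors_for(text: str, event_type: str) -> list:
    """Actor logins for one event type, across both the old and the new name."""
    return [e["actor"]["alternateId"] for e in select_events(text, {event_type})]


if __name__ == "__main__":
    for e in select_events(SAMPLE_LOG, {"policy.auth_reevaluate.enforce", "user.risk.detect"}):
        print(e["published"], e["eventType"], e["outcome"]["result"], e["actor"]["alternateId"])
```

Rules written against the new names then keep matching historical data without a second copy of every query for the legacy name.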
Deprecating App Password Health report
The App Password Health report has been deprecated. Use the Sign On Mode filter in the User App Access report to view SWA application password reset dates. The capability to ask users to reset SWA passwords has been removed.
Deprecating Recent Unassignments report
The Recent Unassignments report has been deprecated.
- Use the System Log event application.user_membership.remove to identify users who have been unassigned from an application. See Recently unassigned users.
- Use the User App Access report to identify users currently assigned to applications. See User App Access report.
Updates to App Usage report
The Application Usage report has been updated.
- The maximum number of rows in a CSV is increased to five million.
- The date range field uses the user's local time zone when determining results.
- The report downloads automatically when possible.
Improved JIT performance for directory integrations
JIT-enabled directory integrations now have improved response times for JIT requests.
Require MFA for Admin Console access
You can require multifactor authentication to access the Okta Admin Console. When you enable this feature, all Admin Console authentication policy rules that allow single factor access are updated to require multifactor authentication. See Enable MFA for the Admin Console. This feature will be gradually made available to all orgs.
Okta Personal for Workforce
Okta Personal for Workforce is a set of features that allows admins to separate their users' work data from non-work data. Admins can now offer their end users a free Okta Personal account to store personal data, allow them to switch between accounts, and migrate personal apps from an Okta enterprise tenant to Okta Personal. When Okta Personal for Workforce is enabled, personalized communications are sent to the end users encouraging them to use Okta Personal for personal data and Okta enterprise for work data. See Okta Personal for Workforce.
IP session restrictions for Okta Workflows
Okta super admins can now enable IP session restrictions for Okta Workflows. This feature ensures that all Workflows requests in a session use the same IP address that was logged when the session was created. If the IP address doesn't match any request, the session is terminated and the Workflows admin must sign in again.
Improved security for Microsoft Office 365
Microsoft Office 365 provisioning now eliminates the need for admin credentials by using a secure and modern OAuth-based authentication flow. This update will be gradually made available to all orgs.
Partial Universal Logout indicator in the OIN
The OIN catalog now indicates which apps support partial Universal Logout.
Changes to role permissions that handle API tokens
The following changes have been made to the permissions that handle API tokens:
- The View users and their details permission now includes the View API tokens permission.
- The Edit users' lifecycle states, Suspend users, and Clear users' sessions permissions now include the Manage API tokens permission.
- To view or manage tokens, use the Manage API tokens permission.
See Role permissions.
OIN connector support for Entitlement Management
The Dropbox Business, ServiceNow, SmartRecruiters, and Tableau connectors have been updated to support Entitlement Management. See Provisioning-enabled apps.
New System Log events for Device Assurance Policy
New System Log events are generated when a device assurance policy is created, updated, or deleted:
- device.assurance.policy.add
- device.assurance.policy.update
- device.assurance.policy.delete
New System Log events for flow and table changes
The workflows.user.flow.move and workflows.user.table.move Okta Workflows events have been added to the System Log to record the changes that occur due to reorganization of folder-level resources.
New System Log entries for sign-in events
The user.authentication.auth_via_IDP System Log event has been created. This event records occurrences of unknown users attempting to sign in through an Identity Provider.
System Log event update
The user.authentication.auth_unconfigured_identifier System Log event now appears when a user signs in without an admin-configured identifier.
Support for migrating Office 365 apps to Microsoft Graph
You can now migrate your Office 365 Single Sign-On app (WS-Fed Auto) instances to a secure OAuth-based consent flow using Microsoft Graph. See Configure Single Sign-On for Office 365.
Improved API documentation
Our API documentation has a new look and feel! API content in the References section of the Developer Documentation website will be moved after September 30, 2024.
Early Access
Authentication method chain
With this feature, you can require users to verify with multiple authentication methods in a specified sequence. You can create multiple authentication method chains in an authentication policy rule to cater to different use cases and scenarios. See Authentication method chain.
IdP selection for admin resources
This feature gives customers the ability to select and manage the Identity Providers (IdPs) that they want to associate with an admin role. This enhances security by providing granular permissions to roles. See Create a resource set.
Granular configuration for Keep Me Signed In
Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands management API. See Keep me signed in and Brands API.
Global token revocation for wizard SAML and OIDC apps
Universal Logout clears sessions and tokens for wizard SAML and OIDC apps. This enhancement extends Universal Logout functionality to more types of apps and provides greater flexibility to admins.
Fixes
- Okta Behavior Detection sometimes incorrectly marked sign-in requests as new behaviors. (OKTA-664827)
- HealthInsight showed GitLab as supporting SAML when it only supports SCIM. (OKTA-706224)
- System Log events for post auth session and entity risk policy entries didn't indicate whether they were executed in enforced or read-only mode. (OKTA-743937)
- When a user tried to access OneDrive from the app on the Okta End-User Dashboard, an error occurred if there was an active Office 365 session. (OKTA-744748)
- When an admin selected the Group push mappings encountered errors task for an AD integration, they were directed to a blank tab. (OKTA-753485)
- Users couldn't launch the ShareFile app. (OKTA-756155)
- The enrollment date for authenticators didn't appear on the End-User Settings (version 2.0) page. (OKTA-790271)
- The phone authenticator page didn't render correctly in certain languages if the phone extension field name was too long. (OKTA-790283)
- On managed iOS 18 devices, an error occurred when some users attempted to authenticate silently with Okta FastPass. (OKTA-791525)
- The Active Directory sign-in page didn't load correctly if it was embedded using a Trusted Origin. (OKTA-796094)
- When creating or updating a profile, user first or last names that contained a dot (last.name) triggered malformed field error messages. (OKTA-798884)
- When the Allow multiple identities matching the criteria option was enabled for Smart Card IdP, suspending a Smart Card/PIV user resulted in an error on the sign-in page. (OKTA-798997)
- When a user entered the wrong password to sign in to an org using delegated authentication to LDAP, the login cache was cleared. (OKTA-799642)
- The Okta Usage and Application Usage reports date range selector used 3 months instead of 90 days as the earliest available date. (OKTA-801212)
- Single Logout (SLO) was unavailable for Salesforce instances in Preview orgs. (OKTA-805013)
- Some users couldn't open the Okta Access Requests app from their End-User Dashboard, despite the two apps having matching authentication policies. (OKTA-806140)
- AD imports sometimes failed when Slack had group push mappings configured as the downstream app. (OKTA-806301)
Okta Integration Network
- Briefly AI (OIDC) is now available. Learn more.
- CAASS (SAML) is now available. Learn more.
- Cork (API service) is now available. Learn more.
- Everykey Integration (API service) is now available. Learn more.
- Heropa (SAML) is now available. Learn more.
- kickflow (SAML) is now available. Learn more.
- Nulab Pass (Backlog Cacoo Typetalk) (SAML) has a new integration guide.
- Obsidian Security (SAML) has a new region URL.
- Seismic Learning (SAML) has updated endpoints.
- Seismic Learning (SCIM) has an updated base URL.
- ShareFile (SWA) was updated. (OKTA-756155)
- Spiral (SAML) is now available. Learn more.
- Valence Okta Connector (API service) is now available. Learn more.
- VASTOnline (SAML) is now available. Learn more.
- Visily (SAML) is now available. Learn more.
- WideField Security - Detect (API service) is now available. Learn more.
- Wirespeed (API service) is now available. Learn more.
Weekly Updates
2024.09.1: Update 1 started deployment on September 24
Generally Available
Sign-In Widget, version 7.23.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Fixes
- Search OUs configured for an Active Directory instance weren't updated in Okta when the corresponding OUs were deleted in AD. (OKTA-686217)
- Full group names weren't displayed in search results on the Push Groups tab. (OKTA-710044)
- On the Realm assignment form, the Profile Source and Realm assignment dropdown failed to display the list of available options. (OKTA-710761)
- Users assigned to an AD or LDAP instance where delegated authentication wasn't enabled had their user login set incorrectly after enabling delegated authentication. (OKTA-711676)
- Some admins couldn't filter the MFA Enrollment by User report by group. (OKTA-743062)
- Users who already had the Google Authenticator enrolled saw an unclear error message if they tried to enroll it again. (OKTA-747092)
- When a user requested a new app from the End-User Dashboard, the action wasn't recorded in the System Log. (OKTA-755410)
- The Okta Expression Language string evaluation failed when creating a custom attribute in Universal Directory with the variable name timeZone. (OKTA-756071)
- The Require user interaction and Require PIN or biometric user verification options were displayed in the Authentication Method Chain's policy rule even when user verification was disabled in the org. (OKTA-798034)
- WebAuthn couldn't be enrolled inline if the Authentication Method Chain feature was enabled and the enrollment policy required hardware protection. (OKTA-798371)
- Same-Device Enrollment for Okta FastPass is now available again. The feature had been removed to resolve an Okta Verify enrollment issue. (OKTA-807716)
Okta Integration Network
- Breezy HR by Aquera (SCIM) is now available. Learn more.
- Ceretax (OIDC) is now available. Learn more.
- DBSnapper (OIDC) is now available. Learn more.
- Envoy (SCIM) has updated endpoints.
- Focal (OIDC) is now available. Learn more.
- Kickbox (OIDC) is now available. Learn more.
- Okta ISPM (API Service) has a new logo.
- Security Journey (SCIM) is now available. Learn more.
- StrongDM now has an AIP for the SCIM/OIDC URL.
- Teamup Calendar (OIDC) is now available. Learn more.
- Vanta (SAML) has updated endpoints.
- Wirespeed (API Service) has an updated description.
2024.09.2: Update 2 started deployment on September 30
Fixes
- The End All Sessions section of the end-user Settings page didn't appear for some users. (OKTA-652620)
- When editing a user's assignments, roles with numeric values appeared in the wrong position in the Role dropdown menu. Selecting Not mapped set the role to 629. (OKTA-729800)
- An outdated Windows logo appeared for various downloads, such as agents. (OKTA-731993)
- A non-sensitive cookie has been deprecated. (OKTA-733915)
- Error messages that appeared to end users when they created, updated, or deleted a security method were unclear and not translated. (OKTA-797231)
- A custom email provider test email couldn't be sent if the email address contained a non-standard domain such as .digital. (OKTA-798388)
- The System Log event for blocked requests didn't contain ASN in the securityContext section. (OKTA-803219)
- Single Logout (SLO) was unavailable for Salesforce instances in Preview orgs. (OKTA-805013)
- Some users couldn't open the Okta Access Requests app from their End-User Dashboard, despite the two apps having matching authentication policies. (OKTA-806140)
- AD imports sometimes failed when Slack had group push mappings configured as the downstream app. (OKTA-806301)
- In the page, the user details incorrectly appeared in the search bar. (OKTA-806750)
Okta Integration Network
- Bumblebee Networks (SAML) is now available. Learn more.
- Go1 (SCIM) is now available. Learn more.
- IDrive e2 (SAML) is now available. Learn more.
- Iris by Cro Metrics (OIDC) is now available. Learn more.
- Okta Identity Security Posture Management SSO (OIDC) is now available. Learn more.
- Nightfall AI (API Service) is now available. Learn more.
- NordLayer (OIDC) has an additional redirect URI.
- StrongDM has an AIP for the SCIM/OIDC URL.
- Syntinels (OIDC) is now available. Learn more.
- WINN.AI (OIDC) was updated. (OKTA-806820)
2024.09.3: Update 3 started deployment on October 7
Generally Available
Sign-In Widget, version 7.32.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Fixes
- Some System Log event descriptions and display names weren't populated correctly. (OKTA-721947)
- When using SCIM 2.0 and on-premises provisioning, some attributes weren't being updated during provisioning and import operations. (OKTA-745515)
- The result summary of the Access Testing Tool for a disabled authenticator didn't match the authenticator enrollment policy. (OKTA-752890)
- On managed iOS 18 devices, an error occurred when some users attempted to authenticate silently with Okta FastPass. (OKTA-791525)
- The generic authenticator method wasn't shown if its first instance was inactive. (OKTA-806802)
- Sometimes an Invalid Phone Number error was incorrectly returned during SMS factor enrollment. (OKTA-807741)
- The Features page didn't include a link to the documentation for the Workday writeback enhancement Early Access feature. (OKTA-808626)
- macOS 15 wasn't supported in device assurance policies. (OKTA-811338)
Okta Integration Network
- ADP Workforce Now by Aquera (SCIM) is now available. Learn more.
- AppWork (SAML) is now available. Learn more.
- Ben (SAML) is now available. Learn more.
- Blacksmith InfoSec (SCIM) is now available. Learn more.
- Cockroach Labs (OIDC) is now available. Learn more.
- Cockroach Labs (SAML) is now available. Learn more.
- CultureScience (OIDC) has a new display name, description, and redirect URI.
- Cyberlift (API Service) is now available. Learn more.
- Devolutions Hub Business (SCIM) is now available. Learn more.
- Detexian SSPM (API Service) now has additional scopes.
- DocketAI (SAML) is now available. Learn more.
- Fundraise Up SSO (SAML) is now available. Learn more.
- IELOVE-CLOUD (SAML) is now available. Learn more.
- Middleware (OIDC) is now available. Learn more.
- Middleware (SAML) is now available. Learn more.
- Obsidian Security (API Service) has a new integration guide.
- pclub.io (OIDC) is now available. Learn more.
- Rezonate Security (API Service) now has additional scopes.
- Rivial Cybersecurity Management Platform (SAML) is now available. Learn more.
- Scrut Automation (API Service) is now available. Learn more.
- Sightglass (OIDC) is now available. Learn more.
- T3 Connect (SCIM) has an updated app profile and mapping.
- TalentLMS by Aquera (SCIM) is now available. Learn more.
- WINN.AI (OIDC) has an updated initiate login URI and a new redirect URI.
- Workshop (SAML) has updated endpoints.
- Zoomifier Web App (OIDC) is now available. Learn more.
Version: 2024.08.0
August 2024
Generally Available
Sign-In Widget, version 7.21.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Detect and block requests from anonymizing proxies
Orgs can now detect and block web requests that come from anonymizers. This helps improve the overall security of your org. See Enhanced dynamic zones.
New View client credentials admin role permission
The new View client credentials permission lets admins view OAuth client secrets. The View applications and their details permission no longer includes this privilege. This enhancement lets admins assign more granular permissions and reduce the risk of creating roles with too many privileges. This feature will be gradually made available to all orgs.
Network zone allowlists for SSWS API tokens
Admins can now specify a network zone allowlist for each static (SSWS) API token. These allowlists define the IP addresses or network ranges from which Okta API requests using the token can be made. This limits the value of a stolen SSWS token: an attacker or malware that replays it from outside the specified IP ranges is refused rather than gaining unauthorized access.
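Both the SSWS token allowlist above and the IP session restrictions for Okta Workflows in the September notes are instances of binding a credential to a source IP. The following is an added example, not Okta's implementation, of both checks: a per-token allowlist of network ranges evaluated with the standard ipaddress module, and a session that records the IP it was created from and is terminated when a later request arrives from a different one. The token ids, ranges (documentation networks) and session values are constructed; in this example a token with no allowlist configured is treated as unrestricted, which is an assumption about policy, not a statement about Okta's behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allowlists: SSWS token id -> network zone ranges it may be used from.
TOKEN_ALLOWLISTS = {
    "token-ci-runner": ["203.0.113.0/24"],                   # TEST-NET-3
    "token-office": ["198.51.100.0/24", "192.0.2.10/32"],    # TEST-NET-2 + one host
}


def token_request_allowed(token_id: str, client_ip: str) -> bool:
    """Allow an API request only if the client IP falls inside the token's allowlist.

    Assumption for this example: a token with no allowlist is unrestricted.
    """
    ranges = TOKEN_ALLOWLISTS.get(token_id)
    if ranges is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(r, strict=True) for r in ranges)


@dataclass
class Session:
    session_id: str
    user: str
    bound_ip: str        # IP recorded when the session was created
    active: bool = True


def validate_session(session: Session, request_ip: str) -> bool:
    """Accept the request only from the session's creation IP; otherwise terminate it.

    A terminated session stays terminated, so the user has to sign in again
    even if a later request comes from the original IP.
    """
    if not session.active:
        return False
    if ipaddress.ip_address(request_ip) != ipaddress.ip_address(session.bound_ip):
        session.active = False
        return False
    return True


if __name__ == "__main__":
    print(token_request_allowed("token-ci-runner", "203.0.113.7"))    # True
    print(token_request_allowed("token-ci-runner", "198.51.100.7"))   # False
    s = Session("s-1", "alice@example.com", "198.51.100.23")
    print(validate_session(s, "198.51.100.23"))   # True
    print(validate_session(s, "198.51.100.24"))   # False, session terminated
    print(validate_session(s, "198.51.100.23"))   # False, must sign in again
```

The allowlist check is stateless and belongs at the API gateway; the session check needs the recorded IP stored server-side with the session. Clients behind carrier-grade NAT or roaming between networks will trip the session check, which is the expected trade-off of this control.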
ADSSO authentication parameters
When a state token is used, Okta removes the fromURI parameter from the ADSSO authentication POST request.
View System Logs for Office 365 authentication events
You can now view authentication events in the System Log when using WS-Fed to authenticate through Office 365 active (WS-Trust-1.2) and username13 (WS-Trust-1.3) endpoints.
Updates to the Suspicious Activity report
The Suspicious Activity report has been updated to a System Log report. Use the System Log query to search and filter for unusual activities in your org. The query allows you to filter events with more precision and provides more information about each event than what the previous report provided. This information can help you better determine the validity of user actions. See Suspicious activity events.
Updates to Deprovisioning Details report
The Deprovision Details report has been updated to a System Log report. Use the System Log query to search and filter for deprovisioned users with more context and precision than the previous report. See Deprovision Details report.
Deprecating Current Assignments report
The Current Assignment report has been deprecated. Use the User App Access report to identify users currently assigned to applications. See User App Access report. Use the System Log event application.user_membership.remove to identify users who have been unassigned from an application. See Recently unassigned users.
Prevent new single-factor access to the Admin Console
This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature will be gradually made available to all orgs.
System Log enhancement
Certain system log events now contain a new property called changeDetails in the target. When this property is populated, it reflects new, changed, or removed attributes of the target resource that has been modified. See changeDetails property.
System Log event updates
The following System Log events are now available:
- application.provision.group_push.deactivate_mapping
- system.agent.register
- security.attack_protection.settings.update
- device.platform.secret_key.reset
- system.self_service.configuration.update
- user.behavior.profile.reset
- security.events.transmitter.create
- security.events.transmitter.update
- security.events.transmitter.delete
- security.events.provider.create
- security.events.provider.update
- security.events.provider.activate
- security.events.provider.deactivate
- security.events.provider.delete
- system.identity_sources.bulk_upsert
- system.identity_sources.bulk_delete
- system.import.schedule
- system.import.user_match.confirm
- system.import.user_match.unignore
- system.import.user_match.update
- The application.lifecycle.update event now has the sessionIdleTimeoutMinutes and sessionMaxLifetimeMinutes fields. These fields add more session details to the event.
See Event types.
System Log event updates for Universal Directory
The following System Log events are now available:
- Linked object created
- Linked object deleted
- User profile updated
- Group owner updated
- Group owner removed
Identity Provider external names
Okta now warns admins if an Identity Provider (IdP) with custom attributes has an empty externalName field. Admins must now update the custom attribute through the API, or delete it from the Admin Console and re-add it with the externalName field defined. This ensures that Okta receives the custom attribute when users enroll through Just-In-Time provisioning scenarios.
Request throttling for jwks_uri
Okta has decreased the frequency at which it reloads JWKs from a customer's jwks_uri.
Rate limit for telephony inline hook
Okta now enforces by default a rate limit for the telephony inline hook to protect your org from toll-fraud attacks. See Connect to an external telephony service provider.
Universal Logout supported apps
The Surf browser now supports Universal Logout. This enables admins to automatically sign users out of this app when Universal Logout is triggered.
Authorization server default access policy deprecation
The authorization server default access policy is no longer provided in child orgs that are generated from APIs. Users can click Add New Access Policy to add policies. See Create access policies.
Early Access
Require MFA for accessing Identity Governance admin apps
If your org uses Okta Identity Governance, you can require MFA for admins who access these first-party apps:
- Okta Access Certifications
- Okta Entitlement Management
- Okta Access Requests Admin
If you have auto-enabled Early Access features in your org, MFA is automatically enforced for those apps. See Enable MFA for the Admin Console.
OAuth 2.0 security for invoking API endpoints
Okta Workflows users can now securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this feature is more secure while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint. See Invoke a flow with an API endpoint.
Okta account management policy
The Okta account management policy helps admins easily build phishing resistance into actions such as account unlock, password recovery, and authenticator enrollment. Using the familiar rule-based framework of an authentication policy, admins can now customize which phishing-resistant authenticators are required when users attempt these common self-service actions. All of the configurations in the authentication policies can now be applied for authenticator management. See Okta account management policy.
Biometric user verification in authentication policies
You can now configure authentication policies to require biometric user verification (no passcode). With this feature you ensure that users confirm their biometrics when they authenticate with Okta FastPass or Okta Verify Push. See Biometric user verification in authentication policies.
Fixes
- When the display language was set to Japanese, some text on the Upgrade Okta Verify with Push window wasn't translated. (OKTA-658461)
- Some Identity Providers didn't share custom attributes with Okta when the externalName field was empty. (OKTA-713526)
- The Sign-In Widget didn't display the correct client ID when a customized client ID was used. (OKTA-722623)
- Users with a custom admin role that included the View Directory permission were unable to view the Directory Integration page in the Admin Console. (OKTA-733030)
- In some cases, an Okta org edition couldn't be changed. (OKTA-741688)
- Admins couldn't edit IP restrictions for tokens created by agents. (OKTA-745048)
- Some Android, iOS, and iPadOS users couldn't enroll with Okta Verify when the Higher security methods enrollment option was enabled. (OKTA-745318)
- In some instances, a rate limit was reached when assigning entitlements to a user. (OKTA-746095)
- The Universal Logout endpoint (oauth2/v1/global-token-revocation) used the incorrect OAuth 2.0 scope. (OKTA-747477)
- Some users couldn't sign in if the global session policy that applied to them was deleted. (OKTA-754352)
- System Log events weren't produced when admins changed an app's Radius Authentication Protocol settings. (OKTA-755604)
- Admins received report emails with links to empty CSV exports. (OKTA-756393)
Okta Integration Network
- BRM (OIDC) is now available. Learn more.
- Getty Images (SAML) now has additional ACS endpoints.
- GitHub Enterprise Server is now called GitHub Enterprise Server (legacy).
- Haystack (SAML) is now available. Learn more.
- IBM AS/400 by Aquera (SCIM) is now available. Learn more.
- INCRMNTAL (OIDC) is now available. Learn more.
- Kuggar (OIDC) is now available. Learn more.
- Pmovel (OIDC) is now available. Learn more.
- Salesforce Social IdP was updated (OKTA-733640).
- UKG Ready by Aquera (SCIM) is now available. Learn more.
- Vinkey (OIDC) is now available. Learn more.
- WebWork Time Tracker (SCIM) is now available. Learn more.
- Wiz (API service) is now available. Learn more.
Weekly Updates
2024.08.1: Update 1 started deployment on August 19
Generally Available
Enforce MFA for Identity Governance admin apps update
The Enforce MFA for Identity Governance admin apps feature is available as a self-service Early Access feature only if the Enforce MFA to access the Admin Console feature is enabled.
Fixes
- When admins viewed an OAuth client's secrets, Okta didn't trigger a System Log event. (OKTA-692600)
- A System Log event wasn't always recorded when unlocked, Active Directory-sourced users tried to unlock their account from the Okta Sign-In Widget. (OKTA-724743)
- The Identity Providers filter was missing from the Profile Editor page for some users in orgs that had the Enable Custom Admin Roles for Identity Providers feature turned on. (OKTA-724750)
- Super admins who were assigned permissions through a group assignment couldn't see the Password Hash Export option even when it was enabled in the org. (OKTA-736079)
- Some users couldn't sign in using a password and security question. (OKTA-740646)
- Users to whom the Device Trust policy was applied received an error when signing in. (OKTA-745480)
- The Allow Unknown Devices button wasn't visible on the user's profile page. (OKTA-746893)
- Two Session timeout warning modals appeared when a user's session was about to expire. (OKTA-748766)
- Admins couldn't search for AuthenticatorContext in the user.authentication.auth_via_mfa event in the System Log. (OKTA-750669)
- The activation link in the Welcome email didn't always work. (OKTA-752981)
- On the Roles, Resources, and Admins tabs on the Administrators page and in the Edit resources to a standard role dialog, admins couldn't use an ampersand (&) in their search. (OKTA-753904)
Okta Integration Network
- Anzenna has a new icon.
- Brainier LMS by Aquera (SCIM) is now available. Learn more.
- Cezanne (SCIM) is now available. Learn more.
- CloudAcademy has been rebranded as QA.
- DeleteMe (SCIM) now supports creating and updating users.
- dscout (SCIM) is now available. Learn more.
- Floqast has a new icon.
- IBM AS 400 by Aquera has been rebranded as IBM OS/400 on AS/400 (IBM i on Power Systems) by Aquera.
- Jellyfish (SCIM) has two new default user roles for the roles attribute.
2024.08.2: Update 2 started deployment on August 26
Fixes
- When two or more OIDC Identity Providers (IdPs) were configured in an org, one of the IdPs' authorization codes could be processed by another IdP. (OKTA-672676)
- The user icon description on the Sign-In Widget wasn't read by some assistive technologies. (OKTA-684423)
- A blank warning message appeared when a report was blocked by a browser's pop-up blocker. (OKTA-692566)
- The Test Delegated Authentication option ran the test flow designed for Classic Engine orgs. (OKTA-714631)
- In orgs with the Okta account management policy configured for recovery, admins couldn't save the password policy without an authenticator selected. (OKTA-738910)
- Japanese text wasn't wrapped properly on the Set up Okta Verify page of the Sign-In Widget. (OKTA-745200)
- Some admins couldn't view the Edit profile and mappings button on the Edit IdP page when the identity provider custom admin role was enabled. (OKTA-747255)
- App embed links that contained trailing slashes incorrectly redirected to the End-User Dashboard rather than the requested application. (OKTA-753261)
- Some group admins couldn't use the CSV uploader. (OKTA-756654)
- SSO IWA appeared on the Downloads page, which is unsupported for Identity Engine orgs. (OKTA-756656)
- The policy.auth_reevaluate.fail System Log event didn't include a display message. (OKTA-790658)
- When Authentication Method Reference (AMR) claims were sent as comma-separated values, AMR claims mapping for SAML failed. (OKTA-791512)
- When the Authentication Method Chain feature was enabled, sometimes the Duo Security Authenticator couldn't be set as a step in the authentication chain. (OKTA-790533)
- When the Authentication Method Chain feature was enabled with email and password as authenticators, SMS was incorrectly counted as a second factor. (OKTA-792089)
- The link to the Session Violation Report on the Post auth session page didn't work correctly. (OKTA-793064)
Okta Integration Network
- Acsense (API service) is now available. Learn more.
- Backupta (OIDC) is now available. Learn more.
- Cisco User Management Connector Gov (SCIM) is now available. Learn more.
- Clutch Security (API service) now has the okta.oauthIntegrations.read scope.
- Figma (SCIM) is now available. Learn more.
- Greenhouse Onboarding by Aquera (SCIM) is now available. Learn more.
- myComply (OIDC) is now available. Learn more.
- Pendo (SAML) has a new integration guide.
- Reftab Discovery (API service) now has the okta.logs.read scope.
- Supernormal (SAML) is now available. Learn more.
- Syncly, Inc (OIDC) is now available. Learn more.
2024.08.3: Update 3 started deployment on September 3
Generally Available
Sign-In Widget, version 7.21.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Improved event reporting
The IP reputation data is now reported more frequently in System Log events. You can find this information in the DebugData or SecurityContext sections of the event.
Fixes
- Admins couldn't create routing rules using the Policy API due to a cache issue. (OKTA-712397)
- Group membership changes in Okta were sometimes incomplete in ServiceNow when Group Push was used. (OKTA-716692)
- Policies with deny rules weren't considered duplicates and couldn't be merged. (OKTA-728707)
- Some users that were running Apple macOS Ventura 13.6.7 couldn't authenticate. (OKTA-733975)
- When the display language was set to Japanese, some text on the Create new resource set page wasn't translated. (OKTA-742653)
- Okta didn't check whether operating system versions were greater than or equal to a required version. (OKTA-743658)
- Provisioning of a user from a source to a target org failed in some Org2Org configurations because the user in the target org was still activating. (OKTA-747231)
- When the Biometrics-only User Verification feature was disabled, activating or deactivating authentication policy rules with the biometrics-only constraint threw an error. (OKTA-755394)
- When multiple PIV user identities were enabled, active identities with an expired password didn't show up as an option when a user signed in. (OKTA-791790)
- The Sign-In Widget failed to prompt users with the last-used security method during the authentication flow. (OKTA-792783)
- Some users couldn't sign in using a password and security question. (OKTA-793352)
- When a user entered the wrong password to sign in to an org using delegated authentication to LDAP, the login cache was cleared. (OKTA-799642)
Okta Integration Network
- Adyen by Aquera (SCIM) is now available. Learn more.
- CloudAcademy (SAML) has a new logo, a new display name, and support for additional endpoints.
- Command Zero (API service) now has additional scopes.
- Currents (SCIM) is now available. Learn more.
- DeleteMe now has SCIM functionality.
- Experience.com (OIDC) now has additional redirect URIs.
- TerraTrue (SCIM) now supports group push.
- Summize (SCIM) now has the openid scope.