| Change | Expected in Preview Orgs |
| --- | --- |
| Password Import Event eligible for use in Event Hook | June 3, 2020 |
| OAuth public metadata endpoint caching | June 3, 2020 |
| Issuer identifier in tokens when using Custom URL Domain | June 2, 2020 |
| Improved new device behavior detection | June 3, 2020 |
| Dynamic authentication context for SAML apps | June 2, 2020 |
| New JWKS key length validation | June 3, 2020 |
The user.import.password event provides information on the outcome of the import of an individual user's password during the Password Import flow. This event is eligible for use in an Event Hook, so you can trigger removal of a password from your existing user store once the import to Okta is confirmed as successful.
no-cache headers are no longer sent in responses returned by the following OAuth public metadata endpoints:
When the Custom URL Domain feature is enabled and apps are configured to use CUSTOM_URL as the issuer_mode, tokens minted during an SP-initiated flow now use the request hostname in the value of the issuer identifier (iss) claim, while those minted during an IdP-initiated flow use the custom URL. This change currently only applies to new Preview orgs.
When this feature is enabled, stronger signals are used for the detection of new devices. Devices with web browsers that don't store cookies are treated as new, and trusted applications must send a unique identifier for each device as a device token.
You can configure a custom attribute statement for SAML assertions to send user authentication context to SAML apps during the app authentication process. Apps can use this information to limit access to certain app-specific behaviors and calculate the risk profile for the signed-in user.
New client JSON Web Key Sets are now validated and rejected if the key length is less than 2048 bits.
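A pre-registration check for the JWKS key length rule above, as an added example that is not Okta's code. It assumes "key length" means the bit length of the RSA modulus (the JWK "n" member); the function names and sample keys are hypothetical.

```python
import base64

MIN_RSA_BITS = 2048  # threshold stated in the release note


def b64url_to_int(value: str) -> int:
    """Decode an unpadded base64url big-endian integer (JWK 'n' / 'e')."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def int_to_b64url(number: int) -> str:
    """Encode an integer as unpadded base64url, used to build the samples."""
    raw = number.to_bytes((number.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_jwks(jwks: dict) -> list:
    """Return (kid, modulus_bits, verdict) for every key in a JWKS document."""
    results = []
    for key in jwks.get("keys", []):
        kid = key.get("kid", "<no kid>")
        if key.get("kty") != "RSA":
            # Assumption: only RSA moduli are measured here.
            results.append((kid, None, "not checked (non-RSA)"))
            continue
        try:
            # bit_length() ignores leading zero bytes, unlike len(bytes) * 8.
            bits = b64url_to_int(key["n"]).bit_length()
        except (KeyError, ValueError, TypeError):
            results.append((kid, None, "reject (missing or malformed modulus)"))
            continue
        verdict = "ok" if bits >= MIN_RSA_BITS else "reject (too short)"
        results.append((kid, bits, verdict))
    return results


# Constructed sample moduli: correct bit lengths only, not usable RSA keys.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "legacy-1024", "e": "AQAB", "n": int_to_b64url((1 << 1023) | 1)},
    {"kty": "RSA", "kid": "current-2048", "e": "AQAB", "n": int_to_b64url((1 << 2047) | 1)},
    # 256 bytes with a leading zero byte: a byte count would overstate its size.
    {"kty": "RSA", "kid": "padded-2040", "e": "AQAB",
     "n": base64.urlsafe_b64encode(b"\x00" + b"\xff" * 255).rstrip(b"=").decode()},
]}

if __name__ == "__main__":
    for row in check_jwks(SAMPLE_JWKS):
        print(row)
```

Run it against the JWKS you plan to register for a client; any row marked "reject" needs a regenerated key of at least 2048 bits.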