On this page

    Identity Engine

    Okta Identity Engine API release notes (2024)

    April

    Weekly release 2024.04.3

    Change Expected in Preview Orgs
    Bugs fixed in 2024.04.3 May 01, 2024

    Bugs fixed in 2024.04.3

    • GET policy rules (/v1/policies/{policyId}/rules) and GET a policy rule (/v1/policies/{policyId}/rules/{ruleId}) requests returned a rule with a null value for the created property. (OKTA-542919)

    • The Factors API didn’t correctly return all profile.keys parameters for Okta Verify enrollments. (OKTA-694655)

    • Apps API users were able to add duplicate SAML attributeStatements when they created or updated a custom SAML 2.0 app. (OKTA-706474)

    • GET calls to /iam/roles sometimes didn't return link headers. (OKTA-712212)

    • The /introspect endpoint response was incorrect for an access token returned by the On-Behalf-Of Token Exchange flow. (OKTA-712602)

    • The /authorize endpoint didn't accept the sessionToken when Stay signed in was set to Before and after users sign in in the Admin Console. (OKTA-713055)

    • The aud claim value must now be the org’s URL in SSF messages. (OKTA-720203)

    Weekly release 2024.04.1

    Change Expected in Preview Orgs
    Bug fixed in 2024.04.1 April 10, 2024

    Bug fixed in 2024.04.1

    Redirects to applications from the Sign-In Widget were blocked in Android browsers. (OKTA-702402)

    Monthly release 2024.04.0

    Change Expected in Preview Orgs
    Permissions for custom admins to manage agents is GA in Preview April 3, 2024
    Okta now supports the NotonOrAfter property for SLO apps April 3, 2024
    Identity Threat Protection with Okta AI is EA in Preview April 3, 2024
    Enhanced app API contracts is GA in Production April 3, 2024
    Direct Authentication is GA in Production March 7, 2024
    Content Security Policy for custom domains is GA in Production January 31, 2024
    Developer documentation update in 2024.04.0 April 3, 2024
    Bugs fixed in 2024.04.0 April 3, 2024

    Permissions for custom admins to manage agents is GA in Preview

    Custom admins can now view, register, and manage agents. See Permission types.

    Okta now supports the NotonOrAfter property for SLO apps

    Logout requests from Okta to participating SLO apps now support the NotonOrAfter property. This property sets a timeframe in which the logout request expires. If a recipient receives a logout request that's past the NotonOrAfter timeframe (five minutes), the user can ignore the logout request from Okta.

    Identity Threat Protection with Okta AI is EA in Preview

    Identity Threat Protection with Okta AI is a powerful risk assessment and response solution that provides post-authentication security to your org. By continuously analyzing risk signals that are native to Okta, risk signals from integrated security partner vendors, and your policy conditions, it safeguards orgs against identity attacks that occur during and outside of a user's session. When Identity Threat Protection discovers a risk, it can immediately end the user's sessions, prompt an MFA challenge, or invoke a workflow to restore your org's security posture. Using intuitive dashboard widgets and reports, you can easily monitor security threats as they happen. See Identity Thread Protection with Okta AI (opens new window).

    See the Shared Signals Framework (SSF) Receiver (opens new window) and SSF SET (opens new window) APIs.

    See also the Entity risk policy and Continuous Access evaluation policy API updates.

    Enhanced app API contracts is GA in Production

    Okta has API documentation on creating instances of custom apps. Yet, it doesn't fully describe the app metadata required for features such as SSO and provisioning for apps installed from the Okta Integration Network (OIN). In an effort to improve the API for apps in the OIN, new app metadata contracts have been added to the Okta management API. Operators and developers can programmatically create instances of popular OIN apps in their ecosystem and set up the provisioning connection.

    See OIN app request payloads in the Applications API (opens new window) and the Set up an app provisioning connection guide.

    Direct Authentication is GA in Production

    Direct Authentication (opens new window) offers a new set of OAuth 2.0 grants that give app developers greater control over the authentication process. When redirect authentication isn't an option, you can use direct authentication to allow client apps to authenticate users directly, without relying on HTTP redirection through a web browser. This is beneficial when there's a high degree of trust between the user and the app and when browser-based flows aren't feasible, like with mobile apps. See Configure Direct Auth grant types.

    Content Security Policy for custom domains is GA in Production

    The Content Security Policy (CSP) feature lets admins control which URLs may be linked to from customized sign-in and error pages in orgs that use custom domains. Admins add trusted URLs to Okta that link to items such as images and add these links to the code in their sign-in and error pages. This feature enhances security by enabling admins to allow only approved content to appear and prevent the introduction of potentially malicious code to these pages. See Content Security Policy (CSP) for your custom domain.

    Developer documentation update in 2024.04.0

    The OIN QA SCIM test plan file was updated. The following test cases were modified: C9319, C9320, C9321, C9360, and C9361.

    Bugs fixed in 2024.04.0

    • The password reset prompt didn't appear for users with expired passwords. (OKTA-670058)

    • Users were able to unselect a saved SSO protocol for an integration submission in the OIN Wizard. (OKTA-710638)

    March

    Weekly release 2024.03.2

    Change Expected in Preview Orgs
    Bugs fixed in 2024.03.2 March 27, 2024

    Bugs fixed in 2024.03.2

    • An admin was able to make a GET Policy request (/authorizationServers/${authorizationServerId}/policies/${policyId}) to an authorization server with no policies, using a policy ID from another authorization server with policies, and get that policy information returned. (OKTA-684225)

    • Okta sometimes incorrectly returned an Invalid Phone Number error during SMS factor enrollment. (OKTA-705078)

    • After an admin deleted a user, an internal server error sometimes occurred when the admin then made a LIST IdP users request (api/v1/idps/{idpId}/users). (OKTA-708102)

    Monthly release 2024.03.0

    Change Expected in Preview Orgs
    Direct Authentication is GA in Preview March 7, 2024
    Permission conditions for profile attributes is GA in Production March 7, 2024
    Content Security Policy for custom domains is GA in Preview March 7, 2024
    New mappings property for Policy API is EA in Preview March 7, 2024
    My Account Authenticators API is GA in Production March 7, 2024
    AAL values for Login.gov IdP March 7, 2024
    Granular API policy authenticator controls is GA in Preview March 7, 2024
    Externally signed org AS access tokens March 7, 2024
    Support case management for admins is GA in Preview March 7, 2023
    Realms for Workforce March 7, 2023
    Enhanced app API contracts March 7, 2024
    Bug fixed in 2024.03.0 March 7, 2024

    Direct Authentication is GA in Preview

    Direct Authentication (opens new window) offers a new set of OAuth 2.0 grants that give app developers greater control over the authentication process. When redirect authentication isn't an option, you can use direct authentication to allow client apps to authenticate users directly, without relying on HTTP redirection through a web browser. This is beneficial when there's a high degree of trust between the user and the app and when browser-based flows aren't feasible, like with mobile apps. See Configure Direct Auth grant types.

    Permission conditions for profile attributes is GA in Production

    You can now apply conditions to the View users and their details and Edit users' profile attributes custom admin role permissions. Permission conditions help you limit the scope of a role by including or excluding admins' access to individual profile attributes. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Permission conditions (opens new window).

    Content Security Policy for custom domains is GA in Preview

    The Content Security Policy (CSP) feature lets admins control which URLs may be linked to from customized sign-in and error pages in orgs that use custom domains. Admins add trusted URLs to Okta that link to items such as images and add these links to the code in their sign-in and error pages. This feature enhances security by enabling admins to allow only approved content to appear and prevent the introduction of potentially malicious code to these pages. See Content Security Policy (CSP) for your custom domain.

    New mappings property for Policy API is EA in Preview

    A new mappings property is available for the links object in GET /api/v1/policies/${policyId} and GET /api/v1/policies?type=${type} responses. This property displays links to policy mappings. See Policy API.

    My Account Authenticators API is GA in Production

    The MyAccounts Authenticators API (/idp/myaccount/authenticators/) enables you to list enrolled and un-enrolled authenticator information. You can also access details of specific authenticators and enrollments.

    AAL values for Login.gov IdP

    The Login.gov IdP configuration has been updated to include all allowed AAL values.

    Granular API policy authenticator controls is GA in Preview

    The Authentication Policy API now includes three new constraints object parameters that provide precise control over what specific authenticators and methods are displayed to end users. Previously, some authenticators were mapped to the same authenticator types and methods. The parameters authenticationMethods and excludeAuthenticationMethods now identify (or exclude) the exact authenticator for both knowledge and possession constraints. The required parameter indicates whether the knowledge or possession constraints are required by the assurance. See the Policy API.

    Externally signed org AS access tokens

    Access tokens returned from the org authorization server are now signed using the externally published signing key. These access tokens must still be treated as opaque strings and not be validated or consumed by any application other than Okta.

    Support case management for admins is GA in Preview

    Super admins can now assign the View, create, and manage Okta support cases permission and Support Cases resource to a custom admin role. This allows delegated admins to manage the support cases that they've opened. See About role permissions (opens new window).

    Realms for Workforce

    Realms allows you to unlock greater flexibility in managing and delegating management of your distinct user populations within a single Okta org. See the Realms (opens new window) and Realm Assignments (opens new window) APIs.

    Enhanced app API contracts

    Okta has API documentation on creating instances of custom apps. Yet, it doesn't fully describe the app metadata required for features such as SSO and provisioning for apps installed from the Okta Integration Network (OIN). In an effort to improve the API for apps in the OIN, new app metadata contracts have been added to the Okta management API. Operators and developers can programmatically create instances of popular OIN apps in their ecosystem and set up the provisioning connection. See Set up an app provisioning connection.

    Bug fixed in 2024.03.0

    Some group claims failed if Okta Expression Language was used. (OKTA-660870)

    February

    Weekly release 2024.02.2

    Change Expected in Preview Orgs
    Bugs fixed in 2024.02.2 February 22, 2024

    Bugs fixed in 2024.02.2

    • Okta sometimes incorrectly returned an Invalid Phone Number error during SMS factor enrollment. (OKTA-683026)

    • Sometimes, an OAuth 2.0-secured inline hook that contained a custom domain authorization server in the token URL returned a null pointer exception error, instead of an appropriate error. (OKTA-656265)

    • User passwords could be updated to match the answer to the recovery question. (OKTA-654993)

    Weekly release 2024.02.1

    Change Expected in Preview Orgs
    HTTP header filter February 22, 2024

    HTTP header filter

    To improve the security of your org, Okta now filters and encodes any illegal unicode characters for outgoing HTTP headers.

    Monthly release 2024.02.0

    Change Expected in Preview Orgs
    Assign admin roles to an app June 14, 2023
    DPoP support for Okta management APIs is GA in Production December 13, 2023
    Dynamic OS version compliance for device assurance June 14, 2023
    New attribute to manage SAML app session lifetimes is EA in Preview February 7, 2024
    New email domain for free trial orgs February 7, 2024
    New function for email templates is EA in Preview February 7, 2024
    POST requests now allowed to the logout endpoint February 7, 2024
    Seamless ISV experience is GA in Production January 10, 2024
    Super admin role now required to update direct authentication grants February 7, 2024
    Developer documentation update in 2024.02.0 February 7, 2024
    Bug fixed in 2024.02.0 February 7, 2024

    Assign admin roles to an app

    Orgs can now assign admin roles to their custom API Service Integrations. Apps with assigned admin roles are constrained to the permissions and resources that are included in the role assignment. This helps ensure that apps only have access to the resources that are needed to perform their tasks and improves orgs' overall security. See Work with the admin component (opens new window).

    DPoP support for Okta management APIs is GA in Production

    You can now use OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) access tokens to access Okta management APIs. See Configure OAuth 2.0 Demonstrating Proof-of-Possession.

    Dynamic OS version compliance for device assurance

    You can configure OS version compliance by using device assurance. However, you have to manually update the policies every time a new OS version or patch is released. With Dynamic OS version compliance, Okta updates device assurance policies with the latest OS versions and patches, eliminating the need for manual updates. With this feature you can ensure OS version compliance in your org without tracking OS releases. See Dynamic OS version compliance (opens new window) and Device Assurance Policies API (opens new window).

    New attribute to manage SAML app session lifetimes is EA in Preview

    The samlAssertionLifetimeSeconds parameter is an optional SAML parameter that allows the IdP to control the session at the SP. This parameter allows users to add samlAssertionLifetimeSeconds as an attribute in the SAML assertion to control the session lifetimes of SP apps using the Okta IdP. See the Settings table in the Add custom SAML application section.

    New email domain for free trial orgs

    When a user requests access to a free trial org, the welcome email now comes from noreply@test-account.dev.

    New function for email templates is EA in Preview

    You can now use the getTimeDiffHoursNow function in each of the available email notification templates. If you want to add more locales when customizing email templates, you need to use this function instead of the formatTimeDiffHoursNowInUserLocale function. The new function returns only the time value in the specified unit. See Enable additional locales.

    POST requests now allowed to the logout endpoint

    You can now access the /oauth2/{id}/v1/logout and /oauth2/v1/logout endpoints with a POST request. See POST logout (opens new window).

    Seamless ISV experience is GA in Production

    Okta now provides a seamless ISV experience to optimize the Okta Integration Network (OIN) (opens new window) submission experience for SAML and OIDC integrations. This new experience enables independent software vendors (ISVs) to build and manually test their integration metadata before submission. This reduces the time needed for the OIN team to review and validate that the integration functions as intended, which shortens the time to publish in the OIN. This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See Publish an OIN integration (opens new window) overview and Submit an SSO integration with the OIN Wizard (opens new window) guide.

    Super admin role now required to update direct authentication grants

    Super admin permissions are now required to enable or change direct authentication grants for clients.

    Developer documentation update in 2024.02.0

    • Instructions for testing Okta REST APIs with Postman have been updated to provide OAuth 2.0 authentication set up and use. OAuth 2.0 is recommended to access Okta management APIs instead of the proprietary SSWS API token to ensure enhanced security.

      These instructions are now under References > Test APIs with Postman.

    • The Self-service registration guide is now easier to read and quicker to complete. All flow diagrams have been updated so they are easier to follow, and configuration instructions now match the current Admin Console.

    Bug fixed in 2024.02.0

    When users signed in with an external Identity Provider and the multiple matching users error occurred, they were redirected to the sign-in page instead of the error page. (OKTA-658717)

    January

    Weekly release 2024.01.2

    Change Expected in Preview Orgs
    Content Security Policy for custom domains is EA in Preview January 31, 2024
    Granular API policy authenticator controls is self-service EA in Preview January 31, 2024
    IP restrictions on tokens January 31, 2024
    Bugs fixed in 2024.01.2 January 31, 2024

    Content Security Policy for custom domains is EA in Preview

    The Content Security Policy (CSP) feature lets admins control which URLs may be linked to from customized sign-in and error pages in orgs that use custom domains. Admins add trusted URLs to Okta that link to items such as images and add these links to the code in their sign-in and error pages. This feature enhances security by enabling admins to allow only approved content to appear and prevent the introduction of potentially malicious code to these pages. See Content Security Policy (CSP) for your custom domain.

    Granular API policy authenticator controls is self-service EA in Preview

    The Authentication Policy API now includes three new constraints object parameters that provide precise control over what specific authenticators and methods are displayed to end users. Previously, some authenticators were mapped to the same authenticator types and methods. The parameters authenticationMethods and excludeAuthenticationMethods now identify (or exclude) the exact authenticator for both knowledge and possession constraints. The required parameter indicates whether the knowledge or possession constraints are required by the assurance. See the Policy API.

    IP restrictions on tokens

    Admins can specify allowlisted and blocklisted network zones for static, Single Sign-On Web System (SSWS) API tokens. This strengthens org security by letting them control where calls to Okta APIs can originate from. It also restricts attackers and malware from stealing SSWS tokens or replaying them outside of their IP range to gain unauthorized access.

    Bugs fixed in 2024.01.2

    • Some text strings in the Authentication policies page weren't translated. (OKTA-583880)

    • POST requests to the /sessions/me/lifecycle/refresh endpoint didn't return an updated session cookie. (OKTA-665452)

    • System Log events for the access token, ID token, and user SSO grants didn't include externalSessionId. (OKTA-664370)

    • System Log events for access token and ID token grants didn't include user attributes. (OKTA-674218)

    Weekly release 2024.01.1

    Change Expected in Preview Orgs
    Bug fixed in 2024.01.1 January 18, 2024

    Bug fixed in 2024.01.1

    Users could activate their Okta accounts from expired activation email links using the SDKs. (OKTA-666148)

    Monthly release 2024.01.0

    Change Expected in Preview Orgs
    DPoP support for Okta management APIs is GA in Preview December 13, 2023
    Email or password no longer required in authenticator enrollment policy is GA in Preview January 10, 2024
    More properties returned for Devices API user summaries January 10, 2024
    New possession constraint property available for Policy API is GA in Production December 6, 2023
    Read-only permission for admin role assignments is GA in Production November 8, 2023
    Seamless ISV experience is GA in Preview January 10, 2024
    Stay signed in is EA in Preview January 10, 2024
    System Log events for IdP keystore operations January 10, 2024
    Updated RADIUS authentication prompts January 10, 2024
    Use your own email provider is GA in Production December 6, 2023

    DPoP support for Okta management APIs is GA in Preview

    You can now use OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) access tokens to access Okta management APIs. See Configure OAuth 2.0 Demonstrating Proof-of-Possession.

    Email or password no longer required in authenticator enrollment policy is GA in Preview

    Previously, authenticator enrollment policies required either an email or a password even if other authenticators were enabled. Now, you can set email or password authentication to optional or disabled, and require another authenticator instead. This change allows orgs to better secure accounts with stronger authenticators such as Okta Verify, Okta FastPass, or FIDO2 (WebAuthn). See Create an authenticator enrollment policy (opens new window).

    More properties returned for Devices API user summaries

    The List all Devices (opens new window) API operation has been updated to return more user summary properties in the _embedded payload. When the expand=userSummary query parameter (opens new window) is included in the List all Devices request (for example, GET /api/v1/devices?expand=userSummary), the managementStatus and screenLockType properties are returned for each user summary.

    New possession constraint property available for Policy API is GA in Production

    A new userVerification property is available for the constraints object of the Policy API. This setting can ensure the verification of a possession factor through a PIN or biometrics.

    Read-only permission for admin role assignments is GA in Production

    Super admins can now assign the View roles, resources, and admin assignments permission to their delegated admins. This permission gives admins a read-only view of the admin roles, resource sets, and admin assignments in the org. See About role permission (opens new window).

    Seamless ISV experience is GA in Preview

    Okta now provides a seamless ISV experience to optimize the Okta Integration Network (OIN) (opens new window) submission experience for SAML and OIDC integrations. This new experience enables independent software vendors (ISVs) to build and manually test their integration metadata before submission. This reduces the time needed for the OIN team to review and validate that the integration functions as intended, which shortens the time to publish in the OIN.

    This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See Publish an OIN integration overview and Submit an SSO integration with the OIN Wizard guide.

    Stay signed in is EA in Preview

    Today, Keep me signed in allows the user to select whether their multifactor authenticators from previous sessions should be remembered. However, the option to select Keep me signed in was only available on the sign-in page.

    To enable Stay signed in for integrated authentication flows, admins can now configure their sign-in experience such that the option to Stay signed in is provided either before the user signs in to Okta or before and after the user completes multifactor authentication. If a user selects Stay signed in, they won't be challenged for MFA the next time they sign in. In addition, users will now be able to sign out of all active Okta sessions from the Okta End-User Dashboard. See Organization Security (opens new window).

    System Log events for IdP keystore operations

    New System Log events are generated for IdP keystore operations:

    system.idp.key.create
system.idp.key.update
system.idp.key.delete

    Updated RADIUS authentication prompts

    RADIUS authentication prompts are updated to be clearer.

    Use your own email provider is GA in Production

    The Email Servers API allows you to configure a custom external email provider to send email notifications. By default, notifications such as the welcome email or an account recovery email are sent through an Okta-managed SMTP server. Adding a custom email provider gives you more control over your email delivery. See Email Servers API (opens new window).

    Edit This Page On GitHub