Okta Classic Engine API release notes (2024)

May

Monthly release 2024.05.0

Change | Expected in Preview Orgs
Seamless ISV experience with integrated testing is GA in Preview | May 8, 2024
PUT requests for an API token network condition is self-service EA | May 8, 2024
Permissions for custom admins to manage agents is GA in Production | May 8, 2024
New System Log API property for target object | May 8, 2024
Developer documentation update in 2024.05.0 | May 8, 2024
Bugs fixed in 2024.05.0 | May 8, 2024

Seamless ISV experience with integrated testing is GA in Preview

Okta now provides a seamless ISV experience to optimize the Okta Integration Network (OIN) submission experience for SAML and OIDC integrations. This new experience enables independent software vendors (ISVs) to build and automatically test their integration metadata before submission. This reduces the time needed for the OIN team to review and validate that the integration functions as intended, which shortens the time to publish in the OIN. This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See Publish an OIN integration overview and Submit an SSO integration with the OIN Wizard guide.

PUT requests for an API token network condition is self-service EA

You can now make PUT requests to the /api-tokens/{apiTokenId} endpoint to update the network condition of an API token.

Permissions for custom admins to manage agents is GA in Production

Custom admins can now view, register, and manage agents. See Permission types.

New System Log API property for target object

Certain system log events now contain a new property called changeDetails in the target object. When this property is populated, it reflects new, changed, or removed attributes of the target resource that has been modified. See changeDetails property.

Developer documentation update in 2024.05.0

The Style the Sign-In Widget (third generation) guide has been updated to describe how the afterRender function works.

Bugs fixed in 2024.05.0

  • When a large number of users were linked to an Identity Provider, requests to the /idps/{IdP_ID}/users endpoint timed out. (OKTA-710934)

  • POST requests to the /sessions/me/lifecycle/refresh endpoint didn't return a sid cookie. (OKTA-716839)

  • If a login pattern failed validation when making a request with the Schemas API, the call dropped the pattern and continued the request. (OKTA-723332)

  • The Apps API accepted 0 as a value for the samlAssertionLifetimeSeconds parameter. (OKTA-723982)

April

Weekly release 2024.04.3

Change | Expected in Preview Orgs
Bugs fixed in 2024.04.3 | May 01, 2024

Bugs fixed in 2024.04.3

  • GET policy rules (/v1/policies/{policyId}/rules) and GET a policy rule (/v1/policies/{policyId}/rules/{ruleId}) requests returned a rule with a null value for the created property. (OKTA-542919)

  • The Factors API didn't correctly return all profile.keys parameters for Okta Verify enrollments. (OKTA-694655)

  • Apps API users were able to add duplicate SAML attributeStatements when they created or updated a custom SAML 2.0 app. (OKTA-706474)

  • GET calls to /iam/roles sometimes didn't return link headers. (OKTA-712212)

  • When the First name and Last name values in a user's profile contained dots, they were clickable in emails. (OKTA-712504)

  • The /introspect endpoint response was incorrect for an access token returned by the On-Behalf-Of Token Exchange flow. (OKTA-712602)

Monthly release 2024.04.0

Change | Expected in Preview Orgs
Customize Okta to use the telecommunications provider of your choice is GA in Production | March 7, 2024
Permissions for custom admins to manage agents is GA in Preview | April 3, 2024
Enhanced app API contracts is GA in Production | April 3, 2024
Content Security Policy for custom domains is GA in Production | January 31, 2024
Developer documentation update in 2024.04.0 | April 3, 2024
Bug fixed in 2024.04.0 | April 3, 2024

Customize Okta to use the telecommunications provider of your choice is GA in Production

While Okta provides out-of-the-box telephony functionality, many customers need to integrate their existing telecommunications provider with Okta to deliver SMS and voice messages.

The Telephony Inline Hook lets customers generate one-time passcodes within Okta and then use their existing telecommunications provider to deliver them by SMS or voice for MFA enrollment and verification, password reset, and account unlock. This lets customers keep using their existing telephony solution within Okta, whether because of the time they've already invested in it, the need to use a specific regional provider, or simply the desire to maintain flexibility. See Connect to an external telephony service provider.

Permissions for custom admins to manage agents is GA in Preview

Custom admins can now view, register, and manage agents. See Permission types.

Enhanced app API contracts is GA in Production

Okta has API documentation on creating instances of custom apps, but it doesn't fully describe the app metadata required for features such as SSO and provisioning for apps installed from the Okta Integration Network (OIN). To improve the API for apps in the OIN, new app metadata contracts have been added to the Okta management API. Operators and developers can programmatically create instances of popular OIN apps in their ecosystem and set up the provisioning connection.

See OIN app request payloads in the Applications API and the Set up an app provisioning connection guide.

Content Security Policy for custom domains is GA in Production

The Content Security Policy (CSP) feature lets admins control which URLs may be linked to from customized sign-in and error pages in orgs that use custom domains. Admins add trusted URLs to Okta that link to items such as images and add these links to the code in their sign-in and error pages. This feature enhances security by enabling admins to allow only approved content to appear and prevent the introduction of potentially malicious code to these pages. See Content Security Policy (CSP) for your custom domain.

Developer documentation update in 2024.04.0

The OIN QA SCIM test plan file was updated. The following test cases were modified: C9319, C9320, C9321, C9360, and C9361.

Bug fixed in 2024.04.0

Users were able to unselect a saved SSO protocol for an integration submission in the OIN Wizard. (OKTA-710638)

March

Weekly release 2024.03.2

Change | Expected in Preview Orgs
Bugs fixed in 2024.03.2 | March 27, 2024

Bugs fixed in 2024.03.2

  • An admin was able to make a GET Policy request (/authorizationServers/${authorizationServerId}/policies/${policyId}) to an authorization server with no policies, using a policy ID from another authorization server with policies, and get that policy information returned. (OKTA-684225)

  • Client rate limiting configurations for the /login/login.htm endpoint were displayed incorrectly in the Rate Limit dashboard and were in an inconsistent state for some orgs. (OKTA-699914)

  • Okta sometimes incorrectly returned an Invalid Phone Number error during SMS factor enrollment. (OKTA-705078)

  • After an admin deleted a user, an internal server error sometimes occurred when the admin then made a LIST IdP users request (api/v1/idps/{idpId}/users). (OKTA-708102)

Weekly release 2024.03.1

Change | Expected in Preview Orgs
Bug fixed in 2024.03.1 | March 13, 2024

Bug fixed in 2024.03.1

One-time passcodes (OTPs) that were sent using a telephony inline hook weren't subject to rate limits. (OKTA-704319)

Monthly release 2024.03.0

Change | Expected in Preview Orgs
Permission conditions for profile attributes is GA in Production | March 7, 2024
Content Security Policy for custom domains is GA in Preview | March 7, 2024
New mappings property for Policy API is EA in Preview | March 7, 2024
AAL values for Login.gov IdP | March 7, 2024
Externally signed org AS access tokens | March 7, 2024
Support case management for admins is GA in Preview | March 7, 2024
Realms for Workforce | March 7, 2024
Enhanced app API contracts | March 7, 2024
Bugs fixed in 2024.03.0 | March 6, 2024

Permission conditions for profile attributes is GA in Production

You can now apply conditions to the "View users and their details" and "Edit users' profile attributes" custom admin role permissions. Permission conditions help you limit the scope of a role by including or excluding admins' access to individual profile attributes. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Permission conditions.

Content Security Policy for custom domains is GA in Preview

The Content Security Policy (CSP) feature lets admins control which URLs may be linked to from customized sign-in and error pages in orgs that use custom domains. Admins add trusted URLs to Okta that link to items such as images and add these links to the code in their sign-in and error pages. This feature enhances security by enabling admins to allow only approved content to appear and prevent the introduction of potentially malicious code to these pages. See Content Security Policy (CSP) for your custom domain.

New mappings property for Policy API is EA in Preview

A new mappings property is available for the links object in GET /api/v1/policies/${policyId} and GET /api/v1/policies?type=${type} responses. This property displays links to policy mappings. See Policy API.

AAL values for Login.gov IdP

The Login.gov IdP configuration has been updated to include all allowed AAL values.

Externally signed org AS access tokens

Access tokens returned from the org authorization server are now signed using the externally published signing key. These access tokens must still be treated as opaque strings and not be validated or consumed by any application other than Okta.

Support case management for admins is GA in Preview

Super admins can now assign the "View, create, and manage Okta support cases" permission and the Support Cases resource to a custom admin role. This allows delegated admins to manage the support cases that they've opened. See About role permissions.

Realms for Workforce

Realms gives you greater flexibility in managing, and delegating the management of, distinct user populations within a single Okta org. See the Realms and Realm Assignments APIs.

Enhanced app API contracts

Okta has API documentation on creating instances of custom apps, but it doesn't fully describe the app metadata required for features such as SSO and provisioning for apps installed from the Okta Integration Network (OIN). To improve the API for apps in the OIN, new app metadata contracts have been added to the Okta management API. Operators and developers can programmatically create instances of popular OIN apps in their ecosystem and set up the provisioning connection. See Set up an app provisioning connection.

Bugs fixed in 2024.03.0

  • Okta required a sharedSecret length of 16 characters when enrolling a Google Authenticator using the Factors API. Okta now accepts sharedSecret lengths between 16 and 32 characters. (OKTA-654920)

  • Some group claims failed if Okta Expression Language was used. (OKTA-660870)

  • An inline hook secured by an OAuth 2.0 token that had no expiry value returned an HTTP 400 Bad Request error. (OKTA-702184)

February

Weekly release 2024.02.2

Change | Expected in Preview Orgs
Bugs fixed in 2024.02.2 | February 22, 2024

Bugs fixed in 2024.02.2

  • Okta sometimes incorrectly returned an Invalid Phone Number error during SMS factor enrollment. (OKTA-683026)

  • Sometimes, an OAuth 2.0-secured inline hook that contained a custom domain authorization server in the token URL returned a null pointer exception error, instead of an appropriate error. (OKTA-656265)

  • User passwords could be updated to match the answer to the recovery question. (OKTA-654993)

Weekly release 2024.02.1

Change | Expected in Preview Orgs
HTTP header filter | February 22, 2024
Bug fixed in 2024.02.1 | February 14, 2024

HTTP header filter

To improve the security of your org, Okta now filters and encodes any illegal Unicode characters in outgoing HTTP headers.

Bug fixed in 2024.02.1

The List all enrolled Factors endpoint (GET /api/v1/users/{userId}/factors) returned an incorrectly prefixed ID for SMS factors with a PENDING ACTIVATION status. (OKTA-690496)

Monthly release 2024.02.0

Change | Expected in Preview Orgs
Assign admin roles to an app | June 14, 2023
DPoP support for Okta management APIs is GA in Production | December 13, 2023
New attribute to manage SAML app session lifetimes is EA in Preview | February 7, 2024
New function for email templates is EA in Preview | February 7, 2024
POST requests now allowed to the logout endpoint | February 7, 2024
Seamless ISV experience is GA in Production | January 10, 2024
Developer documentation update in 2024.02.0 | February 7, 2024
Bugs fixed in 2024.02.0 | February 7, 2024

Assign admin roles to an app

Orgs can now assign admin roles to their custom API Service Integrations. Apps with assigned admin roles are constrained to the permissions and resources that are included in the role assignment. This helps ensure that apps only have access to the resources that are needed to perform their tasks and improves orgs' overall security. See Work with the admin component.

DPoP support for Okta management APIs is GA in Production

You can now use OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) access tokens to access Okta management APIs. See Configure OAuth 2.0 Demonstrating Proof-of-Possession.

New attribute to manage SAML app session lifetimes is EA in Preview

The samlAssertionLifetimeSeconds parameter is an optional SAML parameter that allows the IdP to control the session at the SP. This parameter allows users to add samlAssertionLifetimeSeconds as an attribute in the SAML assertion to control the session lifetimes of SP apps using the Okta IdP. See the Settings table in the Add custom SAML application section.

New function for email templates is EA in Preview

You can now use the getTimeDiffHoursNow function in each of the available email notification templates. If you want to add more locales when customizing email templates, you need to use this function instead of the formatTimeDiffHoursNowInUserLocale function. The new function returns only the time value in the specified unit. See Enable additional locales.

POST requests now allowed to the logout endpoint

You can now access the /oauth2/{id}/v1/logout and /oauth2/v1/logout endpoints with a POST request. See POST logout.

Seamless ISV experience is GA in Production

Okta now provides a seamless ISV experience to optimize the Okta Integration Network (OIN) submission experience for SAML and OIDC integrations. This new experience enables independent software vendors (ISVs) to build and manually test their integration metadata before submission. This reduces the time needed for the OIN team to review and validate that the integration functions as intended, which shortens the time to publish in the OIN. This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See Publish an OIN integration overview and Submit an SSO integration with the OIN Wizard guide.

Developer documentation update in 2024.02.0

  • Instructions for testing Okta REST APIs with Postman have been updated to cover setting up and using OAuth 2.0 authentication. OAuth 2.0 is recommended for accessing Okta management APIs instead of the proprietary SSWS API token, for stronger security.

    These instructions are now under References > Test APIs with Postman.

  • The Self-service registration guide is now easier to read and quicker to complete. All flow diagrams have been updated so they are easier to follow, and configuration instructions now match the current Admin Console.

Bugs fixed in 2024.02.0

  • Some call Factor enrollments were left in a pending activation state after enrollment or reset. (OKTA-649508)

  • When users signed in with an external Identity Provider and the multiple matching users error occurred, they were redirected to the sign-in page instead of the error page. (OKTA-658717)

January

Weekly release 2024.01.2

Change | Expected in Preview Orgs
Content Security Policy for custom domains is EA in Preview | January 31, 2024
IP restrictions on tokens | January 31, 2024
Bugs fixed in 2024.01.2 | January 31, 2024

Content Security Policy for custom domains is EA in Preview

The Content Security Policy (CSP) feature lets admins control which URLs may be linked to from customized sign-in and error pages in orgs that use custom domains. Admins add trusted URLs to Okta that link to items such as images and add these links to the code in their sign-in and error pages. This feature enhances security by enabling admins to allow only approved content to appear and prevent the introduction of potentially malicious code to these pages. See Content Security Policy (CSP) for your custom domain.

IP restrictions on tokens

Admins can specify allowlisted and blocklisted network zones for static, Single Sign-On Web System (SSWS) API tokens. This strengthens org security by letting admins control where calls to Okta APIs can originate from. It also prevents attackers and malware that have stolen an SSWS token from replaying it outside of the allowed IP range to gain unauthorized access.

Bugs fixed in 2024.01.2

  • POST requests to the /sessions/me/lifecycle/refresh endpoint didn't return an updated session cookie. (OKTA-665452)

  • System Log events for the access token, ID token, and user SSO grants didn't include externalSessionId. (OKTA-664370)

  • System Log events for access token and ID token grants didn't include user attributes. (OKTA-674218)

Monthly release 2024.01.0

Change | Expected in Preview Orgs
DPoP support for Okta management APIs is GA in Preview | December 13, 2023
Read-only permission for admin role assignments is GA in Production | November 8, 2023
Seamless ISV experience is GA in Preview | January 10, 2024
System Log events for IdP keystore operations | January 10, 2024
Updated RADIUS authentication prompts | January 10, 2024

DPoP support for Okta management APIs is GA in Preview

You can now use OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) access tokens to access Okta management APIs. See Configure OAuth 2.0 Demonstrating Proof-of-Possession.

Read-only permission for admin role assignments is GA in Production

Super admins can now assign the "View roles, resources, and admin assignments" permission to their delegated admins. This permission gives admins a read-only view of the admin roles, resource sets, and admin assignments in the org. See About role permissions.

Seamless ISV experience is GA in Preview

Okta now provides a seamless ISV experience to optimize the Okta Integration Network (OIN) submission experience for SAML and OIDC integrations. This new experience enables independent software vendors (ISVs) to build and manually test their integration metadata before submission. This reduces the time needed for the OIN team to review and validate that the integration functions as intended, which shortens the time to publish in the OIN.

This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See Publish an OIN integration overview and Submit an SSO integration with the OIN Wizard guide.

System Log events for IdP keystore operations

New System Log events are generated for IdP keystore operations:

  • system.idp.key.create

  • system.idp.key.update

  • system.idp.key.delete
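As an added illustration (not Okta's code and not part of these release notes) of how a detection pipeline could consume the new system.idp.key.* events listed above together with the changeDetails property on the target object described in the 2024.05.0 notes: the events below are constructed sample records, and the from/to layout inside changeDetails is an assumption, since the property is documented here only as carrying new, changed, or removed attributes.

```python
import json

# Constructed sample System Log events for illustration only (not real Okta
# output). The from/to layout inside changeDetails is an assumption; the
# property is documented only as carrying new, changed or removed attributes.
SAMPLE_LOG = r'''
[{"eventType": "system.idp.key.update", "published": "2024-05-08T10:00:00.000Z",
  "outcome": {"result": "SUCCESS"},
  "actor": {"id": "00uEXAMPLE1", "type": "User", "alternateId": "admin@example.com"},
  "target": [{"id": "kidEXAMPLE1", "type": "IdpKey",
              "changeDetails": {"from": {"expiresAt": "2024-06-01", "use": "sig"},
                                "to": {"expiresAt": "2025-06-01", "use": "sig", "status": "ACTIVE"}}}]},
 {"eventType": "system.idp.key.delete", "published": "2024-05-08T10:05:00.000Z",
  "outcome": {"result": "SUCCESS"},
  "actor": {"id": "00uEXAMPLE2", "type": "User", "alternateId": "svc@example.com"},
  "target": [{"id": "kidEXAMPLE2", "type": "IdpKey",
              "changeDetails": {"from": {"use": "sig", "status": "ACTIVE"}, "to": {}}}]},
 {"eventType": "user.session.start", "published": "2024-05-08T10:06:00.000Z",
  "outcome": {"result": "SUCCESS"},
  "actor": {"id": "00uEXAMPLE3", "type": "User", "alternateId": "jane@example.com"},
  "target": []}]
'''

IDP_KEY_EVENTS = {"system.idp.key.create", "system.idp.key.update", "system.idp.key.delete"}


def diff_change_details(change_details):
    """Turn a changeDetails object into {attribute: (old, new)} for attributes
    that were added (old is None), removed (new is None) or changed."""
    before = change_details.get("from") or {}
    after = change_details.get("to") or {}
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}


def triage_idp_key_events(raw_json):
    """Return one alert per IdP keystore event, carrying who performed it and
    which attributes of each target changed. Other event types are ignored."""
    alerts = []
    for event in json.loads(raw_json):
        if event.get("eventType") not in IDP_KEY_EVENTS:
            continue
        changes = {}
        for target in event.get("target", []):
            details = target.get("changeDetails")
            if details:  # events that predate the property simply lack it
                changes[target.get("id", "?")] = diff_change_details(details)
        alerts.append({
            "eventType": event["eventType"],
            "published": event.get("published"),
            "actor": event.get("actor", {}).get("alternateId"),
            "result": event.get("outcome", {}).get("result"),
            # Removing a signing key can break federation, so rank it higher
            "severity": "high" if event["eventType"].endswith(".delete") else "medium",
            "changes": changes,
        })
    return alerts
```

Running `triage_idp_key_events(SAMPLE_LOG)` over the constructed log yields two alerts: a medium one for the key update showing expiresAt changing and status being added, and a high one for the key deletion showing its attributes removed.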

Updated RADIUS authentication prompts

RADIUS authentication prompts are updated to be clearer.