Okta Classic Engine release notes (2018)
2018 Production Releases

December 2018
2018.12.0: Monthly Production release began deployment on December 10
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Push Notifications for the Okta RADIUS Agent
The Okta Radius Agent now includes functionality for end users to opt in to receive push notifications for MFA when enrolled with Okta Verify. For information on how to enable this setting, see Autopush for RADIUS.
Okta Windows Credential Provider agent, version 1.1.3
This release contains general bug fixes. For version history, see Okta MFA Credential Provider for Windows Version History.
Profile Editor supports linked objects
You can now add a custom attribute with a linked object data type to the Okta user profile. For details, see Add a linked object to an Okta user profile.
Add Notes to Okta-managed apps
You can now add App Notes to communicate with end users and other admins about apps. In addition to enhancing app deployment and usage, App Notes can also reduce help desk calls, provide troubleshooting assistance, and increase end user self service.
App Notes facilitate the following types of communications:
- Application notes to end users – Allows admins to present helpful information to end users, such as why they've been assigned the app, whom to contact for help, and links to additional information.
- Application notes to admins – Allows admins to share administrative details about apps with other Super, App, Read-only, and Mobile admins.
For more information, see Add notes to an app.
Super admins can choose default email notifications for admins
Super admins have the ability to select which email notifications a specific type of admin receives by default. This allows you to manage the amount of email traffic the different admin roles receive. The new defaults will override existing admin email notifications default settings (see Email Notifications for default settings). This will exclude most admins from receiving most email notifications.
Generally Available Enhancements
Admin Console update
We have updated the release number displayed in the Admin Console to the YYYY.MM.U format that we are officially adopting with the December Monthly Release. For more information, see Release notes.
Okta User Communication improvement
We have improved the Okta User Communication message in Settings > Customization to clarify the scope of end user communication.
Group Push enhancements
Group Push now supports the ability to link to existing groups in the following application integrations:
- Smartsheet
- Facebook at Work
- Org2Org
- Adobe CQ
- JIRA, JIRA On-Prem
- DocuSign
You can centrally manage these apps in Okta. For details, see Enhanced Group Push.
People page performance improvements
The A-to-Z links on the People page have been deprecated as part of efforts to improve the performance and responsiveness of the page in the Admin UI for large orgs. Screenshots:
Before:
After:
Reports enhancement
When generating reports, the earliest start date you can select is now 13 months prior to the current date. For more information about Reports, see Reports.
Early Access Features
Early Access Enhancements
FIPS-mode encryption enhancement
We have updated the Okta Verify configuration UI label for the FIPS-Mode encryption setting. For more information, see Enabling FIPS-mode encryption.
Fixes
General Fixes
OKTA-185031
Recreating group push mappings for previously existing groups would cause group memberships to not be mastered by Okta.
OKTA-187881
An LDAP directory could not be assigned to an Okta group when Sync password was enabled and Create users was disabled.
OKTA-193192
Some end users were still prompted to authenticate with MFA despite successful enrollment with Okta Verify or Duo within the same session.
OKTA-194472
The API Access Management Admin role was not returned for the user when performing a GET on api/v1/users/${userId}/roles endpoint.
OKTA-195092
When using browsers other than Internet Explorer, Agentless Desktop SSO was performing two authentication requests for each user, increasing the authentication time.
OKTA-196220
Push Groups functionality only worked for admins with Super Admin rights.
OKTA-197099
Provisioning operations for the Coupa app failed.
OKTA-197991
The MFA Usage Report listed Okta Verify with Push as an enrolled factor even if the factor was reset by an end user from their dashboard making it no longer enrolled.
OKTA-198258
There was a minor grammatical error in the app approval admin notification message.
OKTA-198556
IdP Discovery rule with a Sharepoint On-Premise specific app instance condition was not routing properly on SP-initiated login flows.
OKTA-198797
After creating an ASN dynamic zone via the API, then viewing via the UI, the default proxy type was Unchecked instead of Any proxy.
OKTA-201054H
SAML IdP flow broke down with a 404 error if the ACS URL was in {{org}}/auth/saml20/{{IdP name}} format.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- Alibaba Cloud (Aliyun) (OKTA-198076)
- Anaplan (OKTA-198239)
- Apple Business Manager (OKTA-198241)
- Dell Boomi (OKTA-198237)
- Egencia UK (OKTA-198487)
- Linux Academy (OKTA-198691)
- PacificSource InTouch (OKTA-197597)
- Perfode (OKTA-198238)
- Rival IQ (OKTA-190557)
- Salesforce: Marketing Cloud (OKTA-197948)
- Web Manuals (OKTA-199509)
Applications
Application Updates
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- LearnCore: For configuration information, see LearnCore's Using Okta for provisioning and SSO in LearnCore.
New Integrations
New SCIM Integration Application
The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- Web Manuals: For configuration information, see Web Manuals' Okta Provisioning Instructions.
SAML for the following Okta Verified applications
- Abstract (OKTA-192587)
- BambooHR (OKTA-199943)
- CloudBees (OKTA-191171)
- SAP Concur Solutions (OKTA-198484)
- Workable (OKTA-198491)
SWA for the following Okta Verified applications
- Acronis Cloud (OKTA-189384)
- Ameriflex Wealth Care Portal (OKTA-197201)
- Autodesk BIM 360 (OKTA-194354)
- buildpulse (OKTA-196661)
- Business Insider PRIME (OKTA-196625)
- Drift (OKTA-192116)
- Forum: Business Online Banking (OKTA-195330)
- HigherGear - (OKTA-196158)
- HomeDepot Vendor Portal (OKTA-190428)
- HP DaaS (OKTA-196207)
- Insperity Premier (OKTA-191066)
- Kayak (OKTA-74699)
- TrendKite (OKTA-197199)
- WealthEngine (OKTA-198240)
- Zywave Home (OKTA-193830)
Weekly Updates

Fixes
General Fixes
OKTA-155477
AD-mastered users logging into Okta with a temporary password were not asked to create a new password.
OKTA-177142
Inbound delegated authentication failed in application when the application username and Okta username were different.
OKTA-182115
As a result of multiple redirects, URLs became too long when a SAML app was used in conjunction with IWA and multifactor authentication.
OKTA-188067
When adding a user to the source user group, if the target user group did not exist, group push mappings did not display an error.
OKTA-189754
The Sign On policy did not show a warning after reaching the limit of 20 rules per policy in the UI. The limit has now been increased to 50 before showing the warning.
OKTA-190684
The OpenID Connect Client ID Token settings form was missing a link to the reference documentation about the groups claim, also the the Sign On mode tab was missing a link to the profile mappings.
OKTA-191321
In some cases, the LDAP search filter did not allow using "<" and ">" simultaneously.
OKTA-191398
The System Log did not include hostname in the Debug Context for Windows events.
OKTA-195890
IdP Discovery routing rules with an application condition and without a user identifier condition were not routing to social IdPs.
OKTA-195916
Resetting the password for one account while a different user was signed into another account in the same browser generated a successful System Log event for the wrong account, and the UI showed a failure message although password reset was successful.
OKTA-196579
The WebEx app did not update sessionType attributes for users.
OKTA-199133
The System Log did not report enrollment failures that occurred when the relevant Device Trust setting was not enabled in the Okta Admin Console.
OKTA-200176
The Application Usage report returned a server error instead of a bad request message when an invalid date was entered to generate the report.
App Integration Fixes
The following SAML app was not working correctly and is now fixed
- IntraLinks (OKTA-198125)
The following SWA apps were not working correctly and are now fixed
- Crunchbase (OKTA-198994)
- Dashlane Business (OKTA-199046)
- Shopify (OKTA-200163)
- Thycotic Force (OKTA-198995)
Applications
New Integrations
The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- OfficeSpace Software: For configuration information, see the OfficeSpace Software Okta - SCIM configuration guide.
SAML for the following Okta Verified applications
- Expiration Reminder (OKTA-200470)
- RecruitBot (OKTA-196618)
SWA for the following Okta Verified applications
- Haivision Support (OKTA-191530)
- ONE by AOL: Video (OKTA-196063)

Fixes
General Fixes
OKTA-71278
The Identity Providers list was missing the Action column header and had alignment issues.
OKTA-154988
Missing fields were not highlighted in the error message displayed when adding a new SAML identity provider.
OKTA-189636
Username changes in Okta for AD-Mastered users were not correctly pushed to the JIRA On-Prem app.
OKTA-190763
Users who had been locked out and then deactivated were still listed as locked out on the Reset Password and Unlock People pages, as well as on dashboard notifications.
OKTA-191917
When the Agentless Desktop SSO flow failed, the FromURI parameter was missing, causing a launched app not to load.
OKTA-193120
Incremental imports did not properly terminate users due to time zone differences.
OKTA-194696
Group membership updates that failed due to the Org2Org rate limit were not retried.
OKTA-197806
For orgs with the EA feature, Advanced Schema for Box enabled, assigning a group to Box sometimes failed.
OKTA-201633
The users/${userId}/factors/catalog endpoint returned email as a supported factor type although Email Authentication had not been enabled for the org in their MFA setting.
OKTA-201799
When searching for a group containing a space character, the text box selection to continue typing was lost and required users to click on the text box again to type next character.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Aha (OKTA-200921)
-
Amazon DE (OKTA-200178)
-
CarGurus (OKTA-201462)
-
Cintellate by SAI Global (OKTA-201461)
-
GFI Mail Essential Online (OKTA-199274)
-
GTA Travel (OKTA-200126)
-
Gusto (OKTA-199737)
-
Handshake (OKTA-201464)
-
HP Connected (OKTA-200425)
-
MyViverae by Viverae (OKTA-200739)
-
Papertrail (OKTA-199505)
-
Sauce Labs (OKTA-199066)
-
SeamlessWeb (OKTA-201041)
-
The San Diego Union-Tribune (OKTA-201415)
Applications
Application Updates
The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:
- Retool: For configuration information, see Retool's Okta Specific Guide.
- Wrike: For configuration information, see Wrike & Okta, User Provisioning.
- Drift: For configuration information, see Drift's Okta SCIM Configuration Guide.
- OfficeSpace Software: For configuration information, see the OfficeSpace SoftwareOkta - SCIM configuration guide.
New Integrations
The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- 4me: For configuration information, see 4me's OKTA configuration instructions.
- Tableau Online: For configuration information, see Tableau Online's Automate User Management through an External Identity Provider.
- CyberArk SCIM Server: For configuration information, see Configuring Provisioning for CyberArk SCIM.
- Workpath: For configuration information, see Workpath's Okta Configuration Guide.
SAML for the following Okta Verified applications
-
Abacus (OKTA-201459)
-
Envoy Global (OKTA-201924)
-
Firstbird (OKTA-202087)
-
Five9 Plus Adapter for Salesforce (OKTA-198492)
-
Imagineer WebVision (OKTA-202327)
-
International Relocation Center (OKTA-200829)
-
iObeya (OKTA-198510)
-
SevenRooms (OKTA-199302)
-
Splash (OKTA-201453)
-
Wootric (OKTA-198958)
-
Zoom SAML (OKTA-200668)
SWA for the following Okta Verified applications
-
Anexia Engine (OKTA-197187)
-
Bloomberg (OKTA-198566)
-
CAPPS Enterprise Portal (OKTA-190371)
-
FHLBank of Dallas (OKTA-189796)
-
Information Management Network (OKTA-199265)
-
Morningstar UK (OKTA-199264)
-
NET-ENTERPRISES.FR (OKTA-190878)
-
PostNL Digital Postage Stamp (OKTA-198257)
-
Quip (OKTA-191534)
-
SonicWall Capture Security Center (OKTA-198693)
-
TxDMV webDEALER (OKTA-192030)
-
Vantiv IQ (OKTA-193087)
Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)
-
LogicMonitor (OKTA-193723)


When you delete a group, the Group Push mappings associated with the group are disabled and the mapping status will show as an error. You can then either deactivate or delete the mappings. For information about Group Push, see Using Group Push.

When you create a rule for an active Identity Provider, you can choose whether to activate the rule and apply it immediately, or else create it in an inactive state. Conversely, when you create a rule for an inactive Identity Provider, the rule cannot be activated and is automatically created in an inactive state. Screenshot:
When you deactivate an Identity Provider with active routing rules, Okta displays a warning that the rules will be deactivated. Screenshot:
For more information about Identity Providers, see Identity Providers.

When configuring network zones, admins can now set Kosovo as a country using country code XK in order to ensure that IP addresses from Kosovo are more accurately defined. For more information about network zones, see Networks.

If an app-to-app mapping includes an invalid expression, profile sync job creates a new System Log event to capture the failure, skips evaluating the expression, and processes the rest of the mapping. Screenshot:

The BambooHR integration now supports OpenID Connect (OIDC). For configuration information, see the BambooHR Provisioning Guide.


The Okta browser plugin for Chrome is updated to version 5.24.1. This version includes the following bug fix:
- App icons did not load in Okta plugin for Google Chrome when the CDN was disabled.
For version history, see Okta Browser Plugin Version History.


The Okta browser plugin for Chrome and Firefox browsers is updated to version 5.24.0. This version includes an update to the end user plugin settings (available in Early Access) and back-end product enhancements. For version history, see Okta Browser Plugin Version History.

Job Title has been added to the list of RingCentral custom attributes that can be added via Schema Discovery. For more information about RingCentral provisioning, see the following provisioning guides:

For SharePoint (On-Premises) app, Expression Language evaluation for Application Attributes now supports sending any OKTA user attributes, including custom OKTA user attributes. For more information, see Adding the SharePoint (On-Premises) App in Okta.

During standard imports, users are sometimes mistakenly imported from 3rd-party apps. The Clear Unconfirmed Users button allows admins to clear all unconfirmed users within an import queue. See Import users.


When generating reports, the earliest start date you can select is now 13 months prior to the current date. For details about Okta reports, see Reports.

Okta has made a new app integration, Microsoft Power BI, available for the Microsoft Office 365 app. You can enable it on the General tab of your org's Microsoft Office 365 app instance. For details, see Enable a Microsoft Office 365 application.


Region codes for China have been updated due to a recent change in the universal ISO standard. To prevent region codes from displaying incorrectly, update your network zone region codes accordingly. For more information, see Network Zones.

Unlinking between an Okta group and the pushed group in downstream application cannot be reversed. A notification has been added to warn the admins that unlinking a group in this way cannot be undone. Screenshot


User Locked Out emails are sent to admins in batches and contain a list of all users who are locked out. The email shows users locked out since the previous email was sent. Previously each admin received one email for each locked out user in real time.

Administration for multifactor authentication is streamlined with a new single page design that improves navigation and usability for enabling and configuring authentication factors. For more information, see Multifactor Authentication.

We’ve added more detail to the user state labels on the People page. Screenshot:
And now provide the action required for users in a pending state on the User Profile page. Screenshot:

This feature enables an administrator to configure a workflow for a self-service app that requires approval. It enables an end user to request access to an app and an approver to approve or deny the request. For more information, see Access Request Workflow > Configure the App Approval Workflow.

The policy for randomly generated passwords for Password Sync can now be defined by Okta, on a per-app basis.
If Okta’s randomly generated password for Password Sync does not meet the password requirements of a specific app, Okta can, upon request, change that app’s password policy. This functionality is now available for all orgs.

Okta now deletes all users' sessions after a successful password reset as part of the forgot password flow.

Admins can configure activation emails with lifetimes of 1, 2, or 4 hours. For more information on the General security options, see General Security. Screenshot

There were no new features in this release. For new apps and bug fixes delivered in this release, select the appropriate tab.

There were no new features in this release. For new apps and bug fixes delivered in this release, select the appropriate tab.


Only a Super Admin can view the self-service menu (Applications > Self Service) for an organization. In the past, both org admins and super admins could access this menu. There is no change to the options on the menu. For more information on roles and permissions, see Administrators.


In an Identity Provider Discovery flow, the username entered as the identifier in the first screen is passed to other Okta orgs. End users do not need to re-enter a username when signing in to any other Okta org to which they are redirected. For more information, see Identity Provider Discovery.

Support for the Norwegian (Bokmål) language for the end user experience is now available to all customers in Beta format. You can select the default language preference for your entire org, and your end users can select a different language preference for their own experience. For more information, see Configure the Display Language.


Super org admins can now download a CSV file containing a list of all admins and their permissions, using the Download CSV button on the Administrator page. For details, see Administrators. Screenshot

Requests to the /token and /authorize endpoints will now accept JWTs signed with a private key. For more information, see the OIDC documentation for the token endpoint and the authorize endpoint.

These email notification types are off by default for admins in new orgs:
- User Deprovision
- App user import status
- User lockouts
Each admin can individually opt in at Administrator > Settings > Account. Admins in existing orgs will be unaffected. For details, see Account Settings. This feature is available for new orgs only.

When enabled, end users will receive a new device notification email when signing in to Okta from a new or unrecognized device. This feature is now generally available to all orgs. For more information about email notifications, refer to the New or Unknown Device Notification Emails section in General Security.

Okta is consolidating where app usernames are configured. Instead of being able to change the app username in the Profile Editor and the app’s Sign On tab, you will be able to edit the Okta to App username mappings only on the app’s Sign On tab.
Note: The following apps will not be changing their behavior: Active Directory, LDAP and SAML Identify Provider.

For the Okta to App flow, you can no longer override username mappings in the Profile Editor.
Username mappings on the Sign On tab
The userName mapping in the app's Sign On tab will be the source of truth for the Okta to App flow. Updating the userName mapping on Create only or Create and Update will also be controlled from the app's Sign On tab. Screenshot:

Super Admins and Org Admins can send all admin emails as BCC so that recipients' email addresses are hidden. For more information, see Global notifications options.Screenshot

You can now disable the default Okta loading animation (interstitial page) that appears when users are redirected to custom applications. End users are shown a blank interstitial page, instead. This allows you to present a more branded end user experience. For more information, see Customizing the Interstitial page>. Screenshot:

This feature streamlines the App Self-Service UI with the Access Request Workflow UI and allows admins to write a note to the end user about the app instance. See Access Request Workflow and Self Service Registration for more details. Screenshot

You can now assign Apps to App Admins at the instance level. This allows for more granular access control. For details, see Administrators.

We have added a new, customizable email template that alerts your end users when someone connects to their Okta account from a new device. This feature protects against silent access to an end user's account. For more about Okta email templates, see Email and SMS Options. This feature is Generally Available for new orgs only.

The Multifactor Factor Types UI has been updated to include U2F activation and enrollment for end users. For more information about U2F enrollment, refer to the Factor Types Configuration section in Multifactor Authentication.


You can integrate Adaptive MFA with your VMware Horizon View , Pulse Connect Secure, BeyondTrust PowerBroker Password Safe, and Check Point clients. Follow these links for more information and complete setup instructions.

The Self Service Registration (SSR) form now supports enum data types of string, numbers, and integers. For more information, see Okta Self-Service Registration.


Admins now receive an email listing all users deactivated during 30 minute periods instead of individual emails for each deactivation.

Okta has made a new app integration, Microsoft Forms, available for the Microsoft Office 365 app. You can enable it on the General tab of your org's Microsoft Office 365 app instance. For details, see Enable a Microsoft Office 365 application. Screenshot


This version contains security enhancements. For version history information, see Okta RADIUS Server Agent Version History.

This version contains security enhancements. For version history information, see Okta On-Prem MFA Agent Version History.


The System Log now reports when requests are denied due to a blacklisted network zone. Screenshot:
For more details about the System Log, see Reports.

The Factor Type for MFA events is moved from the Actor's details to the Event's details in the System Log. Screenshot:
For more details about the System Log, see Reports.

Okta has added the following nine supported languages for Email and SMS Customization: Czech, Greek, Hungarian, Indonesian, Malaysian, Polish, Romanian, Turkish, and Ukrainian. See Supported display languages.

BambooHR now retrieves additional attributes such as department and division for pre-start users.
For more information about BambooHR provisioning, see the BambooHR Provisioning Guide.

An enhancement to the device fingerprint feature has been made so that end users may receive a new device notification email when signing in via an embedded browser. Sign in via embedded browsers can take place in applications such as Microsoft Outlook on Mac OS or Windows and mobile apps. For more information about email notifications see New or Unknown Device Notification Emails.

Admins can now recover the default values of mappings that had been overridden during individual app assignments. This feature also clearly displays default EL expressions, and simplifies overrides with Override and Reset buttons. For more information, see Attribute Mapping Overrides.

When enabled, Okta imports Google custom schemas which you can then map as additional custom properties. Note: In order to have permission to pull custom schema information from Google, Okta requires an additional OAuth scope. This requires you to reauthenticate your app instance in order use this functionality.
For more information about Google schema discovery, see the G Suite Provisioning Guide.

When you create a custom attribute, you can enter a list of enum values. For example, you can create a Shirt size attribute with a list of values including: small, medium, large. For details, see Create Custom Attributes.

This feature allows you to create instances of the Salesforce.com app that can integrate with either a Salesforce Customer Portal or a Salesforce Customer Community. For more details, see the Salesforce Provisioning Guide.

You can configure a custom domain so that email Okta sends to your end users appears to come from an address that you specify instead of the default Okta sender noreply@okta.com. This allows you to present a more branded experience to your end users. For details, see Configure a Custom Email Domain. Screenshot

Okta Mobile supports fingerprint authentication on Android devices and Touch ID/Face ID authentication on iOS devices. For details, see Lock/Unlock the Okta Mobile App. Example Screenshot:

Voice Call Factor authentication is now available as an MFA factor. With this feature enabled, end users will receive a phone call that audibly provides a 5 digit verification code to be entered upon login. This factor can be enabled either on its own or with other factors enabled. For more information about voice call as a factor, see Multifactor Authentication. Screenshot:

The Group member page (Directory > Groups) has the following enhancements:
- The Manage People button is now the Add Members button.
- The Search bar is relocated to the right side of the screen.
- The managed column is now the Added By column to indicate who added the new group member.
Additionally, when searching for a user name, if the number of search results exceeds the page limit, you are prompted to refine your search.

Super Admins have the ability to enable select Early Access (EA) features to which their organization is entitled. There is no need to contact Support to request access to these new features. EA features that require additional configuration will still require assistance from Support to be enabled. For details, see Manage Early Access features.
You can also track availability of EA features on the Product Roadmap available in the Okta Help Center.


In addition to filtering by application, Okta's Application Usage report has an option to include report data from All applications. If you select this option, the data is only available to download as a CSV file (in unaggregated format).
For more details, see Reports. Screenshot

Group Push now supports the ability to link to existing groups in Zendesk. You can centrally manage these apps in Okta. While this option is currently only available for certain apps, Okta will periodically add this functionality to more and more provisioning-enabled apps. This feature is now GA. For details, see Using Group Push.

The System Log now reports when a user has been imported, updated, and deleted through real time sync. Screenshot

The OIN Manager is an Okta portal through which independent software vendor (ISV) partners can submit SSO and provisioning apps to Okta. Once approved, these integrations are included into the Okta Integration Network (OIN).


You can integrate Adaptive MFA with your Sophos VPN clients. For more information, see Configure Sophos UTM to Interoperate with Okta via RADIUS.

We have increased the default number of group membership rules allowed per org from 100 to 2000. For details about Group rules, see About Groups.

If your server policy is set up to deny access to external IP addresses and websites, you must configure a whitelist to enable access as required. The IP whitelist information can be obtained programmatically and can be downloaded in JSON format here: IP whitelist file. To view the current IP ranges, download the .json file. To maintain a history, save successive versions of the file. For more information about Okta IP whitelisting, see Configuring Firewall Whitelisting.

Okta continues to optimize performance in generating reports with a focus on data reliability, quality and self service of report data delivery. To achieve this, certain reports are now delivered asynchronously as a CSV download. For more information about reports, see Reports. Screenshot:

This release includes the following changes:
- The installer will not continue if it cannot use a TLS 1.2 connection to connect to the Okta service. For Windows 2008 R2 TLS 1.2 is disabled by default and needs to be enabled through the registry. For details, see TLS 1.2 registry edits.
- Increased the minimum .NET version supported to 4.5.2. If the installer does not detect .NET 4.5.2 or higher, it will be installed.
For version history, see Active Directory Agent Version History.


U2F is available as an MFA factor. See Factor Types for more information about different MFA types, including U2F. Screenshot:

The Okta browser plugin for the Chrome, Firefox, Internet Explorer, and Safari browsers was updated to version 5.19.0 in release 2018.24. This version provides support for the Okta Account Chooser. For version history, see Browser Plugin Version History.

The Okta System Log and Events APIs filter out any password information that customers might have included in query parameters. This filter is part of our on-going optimizations to scrub sensitive data from logs. Okta always recommends that customers use POST requests, and never use sensitive data in HTTP GET parameters. Screenshot:


Setting multiple enum value attributes on the end user Profile Settings page is now supported. Screenshot:

New Salesforce app instances now come with a reduced set of base attributes:
- username
- firstName
- lastName
- profile
Attributes that used to be in the base schema are moved to custom:
- title
- communityNickname
- mobilePhone
- phone
- street
- city
- state
- postalCode
- employeeNumber
- companyName
- division
- department
- managerId
- role
- salesforceGroups
- featureLicenses
- publicGroups
This change allows admins more fine-grained control over which attributes Okta will sync in the downstream SFDC instance.
For information about Salesforce provisioning, see Okta's Salesforce Provisioning Guide.

Okta supports custom expressions when mapping attributes from Okta to Confluence. For more information about Confluence provisioning, see the Confluence Provisioning Guide.

- Support for custom properties to push and import to/from Google.
- Support for multi-value fields (arrays) for Google Schema Discovery.
For more information about Google schema discovery, see the G Suite Provisioning Guide.
Note: Boolean properties for multi-value fields are not supported by Okta Universal Directory. They are ignored during schema import and are not visible in the Profile Editor.

A confirmation notification is now displayed after resetting or enrolling in a factor. Screenshot:

You can integrate Adaptive MFA with your F5 BigIP APM Edge clients. For complete installation and usage information, see Configure the F5 BigIP APM to Interoperate with Okta via RADIUS.

New message notifications appear when an Authorization Server is activated, deactivated, or deleted. Screenshot:

To address a security vulnerability, end users' primary email address is now populated automatically in the Request Access to Apps dialog box and the Your email field is no longer editable. The dialog box displays when end users click Request an app in the footer of their Okta org. Screenshot:


All admins are being unsubscribed from receiving email notifications for Known Issues and System Outages which is now renamed to Trust incidents and updates. To receive these notifications, go to Settings > Account > Email Notifications. For details, see Email Notifications.

In Settings > Account, under Email Notifications, the Known Issues and System Outages option is renamed to Trust incidents and updates. All new Super admins will be subscribed by default. For details, see Email Notifications.

Some admins can select whether they want to receive emails when a user is deactivated. The admin roles that have this option are: Super Admin, Org Admin, App Admin and Mobile Admin. For details, see Email Notifications.

The following events are added to System Log:
- The feature for supporting multiple network zones is disabled for an org (IWA SSO only).
Screenshot:
- When synchronizing users with a directory, users will be skipped if they match default filter rules.
Screenshot:



The Okta Downloads page contains a new section, MFA Plugins and Agents that replaces the Okta On-Prem MFA Agents section. Screenshot

By default, Okta requires user names to be formatted as email addresses in Okta Universal Directory. Using the Format Restriction control in the Profile Editor, Administrators can remove the email format constraint from the Username attribute in Okta UD or replace it with a specific set of characters that are allowed. This provides additional control over the format for Okta usernames for all users in an Okta org. For more information see Manage profiles.

End users can now switch between multiple Okta accounts easily through the Okta browser plugin. This feature prompts signed-in end users to trust or reject subsequent Okta accounts the first time they access those accounts allowing them full control to choose seamlessly between accounts. For details, see Switch between multiple Okta accounts using the plugin. Screenshot


If there's a problem with the Okta browser plugin, an error message with a Refresh Plugin button now displays allowing end users to refresh the plugin cache. For more, see About the Okta Browser Plugin. Screenshot


The list of Okta-provided email templates is reorganized by template type. This makes it easier for admins to find and evaluate Okta-provided email templates in Settings > Email & SMS. For more information about Okta email templates, see Email and SMS. Screenshot:

Error message text has been modified when assigning non-email formatted values for username attribute.

The System Log contains an entry when a user cannot be unlocked automatically by the nightly batch job due to a read-only event. Screenshot:

Authentication whitelisting and blacklisting (explicitly permitting or denying access) based on network zones is now Generally Available (GA). Network zones are sets of IP address ranges. You can use this feature in policies, application sign on rules, and VPN notifications. This expands the use of Gateway IP Addresses. This feature is now GA for all orgs. For more information, see Network. Screenshot

Custom email templates allow you to send custom Okta-generated email messages to end users in multiple languages. See Customize an email template.
Screenshot

This version disables CDN during install and contains bug fixes. For history, see Okta RADIUS Server Agent Version History.

This version disables CDN during install. For history, see On-Prem MFA Agent Version History.

Okta Verify Auto-Push makes Multifactor Authentication (MFA) even easier. Now, when end users land on the MFA challenge page (with Okta Verify with Push enabled), the challenge is sent automatically with no need to click Send Push. To set up this feature, end users select Send Push Automatically on the authentication screen. For more information, see Okta Verify with Push Authentication. Screenshot:

Support for a cloud access security broker (CASB) is available for all SAML apps. For more information, see the CASB Configuration Guide.

When you customize an Okta-generated email template through the Add Translation dialog box, the text in the body of the template updates automatically into the language you select in the Language list. The Generally Available version of this feature includes updated labels and other minor UI improvements. See Supported display languages. Screenshot


The Litmos integration is updated to support SHA2 cryptographic hash algorithm which utilizes the new Litmos SAML endpoint splogin.
If you are currently using the Litmos SAML integration, Okta highly recommends that you review the steps outlined in the migration section of the Litmos Configuration Guide and switch to SHA2 at your earliest convenience. Screenshot:

You can extend Adaptive MFA to your Fortinet appliance. For complete installation and usage information, see Configure the Fortinet Appliance to Interoperate with Okta via RADIUS.

New device notification email events now appear in the System Log. Screenshot:

We've improved the user experience for U2F-compliant factor enrollment by making the following changes:
- U2F instructions are updated to remove references to specific browsers such as Chrome and Firefox
- Error messages now include more descriptive text
For more information, see MFA Factor Types. Screenshot:

There were no new Production features in this release.


Added the following enhancements to support Rate Limit notifications:
-
Notification banners within Okta for Super administrators when the Rate Limit warning and violation thresholds have been reached within the last 24 hours.
Screenshot
-
Automatic email notifications to Super administrators when the Rate Limit warning and violation thresholds have been reached within the last 24 hours.
Screenshot
-
An Email Notifications setting available in Settings > Account for the Super administrator to turn the email notification on or off. This setting is turned on by default.
Screenshot
-
Syslog entries that track discrete rate limit events for warnings and violations, and that can be queried independently or jointly. This provides you with a full picture of organizational as well as individual client trends.
For example, the following query shows both warnings and violations:
eventType eq "system.org.rate_limit.warning" OR eventType eq "system.org.rate_limit.violation"
Both the notification banner and the email notification contain a link to the query above.
Screenshot
For more information, refer to Rate Limiting at Okta.

The Convert Assignments screen is populated only when there are assignments to convert. When there are no assignments to convert it presents a message. Screenshot.

The Downloads page includes the following changes:
- The agent status is highlighted at the top of the page, indicating whether or not agents are up-to-date.
Screenshot
- Agent status information appears after the first agent of that type is configured.
- For the AD, SSO IWA, On-Prem MFA, Provisioning, and LDAP agents, there is now a status message indicating whether the agent is up-to-date or a new version is available.
- The Connected Agents table displays the host name, the version of the agent that is currently running, whether the agent is TLS 1.2 compliant.
Screenshots
- The AD Password Sync and RADIUS agents information includes a link to the System Log to view the agent version, if applicable.
- The Admin Downloads section moved to the top of the page and similar agents are grouped (for example, all AD agents are together).
- A link to a CSV file containing this information is added to the right-hand sidebar.
Screenshot

ID tokens can now be retrieved using a Refresh Token.


If Okta fails to process an IWA token, you can now redirect end users to a custom error page. This option is useful if you embed Okta into your solution and want to control end-to-end branding to enhance end user experience. For more information, see Login Error Page.
Note: This feature is now Generally Available for all orgs.


You can deactivate Workday mastered users on their last day worked, even if the period of time between that day and the termination exceeds a specified Pre-Start interval. See the Workday Provisioning Guide for more information.

The Workday integration now connects to the latest Human Resources API (v29) and uses the Maintain Contact Information Workday API for email and telephone write back, a more secure web service that some customers prefer. Additionally Okta has improved the pre-start interval functionality by only processing new users being created and ignoring updates within the pre-start interval. There are also some performance enhancements when performing an import from Workday. See the Workday Configuration Guide for details.
This feature is Generally Available for new orgs only.

You can configure Advanced API Access for Office 365 instances by using the admin consent option on the Sign On tab.
Admins needs to leave this checked to complete OAuth authentication flow with O365, which is required for signing into applications such as Yammer, Teams, and CRM. For more information, see Admin Consent for Advanced API Access. Screenshot:

Okta has updated its Workday integration: Workday Real Time Sync (RTS) can now run concurrently with regular imports. Refer to Workday Provisioning Guide to learn more about Workday RTS.


If the org admin revokes the Device Trust certificate through the admin console, the Sys Log for Device Trust Certificate Revocation now identifies the admin. As before, if the certificate is implicitly revoked due to user deactivation, the Actor continues to be shown as Okta System. For details, see Revoke and remove Device Trust certificates.
Screenshot:

The Citrix NetScaler Gateway now integrates with Okta via RADIUS, in addition to SAML and OAuth. For detailed information, see the Citrix Netscaler Gateway Radius Configuration Guide.

Password Reset is available for users who are not yet active. This is to enable users who may have lost their original activation email to request a password reset.

Email addresses enclosed in double quotation marks are supported for Okta logins.

The Account tab on the Customization page is renamed General. For details about options on this tab, see Customization. Screenshot:

Direct links to the documentation for the Okta Windows Credential Provider and the Active Directory Federation Services (ADFS) Plugin are available in the sidebar. Screenshots:


This Generally Available agent update contains the following fixes:
- Locate the correct user when searching for a SamAccountName that is duplicated in a forest
- Include the User-Agent in the header of the request
For history, see AD Password Sync Agent Version History.

This release fixes an issue where the screen appeared blank. For version history see Browser Plugin Version History.

The Forgotten Password Text Message screen offers an option to resend the code to enter for SMS or call again for Voice call. For more information about password reset functionality, see End User Password Reset.
Screenshot:

The PagerDuty app now implements v2 of the PagerDuty API. PagerDuty API v1 is going to be deprecated on April 24, 2018. The change of API should be transparent to customers. For more information, see https://v2.developer.pagerduty.com/. For more information about PagerDuty provisioning, see the PagerDuty Provisioning Guide.

This version provides internal fixes to the installer, including a fix which allows the installer to work behind a firewall.
For history, see On Premises Provisioning Agent and SDK Version History.


You can configure the Okta browser plugin to behave on your custom end user portal exactly as it behaves in the Okta end user dashboard. For details, see Configure your custom end user portals to leverage the Okta browser plugin.

If Okta fails to process an IWA token, you can now redirect end users to a custom error page. This option is useful if you embed Okta into your solution and want to control end-to-end branding to enhance end user experience. For more information, see Login Error Page.
Note: This feature is Generally Available for new orgs.

You can now set the SkipUrls registry key to prevent the Okta Internet Explorer browser plugin from inspecting the pages of specified URLs for the presence of login and change password forms. This allows pages to load faster. For details, see Exempt specified URLs from login form inspection.

When both first and last name attributes are empty, the login name is displayed in the following UI pages:
- User Picker in App Approver picker
- New Group
- Convert individual user back to group in app
- Exclusive user list in group rule
- App User assignment
- API token review
- Yubikey UI
- Spotlight search
First and last names can be null if they are removed in the Profile Editor or changed with the Users API.

This Generally Available release provides the following:
- To improve the security of IWA integrations, we now default to the TLS 1.2 security protocol in orgs running .NET Framework 4.5 or later. Orgs running earlier versions of the .NET Framework continue to use TLS 1.0.
- Fixed an issue that caused an error when accessing the Box desktop app with SSO.
- Internal fixes to the installer.
For history, see IWA Agent Version History.

This Generally Available release provides internal fixes to the installer. For history, see LDAP Agent Version History.

This release provides performance and security enhancements. For version history, see Browser Plugin Version History.

Email notifications sent to users after the detection of a new device or browser at login have improved messaging and now specify Unknown browser and Unknown OS instead of just Unknown.


Okta and Palo Alto Networks interoperate through either RADIUS or SAML 2.0. For each Palo Alto gateway, you can assign one or more authentication providers. Each authentication profile maps to an authentication server, which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls. For more information, see Configure the Palo Alto Networks VPN to Interoperate with Okta via RADIUS.

The Client ID field is now populated in the Client Section of the System Log. Screenshot:

System Log entries are now added for the Hipchat and Confluence apps. For details, see the Hipchat and Confluence sections in Provisioning Integration Error Events.

When setting up an Microsoft Office 365 app, the checkbox for Admin Consent on SSO tab is now unchecked by default. For more information on Admin Consent, see Admin Consent for Advanced API Access.

Updated app icons for Okta Verify are available for iPad users. Screenshot:

The Okta ADFS (Active Directory Federaton Services) Plugin version 1.4.0 is available. This version supports load balanced ADFS servers.


The Learn More link in the Attributes Statements (optional) section of the SAML Settings page points to improved information. Screenshot:

In environments where internet traffic is required to go through a proxy, the sign-in flow for the AD agent installer uses the proxy settings specified within the installer. If no proxy settings are specified, the machine defaults are used. Previously,admins had to open up a hole in their data center firewall during installation.
For more information about the AD agent see Okta Active Directory Agent.

An in-product link to the Provisioning Guide for Cornerstone app is added, replacing in-product help text.

This release provides the following:
To improve the security of IWA integrations, we now default to the TLS1.2 security protocol in orgs running .NET Framework 4.5 or later. Orgs running earlier versions of the .NET Framework continue to use TLS1.
For history, see SSO IWA Web App version history.

This new version supports TLS 1.2.
For history, see On-Prem MFA Agent Version History.


Labels and messages in the Customize an email template feature are updated to improve usability.

The Microsoft Office 365 (O365) admin consent flow is now optional and is selected by default on the Sign On tab for the O365 app. Admins needs to leave this checked to complete OAuth authentication flow with O365, which is required for signing into applications such as Yammer, Teams, and CRM. For more information, see Admin Consent for Advanced API Access. Screenshot:

The default scopes included with OAuth Custom Authorization Servers have improved display names and descriptions.

This new version supports TLS 1.2. For history, see Okta RADIUS Server Agent Version History.


When configuring scopes for Identity Providers, whenever a comma, tab, or return is typed, scopes are tokenized. For example, typing "Profile, Email" in the Scopes field in the screenshot below, will result in two scopes, Profile and Email.
For more information, see User Consent for OAuth 2.0 and OpenID Connect Flows.

Okta has defined 31 default base attributes for all users in an org. These base attributes are generally fixed and cannot be modified or removed. There are now two exceptions: First Name and Last Name. These two attributes can now be marked as required or optional for Okta-mastered users only. For details, see Profile Editor.

An enhancement was made for our platform customers using the auto-push feature for Okta Verify. As a result, all product users will need to re-affirm their Okta Verify Auto-Push preference (check the Send Push Automatically checkbox) if it was checked previously. Following this, Okta Verify with Auto-Push will behave as it did originally. For more information about this new parameter, see https://developer.okta.com/docs/api/resources/authn.html#request-parameters-for-verify-push-factor.

This release provides the following:
- Improved IE performance when Browser Help Object (BHO) logging is enabled
- An option to opt out of cert pinning through the registry
- Iimprovements and bug fixes
For version history, see Browser Plugin Version History.

- System Log events are added for the ExactTarget, GitHub, Google, Gotomeeting, Rightscale, Roambi, Samanage, SendWordNow, ServiceNow2, ServiceNow, Smartsheet, SugarCRM, VeevaVault, WebEx, Yammer, and Zendesk provisioning integrations. Previously, the log events were only available using the Okta API. For details, see Provisioning Integration Error Events.
- System Log events are added for the Huddle, Jive45, Litmos, Lotus Domino, MoveIt DMZ, Msbpos, NetSuite, Org2Org, PagerDuty, Postini provisioning integrations. For details, see Provisioning Integration Error Events.

We have added new external Id attribute to the Zendesk provisioning app. Screenshot:

You can now customize the email SAML attribute for the Netsuite app to map to an email or username attribute.

The Enable on-premises provisioning configuration option is removed from RADIUS apps, as it is not supported.

Okta and Cisco ASA interoperate through either RADIUS or SAML 2.0. For each Cisco ASA appliance, you can configure AAA Server groups which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls. For more information, see Configure the Cisco ASA VPN to Interoperate with Okta via RADIUS.

Version 2.7.0 of the Okta Sign-In Widget is available. New features include :
- Voice call as an option for Unlock Account
- Display of multiple MFA responses
- Display a warning for beta registrations
For more information, see Okta Sign-In Widget.

The Okta Application Network (OAN) includes more than 5,000 pre-integrated business and consumer apps. As Okta expands beyond SSO and Provisioning, we are extending the network to include new integration types, and updating the catalog name to the Okta Integration Network (OIN). As part of this rebranding, we have changed the UI and documentation to reflect this change—managing and adding your apps and integrations remain the same.
The OIN now includes the following new integrations in addition to previous SSO and Provisioning options:
- F5 BIG-IP APM
- Sumo Logic Okta Activity Log Integration
- ServiceNow - Okta Orchestration Activity Pack
- Splunk Add-on for Okta
- QRadar Device Support Module (DSM)
For details about these new integrations, search and click the Learn More button. Screenshot:
Note: This feature is now Generally Available for all orgs.

The flow of an end user's identity throughout the different stages of access is known as a user’s lifecycle. This release contains several enhancements to define the options that manage this cycle clearly.
- Simplified Import settings: Using a profile master necessitates a clear distinction between new and imported end users to prevent conflicts. Feedback from our users prompted improvements with matching rules, auto-confirmation and auto-activation settings.
- New lifecycle settings: When an end user is deactivated in a profile mastered app, admins can now set whether they are deactivated, suspended, or remain an active user in Okta.
See Profile Mastering and Life Cycle for more details.
Note: This feature is now Generally Available for all orgs.

Secure your APIs with API Access Management, Okta’s implementation of the OAuth 2.0 authorization framework. API Access Management uses the Okta Identity platform to enable powerful control over access to your APIs. API Access Management can be controlled by Okta admins as well as by a rich set of APIs for client, user, and policy management. For details on features available from the Admin console, see API Access Management.

We've improved the text and flow of the Add Rules dialog that is part of the Early Access API Management functionality. For details see, Create Rules for Each Access Policy.

The API Access Management Admin role has the following permissions:
- Create and edit Authorization Servers, Scopes, Claim, and access policies
- Create and edit OAuth/OIDC Client apps
- Assign users and groups to OAuth/OIDC client apps
- View user profiles when assigning users/clients for token preview
For more information, see API Access Management.

An animated transition page now appears when users click app integrations to log into apps:


Integrating Social Login with Okta is improved with redesigned screens, prepopulated IdP username value, and expanded entry options for scopes. Screenshot:

The following message changes apply to either the Okta Org Authorization Server or a Custom Authorization Server including default (which requires API Access Management), or both, as indicated in each section.

The existing messages app.oauth2.authorize_failure, app.oauth2.as.authorize_failure and app.oauth2.as.authorize.scope_denied_failure replace these messages:
- app.oauth2.authorize.access_denied
- app.oauth2.authorize.invalid_client_id
- app.oauth2.authorize.invalid_cache_key
- app.oauth2.authorize.no_existing_session
- app.oauth2.authorize.login_failed
- app.oauth2.authorize.mismatched_user_in_cache_and_session
- app.oauth2.authorize.user_not_assigned
- app.oauth2.authorize.scope_denied
- app.oauth2.as.authorize.warn_failure
- app.oauth2.as.authorize.scope_denied
Details about the nature of the failure are included, so no information has been lost with this simplification.
These System Log changes affect responses from requests that involve either the Okta Org Authorization Server or a Custom Authorization Server including default.

Instead of supplying two different messages for token grant failures on /token, the existing message app.oauth2.as.authorize.token.grant_failure replaces these messages:
- app.oauth2.as.token.grant.warn_failure
- app.oauth2.as.token.grant.scope_denied_failure
This System Log change affects responses from requests that involve a Custom Authorization Server including default.

Instead of supplying a different message for ID token and access token generation, there's just one message for each. The ID token or access token minted is included in the message as it was previously.
- The existing message app.oauth2.authorize.implicit_success replaces:
- app.oauth2.authorize.implicit.id_token_success
- app.oauth2.authorize.implicit.access_token_success
- The existing message app.oauth2.as.authorize.implicit_success replaces:
- app.oauth2.as.authorize.implicit.id_token_success
- app.oauth2.as.authorize.implicit.access_token_success
The _success messages weren’t being written to the System Log previously, but are now.
These System Log changes affect responses from requests that involve either the Okta Org Authorization Server or a Custom Authorization Server including default.

Instead of supplying a different message for ID token and access token generation, there's just one message for each. The ID token or access token minted is included in the message as it was previously.
- The existing message app.oauth2.authorize.implicit replaces:
- app.oauth2.authorize.implicit.id_token
- app.oauth2.authorize.implicit.access_token
- The existing message app.oauth2.as.authorize.implicit
replaces:
- app.oauth2.as.authorize.implicit.id_token
- app.oauth2.as.authorize.implicit.access_token
These System Log changes affect responses from requests that involve either the Okta Org Authorization Server or a Custom Authorization Server, including default.

System Log entries are now added for the GoodData app. For details, see the GoodData section in Provisioning Integration Error Events

Admins can update the second email address on a master user profile when Attribute Mapping is enabled.

The Okta Sign On screen display is improved to display all factors when multiple Multifactor Authentication factors are required.

The header size limit for CSV imports is increased from 1000 to 50,000 characters.


The System Log tracks the following items:
- User authentication via IDP.
Screenshot:
- Country code for SMS and voices.
Screenshot:
- System Log events are added for the Clarizen, CrashPlanPro, Docusign, and Egnyte provisioning integrations. For details, see Provisioning Integration Error Events.

Added validation to API token creation when the maximum character length is exceeded


When creating or updating a rule in the Custom Authorization Server's policy, there is a button to add all default OpenID Connect scopes to the rule condition quickly. Screenshot:
For more information, see Create Rules for Each Access Policy.

Grant types for OAuth 2.0 clients are reorganized for convenience on the General Settings page for an app and in the app creation screen in the developer console. For information on grant types, see App Wizard - Procedures. Screenshot:

The Okta Sign In page supports unlocking an account with a Voice Call. Screenshot:


-
The System Log tracks mass password expiry events.
Screenshot:
-
The System Log tracks events when a user account is unlocked by an Admin, when the primary email for an account is updated, and when behaviors are detected.

When defining custom scopes for an Authorization Server, you can choose whether the metadata for these scopes is included in the public metadata. For more information, see Create Scopes.

Information and error messages are improved for the Access Token Lifetime and Refresh Token Lifetime setting in a policy rule. Screenshot:

Okta’s Privacy Policy, available at https://okta.okta.com/privacy/, was updated on January 18, 2018 in order to comply with new, forthcoming requirements promulgated by Google, and to disclose more precisely the manner in which Okta interoperates with Google's G Suite after the OAuth authentication flow is successfully completed by the admin.


The password policy soft lock feature provides the option to lock Active Directory (AD) mastered users in Okta with password policies. To ensure that users are locked in Okta before they are locked out of their windows accounts, Admins must set a lockout count in Okta that is lower than the lockout count specified in the AD policy.
This feature does not change the current behavior for any organizations. Consequently, when this feature is enabled, the default invalid password lockout count for Active Directory password policies is reset to zero (0). Admins must specify a new lockout count to use this feature which s tracked in the System Log as a policy update event.
Some legacy customers might have non-zero values set in the invalid password lockout count in Okta. When these values are reset to zero with this feature, a System Log event is created to show the old and new values and inform Admins that the lockout is disabled.
For more information, see Group Password Policies.
Import Lockout Status from AD
Lockout status from AD is not imported automatically. To receive these imports, contact Okta Support. Any legacy users who already receive these imports will continue to receive them.
Rollout
This feature is becoming Generally Available and will be enabled in a phased manner across all cells. The feature will be enabled for the majority of customers in Preview and US Cell 1 by January 19th and for the remainder of customers in all other cells by February 2nd.

The button for creating OAuth 2.0 Services (Client Credentials apps) is moved from the applications list into the Add Application Wizard. For more information, see Add OAuth 2.0 Client Application. Screenshot:

During OAuth Token Preview, selections for response type are not visible when the grant type is not IMPLICIT. For more information on token preview, see Test Your Authorization Server Configuration.

The General tab on the app instance screen for OAuth 2.0 clients now displays the Login initiated by dropdown for all grant types with App Only as the default. Screenshot:

System Log entries were enhanced to include events when users were unassigned from group membership. Screenshot:

Admin Managed tabs are not created if there are no apps to display in the tab. For more information, see Manage dashboard tabs for end users.


When admins create a new user they can choose whether to have that user create a password on first sign in or create a password for the user which must be changed on their next sign in. For details, see Add People.

Added support to allow updates to User and AppUser profile schemas. See App User Schema API documentation for more information.

The following User Profile properties have been added to our Netsuite integration:
location, class, notes, salutation, homePhone, officePhone, fax
To use these properties, you can either create a new app instance, or contact Okta Support to manually migrate the User Profile template. For more information about our Netsuite integration, see the Netsuite Provisioning Guide.

In Settings > Customization, fields in the Sign In page section now contain default placeholder text instead of default editable text. This enhancement makes it easier to distinguish fields that contain Okta's default text from fields that contain custom, admin-provided text. Placeholder text disappears when you enter custom text in the field. For more information, see Customize Sign In Page headings, links, labels, and placeholders.

Explanatory text on the Authorization Server are expanded, and also include a direct link to the Authentication Guide topic on the Developer site.

Error messages for permission errors for the password reset dialog are more descriptive and user-friendly.

All new SAML 2.0 apps are bootstrapped with SHA-256 signed public certificates. Existing SAML 2.0 apps are unchanged.

We have added email and phone writeback functionality for UltiPro international employees. For more information about UltiPro provisioning, see UltiPro User Import and Provisioning.
2018 Application Integrations and Updates


The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Pivotal Tracker: For configuration information, see Tracker SCIM Documentation.


The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- Retool: For configuration information, see Retool's SCIM User Provisioning - Okta Specific Guide.
- VidCruiter: For configuration information, see VidCruiter's Configuring SCIM with Okta.

-
Freshdesk (OKTA-191125)
-
Numeracy (OKTA-197992)
-
Retool (OKTA-197113)
-
Saba (OKTA-193973)

-
CALXA (OKTA-191701)
-
Dashlane Business (OKTA-188394)
-
FannieMae DUS Disclose (OKTA-193513)
-
Hillgate Travel (OKTA-191141)
-
Jack Henry and Associates (IPAY) (OKTA-194266)
-
Moody's (OKTA-193598)
-
MyToll (OKTA-190867)
-
Ncrunch (OKTA-190531)
-
Nmbrs (OKTA-188157)
-
PrintMail (OKTA-194265)
-
Retargeter (OKTA-191730)


We have updated our Zoom integration to support a new attribute, User Type. This allows customers to set the User Type per user being provisioned from Okta to Zoom to be either Basic, Pro, or Corp.
For users who have set up the Zoom integration and enabled Provisioning before November 8, 2018, follow the migration steps detailed in Zoom's Configuring Okta With Zoom if you want to use the new attribute.


The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- Pivotal Tracker: For configuration information, see Pivotal Tracker''s Configuration Guide (note you will need to request access to this document.)
-
SpringCM: For configuration information, see SpringCM's Okta SCIM and SAML Integration.

-
Cerner (OKTA-194709)
-
Coralgix (OKTA-195349)
-
Digify (OKTA-193483)
-
eLeaP (OKTA-194168)
-
Mimecast - Admin (OKTA-193270)
-
Mobile Locker (OKTA-194895)
-
SaaSLicense (OKTA-195120)
-
Synthetix (OKTA-189127)

-
Star Station (OKTA-187650)

-
Aha! (OKTA-189385)
-
CorpTrav (OKTA-191634)
-
SAP Jam (SuccessFactors) (OKTA-189112)
-
Speco Technologies (OKTA-195019)



The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- Brivo Onair: For configuration information, see Brivo Onair's Identity Connector Integration Guide.
-
Rhombus Systems: For configuration information, see Rhombus Systems' How to Configure SCIM 2.0 with Okta.

-
Abstract (OKTA-192943)
-
Clubhouse (OKTA-194685)
-
ExpenseNet (OKTA-194122)

-
Lead Apparel (OKTA-187687)



The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- Cerner: For configuration information, see Cerner's Publishing Identity Data Using Okta (note that you need a Cerner account to access this documentation).
- Atlassian Cloud: For configuration information, see Atlassian Cloud's Configure User Provisioning with Okta.
- WorkRamp: For configuration information, see WorkRamp's SCIM Configuration Guide.
- AlertMedia: For configuration information, see AlertMedia's How to Configure User Provisioning with Okta (SCIM) (note that you need an AlertMedia account to access this documentation).

-
Aha! (OKTA-193716)
-
Drift (OKTA-193719)
-
Halo Communications (OKTA-192603)
-
Socialbakers (OKTA-193252)
-
UltiPro (OKTA-193804)

-
Abbvie (OKTA-189416)
-
Air Canada Travel Agency (OKTA-189703)
-
Asteron Life (OKTA-185986)
-
ChathamDirect (OKTA-189336)
-
Cloud Conformity (OKTA-189068)
-
Entoro Investor Login (OKTA-187239)
-
NoMachine: Workbench (OKTA-185837)
-
Plivo (OKTA-187847)
-
Sabre Vacations Travel Agency Login (OKTA-186555)
-
XactAnalysis (OKTA-188418)


- The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Figma: For configuration information, Figma's Configure Okta Provisioning.


The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- Federated Directory: For configuration information, see Federated Directory's Integrate with Okta.

- Pigeonhole Live (OKTA-191208)
- Slab (OKTA-190334)
- Sunlight (OKTA-190547)
- Twic (OKTA-190548)

- Amazon IT (OKTA-186022)
- AudaExpress (OKTA-187178)
- Citizens Business Bank Online Banking (OKTA-187670)
- Federal Mogul ePresentment for Corporation Statements & Invoices (OKTA-186329)
- WooBoard (OKTA-187152)

- Corporate Travel Management (OKTA-190328)


The Solarwinds SWA integration application has been enhanced to support custom login URL’s.


The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access
- Tehama: For configuration information, see Tehama's instructions to Create a SCIM-based connected application.
- TextExpander: For configuration information, see the TextExpander Okta SCIM Configuration guide.
- Keeper Password Manager and Digital Vault: For configuration information, see Keeper Password Manager and Digital Vault's Configuring SCIM with Okta.
- Netskope: For configuration information, see Netskope's Provisioning Users and User Groups using OKTA.

-
HubSpot (OKTA-190126)
-
Tines (OKTA-190101)

-
Alamy (OKTA-189545)
-
Citrix Netscaler Gateway (OKTA-185234)
-
HiPay (OKTA-186563)
-
Invisalign (OKTA-186776)
-
LowesLink (OKTA-185180)
-
Meritain (OKTA-186927)
-
Mimecast - Admin (OKTA-185382)
-
Sabre Cruises (OKTA-186554)


The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Zinc: For configuration information, see Zinc’s Setting up AD Sync with OKTA.


The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- Forecast: For configuration information, see Forcecast’s Single Sign-On and user provisioning with Okta.
-
Emburse: For configuration information, see the Emburse-Okta SCIM Configuration guide.

- Carbon Black - PSC (OKTA-187929)
- MyWorkDrive (OKTA-189557)
- Seed (OKTA-188581)

-
Air Canada: Corporate Rewards Agent Login (OKTA-185502)
- CommInsure: Adviser (OKTA-185985)
- OnePath Advisor (OKTA-185989)
- Risk Control (OKTA-185533)
- Scribble Maps (OKTA-185677)

- HighGround (OKTA-184805)



The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- Figma: For configuration information, see Figma's Configure Okta Provisioning.

-
Automox (OKTA-189108)
-
Instructure Bridge (OKTA-185486)

-
ABD Insurance and Financial Services (OKTA-183836)
-
Deluxe-Strategic Sourcing (OKTA-186091)
-
GoCompare (OKTA-185231)
-
Google Discover (OKTA-184419)
-
New Voice Media (OKTA-184604)
-
Nitro Cloud (OKTA-186292)
-
Salesforce (force.com) (OKTA-184354)
-
Zlife (OKTA-185988)



-
Figma (OKTA-186594)

-
Boardvantage Meetx/Director (OKTA-183845)
-
McMaster-Carr (OKTA-185177)
-
MyWave Connect (OKTA-183859)
-
Orgill (OKTA-185331)
-
RapidAPI (OKTA-185363)
-
Smallpdf (OKTA-184134)


- The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- 1Password Business: For configuration information, see Connect Okta to the 1Password SCIM bridge.
- Workplace by Facebook now supports Force Authentication. For more information see the Workplace by Facebook SAML setup instructions.


The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- Databricks: For configuration information, see the Okta Databricks Configuration Guide.

-
Avid Secure (OKTA-181718)
-
MyAcademy (OKTA-187155)
-
TopBox (OKTA-179620)
-
Workplace by Facebook (OKTA-185097)

-
Appsulate (OKTA-187156)

-
Brandify (OKTA-183379)
-
G Adventures Sherpa Agency (OKTA-183941)
-
GAMMIS (OKTA-182914)
-
IBM Partner World (OKTA-182930)
-
MIBOR (OKTA-187007)
-
TechPortal (OKTA-182900)
-
Zerto: DRaaS Service Portal (OKTA-180711)


- The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- ScreenSteps: For configuration information, see ScreenSteps' Configuring SCIM with Okta.
- 15Five now supports the following Provisioning feature (in addition to the other provisioning features that it already supports):
- Group Push
Users who have set-up the 15Five integration and enabled Provisioning before August 27, 2018, must follow the steps detailed in the 15Five Configuration Guide if they want to use the new features.


The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- OpenEye Web Services: For configuration information, see OpenEye Web Services' Configuring Okta Provisioning
- Sharpr: For configuration information, see How to Configure Provisioning for Sharpr.

-
Emburse (OKTA-185748)
-
TestingBot (OKTA-185998)

-
Akamai Enterprise Application Access (OKTA-180151)
-
Creditntell (OKTA-180856)
-
Essendant Solutions Central (OKTA-181089)
-
Exact Online (OKTA-167861)
-
Pure Storage Partners (OKTA-180445)
-
Wombat Security Awareness (OKTA-182578)

-
Zendesk (OKTA-181154)



The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- Meta Networks: For configuration information, see Meta Networks' How to Configure SCIM 2.0 For Meta Networks.

-
DailyPay (OKTA-184138)
-
Fastly SAML (OKTA-184539)
-
Mimeo (OKTA-184146)
-
ProMaster (by Inlogik) (OKTA-184149)
-
Recruiterbox (OKTA-184536)
-
StatusHub Hub SAML (OKTA-180233)
-
TeamViewer (OKTA-183668)

-
EveryoneSocial (OKTA-181223)
-
Hermes Investment Management: EOS (OKTA-179402)
-
IRMLS Indiana Regional MLS - Safemls (OKTA-181470)
-
NatureBridge (OKTA-183752)
-
Polygon (OKTA-183237)



The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- H5mag: For configuration information, see H5mag's Okta Single-Sign-On Integration Guide.

-
Content Insights (OKTA-168880)

-
Adobe Enterprise (OKTA-178641)
-
Amazon Video Partner (OKTA-177266)
-
MassMutual Not-for-Profit Workplace Retirement (OKTA-178022)
-
Nuance (OKTA-180548)
-
Primeiro Pay (OKTA-181176)



- Dovetale (OKTA-183038)
- People.ai (OKTA-180849)
- Workteam (OKTA-182091)

- Imprima iRoom (OKTA-181903)

- Apple Business Manager (OKTA-179326)
- Centrelink (OKTA-180192)
- Decision Lender (OKTA-179129)
- Emburse (OKTA-183553)
- Mobile Health Consumer, Inc.(OKTA-180025)
- MY TELE2 FOR BUSINESS (OKTA-178240)
- United Intranet (OKTA-179628)


Fuze now supports the following Provisioning features (in addition to the other Provisioning features that it already supports):
- Importing Users
- Profile Mastering
Users who have set up the Fuze integration and enabled Provisioning before August 1, 2018, need to follow the migration steps detailed in the Fuze Configuration Guide if they want to use these new features.


The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- Amazon Chime: For configuration information, see Amazon Chime's Connect to Okta SSO instructions.

- 4me (OKTA-180242)
- SendSafely (OKTA-180234)

- AIA (OKTA-179070)
- AirVantage (OKTA-177125)
- Clearview (OKTA-179071)
- Fiscal Unattended Portal (OKTA-178318)
- Looker (OKTA-174927)
- LucidPress (OKTA-177037)
- Thycotic Force (OKTA-181148)
- Vyond: GoAnimate (OKTA-177036)

- LinkedIn Learning (OKTA-177771)


Namely now supports the following Provisioning features (this is in addition to the Profile Master feature that it already supports):
- Create users
- Update user attributes
For users that have set-up the Namely integration and enabled Provisioning before July 23, 2018, they have to follow the migration steps detailed in the Namely Configuration Guide if they want to use the new features.


-
Carbonite Endpoint Protection (OKTA-179619)
-
CipherCloud (OKTA-178258)
-
Omnilert (OKTA-178842)

-
Air Canada Travel Agency (OKTA-176497)
-
Deep Social (OKTA-175548)
-
FastMail (OKTA-173347)
-
FPI Portfolio (OKTA-177374)
-
GTA Travel (OKTA-175171)
-
Health Wise Global (OKTA-175660)
-
IBM Partner World (OKTA-178902)
-
iTunes Podcasts Connect (OKTA-177007)
-
JumpCloud (OKTA-176802)
-
Pinnacle Financial Partners (OKTA-174891)
-
Profitstars (OKTA-179309)
-
Quick Base (OKTA-179540)
-
Revenue NSW (OKTA-179226)
-
SkyKick (OKTA-177199)
-
StiPP (OKTA-177420)

-
Dialpad (OKTA-174331)
-
SwiftKey (OKTA-177039)


The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- ScaleFT: For configuration information, see ScaleFT's Okta SCIM Configuration Guide.


The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- Quick Base. For configuration information, see Configure Okta Provisioning for Quick Base.

-
CloudSaver (OKTA-178376)
-
Fuel Cycle (OKTA-177763)
-
IMIchat (OKTA-172672)
-
Luminate Secure Access Cloud (OKTA-177980)
-
PitchBook (OKTA-178524)
-
Spoke (www.askspoke.com) (OKTA-176635)
-
Ultimo (OKTA-176636)
-
Symsys (OKTA-178538)

-
FrameIO (OKTA-175531)
-
Grove (OKTA-176622)
-
GTA Travel (OKTA-175171)
-
My NS Business (OKTA-176453)
-
Track My Backflow (OKTA-175785)
-
Wire (OKTA-173345)

-
Microsoft Dynamics CRM Online (OKTA-175795)


The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- ProsperWorks: For configuration information, see the ProsperWorks SCIM Setup Guide.


The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- Telmediq: For configuration information, see the Telmediq Provisioning Guide.
- CGR Foundation: For configuration information, see Configuring SCIM2 with Okta.

-
eFront (OKTA-176299)
-
Federated Directory (OKTA-177196)
-
Process Plan (OKTA-176823)
-
Torii (OKTA-176916)


The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- ScaleFT: For configuration information, see ScaleFT's Okta SCIM Configuration Guide.
- ScreenSteps: For configuration information, see ScreenSteps' Configuring SCIM with Okta.
- ProsperWorks: For configuration information, see the ProsperWorks SCIM Setup Guide.
- Wrike: For configuration information, see Wrike & Okta: User Provisioning.
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Robin: For configuration information, see Robin's SCIM provisioning using Okta's connector app.
- CloudRepo: For configuration information, see the OKTA and CloudRepo Integration Guide.
- Elements.cloud: For configuration information, see Elements.cloud's Configuring User Provisioning with OKTA.
- Comeet: For configuration information, see Comeet's Okta SSO integration instructions.


-
Autotask Endpoint Backup (OKTA-175184)
-
Beneplace G3 (OKTA-173834)
-
Egress (OKTA-174618)
-
Forter (OKTA-174571)
-
getSayDo (OKTA-173822)
-
Mind Tools (OKTA-172557)
-
MockFlow (OKTA-170692)
-
ProsperWorks (OKTA-172832)
-
StatusHub (OKTA-174984)
-
Tiled (OKTA-173560)

-
BeValuedUk (OKTA-175212)
-
Cylance Partner (OKTA-173385)
-
Explorer for ArcGIS (OKTA-166173)
-
MRI Software (OKTA-177190)
-
Symsys Selmore (OKTA-174360)
-
Telmediq (OKTA-177265)


The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
-
Mavenlink: For configuration information, see the Mavenlink OKTA SCIM Application Configuration Guide.
-
Guru: For configuration information, see Guru's SCIM Configuration Guide.
-
Zoom: For configuration information, see Zoom's Okta Configuration Guide.
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
-
LeanKit: For configuration information, see Configuring Provisioning for LeanKit.
We removed support for provisioning for the imeetcentral app.


-
Nvoicepay (OKTA-172287)
-
Sigma (OKTA-174900)
-
TrackVia (OKTA-171562)

-
Carrick Capital Partner (OKTA-173141)
-
Cisco (OKTA-173291)


The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
-
ScreenSteps. For configuration information, see Configuring SCIM with Okta.
We support SHA2 for the following integration:
-
Litmos (OKTA-169369)


-
AppDynamics v4.5+ (with SAML Encryption) (OKTA-172601)
-
Mambu (OKTA-171083)

-
Hippo CMMS (OKTA-173145)
-
TruQu (OKTA-172875)


The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
-
Academy LMS by Praetorian Digital. For configuration information, see Configuring Provisioning for Academy LMS.


-
Paladin (OKTA-172501)
-
Talkdesk (OKTA-170361)

-
Cadence (OKTA-172519)
-
Guidewire Community (OKTA-171779)
-
Ipreo (OKTA-170892)
-
Mimecast Secure Messaging (OKTA-166261)
-
Portico Property Management (OKTA-171052)
-
Quadient Cloud (OKTA-166195)
-
SecureWorks (OKTA-172818)
-
WebAdvisor (OKTA-167409)
-
Wells Fargo (Commercial Electronic Office) (OKTA-172565)

-
Namely (OKTA-171365)
-
VMware Horizon View VDI (OKTA-171494)

-
Cadence (OKTA-171772)


The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
-
1Password Business. For configuration information, see Automate provisioning with Okta in 1Password Business.
-
Comeet. For configuration information, see Comeet's Okta SSO integration instructions.


-
Built.io Flow (OKTA-170655)
-
Collective Health Employer Portal (OKTA-170658)
-
FOSSA (OKTA-170095)
-
Guru (OKTA-170656)
-
iDeals VDR (OKTA-166918)
-
Korbyt (OKTA-171463)
-
Marvelapp (OKTA-170657)
-
OpenEye Web Services (OKTA-167710)

-
1Password Business (OKTA-172516)
-
Amazon DE (OKTA-167431)
-
Benchmarking (OKTA-168838)
-
Dell Boomi (OKTA-171444)
-
DocsCorp Support (OKTA-168878)
-
Granite Group Advisors Education (OKTA-167734)
-
HP Channel Services Network (OKTA-170175)
-
HP Express Decision Portal (OKTA-166576)
-
IBM MaaS360 (OKTA-167146)
-
ITSupport247 (OKTA-167960)
-
Kronos: SaaShr Payroll (OKTA-169641)
-
LA Times (OKTA-166855)
-
Qlikid (OKTA-171593)
-
Rabobank Internetbankieren (OKTA-171384)
-
Rippe and Kingston LMS (OKTA-168601)
-
SAP Fiori Client (OKTA-170853)
-
ShowClix Organizer Login (OKTA-168649)
-
Spot.IM (OKTA-170306)
-
WebEx (Cisco) (OKTA-165568)
-
WorkFusion Forum (OKTA-168914)
-
xpenditure (OKTA-171605)
-
Yodeck (OKTA-170597)

-
G Suite (OKTA-170627)
-
Palo Alto Networks - GlobalProtect (OKTA-170860)
-
Zoho One (OKTA-171114)

-
Confluence On-Premise SAML (OKTA-168082)


The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- Peakon. For configuration information, see Peakon's Set up user provisioning with Okta.


-
LaunchDarkly (OKTA-169378)
-
Saleshood (OKTA-169149)

-
EOLIS (OKTA-166337)
-
HP Partner First Portal (OKTA-166039)
-
HSB Connect (OKTA-167254)
-
Pandora (OKTA-162880)
-
Samsara (OKTA-166084)


The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- Fuze. For configuration information, see the Fuze-Okta Provisioning Integration guide.
The following partner-built provisioning integration app is now available in the OIN as partner-built Okta Verified:
- Honey. For configuration information, see Honey's How To Configure SSO And User Provisioning Through Okta.


-
BeyondTrust (OKTA-166383)
-
Fivetran (OKTA-168577)
-
SmartDraw (OKTA-168214)

-
Collector (OKTA-168887)
-
Collector for ArcGIS (OKTA-166172)
-
ManageEngine ServiceDesk Plus (OKTA-164522)
-
Onfido (OKTA-168265)
-
Survey123 For ArcGIS (OKTA-166171)

-
G Suite (OKTA-165929)
-
SAP Fiori Client (OKTA-166524)

-
OrgWiki (OKTA-166365)


The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
-
8x8. For configuration information see the 8x8 SCIM Configuration Guide.
-
Zinc. For configuration information see Zinc's Setting up AD Sync with OKTA documentation.


-
Amazon Web Services Redshift (OKTA-165274)
-
Duo Admin Panel (encrypted assertions) (OKTA-167692)
-
Enplug (OKTA-166192)
-
Everlaw (OKTA-167870)
-
SecurityCompass (OKTA-164352)
-
Verkada (OKTA-167421)
-
Xton Access Manager (OKTA-167253)
-
Yodeck (OKTA-166898)

-
Amadeus Selling Platform Connect (OKTA-164289)
-
Amazon JP (OKTA-165793)
-
Braze (OKTA-165681)
-
Cognito Forms (OKTA-165816)
-
Fiserv ServicePoint (OKTA-164827)
-
MasterControl (OKTA-164742)
-
Mercado Pago Chile (OKTA-164690)
-
MileIq (OKTA-166676)
-
Percipio (OKTA-164973)
-
Stampli (OKTA-166043)
-
StormWind Studios (OKTA-163355)
-
The Library (OKTA-165278)
-
Trafalgar (OKTA-164559)

-
Condeco Desk Booking v2 (OKTA-165976)
-
InFlight Mobile (OKTA-165974)
-
InVironMobile (OKTA-165975)
-
INX (OKTA-165973)
-
ProsperWorks (OKTA-165092)


The following partner-built provisioning integration apps are now available in the OIN as Okta Verified:
- Dialpad. For configuration details, see the Dialpad Okta SAML & SCIM Configuration Guide.
- Vivantio ITSM. For configuration details, see the Vivantio ITSM Okta Provisioning Guide.


-
Braze (OKTA-164730)
-
EZRentOut (OKTA-165985)
-
Peakon (OKTA-164574)
-
Podbean (OKTA-165001)
-
ReadCube (OKTA-165511)
-
ScreenSteps (OKTA-166666)
-
Shareworks (OKTA-166193)
-
Visual Paradigm Online (OKTA-164575)
-
Ziflow (OKTA-165510)

-
Columbia Bank: Columbia Connect Login (OKTA-164598)
-
DemandCaster (OKTA-162686)
-
eNett (OKTA-161969)
-
Helpshift (OKTA-164347)
-
Meditta Customer Portal (OKTA-164125)
-
Mood Mix (OKTA-163389)
-
MT Bank: Web InfoPLUS Login (OKTA-163923)
-
Registro.br (OKTA-163594)
-
The Alabama Department of Revenue Motor Vehicle Division (OKTA-164095)

-
Dialpad (OKTA-162928)
-
Sequr (OKTA-165140)



-
CGR Foundation (OKTA-163834)
-
SimpleLegal (OKTA-162488)
-
TradeShift (OKTA-163383)

-
ArcGIS Online (OKTA-163206)

-
Alacriti: OrbiPay Payments (OKTA-162622)
-
Ascensus (OKTA-158493)
-
Bendigo Bank (OKTA-162125)
-
Boxed (OKTA-161706)
-
Colorado CDOT Maps (OKTA-162497)
-
Join Handshake (OKTA-162160)
-
Okta Ice: Gourmet Ice Cream (OKTA-163277)


The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- Vivantio ITSM. For configuration details, see the Vivantio Okta Provisioning Configuration Guide.


-
Givitas (OKTA-163560)
-
SSOGEN (OKTA-163382)
-
Zoom (OKTA-161971)

-
Appsulate (OKTA-162836)

-
Aurilo (OKTA-160566)
-
CBS Helpdesk (OKTA-161425)
-
Creditsafe (OKTA-163255)
-
ESET: License Administrator (OKTA-157798)
-
FamilySearch (OKTA-160772)
-
MYOB Essentials (OKTA-160212)
-
Northpass (OKTA-161830)
-
StatusHub (OKTA-161879)
-
WEXOnline Client Login (OKTA-161332)

-
Impraise SAML (OKTA-163703)
-
Nexus Payables (OKTA-162012)



-
IrisPR (OKTA-161401)
-
LCVista (OKTA-161816)
-
LeanKit (OKTA-161594)
-
LeaseEagle (OKTA-161705)

-
AccessNS (OKTA-161378)
-
AirTriQ (OKTA-159849)
-
Circulation (OKTA-160516)
-
EduServices (OKTA-163277)
-
Fido SSP (OKTA-159156)
-
Go365 (OKTA-160329)
-
Kaseya Virtual System Administrator (OKTA-160565)
-
Kids A-Z Kids Login (OKTA-160556)
-
LumApps (OKTA-160612)
-
Veritas Support (OKTA-160843)

-
G Suite (OKTA-160751)


The following partner-built provisioning integration apps are now available in the OIN as Okta Verified:
- Hootsuite. For configuration details, see the Hootsuite Okta SCIM Configuration Guide.
- MyPolicies. For configuration details, see the MyPolicies + Okta SCIM Employee Provisioning guide.
- Lumpy. For configuration details, see the Okta + Lumity: SCIM Provisioning guide.
- Teamable: For configuration details, see the Configuring provisioning for Teamable guide.
The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- Airtable. For configuration details, see Airtable's Okta provisioning configuration options guide.
- Appenate. For configuration details, see the Appenate Configuration Guide (note you will need to login to Appenate for access to this doc).
- Atipicia. For configuration details, see Atipicia's Okta user provisioning integration guide.
- Biztera. For configuration details, see Biztera's Configuring Okta Provisioning guide.
- Dialpad. For configuration details, see DIALPAD + OKTA | SAML & SCIM INSTRUCTIONS.
- ProLease. For configuration details, see the ProLease SCIM Setup Guide.
- StarLeaf. For configuration details, see the Starleaf Okta Integration.
- Twebcast. For configuration details, see Setup user provisioning for Twebcast with Okta.
- Vable. For configuration details, see OKTA users provisioning for Vable platform.
- DocSend. For configuration details, see DocSend's Okta SCIM Integration.
- Kudos. For configuration details, see the Kudos Okta SCIM 1.1 configuration guide.
- LearnCore. For configuration details, see LearnCore's SCIM Integration Documentation.
- SchoolKeep. For configuration details, see SchoolKeep's Configuring Okta Provisioning.
- Sequr. For configuration details, see the Sequr + Okta : Employee Provisioning Integration guide.
- Velpic. For configuration details, see Configuring the Velpic App from the OKTA Application Network for SCIM.
- Workboard. For configuration details, see Configuring Provisioning for Workboard.
- Zugata. For configuration details, see Zugata's Sync Users with Okta - SCIM.
- Expensify. For configuration details, see Expensify's Deactivating users with Okta guide.
- ClearStory. For configuration details, see ClearStory's Okta User Provisioning guide.Or Provision
- Cloud Repo. For configuration details, see the OKTA and CloudRepo Integration Guide
- Civis Platform. For configuration details, see Configuring Provisioning for Civis Platform
- Rollbar. For configuration details, see the Rollbar's Okta Configuration guide.


-
Duo Admin Panel (OKTA-157272)
-
Supermood (OKTA-161747)
-
T&E Express (OKTA-161402)
-
TalentWall (OKTA-161809)

-
Allinial Global (OKTA-159690)
-
AnswerForce (OKTA-159091)
-
InstaMed Online for Providers (OKTA-159927)
-
Jive (OKTA-158828)
-
Lucky Mobile OneView (OKTA-159151)
-
OpenX Community (OKTA-159626)
-
Rogers SSP (OKTA-159155)
-
Update OIN App (OKTA-162277)
-
Virgin Mobile OneView (OKTA-159150)

-
Impraise (OKTA-160452)
-
Microsoft Flow (OKTA-158687)
-
Microsoft Planner (OKTA-158691)
-
Microsoft Power BI (OKTA-158690)
-
Microsoft StaffHub (OKTA-158688)
-
Microsoft Sway (OKTA-158686)
-
Microsoft Visio Viewer (OKTA-158846)
-
Names & Faces (OKTA-160449)
-
Office 365 Message Encryption Viewer (OKTA-158847)
-
Office Delve (OKTA-158685)



-
iLobby (OKTA-160231)
-
PROLEAZ (OKTA-159605)
-
Samepage (OKTA-159604)
-
Sonar (OKTA-160236)

-
InstartLogic (OKTA-159557)
-
iNSYNQ (OKTA-156377)
-
San Diego Tribune (OKTA-158974)



-
Bersin (OKTA-158347)
-
CA Technologies Continuous Delivery Director (OKTA-159230)
-
TeamViewer (OKTA-158486)

-
Comcast Business (OKTA-158584)
-
First Republic Bank: Corporate Online Sign In (OKTA-158497)
-
First Tennessee Digital Banking (OKTA-157454)
-
Oakland Public Library Catalog (OKTA-158490)
-
Twenty20 Stock (OKTA-158185)

-
Nine (OKTA-158954)
-
Sonos (OKTA-158254)


- Provisioning is enabled for the Teamable Partner-Built application (OKTA-159394). For details, see the Teamable Provisioning Configuration Guide for details.
- Provisioning is enabled for the Lumity Partner-Built application (OKTA-159171). For details, see the Lumity Provisioning Configuration Guide for details


-
AlertOps (OKTA-158941)
-
Atiim (OKTA-156758)
-
Honey (OKTA-159100)
-
Oktopost (OKTA-158746)
-
PathSavvy (OKTA-159590)
-
Sapling (OKTA-157436)
-
Templafy (OKTA-158476)
-
TextExpander (OKTA-154028)
-
TraceGains (OKTA-157106)

-
AppNexus: Customer Support Portal (OKTA-158053)
-
Associated Bank (OKTA-157218)
-
Bizequity (OKTA-158244)
-
ECP (OKTA-155556)
-
Guidewire Live (OKTA-157445)
-
Humana Military (OKTA-158412)
-
ISOnet (OKTA-158232)
-
Jetstar AgentHub (OKTA-156973)
-
Parker: PHconnect Login (OKTA-158386)
-
Quay (OKTA-156972)
-
VocabularySpellingCity (OKTA-157236)

-
Microsoft Dynamics CRM Online (OKTA-157274)
-
OpenVPN Connect (OKTA-157442)
-
Pocket (OKTA-157815)
-
Virtru (Google Login) (OKTA-157353)



-
CultureHQ (OKTA-156714)
-
Databook (OKTA-157722)
-
InstaCheckin (OKTA-157452)
-
PlanGrid (OKTA-156180)

-
Burgiss: Cash Management (OKTA-154713)
-
DataServ (OKTA-157609)



-
R and D Manage (OKTA-156454)
-
Sharpr (OKTA-156588)
-
Stackla (OKTA-156474)

-
ABN AMRO (OKTA-156308)
-
Everest 7.0 (OKTA-155695)
-
Express VPN: Affiliates (OKTA-156499)
-
Instapage (OKTA-156197)
-
OUI.sncf (OKTA-156191)
-
Phone2Action (OKTA-156595)
-
Sling TV (OKTA-156708)
-
State of Wisconsin DWD: Insurer Reports (OKTA-152447)
-
WordPress.com (OKTA-156182)



-
Civis Platform (OKTA-155135)
-
ContractWorks (OKTA-153656)
-
Givitas (OKTA-155684)
-
Iggy (OKTA-155258)
-
ITProTV (OKTA-155248)
-
Pritunl (OKTA-154499)
-
PurchaseControl (OKTA-152586)
-
Supermood (OKTA-148675)
-
Wordpress by MiniOrange (OKTA-151125)

-
BootcampSpot v2 (OKTA-153220)
-
Crimson Hexagon (OKTA-155976)
-
Delivery Slip (OKTA-155537)
-
EverBank (OKTA-152736)
-
Franklin Synergy Bank (OKTA-152727)
-
Haaretz (OKTA-154551)
-
Leaseplan FleetReporting NL (OKTA-152941)
-
LinkPoint Connect Cloud Edition (OKTA-155230)
-
MassBio (OKTA-155241)
-
Milestone XProtect Smart Client (OKTA-153239)
-
Rapt Brand Fonts (OKTA-152869)
-
ReadyRefresh (OKTA-154418)
-
Salesgenie (OKTA-155096)
-
TPG (OKTA-154455)
-
Vertafore Agency Platform (OKTA-153643)
-
XpertHR (OKTA-155946)
-
Zoho Wiki (OKTA-154570)

-
Gboard (OKTA-154398)
-
NMBRS (OKTA-154804)



-
Arxspan (OKTA-154479)

-
Booking (OKTA-153126)
-
FHA Connection (OKTA-153897)
-
United Fire Group (OKTA-151261)
-
Wayfair (OKTA-152399)

-
Expensewatch (OKTA-154005)



-
Plex Apps (OKTA-153104)
-
Spoke (OKTA-153512)
-
Trustwave SWG Cloud (OKTA-153108)
-
Zoho One (OKTA-153517)

-
Addepar (OKTA-151872)
-
Adobe Stock (OKTA-152449)
-
ANZ Internet Banking Australia (OKTA-152515)
-
Ascensus (OKTA-151756)
-
CAI: Capital (OKTA-152732)
-
Carval: User Portal (OKTA-149880)
-
Health Plans (OKTA-153613)
-
Indiana Association of Realtors (OKTA-152450)
-
Instant Payroll (OKTA-152081)
-
Intuit Developer (OKTA-151109)
-
Kentik (OKTA-152102)
-
MIBOR (OKTA-143980)
-
MyShaw (OKTA-149352)
-
SAFE Credit Union (OKTA-152425)
-
UFG Agent (OKTA-151261)
-
VIA Rail (OKTA-152013)
-
Visionplanner (OKTA-152186)

-
Astea (OKTA-152017)

-
Moo.do (OKTA-152690)
-
Square (OKTA-152355)
-
UltiPro (OKTA-151970)
2018 Bug Fixes

- OKTA-168628 – Self assignment of a Federation Broker Mode app failed without any error message to the user.
- OKTA-187446 – The error message when adding an empty dynamic zone contained minor grammatical mistakes.
- OKTA-188556 – The Android for Work app appeared on Okta end user dashboard even though the app was configured in the Okta Admin console not to display.
- OKTA-189358 – Two Authentication of user via MFA and Evaluation of sign-on policy events were generated in the System Log for each user login.
- OKTA-189803 – When configuring policy assignment for Factor Enrollment, Sign-On, and Password policies, Group searches did not return more than 10 results.
- OKTA-191151 – Norwegian translations in Okta plugin had minor inconsistencies.
- OKTA-192504 – AD-mastered users were able to edit the Secondary Email attribute even when it was set to Read-Only.
- OKTA-193456 – Some Sign-On policies using a behavior rule did not display the correctly used rule in the System Log event.
- OKTA-193955 – User Profile labels were sometimes displayed in languages other than English when an admin tried to view the profile.
- OKTA-194153 – The UTF-8 encoding of the SCIM Server URL in the SCIM App Template was not RFC compliant.
- OKTA-194195 – When all MFA factors in an app Sign-On policy were set to optional, a new user after successfully enrolling in a factor was redirected to the app instead of the enrollment page to enroll in multiple MFA factors.
- OKTA-195093 –If an app had more than 20 instances that appeared above the option to select All <app name> Instances, it was not possible to select that option.
- OKTA-195582 – The interstitial page had an invalid HTML.
- OKTA-195906 – Saving custom email templates for MFA Factor Enrollment and MFA Factor Reset did not display an error when one or more required fields were missing.
- OKTA-197175 – Self service registration error messages displayed in the sign-in widget were not correctly localized.
- OKTA-197256 – The French translation of registration.error.minLength was incorrect.


-
Amplitude (OKTA-197221)
-
AvaTax Admin Console (OKTA-196830)
-
Benelogic (OKTA-197354)
-
ChannelAdvisor Forum (OKTA-196813)
-
Circulation (OKTA-196990)
-
DNSPod (OKTA-196832)
-
EVA Air (OKTA-197596)
-
Lynda.com (OKTA-196839)
-
National Car Rental (OKTA-73276)
-
Okta Org2Org (OKTA-197198)
-
Salesforce: Marketing Cloud (OKTA-196079)
-
SAM.gov (OKTA-197595)
-
Seek (AU) - Employer (OKTA-196831)
-
Swiftype (OKTA-197936)
-
viewfinity (OKTA-197594)

- OKTA-187113 – Emails sent to test a custom email template incorrectly used the default template instead.
- OKTA-188863 – After modifying metadata for a SAML app, URL metadata for the new Identity Provider Certificate in the SAML Setup instructions for the app was not updated.
- OKTA-190755 – On some Windows machines, attempts to open a document through Microsoft SharePoint failed with the error message: This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.
- OKTA-191466 – For orgs that had configured and enabled iOS Device Trust, users on Okta Mobile on iOS accessing a SAML application (with ForceAuthn flag enabled ) were not able to complete the flow.
- OKTA-192955 – In some cases, when the Application Username Format was changed for an app on the Sign On tab, the username did not update accordingly in the app.
-
OKTA-197844H - In some cases, user imports failed with a Resource not found error.
- OKTA-197850H - App icons did not load in Okta Plugin for Google Chrome when the CDN was disabled.


-
Carta (OKTA-195136)
-
CBT Nuggets (OKTA-194884)
-
CH Robinson Navisphere 2.0 (OKTA-193943)
-
eDataSource (OKTA-192665)
-
General Motors GlobalConnect (OKTA-196112)
-
IBM Workspace (OKTA-194887)
-
Inspectlet (OKTA-196109)
-
MassMutual Retirement Access (OKTA-194881)
-
MidFirst Bank iManage Personal Banking (OKTA-194622)
-
Olapic (OKTA-196110)
-
PaloAlto Networks Support (OKTA-196076)
-
Rackspace Admin Control Panel (OKTA-194888)
-
Rubicon Project (OKTA-196217)
-
Safeware (OKTA-194880)
-
SonicWall (OKTA-195177)
-
UPS CampusShip (OKTA-194141)
-
Walmart (OKTA-196204)

- OKTA-150759 – System Log events for the iOS Device Trust did not display CredentialType value.
- OKTA-182989 – Admins could access the deprecated System Log V1 UI by directly pasting the URL in the browser.
- OKTA-191057 – Temporary passwords generated by an admin password reset included hard-to-distinguish characters that could be confusing to users.
- OKTA-189249 – IdP Discovery rule with a Sharepoint On-Premise app condition was not routing properly on SP-initiated login flows.
- OKTA-189512 – Mobile admins did not receive an email notification if a user was deprovisioned from Android For Work or Google apps.
- OKTA-192009 – Enrolling in Okta Verify using SMS on mobile devices resulted in a message Okta Verify Not Detected instead of a message to open the app or to download the app from the relevant app store.
- OKTA-194096 – The MFA Usage report incorrectly listed Okta Verify as an enrolled factor for a user even when the factor was reset and was no longer enrolled for the user.
- OKTA-194735 – The Device Trust message displayed while adding an app sign-on rule did not reflect correct platform names.
- OKTA-194899 – The set of roles allowed access to system log information by the [Events API](/docs/api/resources/events) did not match the set of roles allowed access by the [System Log API](/docs/api/resources/system_log).


-
CGarchitect (OKTA-194273)
-
Check Point (OKTA-194916)
-
Google AdWords (OKTA-195109)
-
IBM Partner World (OKTA-194275)
-
Intouch Tech Data (OKTA-194276)
-
Leaseplan FleetReporting NL (OKTA-194272)
-
Santander (OKTA-194277)
-
ShowingTime (OKTA-194896)

-
FCm Travel Solutions Client Portal (OKTA-195584)

- OKTA-141857 – Some SAML Capable Apps reports incorrectly prompted to convert the app to SAML, even when the app was already using SAML 1.1 or SAML 2.0.
- OKTA-151933 – A race condition caused Group Push Mappings to be re-associated with a deleted Group Push Mapping Rule. This caused the mappings to be hidden from the Group Push UI and prevented changes to Group Push Mappings in case modifications are needed to address failures.
- OKTA-165757 – Changed user attributes in Active Directory sometimes were not properly updated in Okta.
- OKTA-168628 – Self service was not disabled for an implicit app instance, resulting in an error in the logs.
- OKTA-179336 – App Embed Link in the General tab of the Application page was greyed out in Firefox browsers and could not be copied.
- OKTA-182143 – Save and Add Another group in the Group Push UI did not work the first time.
- OKTA-184312 – API integration for a SCIM app failed when the app had no users.
- OKTA-185043 – Custom Authorization Server dialog was too large and hid the Add button when more than 30 clients were added to access policies at a time.
- OKTA-186068 – When looking up System Log entries for a six-month period, an incorrect date error was displayed even when the selected From date was six months away from the To date.
- OKTA-188600 – In some cases, when app provisioning failed, retrying tasks either in bulk or individually on the Task page failed.
- OKTA-190204 – When the MFA for admins feature was enabled, upon signing into support.okta.com, admins were redirected to the Okta admin console instead of support.okta.com.
- OKTA-190313 – In some cases, end users signing into Okta using Integrated Windows Authentication were displayed an incomplete technical contact email address.
- OKTA-190610 – When the MFA for admins feature was enabled and a sign-on policy prevented admins from signing in to Okta, admins configured to be allowed temporary access were still locked out.
- OKTA-191811, OKTA-194143 – When specifying a regex for user matches in an IdP discovery routing rule, the following error was returned: We found some errors. Please review the form and make corrections.
- OKTA-193127 – Running Application Usage reports sometimes failed with a timeout error.
- OKTA-193871 – Pushing the Exchange ActiveSync mail profile to OMM-managed iOS devices failed for AD-mastered users in orgs with Delegated Authentication configured.
- OKTA-194116 – A PUT call did not remove the postalAddress value from the user profile as expected.
- OKTA-194502 – In the System Log, the client IP address displayed did not correctly match the client geo-location when the Dynamic Zones feature is enabled.
- OKTA-194909 – Provisioning a user to Office 365 through User Sync or Universal Sync failed with the error: Got exception Unable to create the DirSync response object ProvisionResponse.
- OKTA-196801H - Attempt to match an imported user to an existing Okta user using the option “Existing Okta user I specify” did not retrieve the desired account even when it existed in Okta.
- OKTA-196665H - Attempt to edit an inactive group rule returned an internal server error.
- OKTA-196612H - Some end users signing into Okta received password hints in another language even when the display language was English.


-
ADP Payline (AU) (OKTA-192607)
-
AliMed (OKTA-192595)
-
Amazon Marketing Services (AMS) (OKTA-194123)
-
Blue Sky Factory (OKTA-192127)
-
Cisco (OKTA-188488)
-
Google Analytics (OKTA-192899)
-
Google Data Studio (OKTA-192135)
-
IBM Cloud (OKTA-192612)
-
Jell (OKTA-192132)
-
LumApps (OKTA-187691)
-
MyCitrix (OKTA-193111)
-
Norex (OKTA-192594)
-
Ravti (OKTA-190349)
-
Salesforce - Marketing Cloud (OKTA-194482)
-
SignNow (OKTA-190434)

- OKTA-151397 – Group admins were erroneously able to view users who were outside the Active Directory groups being managed by them.
- OKTA-174550 – The incorrect password error message displayed for AD-mastered users and Okta-mastered users was inconsistent.
- OKTA-175568 – Messages that were sent to devices using the Factors API sometimes returned a 500 error if the message could not be sent.
- OKTA-176446 – Attempts to complete new user activation using JIT failed for users in a state of Pending Activation.
- OKTA-183303 – The Managed column on the Group Assignment page incorrectly appeared to be sortable/clickable.
- OKTA-184763 – Workday to Okta imports failed for users with Organizations that had a null Organization_Type_Reference.
- OKTA-187876 – Yubikey reports that included deleted users were not fully viewable, and displayed the following error message: Error, Service is in Read Only Mode.
- OKTA-189519 – In rare cases, a custom domain could not be removed using the Restore to Default link.
- OKTA-191750 – When setting up Admin Email Notifications, changing the Notification Preferences For dropdown option from Global Enablement to My Preference failed.


- A Cloud Guru (OKTA-187786)
- ADP Workforce Now (Employee) (OKTA-191089)
- Amazon Marketing Services (AMS) (OKTA-192124)
- Backblaze (OKTA-191414)
- Dun & Bradstreet (OKTA-189723)
- Fusebill (OKTA-189915)
- Instagram (OKTA-192593)
- MURAL (OKTA-192126)
- StatusCake (OKTA-192416)
- TravelCube Pacific (OKTA-190067)
- Zerto: DRaaS Service Portal (OKTA-189985)

- Atlassian Cloud (OKTA-188779)

- OKTA-183216 – When a device enrollment operation failed, the error message was incorrect.
- OKTA-186779 – For the AWS app, credentials verification failed when adding multiple accounts IDs belonging to China AWS region.
- OKTA-188601 – When a user account was deactivated in a provisioned app then imported to Okta and then to AD, the user account was not deprovisioned as expected.
- OKTA- 191753 – System Log query parameters prior to the allowed time range returned an unknown error (HTTP status code 500).


-
Akamai Enterprise Application Access (OKTA-187781)
-
Cisco (OKTA-188488)
-
Cisco Partner Login (OKTA-188281)
-
Integral Ad Science (OKTA-189258)
-
Juice (OKTA-187782)
-
Mapbox (OKTA-188752)
-
MURAL (OKTA-189084)
-
Pingdom (OKTA-190166)
-
PleaseReview (OKTA-187779)
-
Tumblr (OKTA-189894)
-
Verizon Wireless Business (OKTA-189357)

-
Saba (OKTA-164211)

- OKTA-178657 – When multiple attempts were simultaneously made to update a user's phone number for SMS or voice factors, the user was unable to enroll the phone number.
- OKTA-181134 – For Dropbox for Business app, group memberships were not imported while importing users and groups.
- OKTA-182512 – Okta was incorrectly pushing to the SCIM app memberships for users who were not previously provisioned to the app.
- OKTA-182770 – On updating Jira apps on Atlassian Cloud, the API rate limit of Atlassian often prevented pushing groups from Okta to Atlassian.
- OKTA-185451 – When an app admin with permission to administer a specific app attempted to save the app settings using the API Endpoint {{url}}/api/v1/apps/{{AppID}} failed with an insufficient permissions error message.
- OKTA-185620 – The Microsoft Forms app integration on the enduser dashboard did not log in the user automatically when the sign on mode was SWA.
- OKTA-190057 – If Device Trust certificate issuance, enrollment, or renewal failed while the Okta service was in Read Only mode, the failure was not logged in the System Log.


-
Datadog (OKTA-185125)
-
Glassdoor (OKTA-189125)
-
Prezi (OKTA-188694)
-
Salesforce: Marketing Cloud (OKTA-189073)
-
Ascensus: Partner Login (OKTA-184944)

- OKTA-124052 – Profile sync from Okta to third-party apps failed instead of ignoring users not already provisioned to the third-party app.
- OKTA-180603 – The Variable Name for enumerated attributes was not displayed in the user profile.
- OKTA-182976 – Admins could not see all Microsoft Office 365 apps assigned to a user when previewing the end user Dashboard on the Customization page.
- OKTA-184730 – When setting up AWS GovCloud with multiple accounts, testing the API credentials or saving provisioning configuration failed with an invalid client token ID error.
- OKTA-188112 – When multiple attempts were simultaneously made to update a user’s phone number for SMS or voice, an HTTP 500 error occurred intermittently.
- OKTA-188212 – Links to Device Trust version history documents on the Settings > Downloads page were broken.
- OKTA-188697 – The Norwegian language was listed as Bokmål instead of Norsk Bokmål in the Display Language options.
- OKTA-188880 – Admins could not change the username format for OIDC apps in the Profile Mappings editor.
- OKTA-189139 – In some Preview orgs, Symantec VIP settings were not displayed in Internet Explorer 10 and 11 when configuring the factor for MFA.


-
ADP Portal (Admin) (OKTA-188716)
-
Comcast Business (OKTA-188339)
-
eWallet ADP (OKTA-188414)
-
OneSignal (OKTA-188704)
-
Visionplanner (OKTA-188355)
-
VMware Partner Network (OKTA-188299)
-
Wrike (OKTA-188554)

- OKTA-167649 – When configuring an LDAP instance, the text description of when to use the User Attribute field was not clear.
- OKTA-175504 – Kosovo was missing from the Country dropdown list when setting up a phone number for MFA.
- OKTA-179460 – In the Org2Org app, when a user was not activated in the target system, pushing user updates failed.
- OKTA-180472 – The System Log displayed duplicate entries to Org admins for enrolling and auto-activating MFA factors.
- OKTA-181897 – The error message on the Add Person pop-up was not descriptive enough.
- OKTA-184400 – The Activation email link failed for imported AD users, displaying an error message about a non-existent security question.
- OKTA-184613 – When the App admin was assigned an app that included the "|" character in its name, app search did not work.
- OKTA-184982 – The Multifactor page displayed UI elements such as the Edit button to Read Only admins.
- OKTA-185195 – SP-initiated logins for SAML 2.0 apps were not logged in the System Log when access was denied by an App Sign On policy.
- OKTA-185215 – For self service registration, password policy descriptions and error messages were not localized correctly, and defaulted to English.
- OKTA-186200 – Help Desk and Read Only admins received a blank pop-up screen when trying to activate or deactivate an MFA factor type on the Multifactor page.
- OKTA-186269 – The RSA SecurID username format dropdown did not display AD-related options.
- OKTA-186780 – The Reset Password page did not accept some usernames that were not in email format.
- OKTA-187597 – The Feedback button on the admin dashboard directed users to a wrong path.
- OKTA-187720 – If a company name contained the "&" character, the name was only displayed up to the "&" character on the New Account Registration page.
- OKTA-187875 – The download buttons on the Download page were inactive for some admins during maintenance.


-
Dealer Daily Lexus (OKTA-188063)
-
IRMLS Indiana Regional MLS - Safemls (OKTA-186105)
-
Procore (OKTA-187722)

- OKTA-172556 – Technical Contact on the Account Pending Activation page did not appear when staged users tried to log in to Okta.
-
OKTA-185863H – After CLOUD_DESKTOP_SSO was enabled, in certain situations the Allowed Network Zone list in the admin UI was duplicated multiple times. Once the list became too large, IWA began to fail and users were prompted to login.
- OKTA-185863 – Users could not enroll their phone number for Self Service as they were prompted with the error message "Password or factor verification has expired" even when the session was just created.
- OKTA-186848 – Okta Verify push notifications were not displayed immediately on Android devices when the device screen was turned off.
- OKTA-187067 – Subscribed admins did not receive the deactivation email when a user with assigned apps was deactivated through the Okta Admin UI.
-
OKTA-187726H – externalName and externalNamespace fields were missing from the Add Profile Attribute dialog for OIN SCIM apps.


-
Cisco WebEx Meeting Center (OKTA-185731)
-
D2L (OKTA-184842)
-
DeltaSkymiles (OKTA-185635)
-
Kamer van Koophandel (OKTA-187153)
-
Moodlerooms (OKTA-186579)
-
mySonitrol (OKTA-185824)
-
myATT (OKTA-185885)

- OKTA-83725 – The Zendesk app removed the admin role of an admin user required for Zendesk API access.
- OKTA-166236– The Sign In page did not render properly when the user agent was empty.
- OKTA-173065 – On the admin dashboard, the warning dialog displayed active buttons to Read-only admins.
- OKTA-175981 – API Token link reference for the On-Prem MFA Agent was linking to /admin/access/rsa-securid page instead of /admin/access/on-prem page.
- OKTA-181650 – Deprovisioning users from the Workplace by Facebook app failed due to an API rescheduling error if the user's manager could not be imported from AD.
- OKTA-184540 – Changing the list of Network Zones enabled for Desktop SSO did not generate a System Log event as expected.
- OKTA-184731 – In Chromebooks, when IdP Discovery was enabled, users were unable to login to certain IDPs.
- OKTA-185632 – Mapping from a user's primary email to their username was not enforced when the user's primary email was changed by an admin.
- OKTA-185819 – Bulk activate option for onboarding on the People page has been restored. This affects Preview orgs only.


-
Apple Store for Business (OKTA-185638)
-
Codility (OKTA-186038)
-
Factual (OKTA-185681)
-
ManageEngine ServiceDesk Plus (OKTA-185481)
-
MURAL (OKTA-185636)
-
Okta Help Center (OKTA-185639)
-
PR Newswire (OKTA-186572)
-
Siteimprove (OKTA-185464)

-
LogMeIn Central/Pro (OKTA-180957)

- OKTA-163542 – Newly imported Okta users were sometimes not added to an Okta push group in Slack.
- OKTA-169041 – In the Office 365 app, if a user had no licenses assigned, deleting that user during de-provisioning failed.
- OKTA-178599 – JIT Delegated Authentication failed in some cases when Okta was in safe mode.
- OKTA-180070 – In Browser Plugin settings, Enable Okta toolbar for group dropdown had no group selected by default on new orgs causing on-the-fly functionality to fail.
- OKTA-180348 – Linked Object property names were incorrectly allowed to begin with a digit or contain characters other than digits, ASCII letters, and underscores.
- OKTA-180375 – If an externally-mastered user was created by an API and an email factor was required, when the user's email address was updated in the externally-mastered source, the previous email address was still active and authentication codes could still be sent to it.
- OKTA-182523 – If a user had email and another factor enrolled for an app-level MFA policy, selecting email as a second factor in Okta Mobile on iOS 11.4.1 displayed 'L10N error' instead of a localized message.
- OKTA-182572 – Users were blocked when upgrading to Okta Verify Push if there was an app sign-on policy that prompted for MFA but no sign-on policy that prompted for MFA.
- OKTA-182744 – The device trust client could not be installed on domain-joined computers when IdP discovery was enabled and an IdP routing rule was configured.
- OKTA-183830 – When the Okta Sign-In Widget was set to use a language other than English, and configured with IdP Discovery, the Next button in the identity first login form was not translated.
- OKTA-186441H – Users and admins were prompted with an "500 Internal Server Error" whenever they tried to access ServiceNow UD.
- OKTA-186530H – For MS Office apps on iOS devices, the end user flow failed when an App Sign On rule to “Block EAS” was above a Device Trust rule.
- OKTA-187161H – SCIM connectors implemented with new created apps did not work on Preview.


-
Amazon UK (OKTA-183801)
-
Boxed (OKTA-183746)
-
Cisco Partner Login (OKTA-183727)
-
Insightly (OKTA-184701)
-
MIBOR (OKTA-183652)
-
My Jive (OKTA-184864)
-
QuickBooks (OKTA-184915)
-
SHI (OKTA-183447)
-
ThrivePass (OKTA-183453)
-
WorkFusion Forum (OKTA-184843)

-
Micro Focus Connected MX (OKTA-184531)

- OKTA-96203 – The Approvals inbox showed All tasks completed message instead of Nothing to show message when there were no completed tasks.
- OKTA-161648 – IWA authentication failed for users who had the same UPN across multiple AD domains.
- OKTA-177378 – For apps with Provisioning enabled, when the Update application username on field was set to Create Only, it reverted to Create and Update when the page was refreshed.
- OKTA-178803 – Clicking on the U2F factor Setup button for the first time on the end user Settings page displayed a message saying the factor was not supported by the browser but the flow worked normally upon second click.
- OKTA-179236 – If an API PUT request to update a user profile omitted a sensitive property, that sensitive property was not properly removed from the user profile.
- OKTA-179407 – Some error pages containing non-lower ASCII characters were not localized.
- OKTA-179766 – While setting up a phone number for Forgot Password Text Message, users with a Mauritian phone number received an invalid number message at the first attempt but were able to send code to verify the number on the second attempt.
- OKTA-181454 – When a user belonged to an MFA Enrollment policy where the Email factor was Required and the SMS factor was Optional, calling the /api/v1/authn/endpoint (Primary Authentication with Trusted Application) to authenticate the user for the first time resulted in the user being prompted to setup an Optional factor instead of receiving the Email OTP.
- OKTA-182947 – Enabling the Self-Service Registration feature with the Add to Sign-In widget checkbox selected displayed a horizontal scroll bar on the end user Sign In page.
- OKTA-183411 – Active app approval templates were not deactivated when Self Service for the app was disabled.
- OKTA-183667 – Attempts to delete a Group Rule resulted in a 500 error.
- OKTA-183882 – Deactivated admins received user locked out emails.
- OKTA-184762 – IdP Discovery stopped the processing of policy rules for a policy if a rule was being evaluated without a user and the rule contained a user attribute condition.


-
Air Canada Travel Agency (OKTA-182036)
-
AmeriHome Correspondent Connect (OKTA-182918)
-
BetterLesson (OKTA-182740)
-
CitiManager (OKTA-182916)
-
Citrix XenApp (OKTA-182034)
-
Cloudability (OKTA-182781)
-
Critical Mention (OKTA-183368)
-
FileWave (OKTA-183176)
-
Hulu (OKTA-183663)
-
MailGun (OKTA-183490)
-
MedBridge (OKTA-184387)
-
MyRackspace Portal (OKTA-183616)
-
New York Times (OKTA-183479)
-
ProfitStars (OKTA-182311)
-
Verizon Wireless Business (OKTA-182929)
-
Virgin Pulse (OKTA-182902)
-
Yardi (OKTA-182913)
-
ZeroFox (OKTA-182915)

-
NetDocuments (OKTA-181142)

- OKTA-165796 – When the user had both Okta Verify with Push enabled and Duo Security, ignoring auto Push from Okta Verify to switch to Duo Security displayed an error message.
- OKTA-174349 – Applications configured as Administrator sets username and password prevented users from enabling Auto-launch option for that app.
- OKTA-177385 – Okta Expession Language was incorrectly treating the character "_" as a single wildcard character.
- OKTA-177768 – IdP Discovery policy routing rule did not display disabled app instances.
- OKTA-178568 – If an SMS factor was used within 30 seconds of the factor being auto-activated, authentication would fail without displaying an error.
- OKTA-179126 – IdP Discovery policy inactive rules could be re-activated if pointed to an inactive IdP.
- OKTA-179325 – AD-mastered users, who were logging into Okta for the first time and had not used their enrolled MFA factors to log in, were unable to add their phone number for SMS and Voice Call self-service password recovery options on the Welcome page.
- OKTA-165507 – The System Log displayed an incorrect time calculation when the selection included a daylight savings time change.
- OKTA-184793H – With Device Trust enabled and only modern auth client application configured for the Office 365 app, some iOS users whose devices were managed by AirWatch were unable to access O365 from native apps.


- Pantheon (OKTA-181500)

- OKTA-159579 – The San Diego Union-Tribune app had a different login URL in Okta Plugin for Microsoft Edge.
- OKTA-172164 – Invalid EL expressions for attributes and claims in API AM, OIDC, and SAML displayed a 500 error, rather than causing an exception and returning an appropriate error.
- OKTA-173204 – AD-mastered users were unable to edit their Mobile Phone configured with ALM in Okta even when the User Permission for the attribute was set to Read-Write.
- OKTA-174211 – Custom domains and Okta-hosted custom sign-in pages rendered a blank page in Internet Explorer when the domain was added to Compatibility View.
- OKTA-176335 – When configuring a Custom Domain and a Custom Email Sender using the same custom subdomain, the admin was directed to place both CNAME and TXT records to be the same subdomain host, violating RFC 1034 Sec. 3.6.2.
- OKTA-178982 – When assigning apps to a group, next page returned a 500 error if an admin didn't have rights to view all apps.
- OKTA-180364 – Ambiguous dialog box was displayed after a successful MFA transaction.
- OKTA-180642 – Changing the Okta username format from the Active Directory > Settings page in Okta failed to also update existing users' usernames.
- OKTA-182574 – Applying admin-managed tabs to all users did not send emails upon success or failure due to NPEs.
- OKTA-180932 – In rare cases, a del-Auth user appeared to be active when locked out and vice versa.


- 451Research (OKTA-179132)
- BB&T (OKTA-180836)
- BioCentury (OKTA-181201)
- GoGoAir (OKTA-180854)
- Hosting (OKTA-180837)
- Kentik (OKTA-180843)
- MIBOR (OKTA-181155)
- Morgan Stanley ClientServ (OKTA-180844)
- My Atlassian (OKTA-179519)
- Sailthru (OKTA-180418)
- UMR (OKTA-177842)
- US Bank - Pivot (OKTA-181941)
- VerticalResponse (OKTA-180437)
- Wayfair (OKTA-180840)
- WebEx Premium (OKTA-180841)
- Zappos (OKTA-180842)

- Illumio ASP (OKTA-182517)

- OKTA-165762 – AD profile attributes did not write back to UltiPro-mastered user profiles.
- OKTA-166150 – End user names did not display correctly in Dashboard > Tasks if the user account did not include user first and last names.
- OKTA-167437 – Some profile attributes for User Sync provisioning type for Office 365 could only be mapped using group app assignment (scope: Group) as opposed to user app assignment (scope: Personal).
- OKTA-167701, OKTA-170446 – In some cases, the user's manager attribute did not provision to Office 365 when the user's manager DN changed in AD.
- OKTA-170588 – The Timeout for API Calls threshold for Okta On-Premise Provisioning timed out before the set threshold.
- OKTA-170844 – Users received a blank page when logging into the Jonas Premier app using the Okta dashboard.
- OKTA-173525 – SAML docs were sometimes populated with incorrect Signature Algorithm certificates.
- OKTA-175838 – Group admins were unable to create API tokens because the Security tab was missing from the Okta admin dashboard.
- OKTA-178335 – Removed System Logs for granting refresh tokens in token requests with the refresh token grant type. This applies to both API Access Management and OpenID Connect.
- OKTA-178359 – Some group rules did not trigger after users were imported into Okta.
- OKTA-178522 – IDP Discovery routing rules deemed domains containing the special character "-" as invalid.
- OKTA-178978 – Provisioning sometimes failed during Okta service maintenance.
- OKTA-181649H – New users that were mastered in Google Suite, Workday, or Salesforce and subsequently provisioned from Okta into Active Directory, were not enabled in AD when AD password policy required more than 16 characters long passwords.


-
Admin America Participant (OKTA-179417)
-
AI Insight (OKTA-179419)
-
Amadeus Selling Platform Connect (OKTA-177982)
-
Ambassador (OKTA-179233)
-
BNY Mellon - Connect Portal (OKTA-179106)
-
Pond5 (OKTA-180160)
-
PPM Roadmap (OKTA-179413)
-
S&P Capital IQ (OKTA-178570)
-
Spectrum Time Warner Cable (OKTA-179415)
-
Staples NetXpress New Zealand (OKTA-179414)
-
Sysomos (OKTA-179340)
-
The Courier Mail (OKTA-179225)
-
The Economist (OKTA-179108)
-
WebStudy (OKTA-179412)
-
Zeplin (OKTA-179714)

-
Fuel Cycle (OKTA-179998)
-
Illumio ASP (OKTA-179985)
-
Spoke (www.askspoke.com) (OKTA-179597)

- OKTA-90737 – The Permission set for user assignments was not showing up for the Replicon app. For existing Replicon app instances please contact Okta support to upgrade to latest schema.
- OKTA-119389H – Imported users for the Org2Org app had mismatched username and email values.
- OKTA-166720 – Allow administrators to consent for Advanced API Access setting was not saved for O365 app’s API credentials, in cases where WS-Fed was used and set to MANUAL on the Sign On tab.
- OKTA-173411 – Reveal Password did not show the password for SWA apps when the user is logged in by external social login providers.
- OKTA-173928 – When the Do not display application icon to users option was unchecked on the General tab of an On-Prem SAML app, the On-Prem settings on the Provisioning tab disappeared.
- OKTA-174179 – Not all SuccessFactors user attributes were imported into Okta.
- OKTA-176035 – Users that were deleted from a Group that was managed by a rule, still showed up in the Group.
- OKTA-177400 – The Zendesk provisioning API failed and returned a 403 Forbidden error for some customers.
- OKTA-178619 – The API Access Management authorization server token preview resulted in an error when previewing a token for client credentials grant type.
- OKTA-179489H – Admin password reset functionality was disabled for LDA- mastered users when the Group Password Policy feature was enabled.
- OKTA-180446H – Setting up provisioning or imports for a new G Suite app instance failed. Testing API credentials for any existing G Suite instances returned a 503 Service unavailable error.


-
FedEx Canada (OKTA-177987)
-
MIBOR (OKTA-178869)
-
NatureBox (OKTA-177974)
-
VoterVoice (OKTA-177979)
-
WebEx (Cisco) (OKTA-178499)

- OKTA-131104 – For customers with G Suite, duplicate email accounts were configured in Gmail after Android users enrolled their device in OMM (work profile).
- OKTA-159102 – When a user launched an iOS app that uses Okta to log in, the Okta widget displayed Please enter a password as soon as it was tapped.
- OKTA-163843 – Okta unnecessarily provided information about specific browsers on all browsers when end users set up a Security Key (U2F) making the instructions confusing on some browsers.
- OKTA-166582 – When multiple SMS requests for MFA were sent within a 30 second window, the error message returned was SMS recently sent instead of Too many requests.
- OKTA-168180 – The AD Domain or AD Agent fields were missing in AD agent connect and disconnect System Log events.
- OKTA-168338 – The okta-signin-widget did not include the accept-language header when making an API call.
- OKTA-175427H – The IDP Discovery page did not redirect the user to the IDP defined in the Routing Rule on an SP initiated flow.
- OKTA-176556 – During Self Service Registration some user accounts defaulted to Staged instead of Pending user action status as expected.
- OKTA-177435 – Category name in the app list showed L10N_ERROR as a category.
- OKTA-178668 – The Delegated Authentication page did not load properly.


-
Apple Store (OKTA-177813)
-
Atlassian Cloud (OKTA-175339)
-
EdgeCast (OKTA-175363)
-
Qualtrics (OKTA-178233)
-
SallieMae (OKTA-173895)
-
UMR (OKTA-177991)
-
Unicorn HRO Customer Center (OKTA-177995)
-
UsabilityHub (OKTA-177376)
-
WebEx Premium (OKTA-173896)

- OKTA-124352 – It was possible to select an inactive PIV IdP for certificate-based login.
- OKTA-146511 – Attempting to activate Okta Verify by an email link or code after having already attempted activation by SMS link resulted in a 500 error instead of a proper error message.
- OKTA-156179 – The Workplace by Facebook Manager field was only updated following reassignment changes in AD/Okta, not for other changes.
- OKTA-156459 – User reactivation failed for customers using the Graph API provisioning for the Microsoft Office 365 app.
- OKTA-160214 – Attempts to enable provisioning for the JIRA On-Prem app failed with a 500 error.
- OKTA-164208 – Network Zones were not displayed properly under Security -> Delegated Authentication -> Network Zones in IE.
- OKTA-165596 – The Send Push Automatically checkbox was deselected when reopening a new IE browser with Update KB4096040 in Windows 7Pro-32Bit.
- OKTA-165636 – The Help Desk Admin role could incorrectly click the Groups link without receiving an error. However, when clicking on any of the groups listed, the admin would receive a 403 error.
- OKTA-165849 – RSA SecurID MFA enrollment in Okta carried over the FOB token into the PIN field (at the Enter a new PIN having from 4 to 8 digits prompt).
- OKTA-166847 – The Okta plugin continued to fill out forms with stored values for User/Name and Password fields beyond the initial login.
- OKTA-167553 – The text on the interstitial page appeared jumbled when using Firefox browser version 59.0.2.
- OKTA-167623 – Upgrading the IWA agent caused the Network Zones under IWA Settings to be cleared.
- OKTA-168428 – Some users who were deactivated in Okta were not deactivated in Workplace by Facebook.
- OKTA-168629 – Calls to API AM /authorize with an invalid okta_key parameter resulted in a 500 error.
- OKTA-168648 – No error was shown when user activation failed due to a session timeout.
- OKTA-169454 – Desktop - Windows traffic from Microsoft BITS/7.5 (Microsoft Background Intelligent Transfer Service) was incorrectly filtered as non-Windows traffic by Office365 Client Access Policies.
- OKTA-171775 – Admins given the right to only administer one specific app (specific-app admin role) were unable to access the Provisioning tab for that app.
- OKTA-172284 – The SuccessFactors personal email attribute was removed by an Okta Push operation.
- OKTA-172556 – The IWA pending account activation page did not show the Technical Contact email address.
- OKTA-174625 – Users could not be assigned the Silver Partner role in Salesforce.
- OKTA-175748 – Clicking OIDC default scopes in an Authorization Server (AS) policy rule, incorrectly added all scopes for a custom AS.
- OKTA-175919 – For orgs with subdomain names containing mixed cases, the banner prompting users to grant access to apps continued to display even after the user trusts the domain.
- OKTA-175991 – A 500 error was returned when adding more than one hundred network zones.
- OKTA-176329 – The ContactDirSyncMapping event was not recorded in the System Log.
- OKTA-176736 – The enum attribute did not display a zero value correctly in edit mode (Admin > Directory > Profile Editor > Profile > Edit Custom Attribute).
- OKTA-177400H – Zendesk Provisioning threw a 403 error after performing a Cloudfare migration.


-
Amazon DE (OKTA-175408)
-
CareFirst (OKTA-174918)
-
CB Insights (OKTA-175570)
-
Comcast Business (OKTA-176072)
-
CrowdStrike Support Portal (OKTA-176089)
-
GoDaddy (OKTA-175683)
-
IBM Cloud (OKTA-175745)
-
Kaspersky CompanyAccount (OKTA-174914)
-
MB Program Info (OKTA-173889)
-
Nielsen Answers (OKTA-176091)
-
NOW - NetApp (OKTA-173891)
-
OneHealthPort (OKTA-175767)
-
OpenTable (OKTA-173892)
-
Operative.One (OKTA-174243)
-
Peapod (OKTA-173890)
-
Proposify (OKTA-175784)
-
PsPrint (OKTA-173894)
-
Qlik (OKTA-175675)
-
SAP Support Portal (OKTA-176093)
-
Seeking Alpha (OKTA-173893)
-
ST Math (OKTA-175125)
-
trafalgar (OKTA-174916)

-
Clarizen (OKTA-175553)
-
SkyHigh (OKTA-175513)

- OKTA-159705 – Okta did not accept Thawte issued certificates.
- OKTA-162707 – The RADIUS log sometimes showed a NoHttpResponseException entry that was not a real error.
- OKTA-167438 – When users changed their secondary email address, this event did not display in the System Log.
- OKTA-167602 – When a user was deprovisioned from Box, and the file volume was high, the user deactivation failed because the associated file transfer timed out.
- OKTA-171890 – In some cases, when using combined values across groups with the O365 app assigned, removing the last group from a user also removed the O365 license.
- OKTA-171950 – If the redirect_uri limit was exceeded, an HTTP 500 error was returned.
- OKTA-172843H – Custom reports for Workday incremental imports sometimes failed, resulting in null custom attribute values.
- OKTA-174277 – Self-service registration returned an Internal Server Error for users reseting a password using the API activation token.
- OKTA-174659 – Okta to AD Push Groups operations for groups starting with "#" failed to link to AD groups.
- OKTA-175160 – When activating or deactivating the email factor, an event was not generated consistently in the MFA usage report.
- OKTA-175583H – Assigning a new version of an app binary file (.ipa) for a native app failed.


-
Absolute Console (OKTA-173828)
-
Alaska Air Group Credit Union (OKTA-173897)
-
America First Credit Union (OKTA-173877)
-
Benefit Administrator - Ameritas (OKTA-173898)
-
Commission Junction (OKTA-173899)
-
DealerRater (OKTA-173885)
-
Eden (OKTA-174921)
-
Fedex United Kingdom (OKTA-172898)
-
HM Revenue and Customs (HMRC) (OKTA-174740)
-
Hype Machine (OKTA-173886)
-
Jungle Disk (OKTA-173887)
-
McAfee Consumer (OKTA-173888)
-
MetLife Business Insurance (OKTA-174318)
-
MURAL (OKTA-174638)
-
Quickbooks (OKTA-174037)
-
SnapLogic (OKTA-174915)
-
SonicWall (OKTA-173831)
-
UltiPro (OKTA-172729)

-
Netskope (OKTA-170729)

- OKTA-132768 – Pre-activated end users who requested a password reset were not automatically sent an email from Okta advising them to contact their administrator, as expected. (Note: This issue is fixed. It was documented as a feature enhancement in error in 2018.17 release notes.)
- OKTA-156213 – RDP failed to connect to Windows Server 2016.
- OKTA-168217 – When using a voice call factor twice within a 30-second time period, the error message incorrectly displayed a internal server error instead of a Too Many Requests error.
- OKTA-168223 – The System Log did not display OpenID Connect App assignment and un-assignment events.
- OKTA-171665 – When authenticating with U2F, the login screen did not have the option Do not challenge me on this device for the next ....
- OKTA-171675 – When a group associated with the self-service registration policy was deleted, any subsequent attempts to make changes to the registration policy received a This group does not exist error message.
- OKTA-171680, OKTA-171750 – It was possible to create access policy rules that set refresh token inactivity expiration times to Unlimited.
- OKTA-172619 – In some real time sync configurations, Okta was showing duplicate users from Workday in the import tab.


-
Activist Insight (OKTA-172889)
-
Bloomberg (OKTA-173419)
-
CloudHealth (OKTA-172894)
-
Crunchbase (OKTA-173424)
-
eBay (OKTA-172962)
-
Instagram (OKTA-173825)
-
Jitterbit (OKTA-172563)
-
MoneyGram U.S. (OKTA-172893)
-
The Alabama Department of Revenue Motor Vehicle Division (OKTA-168849)
-
Tracker.com (OKTA-172886)
-
WOW! (OKTA-172888)

- OKTA-162610 – Device notification emails defaulted to the Pacific Time Zone in the message regardless of the user profile time zone setting.
- OKTA-162740 – Notification emails triggered when changing an admin's email address were not sent from the configured custom domain.
- OKTA-168452 – When using the Apple Search Ads app on the MSEdge browser, the Okta Plugin did not match the URL correctly.
- OKTA-170357 – When signing keys could not be generated for a new Authorization Server, the error message was not clear.
- OKTA-171394 – When an AD user was deactivated then reactivated from Okta, the user was reactivated in Okta but not in AD as expected.
- OKTA-172487 – Mappings from user.getInternalProperty("id") to the app Username attribute did not save correctly.
- OKTA-173166 – The Reports page did not display the Account Unlock counts in the SMS Usage Report.


-
AirWatch Admin Portal (OKTA-169991)
-
Apple MyAccess (OKTA-168961)
-
Apple MyAccess (OKTA-168961)
-
Capriccio Fuzion (OKTA-168950)
-
Capriccio Fuzion (OKTA-168950)
-
CloudFlare (OKTA-172484)
-
InMobi (OKTA-171429)
-
NetXpress (OKTA-172464)
-
WeightWatchers (OKTA-172465)

- OKTA-93349 – Super Admins were able to change the role of other Super Admins without notifying the affected party.
- OKTA-127830 – Default password policy settings were sometimes incorrectly applied when creating a user with a password.
- OKTA-139641 – The MFA Usage report did not display the date/time in the Last Enrolled tab.
- OKTA-158993 – Some users were prompted for MFA on a device after already selecting Do not challenge me on this device again on that device.
- OKTA-159102 – The Okta login page on iOS displayed a Please enter a password error as soon as users clicked on the password field.
- OKTA-159505 – Some attributes were missing in the RADIUS end user Client IP attributes list.
- OKTA-159631 – The Slack desktop application request for MFA sometimes went into a loop when users configured it to prompt for MFA on every sign-on.
- OKTA-165633 – Password sync was available for Workplace by Facebook which does not support it.
- OKTA-167565 – The password fields were missing from the Okta Welcome page, causing users to be unable to register their accounts.
- OKTA-169341 – Existing users were not prompted to enroll a Security Question and Answer when enabling Self-Service Account Unlock with recovery Security Question enabled.
- OKTA-171056 – Some OAuth 2.0/OIDC refresh tokens would expire early.
- OKTA-171385 – Saving User profiles with App Mastered Numerical Attributes containing a value resulted in a 403 response.
- OKTA-171533 – When more than 20 OIDC apps were added to an org, no more than 20 appeared in the Clients dropdown of the Token Preview screen.
- OKTA-171670 – The Sharepoint on-premises application was not respecting custom interstitial URL settings for the org.
- OKTA-171896 – The JetBrains OIN app was not added to the Okta Dashboard when the account was created on the fly.


-
Akamai EdgeControl (OKTA-170641)
-
American Airlines (OKTA-170444)
-
AppLovin (OKTA-171070)
-
Confluence (Atlassian) (OKTA-171922)
-
CoStar (OKTA-170333)
-
DocSend (OKTA-171575)
-
Email On Acid (OKTA-172478)
-
Freshdesk (OKTA-170270)
-
Goldman Sachs Research (OKTA-169178)
-
Hightail (OKTA-171579)
-
NGP VAN (OKTA-171573)
-
SmartyStreets (OKTA-171843)
-
Stampli (OKTA-170087)
-
United Airlines (OKTA-170452)
-
YouCanBook.me (OKTA-171900)

-
Sisense (OKTA-170701)

- OKTA-159522 – The Application report for the Radius app did not display all users assigned to the app.
- OKTA-161741 – The Billing Contact information in Account Settings could not be edited. This occurred only for Developer Paid editions.
- OKTA-162503 – The Okta Chrome browser plugin caused a DOM exception to appear in the Dev Console when debugging applications on pages that contained sandboxed iFrames.
- OKTA-162664 – Simultaneous updates made by multiple admins to change user membership on Okta mastered groups were overwritten by the last update.
- OKTA-163173 – Group Push: Pushing app Groups to Jive that already exist or already existed in Jive displayed a L10N_ERROR[app.api.error.update.group] error message.
- OKTA-163381 – When imported groups had names or descriptions with 1023 characters or longer, running an import from ServiceNow into Okta failed with a data exception and did not complete the import.
- OKTA-164390 – Group Search queries with underscores returned incorrect results.
- OKTA-166755 – Importing users from Kaleo OIN app through a CSV file failed.
- OKTA-167278 – Events returned from the /logs endpoint when using the until parameter were previously delayed by up to 1 second. To improve the performance of our System Log, queries to the /logs endpoint that include an until parameter may now return results that are delayed up to 10 seconds. When making requests with an until value that is near real-time, ensure that you allow enough of a buffer as to not miss events (e.g. 20s).
- OKTA-169479 – Using the Okta Plugin negatively impacted browser performance in some cases when working with pages that contained many forms.
- OKTA-172049H – A deleted user account could not be recreated.


-
Authorize.Net Merchants (OKTA-169901)
-
Choice Strategies (OKTA-168607)
-
SAP BusinessObjects (OKTA-169481)
-
Windows Dev Center (OKTA-169230)

- OKTA-154726 – Email as an authentication factor produced an error at enrollment for international users.
- OKTA-157884 – Delays were experienced when deleting users. As a result of the fix, one will notice a period of time between when the deletion was initiated and when it completes. During the period, the user will still be visible, but the deletion cannot be reversed.
- OKTA-163626 – During an import into Okta, an event was fired stating that an Okta-mastered group was removed. This event is incorrect, Okta-mastered groups should not be removed during an import and no events should have been fired.
- OKTA-166669 – A secondary domain could not be registered on a fresh install of AD Agent 3.4.12. This issue is fixed by AD Agent release 3.5.0.
- OKTA-167483 – OAuth 2.0 and OIDC requests made with redirect URLs that contained underscores in the domain name would result in an error.
- OKTA-168285 – Group rules only worked when first activated, and subsequently only when they were deactivated and reactivated.
- OKTA-170869H – After an Okta user was deleted in a Preview org, attempts to create an account with same username failed with an 'already exists' error.


-
iCloud (OKTA-168778)
-
S&P Capital IQ (OKTA-169177)
-
The Hive Community (OKTA-166736)

- OKTA-137758 – If the configured default IdP was set to inactive, Okta still used the inactive IdP as the primary endpoint for user authentications.
- OKTA-159216 – When setting up a SAML 2.0 App using the App Integration Wizard, the username defined in the Sign-On tab was overwritten by the default username under the General tab.
- OKTA-162620 – The French translation had errors in the enrollment Password Recovery Security question.
- OKTA-162633 – The German translation had errors in the activation email template.
- OKTA-163276 – Roles were not populated while importing users in the Netsuite app if the user account does not have a location attribute present on it.
- OKTA-164970 – Manual imports from ServiceNow UD failed with following error: Error while downloading all users: could not deserialize the cpc user string. Errors found while setting values for the app user. appUserId=null, errors=com.saasure.framework.validation.util.SimpleErrors: 1 errors Error in object 'appUser': codes [invalidValueTypeForProperty.appUser,invalidValueTypeForProperty]; arguments [company]; default message [Unsupported data type value for given key]. This error means some user has an unknown (new or modified) value for a dropdown list property such as Department, Cost Center, etc. To resolve this issue, click Applications > More > Refresh Application Data, and run the import again.
- OKTA-165675 – The Greek translation had errors on the Okta login screen.
- OKTA-166113 – Users were prompted for MFA for clients in ADFS zones where MFA was not required.
- OKTA-166330 – Some ADFS logins failed and required the user to refresh the page to receive the MFA challenge.
- OKTA-169410H – After new mobile devices are enrolled into OMM, whenever a device reports back device info using update device status api or response to device info command, the update fails due to null pointer exception.


-
Apple Search Ads (OKTA-168085)
-
AppRiver (OKTA-166853)
-
BootcampSpot v2 (OKTA-168448)
-
Envoy (OKTA-168089)
-
Gaggle (OKTA-167422)
-
Oh My Green (OKTA-168122)
-
ServiceNow UD (OKTA-166665)

-
Achievers.com (OKTA-167722)

- OKTA-19371 – The SAML RelayState app path contained an extra forward slash.
- OKTA-134551 – The attribute msExchHideFromAddressLists was not synchronized correctly from Active Directory.
- OKTA-151741 – For customers using the EA feature Graph API provisioning for Microsoft Office 365, provisioning users to the Microsoft Office 365 app failed with the error Unrecognized field "odata.metadata" (Class com.saasure.application.office365.msgraphapi.objects.api.User), not marked as ignorable.
- OKTA-155207 – After an admin was unable to create a user profile in Microsoft Office 365 for a user, the user could not be assigned to the supporting group.
- OKTA-156396 – When uploading an unexpired IdP certificate in Microsoft Internet Explorer 11, the message this certificate is expired displayed. The certificate worked as expected.
- OKTA-156475 – The Okta Browser Plugin froze when authenticating without a session. This was fixed by removing an extra slash in the URL path.
- OKTA-158355 – There were minor grammatical errors in the sign in message.
- OKTA-159022 – After provisioning users to the AWS SAML app, users did not have the AWS app integration on their Dashboards.
- OKTA-159631 – Multifactor Authentication challenges were incorrectly repeated after a successful completion for the Slack Desktop app.
- OKTA-159745 – Group Push to the ServiceNow app failed for large groups containing thousands of users.
- OKTA-161715/OKTA-162648 – Using the Okta Plugin negatively impacted browser performance when working with forms that contained many password fields.
- OKTA-162796 – Setting the Sign On method to Users share a single username and password set by administrator caused a 400 bad request error on user assignment.
- OKTA-162952 – The Adobe Experience Manager app prompted for a new password suggestion instead of sign in information during a SP-initiated flow.
- OKTA-163013 – Internet Explorer did not display Group and Network Zone information in App level Sign On Rules section when editing.
- OKTA-163122 – Duplicate events were fired from a single profile push update.
- OKTA-163152 – When a user was removed from an Okta group and deactivated, then assigned to a different Okta group and reactivated, the reactivated user would still be a member of the OU associated to the original group in spite of the prior deletion from the group.
- OKTA-163408 – The footer on the Activation Failure page incorrectly displayed on two lines.
- OKTA-163411 – The Activation page was not correctly translated for the Japanese language.
- OKTA-165493 – A scheduled Group Push to the Slack app using a rule failed for large groups.
- OKTA-165624 – The welcome email for the Okta Developer Platform contained a broken link for an image.
- OKTA-165637 – Importing users from the Box app with no group memberships failed intermittently with a NullPointerException error.
- OKTA-165749 – The Multifactor page was blank in some customers' preview orgs.
- OKTA-166721 – The Edit button was not visible when customizing a SMS multifactor authentication factor in preview organizations.
- OKTA-166777 – On the Tasks page, provisioning tasks did not display correctly until the Filter button was clicked.


-
Adobe Licensing Website (OKTA-167246)
-
Apple ID (OKTA-167247)
-
Associated Bank (OKTA-166530)
-
In Honda (OKTA-165909)
-
iTunes Connect (OKTA-166342)
-
National Life Group Customers Login (OKTA-166528)
-
Premium Beat (OKTA-166550)
-
Ramp (OKTA-166533)
-
SchoolDude (OKTA-166531)
-
Societe Francaise du Radiotelephone (OKTA-167244)
-
SproutSocial (OKTA-167248)

- OKTA-88738 – Read-only admins were able to access email template settings and admin notification functions.
- OKTA-146365 – The Duo multifactor authentication factor was enforced when the factor enrollment rule was set to first time user is challenged for MFA even though the sign-on policy was set to Do not prompt for MFA.
- OKTA-152483 – App admins assigned to the RADIUS app only could not edit Settings in the RADIUS app Sign On tab. Admins assigned to all apps were not affected.
- OKTA-160718 – Okta MFA did not work during sign on for the Airwatch Admin Portal SAML app on iOS Mobile only.
- OKTA-162352 – Users logging in through ADFS login received an error if the ADFS app was configured for MFA with the default policy and with all factors as optional.
- OKTA-163379 – Token Preview incorrectly showed Refresh Token as a grant type option, when it is not a valid grant type.
- OKTA-163525 – In the Advanced Sign-On Settings for the Dropbox app, the instructions for the Silent Provisioning option incorrectly stated that Dropbox support always needed to be contacted to verify your domain.
- OKTA-163584 – Repushing a group that contains a member that already exists in the Jira On-Prem or the Jira Cloud apps, resulted in an End of File exception.
- OKTA-163667 – When one deprovisioning task was manually cleared for a user, all tasks for that user were also cleared.
- OKTA-165355 – After customizing the end user dashboard, admins did not receive an email confirmation that changes were activated, as indicated in the screen text.
- OKTA-165473 – Reauthentication failed for the SAML apps if IWA was configured.
- OKTA-166715H – The URL to sign on to the Salesforce app with MFA exceeded the maximum character length.


-
Barracuda MSP Online Backup (OKTA-164607)
-
Commuter Check Direct (OKTA-164137)
-
Egencia DE (OKTA-165131)
-
Egencia Ireland (OKTA-164381)
-
Egencia UK (OKTA-165133)
-
FunctionFox (OKTA-164382)
-
HelpSpot Userscape (OKTA-164385)
-
Prey (OKTA-164614)
-
Spirit Airlines (OKTA-164383)

-
Robin (OKTA-163897)

- OKTA-116182 – Provisioning to Atlassian Jira failed if the Base URL on the General tab contained spaces in the Jira Cloud and Jira On-Prem apps in Okta.
- OKTA-156901 – Custom magnification levels were reset to the default 100% in Microsoft Internet Explorer 11 after clicking the Web Version link in the Okta toolbar.
- OKTA-159593 – Imports of over 6000 users from SuccessFactors to the SuccessFactors app in Okta failed.
- OKTA-159681 – The State (state), Supervisory Organization (supervisoryOrg) and Business Unit (businessUnit) attributes were not imported from Workday into Okta.
- OKTA-159692 – App sign on rules to deny access to modern auth clients were not enforced on Microsoft Windows 10 operating systems, build 16299.64 and above.
- OKTA-160653 – Unnecessary System Log events appeared with null worker references when processing group memberships during Workday import.
- OKTA-160881 – With Enhanced Group Push, existing group members from linked groups were not correctly mastered by Okta.
- OKTA-162107 – New Active Directory-mastered users were not prompted to enroll in voice call option for recovery during their first sign in.
- OKTA-162752 – Imports for the SuccessFactors app failed with a null pointer exception.
- OKTA-163222 – Enabling provisioning for the GoToMeeting app failed with an HTTP error 400.

The following SWA apps were not working correctly and are now fixed.
-
Amazon CA (OKTA-163946)
-
Creditsafe NL (OKTA-163690)
-
Creditsafe UK (OKTA-163692)
-
Financial Times (OKTA-163576)
-
FINRA IARD (OKTA-163579)
-
FullContact Developer Portal (OKTA-162151)
-
OPP (OKTA-163577)
-
SunTrust - Enterprise Spend Platform (OKTA-163940)
-
Travitor (OKTA-163968)
-
Unity Ads (OKTA-161838)
-
Wrike (OKTA-161802)