Fixes

General Fixes

OKTA-394045

The End-User Dashboard wasn't aligned correctly when viewed on mobile browsers.

OKTA-460054

Office 365 nested security groups sometimes failed to synchronize correctly from Okta.

OKTA-522922

Not all users deactivated in an Org2Org spoke tenant were deprovisioned in the hub tenant.

OKTA-527705

When authenticating to Citrix apps with RADIUS, users received multiple notifications in error if they selected No, it's not me in Okta Verify.

OKTA-534291

Samanage/SolarWinds schema discovery didn't display custom attributes.

OKTA-544943

When a user was deactivated in Okta, the Okta Workflows and Okta Workflows OAuth app integrations weren't removed from the user's assigned app integrations.

OKTA-545664

URLs /login/agentlessDsso/interact and /api/internal/v1/agentlessDssoPrecheck were blocked by the browser when executed in an iFrame.

OKTA-547756

An incorrect error message was displayed during self-service registration when an email address that exceeded the maximum length allowed was entered.

OKTA-548390

Enabling Agentless DSSO didn't create a default routing rule if no routing rules existed.

OKTA-550739

Users could request that one-time passwords for SMS, Voice, and Email activation be resent more times than allowed by the rate limit.

OKTA-556056

Group claims failed if a user who belonged to more than 100 groups appeared in the group claims expression results.

OKTA-557873

Enrollment emails weren't sent to users who enrolled in the DUO Security factor.

OKTA-557976

For some users, the profile page didn't display all of their enrolled MFA factors.

OKTA-565041

Group filtering failed when more than 100 groups appeared in the list of results.

OKTA-565899

An incorrect error message appeared when users saved an empty Website URL field in their on the fly app settings.

OKTA-566372

Users were sometimes unable to sign in to several Office 365 apps from Okta.

OKTA-567711

In some orgs, Email Change Confirmed Notification emails were sent unexpectedly. Admins should verify that the recipients lists audience settings are accurate for Change Email Confirmation and Email Change Confirmed Notification.

Applications

New Integrations

Content Security Policy enhancements

Over the next few months we are gradually releasing enhancements to our Content Security Policy (CSP) headers. During this time you may notice an increase in header sizes.

Fixes

General Fixes

OKTA-545622

AD-sourced users received an error when resetting passwords during their Okta account activation.

OKTA-545918

Admin roles that were granted to a user through group membership sometimes didn't appear on the user's People Admin roles tab.

OKTA-551921

When a large number of profile mappings were associated with a user type, updates to the user type could time out.

OKTA-553201

Users who scanned a Google Authenticator one-time passcode with Okta Verify received an error message and couldn't enroll in the Google Authenticator factor.

OKTA-554013

Batch federation of multiple Microsoft Azure domains failed if the batch contained any child domains.

OKTA-566285

A threading issue caused directory imports to fail intermittently.

OKTA-566682

When an admin configured an IdP routing rule that allowed users to access certain apps, the list of available apps was blank.

OKTA-566824

Sometimes super admins encountered a timeout when listing admin users on the Administrators page in the Admin Console.

OKTA-567707

A security issue is fixed, which requires RADIUS agent version 2.18.0.

OKTA-567972

An unclear error message was returned when a group rules API call (create, update, or activate) was made to assign users to read-only groups (for example, Everyone ).

OKTA-567979

Last update information was displayed for API Service Apps and OIDC clients.

OKTA-571393

Users couldn’t enroll YubiKeys with the FIDO2 (WebAuthn) factor and received an error message on Firefox and Embedded Edge browsers.

Applications

New Integrations

Sign-In Widget, version 7.3.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-508580

When the Okta profile mapping was pushed to AD, the event didn’t appear in the System Log and the manager attribute wasn’t pushed.

OKTA-537710

Users on M1 MacBooks were unable to sign in to organizations provisioned with an OS-specific workflow.

OKTA-556133

End users received email notifications of new sign-on events even though such notifications were disabled in the org security settings.

OKTA-561269

The YubiKey Report wasn’t generated when certain report filters were applied.

OKTA-565300

Accessibility issues on the password verification page of the End-User Dashboard prevented screenreaders from reading the text.

OKTA-565984

Case sensitivity caused usernames sent in SAML 2.0 IdP assertions not to match usernames in the destination org if a custom IdP factor was used and the name ID format was unspecified.

OKTA-566892

Sometimes MFA prompts overlapped portions of the browser sign-in pages.

OKTA-572416

The Help Center link on the Resources menu directed users to the wrong URL.

OKTA-574624

In Administrators Roles, the Org Admin description was incorrect.

App Integration Fixes

Applications

New Integrations

Fixes

General Fixes

App Integration Fixes

Applications

New Integrations

Fixes

OKTA-464288

SMS customization wasn't restricted in free developer orgs.

OKTA-516653

Group descriptions for AD groups linked to Okta groups weren't pushed.

OKTA-544970

When orgs used email template injection, some internal class information was visible in the message.

OKTA-562755

On the Admin Dashboard, the Total admins and Individually assigned counts were incorrect.

OKTA-567399

A deactivated Identity Provider couldn't be reactivated.

OKTA-567906

Admins were able to configure a multifactor enrollment policy that allowed the Okta Verify Push mode but didn't allow the one-time password mode.

OKTA-570664

BambooHR reported an error when Okta attempted to update a value using the value of a custom attribute.

OKTA-576483

Admins weren't able to add a network zone with the name BlockedIPZone.

OKTA-577014

Some users received inaccurate error messages when they registered their phone number for password reset and account unlock.

OKTA-585800

Some Cornerstone profiles failed to import due to missing information.

OKTA-589114

When orgs used daylight savings time, the Admin Dashboard and the System Log events timestamps were one hour behind.

Applications

New Integrations

App Integration Fixes

Sign-In Widget, version 7.4.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

OKTA-503099

Admins were able to modify the auth_time claim for an access token using a token inline hook.

OKTA-562337

The options in the dropdown used to filter Admin Dashboard tasks were untranslated.

OKTA-566659

DocuSign group pushes failed when removing users from a group.

OKTA-568170

Some orgs couldn't disable the New Sign-On Notifications email.

OKTA-568376

Users couldn't enroll an IdP as an authentication factor if their username didn't match the case of the username in their IdP profile.

OKTA-579088

In AgentsOn-premise, the Description link next to each of the agents was incorrect.

OKTA-584216

A suffix was added to the application label for new Onspring instances.

OKTA-587063

An older version of the OAuth library was included in the Okta Provisioning agent. The issue is fixed in Okta Provisioning agent 2.0.14.

OKTA-588262

The favicons for the Admin Console and End-User Dashboard were misaligned.

Applications

New Integrations

App Integration Fix

Fixes

OKTA-576159

On the IdP configuration page, searching for groups under JIT Settings sometimes returned an error.

OKTA-581158

System Log events for manual imports showed that the import was scheduled by Okta.

OKTA-585107

The hidden permissions count on the Edit role page was incorrect.

OKTA-585478

App sign-on events with usernames that exceeded 100 characters weren't always added to the System Log.

OKTA-587347

On mobile devices, users with long email addresses couldn’t see all the options in their settings dropdown menu.

OKTA-592074

Screen readers read apps on the End-User Dashboard as buttons instead of links.

Applications

New Integrations

Fixes

Applications

New Integrations

App Integration Fix

Sign-In Widget, version 5.7.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

Applications

New Integrations

App Integration Fix

Fixes

• OKTA-570851

  Some app provisioning error strings weren't translated.

• OKTA-586571

  In some orgs, users who successfully reset their passwords were redirected to a custom error page instead of the home page.

• OKTA-591232

  Logos weren't correctly displayed on email templates.

• OKTA-599684

  When Active Directory users were added through an import or JIT provisioning, their application groups were retrieved from an incorrect domain. This caused an internal error that prevented users from signing in to Okta.

• OKTA-604536

  An older library was being used by the toolkit used by Okta Confluence Authenticator and Okta Jira Authenticator. The issue is fixed in version 3.2.2 of the toolkit.

• OKTA-607199

  ThreatInsight temporarily prevented non-malicious users from accessing Okta.

Applications

New Integrations

Fixes

• OKTA-588667

  After creating accounts, some users weren't able to complete the sign-in process.

• OKTA-596446

  Error summary messages weren't written to the System Log when custom errors occurred during an import inline hook operation.

• OKTA-597490

  The LDAP interface didn't return any result for a deactivated user when the cn value was combined with other filters.

• OKTA-597959

  Okta users authenticating through Agentless Desktop SSO (ADSSO) were sometimes incorrectly shown a migration-check error message.

• OKTA-601618

  Email change confirmation notices came from an Okta test account rather than a brand-specific sender.

• OKTA-603731

  Macros in email subjects weren't processed correctly for some email templates.

• OKTA-604404

  Imports performed during UltiPro maintenance resulted in inconsistent data being returned.

• OKTA-604914

  When the redesigned resource editor feature was enabled, admins couldn’t add individual applications to their resource sets.

• OKTA-609336

  Incorrect descriptions were displayed on the AgentsOn-premise tab.

• OKTA-609390

  During Identity Engine self-service upgrades, admins could see false indications that the Sessions API was in use.

Applications

New Integrations

Fixes

• OKTA-414791

  LDAP requests resulted in an error if the memberOf filter didn't include a Group DN.

• OKTA-423781

  The Privacy link on the Okta dashboard wasn't translated.

• OKTA-585123

  When the Full Featured Code Editor was enabled, some admins couldn't edit the Sign-In Widget version or their sign-in page draft changes.

• OKTA-591228

  Admins with a custom role couldn't receive user reports of suspicious activity in email notifications.

• OKTA-602635

  Some text on the Administrator assignment by role page wasn't translated properly.

• OKTA-602794

  Token inline hooks failed even when a URL claim name was correctly encoded with a JSON pointer.

• OKTA-604386

  The Edit button disappeared from the Other customizationsUser Accounts panel.

• OKTA-604825

  When an admin added the Manage users permission to a role, any existing permission conditions were removed. Also, admins with restricted profile attributes could edit those attributes on their own profile.

• OKTA-613226

  Some of the new Okta branding changes weren't displayed in the Admin Console.

Applications

New Integrations

Fixes

• OKTA-516583

  The application logo wasn't displayed on the Groups page for some groups.

• OKTA-566503

  When no tokens were listed on the API Tokens page, the displayed message wasn't translated.

• OKTA-572820

  Deleting large numbers of IdP routing rules with API calls caused System Log discrepancies.

• OKTA-577794

  The destination in SAML responses sometimes didn't match the Assertion Consumer Service URL in signed authentication requests.

• OKTA-583072

  The System Log showed that an MFA reset notification email was sent when that notification option was disabled and no email was sent.

• OKTA-597009

  The Microsoft Team Exploratory licenses weren't imported correctly into Okta, which prevented users from provisioning the correct licenses.

• OKTA-599540

  HTTP replies to SP-initated SAML requests contained two session IDs, which sometimes caused user sessions to expire unexpectedly.

• OKTA-599994

  The Honor Force Authentication SAML setting didn't work with Agentless Desktop Single Sign-on (ADSSO).

• OKTA-602946

  On password hash import, users couldn't change their passwords even after the minimum password age setting period.

• OKTA-604985

  Approvers received duplicate task approval requests when users requested an app from the End-User Dashboard.

• OKTA-605016

  In the Add Dynamic Zone dialog, the Bagmati region of Nepal was missing from the State/Region dropdown menu.

• OKTA-607167

  The search bar in the Groups tab on the user profile page didn't display the placeholder text correctly.

• OKTA-610185

  When the Conditions for Admin Access feature was enabled, restricted profile attributes were visible in User > Profile for imported users.

• OKTA-611867

  The Active User Statuses field didn't appear in some configurations.

• OKTA-612177

  Some users in China didn't receive one-time passwords through SMS.

• OKTA-612312

  Admins couldn't delete a custom email domain if it was used by multiple orgs.

• OKTA-612615

  On the Tasks page, the Edit Assignment button wasn’t translated.

• OKTA-612888

  Sign-on policies didn't persist for the admin group.

• OKTA-612972

  When the redesigned resource editor feature was enabled, large sets of resources were displayed outside of the Add Resource dialog, and the tooltip didn’t specify the resource limit.

• OKTA-613226

  Some of the Okta branding changes weren’t displayed in the Admin Console.

• OKTA-613979

  The Microsoft Office 365 Sign On tab displayed incorrect information in the Metadata details section.

Applications

New Integrations

Sign-In Widget, version 7.7.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

Applications

New Integrations

Fixes

• OKTA-564847

  Sign-out errors sometimes appeared as raw JSON text rather than triggering an Okta error page.

• OKTA-581464

  The System Log didn't provide user information for an expired password during the Resource Owner Password grant type flow.

• OKTA-581496

  Some apps that had provisioning enabled appeared on the Provisioning Capable Apps reports.

• OKTA-588414

  Users who were removed from an Okta group using an API call were added back to the group because of the group rules.

• OKTA-588559

  The max_age=0 property wasn't treated the same as prompt=login for OAuth 2.0 /authorize requests.

• OKTA-602343

  The System Log didn't display client details for user_claim_evaluation_failure events if a token inline hook was enabled.

• OKTA-602566

  Apps using a custom identity source displayed user and group assignments in the General tab.

• OKTA-604491

  Users were sometimes unable to display authorization server access policies in the Admin Console.

• OKTA-613164

  Some admins could access IdP configuration editing pages without sufficient permissions.

• OKTA-617952

  When the Redesigned Resource Editor feature was enabled, super admins couldn’t preview the resource set assignments for the access requests and access certifications admin roles.

• OKTA-619651

  My Okta didn’t load when the Enable Sync Account Information setting wasn’t selected.

• OKTA-621542

  For SAML IdP configurations, searches for a user group to assign to the app sometimes failed to stop.

• OKTA-627295

  NetSuite couldn't be provisioned to new users.

Applications

New Integrations

App Integration Fixes

Applications

New Integrations

Sign-In Widget, version 7.8.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

Applications

New Integrations

App Integration Fixes

Fixes

• OKTA-619028

  Read-only admins received user reports of suspicious activity email notifications in error.

• OKTA-632131

  OpenID Connect /token requests using the SAML 2.0 Assertion grant type flow failed if the SAML assertion expiry was greater than 30 days.

• OKTA-632850

  Slack provisioning didn't automatically retry after exceeding rate limits.

• OKTA-633585

  The on-demand auto-update banners for the Active Directory agent displayed updates in a random order.

• OKTA-634923

  Users weren't present in the import queue after being unassigned from an app.

• OKTA-635579

  When a super admin went to the Groups Admin Roles tab, the Edit group assignments button was mislabeled.

• OKTA-636652

  The Administrators page wasn’t translated to Japanese.

Applications

New Integrations

Fixes

• OKTA-601623

  When configuring an API Service Integration (either through the Admin Console or using APIs), admins could set a JWKS URL using HTTP instead of HTTPS.

• OKTA-621253

  Email Change Confirmed Notification messages weren't sent if the audience was set to Admin only.

• OKTA-627175

  Some tasks displayed a greater-than sign (>) instead of the date.

• OKTA-630368

  RADIUS logs showed multiple, repetitious Invalid cookie header warning messages.

• OKTA-634010

  Users who were locked out of Okta but not Active Directory could receive Okta Verify push prompts and sign in to Okta.

• OKTA-639427

  When admins added a new user in Preview orgs, the Realm attribute appeared on the dialog.

Applications

Fixes

• OKTA-620655

  When an error occurred during Identity Engine upgrades, a Customer Config Required message appeared instead of an Okta Assistance Required message.

• OKTA-641043

  Admins could select values from disabled dropdown menus.

Applications

Sign-In Widget, version 7.10.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Content security policy enforcement extended for custom domains

Content Security Policy is now enforced for all non-customizable pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for all non-customizable pages in orgs with custom domains will become stricter than this first release. This feature will be gradually made available to all orgs.

Enhanced Okta LDAP integrations with Universal Directory

Okta LDAP integrations now feature custom mapping, schema discovery, and a fully extensible attribute schema that allows you to import or update any attribute stored in LDAP. With these enhancements, Okta LDAP matches the schema functionality already available to Active Directory integrations. See Profile Editor. This feature is being re-released. This feature will be gradually made available to all orgs.

Fixes

• OKTA-595549

  IdP users were redirected to an unbranded sign-in page after SSO failure.

• OKTA-614488

  Admins could view only 50 applications in the Default application for the Sign-In Widget dropdown menu when configuring a custom sign-in page.

• OKTA-619163

  When the Universal Distribution List group was pushed to Active Directory, some users' group memberships didn't sync.

• OKTA-627660

  Users whose admin permissions were revoked continued to receive emails with an Admin only audience setting.

• OKTA-628227

  Some SAML-linked accounts in DocuSign couldn't use SWA.

• OKTA-629263

  Email change confirmation notices came from an Okta test account rather than a brand-specific sender.

• OKTA-637801

  Admins without permission to manage apps saw an Edit button for the app’s VPN Notification settings.

• OKTA-638911

  The RSA Authenticator used the old SamAccountName of AD-sourced users after it was changed.

• OKTA-639465

  The LDAP Agent Update service used an unquoted path, which could allow arbitrary code execution. For more information, see the Okta security advisory.

• OKTA-647842

  Okta displayed two different titles for the End-User Dashboard to users whose locale was set to Vietnamese.

Okta Integration Network

App updates

• The Amazon Business SAML app now has a configurable SAML issuer.
• The Amazon Business SCIM app now has a configurable SCIM base URL and Authorize endpoint.
• Application profile and mapping has been updated for the Jostle SCIM app.
• The mobile.dev SAML app has been rebranded as Maestro Cloud.

New Okta Verified app integrations

• Base-B (SAML)
• Base-B (SCIM)
• Comprehensive (OIDC)
• Palo Alto Networks Cloud Identity Engine (API service)
• Palo Alto Networks Cloud Identity Engine (Application-enabled) (API service)
• Rezonate Security (API service)
• supervisor.com (OIDC)
• WorkSchedule.Net (OIDC)

App integration fixes

• American Express Online by Concur (OKTA-642832)

Fixes

• OKTA-619723

  When the Conditions for admin access feature was enabled, admins who were restricted from viewing certain profile attributes couldn’t access the GroupsGroup page.

• OKTA-623635

  Group mappings were unexpectedly pushed to downstream apps after the corresponding app instances were deleted.

• OKTA-627862

  Incorrect values for group metrics, such as the number of groups added and updated, were displayed on the Import Monitoring page.

• OKTA-633507

  The pagination cursor was ignored when requests to the Groups API (api/v1/groups) included the ID of the All Admin group.

• OKTA-641112

  System Log events weren't generated when Active Directory and LDAP users were deactivated during sign-in.

• OKTA-643155

  If an org had configured Duo Security as an MFA factor and also a custom IdP factor named Duo Security, then the org couldn't be upgraded to Identity Engine.

• OKTA-643204

  Active Directory and LDAP users weren't unassigned from applications when they were deactivated during sign-in.

• OKTA-643499

  Sometimes the processing of group rules for smaller groups took longer than expected when other large operations were in progress.

Okta Integration Network

App updates

• The Experience.com OIDC app now has additional redirect URIs.

• The Planview Admin SAML app now has the Audience ID variable.

New Okta Verified app integrations

• Clumio (SCIM)
• Elba (API service)
• innDex (OIDC)
• Sloneek (OIDC)
• Zonka Feedback (SAML)

App integration fixes

• Bloomberg (SWA) (OKTA-642380)
• BlueCross Blueshield of Illinois (SWA) (OKTA-641490)
• Citi Velocity (SWA) (OKTA-637196)
• SAP Concur Solutions (SWA) (OKTA-643965)

Sign-In Widget, version 7.11.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Admin sessions bound to Autonomous System Number (ASN)

When an admin signs in to Okta, their session is now associated with the ASN they are logging in from. If the ASN changes during the session, the admin is signed out of Okta, and an event appears in the System Log.

Fixes

• OKTA-632174

  The Edit User Assignment page showed roles that had already been removed by an admin.

• OKTA-636990

  If an admin attempted to cancel or retry the enrollment of the WebAuth authenticator on behalf of a user, the page closed.

• OKTA-638649

  Field validation didn't work for Trusted Origins URLs.

• OKTA-642760

  Double-clicking the Save button on an app sign-on policy rule caused duplicate migrations when orgs upgraded to Identity Engine.

• OKTA-644143

  Users who were added to a group through group assignments were displayed as manually assigned.

• OKTA-648338

  The Zendesk app integration made API requests using the GET command instead of the POST command.

• OKTA-653489

  Admins couldn’t add custom default Salesforce attributes that had been deleted from the Profile Editor.

• OKTA-655852

  The Okta sign-in flow returned an error for certain URLs.

Okta Integration Network

App updates

• The Extracker app integration has been rebranded as Clearstory.
• The Inflection app integration has new Assertion Consumer Service (ACS) URLs, and a new URI, logo, and integration guide link.
• The Mapiq app integration has a new logo.

• The People Experience Hub app integration no longer has an Encryption Certificate field.

• The Secure Code Warrior app integration has new SSO URLs and a new Instance Region option.
• The Tableau Online app integration has been rebranded as Tableau Cloud. The app has new application profile, custom patch batch size, and website.

New Okta Verified app integrations

• Badge (OIDC)
• Badge (SAML)
• Cisco Webex Identity SCIM 2.09 (SAML)
• Datawiza Access Management Platform for E-Business Suite (EBS) (OIDC)
• Datawiza Access Management Platform for JD Edwards (JDE) (OIDC)
• Deel HR (SCIM)
• dscout (SAML)
• Fletch (SAML)
• Incode Omni (OIDC)
• Q for Sales (OIDC)
• SpiderSense (SAML)
• Voicenter (OIDC)

App integration fixes

• Tableau Cloud (SCIM) (OKTA-625933)

Sign-In Widget, version 7.11.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

• OKTA-457923

  The browser's back button removed filters set for the MFA Enrollment by User report rather than returning to the Reports page.

• OKTA-559609

  Email notifications for report downloads sometimes didn't refer to the report name correctly.

• OKTA-568355

  When trying to launch the SuccessFactors app, credentials weren't automatically filled, which caused the launch to fail.

• OKTA-578997

  Read-only and helpdesk admins were able to incorrectly install and configure new Active Directory, LDAP, IWA Web, and Okta Provisioning agents.

• OKTA-586764

  On Okta-hosted sign-in pages, some fonts weren't loaded or rendered correctly.

• OKTA-597530

  Admins couldn't delete authorization server clients on the Access Policies page.

• OKTA-599823

  An answer to a security question could include parts of the question.

• OKTA-612507

  Some errors weren't translated.

• OKTA-626459

  When an org attempted to upgrade to Identity Engine, verified event hooks that were subscribed to the system.voice.send_phone_verification_call and system.sms.send_phone_verification_message event types returned warnings or consent requirements.

• OKTA-627678

  An error occurred when the postLogoutReidrectUris value in an OpenID Connect app was more than 65,535 characters.

• OKTA-639311

  When Cloud Identity was selected as the Google Workspace license type, entitlements weren't pushed.

• OKTA-643533

  The Default application for the Sign-In Widget setting was visible to orgs that hadn't enabled the feature.

• OKTA-647442

  Sometimes, a search request would fail if it included a recently created user.

• OKTA-651722

  Clicking Reapply Mappings set unmapped values to empty in orgs with certain configurations.

• OKTA-653019

  Base attributes of new Slack integrations weren't visible.

• OKTA-654857

  Org navigation elements appeared behind app tiles and other user interface elements for some iOS and macOS users.

• OKTA-658729

  Admins sometimes couldn’t reschedule their upgrade to Identity Engine if they had already rescheduled it to more than 30 days into the future.

Okta Integration Network

App updates

• The Cisco Umbrella User Management app integration has been rebranded as Cisco User Management for Secure Access. The app integration has a new logo, description, and URL.
• The Fullview app integration has a new direct URI and a new initiate login URI.
• The YesWeHack app intergration has a new icon.

New Okta Verified app integrations

• Authentic Web (SAML)
• Extic (SAML)
• GoSearch (SAML)
• Kizen (SAML)
• Kno2fy (SAML)
• LeanIX (API service)
• Proofpoint Security Awareness Training (SCIM)
• Summize (OIDC)
• Swayable (SAML)
• Trint (SAML)
• Trint (SCIM)
• ZAMP (OIDC)

App integration fixes

• Adobe (SWA) (OKTA-647811)
• Algolia (SWA) (OKTA-654566)
• American Express (Business) (SWA) (OKTA-649753)
• Application Bank of America CashPro (SWA) (OKTA-648836)
• i-Ready (SWA) (OKTA-644769)
• IMDB Pro (SWA) (OKTA-653918)
• MIT Technology Review (SWA) (OKTA-656622)
• SuccessFactors (SWA) (OKTA-568355)
• Trend Micro Worry-Free Business Security Services (SWA) (OKTA-648083)
• Twilio (SWA) (OKTA-655486)

Sign-In Widget, version 7.12.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

• OKTA-627327

  Admins couldn't upgrade to Identity Engine if the Embedded Application SSO Step-Up Authentication API feature was enabled.

• OKTA-649293

  Users couldn't be assigned to Box using the Assign Box to People page.

• OKTA-649788

  A tooltip was truncated on the API Tokens page.

• OKTA-651979

  Some custom scopes weren't listed in the search box used for adding scopes to OIDC access policy rules.

• OKTA-657130

  When admin translations were enabled, some users saw an error when they tried to access an app.

• OKTA-657143

  The password expiration prompt wasn't shown to users signing in with the OIDC flow.

• OKTA-658969

  Attributes defined in Okta for ServiceNow failed to sync by default.

• OKTA-661982

  When an import failed for a user, unique attributes for that user were sometimes retained in Okta.

• OKTA-662487

  The Session Management labels on the Global Session Policy rule page were confusing.

• OKTA-663777

  In the Add Resource dialog box, admins couldn’t search for apps with special characters.

• OKTA-666323

  When an admin added a SAML app to an existing resource set, users who were assigned the resource set couldn't access the app.

• OKTA-667106

  Sign-In Widget version 7.12.1 didn't work with Internet Explorer version 11 if the org had passwordless authentication enabled.

Okta Integration Network

New Okta Verified app integrations

• Anzenna (API service)
• businesscards.io (SAML)
• Command Zero (API service)
• Contentstack (SAML)
• CurationHealth (OIDC)
• Datadog (SCIM)
• Datawiza Access Management Platform for Outlook Web Access (OWA) (OIDC)
• Fareharbor (SAML)
• Gem (API service)
• hireEZ (SCIM)
• Justt.ai (OIDC)
• LexPlay (OIDC)
• mula (OIDC)
• Netradyne Driveri (OIDC)
• Opensurvey Dataspace (OIDC)
• Ramp (SCIM)
• Splashtop Secure Workspace (OIDC)
• Splashtop Secure Workspace (SAML)
• Splashtop Secure Workspace (SCIM)
• Standard Metrics (OIDC)
• SVMMARY (SAML)
• XSpecs (SAML)
• Zenlytic (OIDC)

Fixes

• OKTA-607948

  Error messages were unclear when an LDAP query filter was invalid in Active Directory and LDAP integrations.

• OKTA-640503

  Custom admins didn't receive email notifications when the LDAP and Active Directory agent was disconnected or reconnected.

• OKTA-644010

  The System Log didn't log the time when the user was prompted for authenticator enrollment or verification.

• OKTA-662134

  Resetting a user’s security question using the API endpoint didn't generate a System Log entry.

• OKTA-663793

  The System Log didn't capture a failed user authentication during LDAP delegated authentication.

• OKTA-667475

  Updated custom schema values weren't imported from Google.

• OKTA-668140

  Users sometimes received an error message when accessing the Profile Editor from the Admin Dashboard.

• OKTA-669824

  When the display language was set to Polish, the Sign-In Widget wasn’t translated properly.

• OKTA-669999

  Some users weren't imported after being unassigned from a sourcing app.

Okta Integration Network

App updates

• The Blameless app integration has updated endpoints.

New Okta Verified app integrations

• Built (OIDC)
• Built (SCIM)
• GoSearch (SCIM)
• Jellyfish (SAML)
• LeanIX - SaaS Discovery (API service)
• T3 Connect (SCIM)
• Tackle.io (OIDC)

Admin Console session configuration

Admins can now set the session lifetime and idle time for Admin Console users independently of global session limits. This provides greater security control over the Admin Console.

See Configure Admin Console session lifetime.

Fixes

• OKTA-621160

  Some inbound SSO flows failed when a default app was set for the Sign-In Widget.

• OKTA-636560

  When using Okta Expression Language in Identity Engine, the group.profile.name key didn't return exact matches.

• OKTA-646953

  Users couldn't sign in to URLs for custom domains.

• OKTA-651667

  When retrying a batch update of Active Directory agents, agents that had already been updated were marked as updates in progress in the email notification.

• OKTA-657959

  When assigning users to a group using group rules, the group rule evaluation timed out, and users who matched the attributes weren't added to the group.

• OKTA-661907

  Some users on Android 6 devices were erroneously granted access to Okta-protected resources despite the authentication policy rule.

• OKTA-663893

  Users without API access management enabled saw a Create Authorization Server banner on the APIAuthorization Servers page.

• OKTA-668142

  Third-party admin status couldn’t be removed from an admin. This occurred when they belonged to a third-party admin group that no longer had admin privileges.

• OKTA-672678

  Sometimes countdown messages weren't displayed when Admin Console sessions were close to expiring.

• OKTA-675063

  RADIUS agent libraries contained internal security issues. Upgrade to version 2.20.0 to correct those issues.

• OKTA-675938

  Google USB-C/NFC Titan Security Key (K52T) enrollment wasn't supported.

• OKTA-679640

  Admins sometimes received an error when trying to access the Admin Console.

Okta Integration Network

App updates

• The CodeSignal SAML app integration has a new description.
• The HackerRank For Work SCIM app integration now supports user deactivation.
• The Perimeter 81 SCIM app integration now supports group push.
• The Symantec Secure Access Cloud app integration has been rebranded as Symantec ZTNA.
• The WorkRamp app integration now supports EU locations.
• The ZAMP OIDC app integration now has IdP-initiated support.

New Okta Verified app integrations

• AgentNex (SAML)
• AuditNex (SAML)
• ChargeDesk (OIDC)
• Collage HR (OIDC)
• Ethos (OIDC)
• Iterate (OIDC)
• Kertos (API service)
• Kluster (OIDC)
• Liquid & Grit (OIDC)
  
• Lookout Secure Access (SAML)
• OneRange (SAML)
• Promethean AI (OIDC)
• Push Security (API service)
• Re-flow (SAML)
• Routespring (SAML)
• Semplates (OIDC)
• Siit (SAML)
• Siit (API service)
• Skippr OIDC for Organizations (OIDC)
• StackAdapt (OIDC)
• Tabulera (SAML)
• Venue (SCIM)