Preview release notes

| | Current | Upcoming |
|---|---|---|
| Production | 2023.05.2 | 2023.05.3 Production release is scheduled to begin deployment on June 12 |
| Preview | 2023.05.2 | 2023.05.3 Preview release is scheduled to begin deployment on June 7 |

May 2023
2023.05.0: Monthly Preview release began deployment on May 11
* Features may not be available in all Okta Product SKUs.
Generally Available Features
Okta AD agent, version 3.15.0
This version of the agent contains the following changes:
- Bug fixes. Active Directory (AD) agent auto-update health check caused auto-update to fail when upgrading from version 3.13.0 to 3.14.0.
Okta On-Prem MFA agent, version 1.7.0
This version includes support for extended client session timeout. See Install the agent.
Confluence Authenticator, version 3.2.2
This release contains security fixes. See Okta Confluence Authenticator version history.
Okta Jira Authenticator, version 3.2.2
This release contains security fixes. See Okta Jira Authenticator Version History.
Multibrand customizations
Multibrand customizations allow customers to use one org to manage multiple brands and multiple custom domains. This drastically simplifies multi-tenant architectures where customers create multiple orgs to satisfy branding requirements. Multibrand customizations allow orgs to create up to three custom domains (more upon request), which can be mapped to multiple sign-in pages, multiple sets of emails, error pages, and multiple versions of the End-User Dashboard. See Branding.
Self-Service Okta Identity Engine Upgrades for eligible orgs
Okta is slowly rolling out self-service upgrade functionality to eligible orgs. Using the new self-service upgrade widget, orgs with acknowledgment action items can now review and complete those items, and then schedule their upgrade. When your org becomes eligible for the upgrade, you receive an email confirming your eligibility and the self-service upgrade widget appears on the Admin Dashboard. The upgrade is free, automatic, and has zero downtime. See Upgrade from Okta Classic Engine.
Note that only super admins can view and manage the self-service upgrade widget.
New upgrade warning
For self-service Identity Engine upgrades, a warning message now appears to indicate that the Classic Engine Sessions API isn't supported.
More events eligible for hooks
The following System Log events are now eligible for event hooks:
- group.application_assignment.add
- group.application_assignment.remove
- group.application_assignment.update
New legal disclaimer in Okta Trial accounts
A new legal disclaimer is displayed on the Add Person dialog in Okta trial accounts to prevent sending unsolicited and unauthorized activation emails.
Okta branding changes for the Admin Console
Branding updates to headings, fonts, colors, borders, and logos are now available in the Admin Console.
Additional measures to counter toll fraud
For SMS and voice authentications, additional mitigation measures now help counter phone number-based toll fraud.
Early Access Features
Permission conditions for profile attributes
You can now apply conditions to the View users and their details and Edit users' profile attributes custom admin role permissions. Permission conditions help you limit the scope of a role by including or excluding admins' access to individual profile attributes. This gives you more granular control over your custom admin roles and helps meet your org’s unique security needs. See Permission conditions.
Assign admin roles to an app
Orgs can now assign admin roles to their custom API Service Integrations. Apps with assigned admin roles are constrained to the permissions and resources that are included in the role assignment. This helps ensure that apps only have access to the resources that are needed to perform their tasks, and improves orgs' overall security. See Work with the admin component.
Event hook filters
You can now filter individual events of the same event type based on custom business logic hosted in Okta. These filters reduce the number of events that trigger hooks, removing unnecessary load on your external service.
This feature includes an improved creation workflow for event hooks and a new Filters tab that you can use to create event filters with direct Expression Language statements or with a simple UI format.
Using event hook filters significantly reduces the number of event hook requests and the need for custom code on your respective services. See Edit an event hook filter.
Fixes
- OKTA-566113: After changing the display language for an Okta org from English to another language, some text was still displayed in English.
- OKTA-580684: In the Okta Expression Language, the isMemberOfGroupNameContains expression couldn't differentiate underscores and hyphens, which caused unexpected user membership assignments.
- OKTA-595053: Users who clicked Back to sign in before setting up their security methods were incorrectly notified that their configuration was successful. This occurred only in orgs with custom domains.
- OKTA-596360: Locked out users could still authenticate and sign in through Integrated Windows Authentication (IWA).
- OKTA-596600: For apps with Group Push enabled, the tab displayed incorrect dates and times.
- OKTA-597396: Pushing groups from Okta to Microsoft Office 365 sometimes failed if an empty group description was updated.
- OKTA-599408: GMT timezones couldn't be selected correctly in the System Log.
- OKTA-600867: The Yubikey Reports page wasn't properly translated.
- OKTA-601875: After a user was deactivated, their remaining tasks resulted in errors.
- OKTA-603305: On the Edit resource set page, an error appeared when an admin deleted a resource type and then added it again. This occurred when the redesigned resource editor feature was enabled.
- OKTA-607249: Service clients with the correct permissions couldn't modify policies that contained the Okta Administrator Group.
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:
- 360Learning: For configuration information, see OKTA: configuration guide.
- Forest Admin: For configuration information, see Forest Admin User Guide.
- Pigeonhole Live: For configuration information, see Configuring Provisioning for Pigeonhole Live.
- Recurly: For configuration information, see Configuring Provisioning for Mural.
- Tines: For configuration information, see How to Configure SAML 2.0 for Tines for admins.
SAML for the following Okta Verified applications
- Demio: For configuration information, see How to Configure SAML 2.0 for Demio.
- Flagsmith: For configuration information, see Okta Configuration Guide.
- Sendoso (OKTA-543675)
OIDC for the following Okta Verified applications
- cmBuilder: For configuration information, see Okta Single Sign-On (SSO) - Configuration Guide.
- Vozzi: For configuration information, see Okta Integration Configuration Guide.
Weekly Updates

Fixes
- OKTA-588667: After creating accounts, some users weren't able to complete the sign-in process.
- OKTA-596446: Error summary messages weren't written to the System Log when custom errors occurred during an import inline hook operation.
- OKTA-597490: The LDAP interface didn't return any result for a deactivated user when the cn value was combined with other filters.
- OKTA-597959: Okta users authenticating through Agentless Desktop SSO (ADSSO) were sometimes incorrectly shown a migration-check error message.
- OKTA-601618: Email change confirmation notices came from an Okta test account rather than a brand-specific sender.
- OKTA-603731: Macros in email subjects weren't processed correctly for some email templates.
- OKTA-604404: Imports performed during UltiPro maintenance resulted in inconsistent data being returned.
- OKTA-604914: When the redesigned resource editor feature was enabled, admins couldn’t add individual applications to their resource sets.
- OKTA-609336: Incorrect descriptions were displayed on the Agents > On-premise tab.
- OKTA-609390: During Identity Engine self-service upgrades, admins could see false indications that the Sessions API was in use.
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:
- Apollo.io: For configuration information, see Configure SCIM User Provisioning in Okta for Your Apollo Account.
- CrashPlan: For configuration information, see How to provision users to CrashPlan from Okta.
SAML for the following Okta Verified applications
- Apollo.io: For configuration information, see Set Up Single Sign-On (SSO) with Okta for Your Apollo Account.
- COSgrid MicroZAccess: For configuration information, see How to Configure SAML 2.0 for COSGrid Networks for admins.
- Digital Pigeon: For configuration information, see Okta SSO Configuration (OIN Guide).
- Kallidus HR: For configuration information, see Kallidus Sapling - Okta Integration Guide.
- Reach Security: For configuration information, see SAML Onboarding (you need to sign in to view this documentation).
- Sauce Labs: For configuration information, see Configuring SSO in Okta.
OIDC for the following Okta Verified applications
- Cledara: For configuration information, see Integrate with Okta.
- DNSimple: For configuration information, see Okta as an Identity Provider.

Fixes
- OKTA-414791: LDAP requests resulted in an error if the memberOf filter didn't include a Group DN.
- OKTA-423781: The Privacy link on the Okta dashboard wasn't translated.
- OKTA-585123: When the Full Featured Code Editor was enabled, some admins couldn't edit the Sign-In Widget version or their sign-in page draft changes.
- OKTA-591228: Admins with a custom role couldn’t receive user reports of suspicious activity in email notifications.
- OKTA-602635: Some text on the Administrator assignment by role page wasn’t translated properly.
- OKTA-602794: Token inline hooks failed even when a URL claim name was correctly encoded with a JSON pointer.
- OKTA-604386: The Edit button disappeared from the Other customizations > User Accounts panel.
- OKTA-604825: When an admin added the Manage users permission to a role, any existing permission conditions were removed. Also, admins with restricted profile attributes could edit those attributes on their own profile.
- OKTA-613226: Some of the new Okta branding changes weren’t displayed in the Admin Console.
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog:
- Dagster Cloud: For configuration information, see Dagster Cloud Okta user provisioning guide with SCIM.
SAML for the following Okta Verified applications
- Amplified: For configuration information, see Okta SAML integration.
- Healthfeed: For configuration information, see Healthfeed Customer Configuration.
API service app for the following Okta Verified applications
- Kandji Device Trust: For configuration information, see Okta Device Trust.
- Sevco Security: For configuration information, see Configure the Sevco Security app in Okta.
OIDC for the following Okta Verified applications
- Amplified: For configuration information, see Okta OIDC SSO integration.
- Debricked OIDC SSO: For configuration information, see Set up Single Sign On (SSO) for Debricked.
- DNSimple: For configuration information, see Okta as an Identity Provider.
- Software Analytics: For configuration information, see Okta Setup.
- Zesty.io: For configuration information, see Okta SSO Configuration Guide.
Facebook at Work integration enhancement
Facebook at Work uses the Okta Expression Language to map the manager attribute. This allows admins to adjust how the manager attribute is stored in the user profile so they can choose between an id field or a name.
Smart Card IdP with Agentless DSSO
Okta can now be configured to allow users to use Agentless DSSO without being prompted when Smart Card IdP is configured.
New App Drawer
The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.
SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org’s apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.
Toggle password visibility on the Okta Sign-In page
End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Delegated authentication.
Email failure events in the System Log
Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.
Federation Broker Mode
The new Federation Broker Mode allows Okta SSO without the need to pre-assign apps to specific users. Access is managed only by the authentication policy and the authorization rules of each app. This mode can improve import performance and can be helpful for larger-scale orgs that manage many users and apps. See Manage Federation Broker Mode.
User Import Scheduling
When importing users from an app to Okta, you can now schedule imports to occur at hourly, daily, or weekly intervals. Scheduling imports at a time that is convenient for your org reduces the likelihood of service disruptions and eliminates the need to start imports manually. If an application allows incremental imports, you can create both full and incremental import schedules. This is a self-service feature. See Edit app provisioning settings.
Choose additional filters for Office 365 sign-on policy
Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.
Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.
Null values for SCIM provisioning
Null values for any attribute type can now be submitted to Okta when using SCIM provisioning. This change reduces the error messages customers receive and simplifies end user identity management. See Manage profiles.
Manage admin email notification subscriptions using API endpoints
Admins can manage email subscriptions using the Admin Email Subscription API endpoints.
- Super admins can configure default subscription settings by admin type.
- All admins can manage their own admin email notification subscriptions.
End-User Dashboard and Plugin redesign
The Okta End-User Dashboard and Okta Browser Plugin have been redesigned with a modern look and feel that includes new sidebar navigation, fuzzy search, and sections that replace tabs.
Admins can enable this new design all at once or by groups. The new experience is 50% faster, more intuitive to use, and more responsive to smaller screens. Design changes also improve accessibility and app discovery for end users.
See Create sign-on policies with Okta Applications.
This feature will gradually be made available to all Preview orgs.
Workflows Templates available
Workflows Templates is now available, providing users with access to a searchable catalog of installable Flows that address many common use cases. See Get started with Workflows Templates.
LDAP password reset option
LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Delegated authentication.
LDAP admin password reset
For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.
Windows Device Registration Task, version 1.4.1
This release fixed the following issues:
- If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
- An unknown publisher warning appeared after double-clicking the Okta Device Registration MSI file.
Affected customers should uninstall the registration task and install 1.4.1 or later.
See Enforce Okta Device Trust for managed Windows computers and Device Trust for Windows Desktop Registration Task Version History.
Incremental Imports for CSV
Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously been released to Production in 2020.09.0.
Password changed notification email
To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.
Office 365 Silent Activation
Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain joined shared Workstations or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.
End-user Welcome emails localized
The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.
People page improvements
The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.
Mobile tab available for mobile-capable apps
The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.
Provisioning page UI element change
Drop-down menus on the Provisioning page (General Settings) were standardized.
UI element change
Drop-down menus on the Provisioning page (General Settings) are standardized. See Provision applications.
Early Access features, auto-enroll
You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access features.
Connecting Apps to Okta using the LDAP Interface
The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.