Production release notes

  Current Upcoming
Production 2022.05.2 2022.05.3 Production release is scheduled to begin deployment on May 31
Preview 2022.05.3

2022.06.0 Preview release is scheduled to begin deployment on June 8

May 2022

2022.05.0: Monthly Production release began deployment on May 9

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta AD agent, version 3.11.0

This version of the agent contains the following changes:

  • Increased minimum .NET version supported to 4.6.2. If the installer doesn't detect .NET 4.6.2 or higher, it won't be installed.

  • Security enhancements

  • Removed unsupported libraries

See Okta Active Directory agent version history.

Okta ADFS plugin, version 1.7.10

This version of the plugin contains bug fixes and security enhancements. See Okta ADFS Plugin Version History.

Okta RADIUS agent, version 2.17.4

This version of the agent contains bug fixes and security enhancements. See Okta RADIUS Server Agent Version History.

Okta On-Prem MFA agent, version 1.5.0

This version of the agent contains security enhancements. See Okta On-Prem MFA Agent Version History.

Okta Provisioning agent, version 2.0.10

This release of the Okta Provisioning agent contains vulnerability fixes. See Okta Provisioning agent and SDK version history.

Jira Authenticator, version 3.1.8

This release contains bug fixes. See Okta Jira Authenticator Version History.

Okta Resource Center access

The Okta Resource Center is a collection of product tours, step-by-step guides, and announcements that helps you learn about new features and how to perform tasks within the Admin Console. You can launch the Okta Resource Center by clicking the blue icon from anywhere in the Admin Console. See Okta Resource Center.

Use Okta MFA for Azure AD Conditional Access and Windows Hello for Business Enrollment

You can use Okta MFA to:

  • Satisfy Azure AD Conditional Access MFA requirements for your federated Office 365 app instance.
  • Enroll end users into Windows Hello for Business.

See Use Okta MFA to satisfy Azure AD MFA requirements for Office 365.

Client secret rotation and key management

Rotating client secrets without service or application downtime is a challenge. Additionally, JSON Web Key management can be cumbersome. To make client secret rotation a seamless process and improve JWK management, you can now create overlapping client secrets and manage JWK key pairs in the Admin Console. You can also create JWK key pairs from the admin console without having to use an external tool. See Manage secrets and keys for OIDC apps.

Application SAML Certificates

Separate SAML signing certificates are now assigned when admins create new SAML applications or configure SAML-enabled OIN apps. Okta previously created SAML certificates that were scoped to an entire org. With this feature, SAML certificates are issued and scoped at the application level to provide more fine-grained control and a more secure solution overall. See Create SAML app integrations using AIW.

Okta API access with OAuth 2.0 for Org2Org

Previously, the Org2Org integration only supported token-based access to the Okta API. You can now configure the Org2Org integration to access the Okta API as an OAuth 2.0 client. This increases security by limiting the scope of access and providing a better mechanism to rotate credentials. See Integrate Okta Org2Org with Okta.

Enhancements

PKCE is a verification method for OIDC SPA and Native app integrations

The OIDC App Integration Wizard now identifies that PKCE is not a client authentication method. Instead, for SPA and Native apps, the AIW creates apps listing PKCE as a verification method. See Create OIDC app integrations using AIW.

Add agent permissions to custom admin roles

Custom admins can perform AD agent auto-updates for AD instances they have access to. They can also view the agents dashboard page to see the statuses of all agents associated with app instances they can manage. See Automatically update Okta agents.

Group count tooltip on the Admin Dashboard

On the Admin Dashboard, the Overview section now provides an "Includes only Okta sourced groups and excludes those sourced externally, such as AD groups" tooltip for the Groups count. The new tooltip helps you understand how your groups count is calculated. You can view the tooltip by hovering your cursor over the Groups count on the Overview section. See View your org at a glance.

Okta End-User Dashboard enhancements

  • Unread notifications are more visible to users.

  • The End-User Dashboard Preview function bar has moved to a separate dialog. See Preview an end user's dashboard.

  • The Last sign in link at the bottom of the Okta End-User Dashboard now includes the entire text of the message in the hyperlink.

  • The title of the copy password dialog in the Okta End-User Dashboard is more specific.

System Log enhancements for block zone events

  • The zone.make_blacklist event in the System Log now encompasses two actions: when an admin creates a blocked network zone, and when an admin marks an existing blocked zone as unblocked. Previously, this event was only recorded when a pre-existing network zone was converted into a block list.

  • The zone.remove_blacklist System Log event now encompasses two actions: when a network zone is converted into an allow list, and when an admin deletes a blocked zone. Previously, this event was only recorded when a pre-existing network zone was converted to an allow list.

System Log enhancement for network zone events

A network zone ID is now added as a target for all network zone events in the System Log.

Enhancements to ThreatInsight

ThreatInsight is improved to further protect rate limit consumption from malicious actors. Requests from actors with a high threat level continue to be logged and/or blocked depending on the org's configuration. Now, additional requests that seem malicious but have a lower threat level no longer count towards org rate limits.

OIN Catalog enhancements

Integrations in the OIN Catalog help end users address issues across a variety of industries. Okta has added the ability to filter integrations by industry to help both prospective and current Okta users identify the OIN integrations that best meet their needs. Additionally, the OIN Catalog interface has been updated with the following enhancements for improved navigation:

  • The search interface has been updated and popular search terms can now be selected.

  • Details pages for integrations have been updated for usability.

  • Navigation breadcrumbs have been added to the OIN Catalog.

  • Integrations can now be sorted alphabetically and by recently added.

See Add existing app integrations.

OIN Catalog search functionality and filter updates

  • OIN Catalog search results now prioritize complete word matches from the search phrase.

  • Integrations in the OIN Catalog can now be filtered by RADIUS functionality.

See Add existing app integrations.

OIN Manager enhancements

The OIN Manager now requires that ISV submissions for SCIM integrations confirm that the integration meets API response timing requirements. See Publish an OIN integration.

Auto-update task no longer requires pip

The device trust enrollment and renewal script on macOS no longer requires the pip package manager to install Python pyOpenSSL packages.

Early Access Features

New Features

Trusted Origins for iFrame embedding

You can now choose which origins can embed Okta sign-in pages and Okta End-User Dashboard using Trusted Origins for iFrame embedding. This feature offers a granular control over iFrame embedding compared to the existing embedding option in Customization, which doesn't let you distinguish between secure and non-secure origins. Trusted Origins under Security > API allows you to selectively configure the origins you trust. It also provides enhanced security as it uses a more secure frame-ancestors directive in Content Security Policy that protects your data from web attacks such as clickjacking. See Trusted Origins for iFrame embedding.

New permissions for custom admin roles

Super admins can now assign these new permissions to their custom admin roles:

  • Manage authorization server

  • View authorization server

  • Manage customizations

  • View customizations

The authorization server permissions can be scoped to all or to a subset of the org’s authorization servers. With these new permissions, super admins can now create custom admin roles with more granular permissions for managing their org’s customizations and authorization servers. See About role permissions.

Additional resource and entitlements reports

Reports help your Okta org manage and track user access to resources, meet audit and compliance requirements, and monitor organizational security. The following reports are now available:

  • Group Membership report: Lists individual members of a group and how membership was granted.

  • User App Access report: Lists which users can access an application and how access was granted.

See Entitlements and Access Reports.

Fixes

General Fixes

OKTA-386570

If an LDAP interface bind request failed, subsequent searches failed with an internal server error instead of a permissions denied error.

OKTA-435855

Web and SPA app integrations created with an Authorization code or Interaction code grant type incorrectly returned an error if the Login Initiated By Either Okta or App option was selected.

OKTA-472350

Group push mapping for multiple Org2Org applications failed for some customers.

OKTA-476896

On the Administrators page, deactivated users with assigned admin roles were included in the Individually assigned count.

OKTA-477494

Some invalid EL expressions incorrectly passed validation.

OKTA-477634

Some users experienced delays when searching for an app on the Okta End-User Dashboard.

OKTA-481752

When users tried to enroll in Okta Verify, VoiceOver screen readers didn't highlight the mobile device type correctly or allow users to select a device. It also selected the iPhone option even though the Android option was also available.

OKTA-482435

When admins upgraded an app to SAML 2.0, the SAML 2.0 setup instructions used the org-scoped certificate instead of the app-scoped certificate.

OKTA-484366

Admins couldn’t use the objectGuid attribute as a unique identifier when integrating AD LDS LDAP servers with Okta.

OKTA-488233

Parallel JIT requests for the same username created duplicate users.

OKTA-488428

Some users lost the ability to reveal passwords for an app when the app drawer feature was enabled.

OKTA-488663

When Full Featured Code Editor was enabled, the full screen toggle on the error page code editor didn’t change to a minimize icon.

OKTA-489050

Sometimes an error message was displayed when admins viewed applications in the Admin Console.

OKTA-491164

Some admins weren’t assigned the Admin Console when they were added to a group with assigned admin roles.

OKTA-491264

Sometimes when a super admin deleted a custom admin role that contained email notifications, admins couldn’t update their email notification settings.

OKTA-495549

When groups were exposed in the LDAP interface directory information tree, some filters referencing the entryDn attribute returned the incorrect result code if the group wasn’t found.

OKTA-495598

AD-sourced users who reset their passwords in AD had to reset their passwords again when using IWA or ADSSO to sign in to Okta.

App Integration Fix

The following SWA app was not working correctly and is now fixed:

  • NDFR/SDU (OKTA-485335)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications

  • Common Room (OKTA-483683)

  • Datto Workplace (OKTA-487599)

  • Sounding Board (OKTA-489395)

Weekly Updates

Fixes

General Fixes

OKTA-385107

When User Profile Mappings were configured with invalid EL expressions, the validity check returned unwanted text.

OKTA-468575

Attempting to upload a new or replacement certificate to an existing RADIUS application resulted in an error.

OKTA-469428

Users could set their username as an answer to a security question if the case of at least one character was different.

OKTA-478259

When a super admin assigned an admin role to an ineligible group, the resulting error message was unclear.

OKTA-478844

Token endpoint events weren’t logged as expected by the System Log and Splunk.

OKTA-482807

Admins received a ${request.date} is required error when they tried to add a translation for the New Sign-On Notification email template.

OKTA-485981

Admins were able to save a Global Session Policy rule to deny sign-in attempts from specified zones even though no zones were selected.

OKTA-491554

The Client Secret UI didn’t render properly when users switched between authentication methods in an app instance.

OKTA-493632

A hyphen was incorrectly added to an app's tooltip when an end user hovered over the app on the End User Dashboard.

OKTA-496728

Client-side access tokens and ID tokens weren't revoked and cleared from an Okta domain’s localStorage when a user signed out from a custom OIDC application.

OKTA-498263H

The Activate/Deactivate button for Password Policy didn’t work.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • CUES (OKTA-486595)

  • GetFeedback (OKTA-488495)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Britive (OKTA-487233)

  • OpsLevel (OKTA-484506)

  • Planview ID (OKTA-487235)

Generally Available

Sign-In Widget, version 6.3.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-477341

On some pages, the help text incorrectly showed Manage people and Manage apps instead of Assign people and Assign apps.

OKTA-489341

Customers couldn’t deactivate agents that hadn't completed the configuration process.

OKTA-494778

If a user tried to remove a read-only group from their profile page, an error resulted but no error message was shown.

OKTA-497940

When a custom OIDC app integration was created with the Login flow set to Redirect to app to initiate login, sign-in attempts returned an access denied error instead of directing the user to the correct Initiate login URI.

App Integration Fixes

The following SWA apps weren't working correctly and are now fixed:

  • Indeed (OKTA-489451)

  • Mutual of Omaha (OKTA-489714)

  • Telus Mobility (OKTA-489114)

Applications

Application Update:

  • Amazon AWS: The OIDC Client ID for CLI access property is now available in the default version of the Amazon AWS app in Preview orgs.

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • eLearnPOSH (OKTA-491201)

April 2022

2022.04.0: Monthly Production release began deployment on April 4

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 6.2.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta On-Prem MFA Agent, version 1.4.9

This version of the agent contains security enhancements. See Okta On-Prem MFA Agent Version History.

Okta Browser Plugin, version 6.9.0 for all browsers

This version includes the following changes:

  • Keyboard navigation didn't work properly when users attempted to switch to a new app list in the plugin popover window. Users were unable to close the plugin popover window with keyboard input.
  • Version 6.8.0 of the plugin caused issues for some users when they attempted to sign in to an SWA app in an iframe.

See Okta Browser Plugin version history.

Admin Experience Redesign toggle removed

The toggle that allowed super admins to switch between the Admin Experience Redesign and the old experience has been removed. All Okta admins now benefit from our restyled Okta Admin Dashboard, responsive navigation side bar, and modern look and feel.

Allow or deny custom clients in Office 365 sign-on policy

You can filter specific clients in an Office 365 app sign-on rule to allow or deny them access to Office 365 resources. This filter can be used to deny access to untrusted clients or to only allow trusted clients. See Allow or deny custom clients in Office 365 sign on policy

Improved AD group membership synchronization

The ADAppUser distinguished name field is now updated when a user is added to an Okta group and a matching group exists in AD. When an Okta provisioning request moves a user to a new organizational unit, the change is quickly duplicated in AD. This new functionality helps ensure the accuracy and integrity of AD group membership information. Manage Active Directory users and groups.

New App Drawer

The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.

ShareFile REST OAuth

Admins can now upgrade to the latest version of our ShareFile integration. OAuth provides more secure authentication and will be now used for Provisioning and Imports. See Configure ShareFile OAuth and REST integration. This feature is made available to all orgs.

Enhancements

Federation Broker Mode UI improvements

The user interface prompts for Federation Broker Mode have been improved to provide more information about the feature. This feature can also be enabled through the OIDC app creation wizard. See Enable Federation Broker Mode.

Recent activity page link for end users

If Recent Activity is enabled, users can click Last sign in in the footer of the left navigation bar to go directly to the Recent Activity page.

Burst rate limits available on Rate Limit Dashboard

The Rate Limit Dashboard, available from the Admin Console, now includes data on burst limits in your Okta org, in addition to rate limit warnings and violations. The Violations dashboard was renamed Events to acknowledge the increase of scope, and includes the ability to filter on timeline as well as the type of event (warning, burst, and violation). Hovering over the burst rates in the graphs provides more detail and links to the system log for individual endpoint calls. The individual Usage graphs provide details on bursts for the individual API. See Rate limit dashboard and Burst rate limits.

New ThreatInsight enforcement action

If you configure ThreatInsight to log and enforce security based on the threat level detected, ThreatInsight can either limit or block authentication requests from suspicious IP addresses. For example, if a specific IP address is suspected of malicious activity but the threat level is considered low, authentication requests from the IP address are not denied access but might be subjected to a rate limit. See Configure Okta ThreatInsight.

New MFA help link

A new help link appears on Okta-hosted custom Sign-In Widgets. This link directs users to a page where they can learn more about the MFAn options available when they sign in. See Customize text on your sign-in page.

PIV IDP user profile mapping

You can now use idpuser.subjectUid in an Okta user profile when mapping IDP Username for Personal Identity Verification (PIV) IDPs. See Add a Smart Card identity provider.

Custom app logo preview

Admins can now preview a custom logo before applying it to an app. See Customize an application logo.

Updated error message for Microsoft Graph API

An error message for Microsoft Graph API has been updated to include more details and a possible workaround.

Debug logging for token exchange

The following fields have been added to the System Log for assistance in debugging OAuth2 token exchange events:

  • requested_token_type
  • subject_token_type
  • actor_token_type
  • resource

Updated SAML setup instructions

Setup instructions for SAML 2.0 apps now use per app SHA2 certificate during the app creation.

Change to the number of free SMS messages allowed

To balance growing costs of SMS usage while maintaining a commitment to developer and free trial orgs, Okta is changing the number of free SMS messages these orgs are allowed each month. Beginning April 4, 2022, orgs may send a maximum of 100 messages per month. For more information about this change, visit the Okta Developer Community.

Early Access Features

Enhancement

Splunk available for Log Streaming

Many organizations use third-party systems to monitor, aggregate, and act on the event data in Okta System Log events.

Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as the Splunk Cloud in near real time with simple, pre-built connectors. Log streaming scales well even with high event volume, and unlike many existing System Log event collectors, it doesn't require a third-party system to store an Okta Admin API token. See Log Streaming.

Fixes

General Fixes

OKTA-442031

Some Okta Mobile sign-in flows didn’t work for admins when the Okta Admin Console app required step-up authentication.

OKTA-460284

SAP Litmos imports failed with an unexpected error.

OKTA-472816

When app admins selected the Agents tab, the error message “Error rendering agents monitor table” appeared and no agents were listed.

OKTA-473180

Sometimes AssertionId for SAML1.1 assertions was poorly formatted.

OKTA-475767

Sometimes, in the Groups page Description column, an equals sign (=) replaced the forward slash ( / ) in LDAP-sourced group names.

OKTA-475773

Users could continue to use the Okta IWA Web agent to sign in to Okta when delegated authentication was disabled.

OKTA-475774

Users could use ADSSO to sign in to Okta when delegated authentication was disabled.

OKTA-478467

Admins who didn’t have permission to view the Agent monitors page received agent auto-update email notifications.

OKTA-479110

The sender email address on the Customizations > Emails page was inconsistent with the sender email address on individual templates.

OKTA-479701

Admins were shown events that were unrelated to their account in the Security Events section of the Recent Activity page.

OKTA-481319

An attribute for an app couldn't be re-added as a different type with the same variable name.

OKTA-482086

Some admins saw an error if they tried to run a report using resource sets created more than a year ago.

OKTA-482915

Admins were unable to remove unconfirmed imported users.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • MyFonts (OKTA-476809)

  • Quickbooks Time Tracker (OKTA-476695)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Atomic Console (OKTA-479344)

  • Intra-mart Accel Platform (OKTA-476864)

  • Mulesoft - Anypoint Platform (OKTA-461170)

  • OfficeTogether (OKTA-476827)

  • QTAKE Cloud (OKTA-480924)

OIDC for the following Okta Verified application:

Weekly Updates

Generally Available

Fixes

General Fixes

OKTA-482299

When a super admin removed all admin role assignments from a user, a time-out error sometimes appeared.

OKTA-482472

Admins with view permissions could see the Edit button in the User Account section of Customizations > Other.

OKTA-483335

When users signed in to Salesforce with the OAuth app, they weren't prompted to Allow Access. This only occurred if the Salesforce app was configured and the user already had an active session.

OKTA-483338

When users signed in to Google with the OAuth app, they weren't prompted to Allow Access. This only occurred if the Google app was configured and the user already had an active session.

OKTA-484416

In orgs that included OMM apps, Okta RADIUS agents weren’t able to service authentication requests after restart.

OKTA-484971

The Recent Activity section of the Okta End-User Dashboard didn't load properly for Internet Explorer users.

OKTA-484981

Due to a race condition and its exception handling, some users synced through imports received Access Forbidden errors for some applications.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • A Bead Store (OKTA-481911)

  • Adobe (OKTA-479001)

  • Adobe Stock (OKTA-483342)

  • American Express Business (OKTA-482556)

  • Mutual of Omaha (OKTA-481802)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • CardinalOps (OKTA-482262)

  • Curator by InterWorks (OKTA-481345)

  • ModernLoop (OKTA-482260)

Generally Available

Fixes

General Fixes

OKTA-389310

The nonce length for WebAuthn challenges didn't have enough characters for the recommended level of entropy.

OKTA-461412

Reactivating some users reassigned them to deleted apps.

OKTA-473141

The Enable Provisioning link from group push led to a blank Provisioning tab.

OKTA-479938

Okta IWA agent Desktop Single Sign-on (DSSO) occasionally failed to authenticate a legitimate user when Okta was operating in safe or read-only mode.

OKTA-483618

Some app users lost static attribute mappings during a scheduled org-wide reconciliation.

OKTA-484245

Deleting a group sometimes resulted in 404 errors when admins searched for a policy.

OKTA-488985

The setup instructions for a manual WS-Federation configuration for Office 365 incorrectly displayed an SHA-2 certificate instead of the SHA-1 org-scoped certificate.

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Axiad Cloud (OKTA-465658)

  • BizLibrary (OKTA-438712)

  • Greene King (OKTA-480468)

  • SendGrid (OKTA-485059)

  • SourceWhale (OKTA-472980)

  • TestRigor (OKTA-486166)

Generally Available

Sign-In Widget, version 6.2.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-468644

When a super admin scoped a standard role to a group or app and then saved the resource set, any unsaved role assignments were removed from the Administrator assignment by role page.

OKTA-477295

When an admin deleted a user who was excluded in a group rule, the error message Failure to activate the rule appeared.

OKTA-483742

When admins deleted Okta AD agents, scheduled agent auto-updates continued and caused exception errors.

OKTA-484482

The iframeControlHideCatalog option didn't hide the Add Apps link when the Okta End-User Dashboard was embedded.

OKTA-485860

Admins whose custom admin role contained the Edit users' authenticator operations and Edit users' lifecycle states permissions could create API tokens.

OKTA-486474

Some imports hit a roadblock when import safeguards were turned off.

OKTA-487293

SAML inline hooks with an AuthNRequest sometimes failed.

OKTA-487334

The SWA copy password window on the Okta End-User dashboard contained UI issues for Internet Explorer users.

OKTA-487453

Deleted users were reindexed in Elasticsearch when admins deleted user data.

OKTA-488616

The doctype declaration wasn’t displayed in the default template for error pages code editor.

OKTA-493627

Because of a change to the cryptographic libraries in macOS 12.3 (Monterey), Okta Device Registration Task, version 1.3.2, failed to enroll or renew certificates.

OKTA-495596H

Admins couldn't customize the End-User Dashboard layout.

OKTA-495695H

A Classic Engine org couldn't upgrade to Identity Engine if its users were enrolled in Okta Mobile.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Carta (OKTA-486196)

  • Chartbeat (OKTA-485773)

  • Rippe and Kingston LMS (OKTA-482602)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified applications

  • Heap Analytics (OKTA-486230)

  • Secure Code Warrior (OKTA-476859)

March 2022

2022.03.0: Monthly Production release began deployment on March 7

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 6.1.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta SSO IWA Web App agent, version 1.15.0

This version of the agent contains:

  • Security enhancements.

  • Making .NET Framework 4.6.2 the minimal supported version. Earlier versions are automatically upgraded during agent installation.

  • Okta Military Cloud support.

See Okta SSO IWA Web App version history.

Okta Active Directory Password Sync agent, version 1.5.0

This version of the agent includes:

  • Security enhancements.

  • Making .NET Framework 4.6.2 the minimal supported version. Earlier versions are automatically upgraded during agent installation.

  • Okta Military Cloud support.

See Okta Active Directory Password Sync Agent version history.

Okta AD agent, version 3.10.0

This version of the agent contains:

  • Okta Military Cloud support.

  • Bug fixes.

See Okta Active Directory agent version history.

Okta LDAP agent, version 5.12.0

This version of the agent contains support for Okta Military Cloud. See Okta LDAP Agent version history.

Okta Provisioning agent, version 2.0.9

This release of the Okta Provisioning agent contains vulnerability fixes.

See Okta Provisioning agent and SDK version history.

Event hooks for custom admin roles

Custom admin role events are now available for use as Event Hooks. This provides more security to admins by ensuring that they have the correct permission to perform tasks. See Event Hooks.

Enhanced email macros for email template customization

Enhanced Email Macros updates the email templating engine to use Velocity Templating Language (VTL). This feature unlocks new syntax that provides enhanced conditional logic and access to all attributes in the Okta User Profile object. This allows developers and admins more customizations in their user-facing emails. See Customize email templates (Developer docs) and Customize an email template.

Enforce limit and log per client mode for OAuth 2.0 /authorize and /login/login.htm endpoints

The default client-based rate limit for OAuth 2.0 /authorize and /login/login.htm endpoints is now elevated to Enforce limit and log per client (recommended) mode. This means that if your org’s client-based rate limit was previously set to Do nothing or Log per client, the setting is changed to Enforce limit and log per client (recommended) mode.

Note that based on the email communication sent out on Feb 3, 2022 and Feb 25, 2022, these changes are not applicable to certain orgs. See Default client-based rate limit mode change.

New ThreatInsight enforcement option

ThreatInsight evaluates authentication requests to detect potentially malicious activity from IP addresses exhibiting suspicious behavior. If you enable the Log and enforce security based on threat level option, ThreatInsight can limit or block authentication requests from suspicious IP addresses based on the threat level detected. For example, if a specific IP address is suspected of malicious activity but the threat level is considered low, authentication requests from the IP address are not denied access but might be subjected to a rate limit. The rate limit helps ensure that requests from a suspicious IP address don't overload authentication services and affect legitimate traffic. However, if an IP address is suspected of malicious activity and the threat level detected is high, authentication requests from the IP address are blocked. See Configure Okta ThreatInsight.

Validation for custom message templates

If you customize the default SMS message template, the Admin Console checks the message to determine whether it contains GSM or non-GSM characters and enforces the GSM or non-GSM character limit before saving the message. This check ensures that you don't create custom SMS messages that exceed the GSM or non-GSM character limit for message segments.

If you change existing custom templates, the new restrictions are enforced if your messages contain non-GSM characters.

For more information about customizing SMS templates, see Configure and use telephony.

Custom Administrator Roles

The standard admin roles available today don’t always meet all the granular delegated administration requirements, which may result in admins having either more or less permissions than they need.

The Custom Administrator Roles feature allows super admins to:

  • Create admin assignments with granular roles, which include specific user, group, and application permissions.

  • Constrain these admin assignments to resource sets.

Use Custom Administrators Roles to:

  • Increase admin productivity.

  • Decentralize the span of access that any one admin has.

  • Grant autonomy to different business units for self-management.

Some important things to note:

  • The Administrators page has been updated with a new, more intuitive interface for managing roles and permissions. See About the Administrators page.

  • Your pre-existing roles are referred to as “standard roles”. The standard role functionality is the same as earlier but the UI is different. See Use standard roles.

  • You can continue using the pre-existing roles and your existing assignments remain the same.

  • You can also assign custom roles to users who have standard roles assigned.

See Custom administrator roles and Best practices for creating a custom role assignment.

System Log events for group app assignments

When an admin role is assigned to a group, the Okta Admin Console is now assigned to the group members much faster, and an Add assigned application to group event (group.application_assignment.add) appears in the System Log. This helps super admins monitor the event activity in their org. See System Log.

Immutable unique data types for Okta LDAP and AD agent actions

Immutable unique data types can now be used with Okta LDAP and AD agent actions. The use of immutable unique data types lets admins locate users when a username is updated, or when the user is moved to another OU. Immutable unique data type support reduces the time admins spend managing users and makes sure they can always locate user profiles after an update or when a username changes. See Directory integrations.

ShareFile REST OAuth

Admins can now upgrade to the latest version of our ShareFile integration. OAuth provides more secure authentication and will be now used for Provisioning and Imports. See Configure ShareFile OAuth and REST integration. This feature is currently available for new orgs only.

Group Push enhancements

Group Push now supports the ability to link to existing groups in NetSuite. You can centrally manage these apps in Okta. This is important because it allows you to set up and push Okta groups into NetSuite instead of recreating them in NetSuite. See About Group Push.

Support for additional social Identity Providers

Social login is a form of SSO that uses existing information from a service such as Facebook, Twitter, or Google to sign in, instead of creating a new account specifically for a third-party website. Social Identity Provider (IdP) popularity varies by industry and region. We're making it easy for Okta admins to add new IdPs with out-of-the-box integrations for GitHub, GitLab, Salesforce, and Amazon, with more to come. These integrations add to our existing social IdP catalog in the OIN, allowing users to quickly sign up or sign in to your application without entering their email or creating a new password. See External Identity Providers.

Risk and behavior evaluation

To improve the visibility of risk scoring and behavior detection, all sign-in requests are evaluated for risk factors and changes in behavior. Impacted orgs can view the results of the evaluation in the System Log. See Identity providers.

Enhancements

Copy button updates

In the app settings panel of the Okta End-User Dashboard, the copy buttons for the username and password fields are renamed Copy username and Copy password.

Group assignment priority

If a group rule results in a higher group app assignment priority on an existing app user, the user is now remapped to the higher priority group assignment.

Extensibility for notifications of group push failure circumstances

Group push failure event hooks now allow customers to monitor for failures that won't be retried and use them to trigger automations, such as execution of a flow in Okta Workflows.

Group push notification improvements

Group push failure notifications have been repurposed and improved to provide better error descriptions for customers.

Early Access Features

New Features

Group search in the Admin Console

Admins can now use the Search bar to quickly find groups, in addition to users and apps. See Admin Console search.

Automatically update public keys in the Admin Console

Using private_key_jwt as your app's client authentication method requires that you upload public keys to Okta and then use the private keys to sign the assertion. Then, you must update the client configuration each time you rotate the key pairs. This is time-consuming and error-prone. To seamlessly use key pairs and rotate them frequently, you can now configure private_key_jwt client authentication in the Admin Console for OAuth clients by specifying the URI where you store your public keys. See Manage secrets and keys for OIDC apps.

User accounts report

Use this report to view users with accounts in Okta and their profile information. It helps you manage and track user access to resources, meet audit and compliance requirements, and monitor the security of your org. The report is located in the Entitlements and Access section of the Reports page. See User Accounts report

Enhancements

Incremental Imports for the Org2Org app

Okta now supports incremental imports for the Org2Org app. Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import. See Okta Org2Org.

Fixes

General Fixes

OKTA-404202

All users imported that are not confirmed will be removed using Clear Unconfirmed Users tool.

OKTA-447833

Admins couldn’t set up a custom domain URL with a top-level domain of .inc.

OKTA-455641

The Edit Assignment page for the Box app didn’t handle non-alphabetical characters properly.

OKTA-457771

Some users imported from Active Directory were missing apps assigned through group assignment.

OKTA-460013

Okta will schedule group reconciliation for any assigned user that is operationalized.

OKTA-461371

VoiceOver screen readers didn’t read the descriptions for the options to send Okta Verify activation links using SMS and email.

OKTA-466022

Admins whose custom role contained the Run imports permission couldn’t view their org’s LDAP integrations.

OKTA-468707

The System Log didn't display ThreatSuspected=false for authentication events when no threat evaluation was done.

OKTA-469843

Sign-In Widget polling didn't resume when the network became available.

OKTA-470096

Group membership changes didn’t automatically activate Group Push.

OKTA-471299

When ThreatInsight evaluated sign-in attempts for unknown users, the threat level was incorrectly displayed as threatLevel=UNKNOWN in the System Log.

OKTA-471605H

In SP-initiated flows, users' sessions ended when they closed the browser even if they selected Keep me signed in.

OKTA-471605H

In SP-initiated flows, users' sessions ended when they closed the browser even if they selected Keep me signed in.

OKTA-472304H

Group push for some customers resulted in a timeout error after one minute.

OKTA-473512

When the Custom Admin Roles feature was enabled, super admins were called Super Organization Administrators.

App Integration Fixes

The following SWA app were not working correctly and are now fixed

  • Asana (OKTA-467306)
  • Dashlane Business (OKTA-466333)
  • Guardian Insurance (OKTA-470966)
  • Loop11 (OKTA-471181)
  • Names & Faces (OKTA-468537)
  • Nord Layer (OKTA-469771)
  • Optum Health Financial (OKTA-465956)
  • QuickBooks (OKTA-467864)
  • Twitter (OKTA-470889)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Happeo (OKTA-461895)

  • ScreenMeet (OKTA-466613)

  • Shortcut (OKTA-461249)

  • Wonderwerk (OKTA-454149)

  • Zero Networks (OKTA-472331)

OIDC for the following Okta Verified applications:

Weekly Updates

Generally Available

Sign-In Widget, version 6.1.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-374857

When admins searched for groups in the new LDAP interface, results weren’t returned if the search query contained all lowercase characters.

OKTA-375035

The error message “The operation is not allowed” appeared to users who entered their new password during self-service password recovery even though the new password was saved and could be used for authentication.

OKTA-440514

Sensitive attributes were exposed when Identity Provider routing rules contained Boolean expressions.

OKTA-452618

Admins whose custom role contained the Edit users' lifecycle states permission but not the View users and their details permission could view the Profile tab on the user page.

OKTA-457354

Updating an access policy rule through the Admin Console sometimes resulted in a browser error. This occurred if the rule was created using the Authorization Server API without an include array in the User Condition object.

OKTA-459720

Some apps that require admin configuration appeared on the App Catalog page of the End-User Dashboard.

OKTA-464002

Admins with two active Okta orgs linked together by the same company name were unable to sign in to the OIN Manager portal.

OKTA-470268

If tasks were pending, users experienced slow or unresponsive web browsers after navigating to the Tasks page of the End-User Dashboard.

OKTA-470378

Confirmation messages shown when app assignments were removed or when groups were removed from app instances were inconsistent and unclear.

OKTA-470384

Screen readers didn't properly read text in the App Settings page the when user set focus on Username or Password fields.

OKTA-470541

Sometimes importing from the SuccessFactors app integration failed after timing out.

OKTA-470701

Keyboard navigation and screen readers occasionally lost focus while in the App Settings page of the End-User Dashboard.

OKTA-471079

Users with iOS 15.3.1 devices weren’t able to change their passwords in Okta Mobile 6.29.1-14.

OKTA-472593

When the Custom Admin Roles feature was enabled, the Administrator assignment by admin, Edit resources to a standard role, and Edit resource set pages didn’t display group details for imported AD/LDAP groups.

OKTA-473963

VoiceOver screen readers didn’t read the descriptions for the options in drop-down lists on Okta Verify.

OKTA-474143

A new public key was displayed in the UI despite the new key generation operation being canceled.

OKTA-476453

Displaying the App Catalog in List View on the End-User Dashboard caused UI errors in Internet Explorer browsers.

OKTA-477943H

Admins couldn’t change the version of the Sign-In Widget for custom domains.

OKTA-478421H

When AD/LDAP users were imported into groups with assigned admin roles, the resulting admin role updates were delayed, and the Grant user privilege event didn’t appear in the System Log.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Data.ai (OKTA-472317)

  • Google Play (OKTA-470657)

  • Zenefit (OKTA-472199)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

OIDC for the following Okta Verified applications:

Generally Available

Sign-In Widget, version 6.1.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-411070

Some administrator roles were incorrectly given access to Okta Management device and setting endpoints.

OKTA-414109

Admins who only had the View application and their details permission could see the Self Service section on the Application > Assignments tab.

OKTA-417477

Making valid changes to the device_sso or online_access scopes in the Edit Scope dialog incorrectly returned an error message.

OKTA-441233

When a super admin saved the email notification settings for a role without making any changes, the settings weren’t restored to their default values for existing admins with that role.

OKTA-457226

Some text strings on the Multifactor page weren't translated.

OKTA-463551

Lengthy app names weren't fully listed in the search index of the Okta End-User Dashboard.

OKTA-464002

Sometimes a user was unable to access app integrations in OIN Manager when the account that submitted the integration had been disabled.

OKTA-464217

Onboarding guides were still shown to new users after admins disabled the feature in Customizations > Other > Display Options.

OKTA-466304

Messages weren't descriptive for errors that occurred during SCIM integration for custom SAML apps.

OKTA-469449

Admins couldn’t change their custom sign-in page, and the wrong error message was displayed.

OKTA-469451

Send test email failed with a 500 error for some email templates.

OKTA-471670

The ThreatSuspected field was missing in the user.session.start event for Radius sign-in requests.

OKTA-473387

Variables didn’t work in the subject lines of some email templates.

OKTA-476019

Unsaved edits appeared in the read-only view of Identity Provider routing rules.

OKTA-478605

During OAuth app creation, EC public keys weren't recognized and couldn't be validated.

OKTA-479004

Some Preview orgs experienced Office 365 import failures with the error message, “An error occurred while creating the Azure Active Directory Graph API client.”

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • MyAtt (OKTA-473277)

  • Nationwide Financial (OKTA-473149)

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Ashby (OKTA-470597)

Generally Available

Fixes

General Fixes

OKTA-409838

When the Custom Admin Roles feature was enabled, admins without the View users and their details permission could see the Profile tab on the user page.

OKTA-448751

The Admin Dashboard sometimes displayed an inaccurate number of user groups.

OKTA-448946

Updating a Salesforce app username created a new user instead of pushing a profile update.

OKTA-456820

If users authenticated with a custom IdP factor, their client details weren't captured in the System Log.

OKTA-461147

The Remember My Last Used Factor functionality didn’t display all available factors, and the factor that was automatically selected hadn't been previously used.

OKTA-469698

The Office 365 Tasks app didn't take users to the Tasks tab of the Outlook web app.

OKTA-472294

When using Branding or Custom Domain features, admins who clicked a button multiple times received an error even though the action completed successfully.

OKTA-472467

Screen readers couldn't tell whether Password input field was hidden or revealed.

OKTA-474997

The Registration - Email Verification email template didn't support translated text.

OKTA-479799

When the Custom Admin Roles feature was enabled, some admins couldn’t view groups on the Administrators > Admins tab.

OKTA-479983

The Client Secret page didn't render the UI correctly for orgs with the Client Secrets Management feature enabled.

OKTA-480151

Some Expression Language variables still appeared in automated emails.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Angie's List (OKTA-477233)

  • FortiCloud (OKTA-478241)

  • Lutron (OKTA-476161)

  • Tableau (OKTA-471013)

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Perdoo (OKTA-472102)

OIDC for the following Okta Verified application:

February 2022

2022.02.0: Monthly Production release began deployment on February 7

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 6.0.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta AD agent, version 3.9.0

This version of the agent contains bug fixes. See Okta Active Directory agent version history.

Okta LDAP agent, version 5.11.0

This version of the agent contains:

  • Support for Proxy Authorization Control version 2 (2.16.840.1.113730.3.4.18). Users who are required to change their password after it is reset by an admin are no longer prompted twice for their password when accessing the End-User Dashboard. This new functionality is available only with LDAP services that support Proxy Authorization Control version 2. To enable this feature, contact Okta Support.

  • Internal improvements and bug fixes.

See Okta LDAP Agent version history.

Burst rate limits for authentication and authorization flows

Burst rate limits provide peace of mind by ensuring an unplanned spike doesn't negatively affect the end user's experience. See Burst rate limits.

OIN catalog replaces categories with use cases

Integrations in the OIN catalog address multiple use cases beyond SSO, such as LCM, social login, and identity proofing. Okta helps prospective and current orgs identify the OIN integrations that best meet their needs by highlighting the use cases that the integrations address and the functionality that the integrations use. This information is provided on both the OIN Catalog landing page and the integration details page. Okta also provides calls to action to help users immediately find value with these integrations across the Okta product platform. Use cases and functionalities replace app categories and filters, which were previously used to sort integrations. This feature will be gradually made available to all orgs.

See Add existing app integrations.

Provisioning to Office 365 now requires Admin Consent for Microsoft Graph API

Admins are now required to grant consent for Okta to call Microsoft Graph API to enable provisioning features for Office 365 app instances. This change prepares Okta to migrate provisioning operations to Microsoft Graph API in 2022, which will improve performance and reliability for Office 365 provisioning operations. It also enhances security for Okta customers by limiting Okta's permissions in the customer's Azure Active Directory to only those operations which are required for provisioning. Okta customers who previously configured provisioning to Office 365 are required to grant admin consent in order to make any changes to their existing provisioning settings. See Provide Microsoft admin consent for Okta.

Configure a custom error page

You can customize the text and the look and feel of error pages using an embedded HTML editor. When used together with a custom URL domain (required) and a custom Okta-hosted sign-in page, this feature offers a fully customized error page. For details, see Configure a custom error page.

Configure a custom Okta-hosted sign-in page

You can customize the text and the look and feel of the Okta-hosted sign-in page using form controls and an embedded HTML editor. When used together with a custom URL domain (required) and a custom Okta-hosted error page, this feature offers a fully customized end user sign-in experience hosted by Okta. For details, see Configure a custom Okta-hosted sign-in page.

Custom domains with Okta-managed certificates

When you customize an Okta URL domain, your Okta-hosted pages are branded with your own URL. Okta-managed certificates automatically renew through a Let’s Encrypt integration, a free certificate authority. Okta-managed certificate renewals lower customer developer maintenance costs and reduce the high risk of a site outage when certificates expire. See Customize the Okta URL domain.

Secondary email option for LDAP-sourced users

Admins can now enable a secondary email option for LDAP-sourced users in new orgs. When the secondary email option is enabled, LDAP-sourced users who haven’t previously provided a secondary email are now prompted to provide it on the Okta Welcome page. The prompt continues to appear until a secondary email is provided.

A secondary email helps reduce support calls by providing LDAP-sourced users with another option to recover their password when their primary email is unavailable. See Configure optional user account fields.

Password expiry for AD LDS-sourced users

Admins can now expire the passwords of AD Lightweight Directory Services-sourced users. Forcing users to change their password when they next sign in to Okta keeps passwords updated and enhances org security. See AD LDS LDAP integration reference.

Improved password status accuracy for LDAP-sourced users

The status of LDAP-sourced users is now accurately displayed on the user’s profile page. Previously, the user status incorrectly displayed Password Reset when a password was active. This update reduces the time admins need to spend monitoring and managing user passwords. See About user account status.

New features for HealthInsight

  • Administrators can now enable end user email notifications when an end user changes or resets their password. See General Security and HealthInsight.
  • HealthInsight now includes a recommendation for admins to enable Password Changed email notifications if the notification isn't yet enabled for the org. See Password changed notification for end users.
  • HealthInsight now displays a suspicious sign-in count within the recommendation that users enable ThreatInsight in block mode. See Okta ThreatInsight

Risk scoring improvements

Risk scoring has been improved to detect suspicious sign-in attempts based on additional IP signals. See Risk scoring.

Enhancements

Custom URL domain certificate expiration reminders

Email reminders for custom URL domain certificate expiration are now sent to super admins and org admins only.

OIN Manager enhancements

Users can now select a maximum of five app categories for ISV submissions. If an app category isn't selected, the app is placed in the all integrations category. See App information.

Error message and logging improvements

An error message for group push mapping to alert that a group is not active or not found has been added. Error logging has also been improved.

Email and SMS notification renamed

The New Device Notification email and SMS messages have been renamed New sign-on notification.

New behavior for Custom User Profile link

When users click the Custom User Profile link, the page now opens in a new browser tab or window.

New System Log event when user signs in

Admins now see the user.authentication.verify event in the System Log. This event is triggered when a user successfully signs in to their account. This feature is made available to all orgs.

App notes

App notes written by an admin are now displayed for users who hover over the app on the Okta End-User Dashboard.

Masking for eight digit phone numbers

The masking algorithm now reveals fewer digits for shorter phone numbers. For example, if the phone number has eight digits, the first five digits are masked and the final three digits are visible.

Early Access Features

New Features

Additional Okta username formats for LDAP-sourced users

Three additional Okta username formats are now available for LDAP-sourced users. In addition to the existing options, admins can now select Employee Number, Common Name, and Choose from schema to form the Okta username. These new options allow admins to use both delegated authentication and Just-In-Time (JIT) provisioning with LDAP directory services. With these new provisioning options, it is now easier for admins to integrate their LDAP servers with Okta. See Configure LDAP integration settings.

Okta Epic Hyperspace agent, version 1.3.2

This EA version of the agent contains security enhancements. See Okta Hyperspace Agent Version History.

Fixes

General Fixes

OKTA-294735

In the email template editor, the subject was translated to the admin’s display language but the rest of the content remained in English.

OKTA-383630

Macros didn’t render correctly in the subject field for Send test email and Email preview.

OKTA-419837

The warning message for custom code editors referred to Theme builder instead of Branding.

OKTA-419847

On-Prem MFA API tokens contained scopes beyond what was required for agent operation.

OKTA-423419

Some email templates returned errors if Velocity variables weren’t enclosed in brackets. This occurred for orgs with Enhanced Email Macros enabled.

OKTA-430327

Repeatedly assigning and unassigning a user to a group that provisions applications converted that user from a group assignment to an individual assignment.

OKTA-433751

End users received errors when accessing SWA apps through the Okta End-User Dashboard if their app passwords contained ampersands.

OKTA-436486

Some orgs couldn’t save email templates containing Velocity variables. This occurred for orgs with Enhanced Email Macros enabled.

OKTA-442296

Some end users received a 400 error after signing in to the Okta End-User Dashboard.

OKTA-443420

The Admin Console became unresponsive if admins performed a search with an unlimited number of characters on the People page.

OKTA-443777

Admins couldn’t use the objectGuid attribute as a unique identifier when integrating AD LDS LDAP servers with Okta.

OKTA-451206

When admins enabled LDAP real-time synchronization, the system.agent.ad.realtimesync event erroneously appeared in the System Log.

OKTA-455372

If the information required to evaluate behavior was not available, the System Log displayed BAD_REQUEST for rules that included behavior detection.

OKTA-451159

Org2Org attempts to push users sometimes resulted in java.net.SocketTimeoutException: Read timed out errors.

OKTA-455199

Error messages weren’t shown to users who signed in to orgs using passwordless authorization and an Identity Provider from IP addresses outside of the allowed network zone.

OKTA-456690

The View logs option on the People page was available to all users.

OKTA-459571

In the admin console, the status of RADIUS agents randomly changed from Operational to Disrupted.

OKTA-460366

On Security > Networks > Add IP Zone, proxy IP addresses weren't explicitly identified as trusted proxy IP addresses.

OKTA-461015

Event information was missing from the Report Suspicious Activity page after users changed their password in the Sign-In Widget.

OKTA-461198

When the Custom Admin Roles feature was enabled, read-only admins could see the Assign to People, Assign to Groups, and Edit User buttons on the Applications page.

OKTA-461686

The error message DownloadedObjectsProcessJob: null id in com.okta.monolith.platform.groups.db.dto.MembershipOktaGroup appeared after a full import of LDAP attributes.

OKTA-462025

Admins who refreshed a page in the custom URL domain wizard weren’t returned to the correct step.

OKTA-462114

The ${user.login} variable appeared in default email templates.

OKTA-462312

No warning message appeared when an attribute was saved as both sensitive and required in the Profile Editor.

OKTA-462807

Some orgs couldn't provision out-of-sync users.

OKTA-463388

Some valid Philippines phone numbers were identified as invalid and rejected when users tried to enroll in SMS authentication.

OKTA-467470H

When the Okta Browser Plugin was installed, applications opened from the new End-User Dashboard into pop-up windows instead of regular browser tabs. This occurred for Internet Explorer users only.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • AppSplit (OKTA-462294)
  • Auth0 (OKTA-456042)
  • Dockerhub (OKTA-463515)
  • FinServ (OKTA-463959)
  • LoansPQ (OKTA-462410)
  • MeridianLink LoansPQ (OKTA-460940)
  • New Relic (OKTA-464710)
  • ProtonMail (OKTA-463545)
  • Salto Keys (OKTA-464469)
  • WePay (OKTA-462296)
  • Wikispaces (OKTA-462300)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Compliance Genie (OKTA-456834)

  • SecureCodeWarrior (OKTA-455728)

OIDC for the following Okta Verified application:

Weekly Updates

Fixes

General Fixes

OKTA-422710

When the Custom Admin Roles feature was enabled, admins who didn’t have the Manage groups permission could view the Actions drop-down menu on the Groups > Rules tab.

OKTA-439826

Windows Server 2008 R2 was identified as a supported operating system on the Set Up Active Directory page.

OKTA-447818

Admins could remove users from a group on the Group Profile page but couldn't remove the group membership on the User Profile page.

OKTA-452937

Admins experienced page scrolling errors when approving requests for Salesforce apps.

OKTA-455572

End users were unable to see their existing password when editing sign-in information for an SWA app.

OKTA-456429

On the App Access Locked page, the contact your administrator link was broken.

OKTA-458310

The Groups page displayed the Admin roles tab for non-AD/LDAP groups. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-460374

When a default application was configured for the Sign-In Widget, no banner indicated to users which app they were signing in to.

OKTA-460647

UI elements for app settings on the Okta End-User Dashboard were inconsistent for admins and end users.

OKTA-460719

The Add Log Stream and Add Identity Provider pages were improperly rendered in Internet Explorer 11.

OKTA-461134

Tooltips didn't wrap properly on the Okta End-User Dashboard.

OKTA-461604

The Username field was missing for admins in the self-service app request workflow.

OKTA-462025

Admins who refreshed a page in the custom URL domain wizard weren’t returned to the correct step.

OKTA-462639

Some international SMS messages had the wrong country code displayed in the System Log.

OKTA-463346

In Internet Explorer 11, apps on the Okta End-User Dashboard displayed incorrect titles.

OKTA-463905

Super admins didn't receive an error if they saved the Administrator assignment by resource set or Administrator assignment by role page without selecting a resource set/role. This occurred for orgs with the Custom Admin Role feature enabled.

OKTA-465050

The app settings drawer incorrectly displayed a password field for SAML apps.

OKTA-466901

Custom attributes identified as cn (Common Name) were automatically mapped as username in Okta.

OKTA-471193H

Group push from Okta to Office 365 didn’t work.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Schwab Retirement Plan Center (OKTA-464739)
  • SquareSpace (OKTA-466252)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • CloudAlly (OKTA-453596)

Generally Available

Sign-In Widget, version 6.0.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-449722

There was a spelling error in the Help link (Optional) section of the Settings > Account > End User Information page.

OKTA-456339

Admins whose custom admin role contained the Run imports permission couldn't click Back to Applications on the Applications page.

OKTA-456831

For self-service registered users, verification emails sent using the Resend Verification Email button didn’t appear in the System Log.

OKTA-461740

VoiceOver screen readers read the wrong description for the Okta Verify enrollment QR code.

OKTA-463803

Group push didn't work for orgs configured with a required custom attribute.

OKTA-464251

End users incorrectly received prompts to sign in again when nearing the end of their session lifetime.

OKTA-465665

End users saw a blank page if they signed in to the Okta End-User Dashboard with a custom domain that ended with com.com.

OKTA-466301

The following issues occurred in the OIN App Catalog on Internet Explorer 11:

  • The app details page wasn’t shown when an app was selected from the Browse Integration Catalog search results.
  • App details pages didn’t render correctly.
  • Users weren't able to use the up and down arrow keys to navigate search results.

OKTA-466425

On the Okta End-User Dashboard, the app setting drawer's Reveal password wasn't accessible by keyboard commands.

OKTA-468607

When the Custom Admin Roles feature was enabled, newly added admins didn’t always appear on the Administrators page.

OKTA-469099

When orgs enabled both Branding and Custom Domain URL, the default domain displayed customized error pages.

January 2022

2022.01.0: Monthly Production release began deployment on January 10

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 5.16.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Okta Provisioning agent, version 2.0.6

This version of the agent contains security fixes. See Okta Provisioning agent and SDK version history

Okta On-Prem MFA agent, version 1.4.8

This version of the agent contains security fixes. See Okta On-Prem MFA Agent Version History.

Okta Active Directory agent, version 3.8.0

This version of the agent contains:

  • Agent auto-update support
  • Improved logging functionality to assist with issue resolution
  • Bug fixes

See Okta Active Directory agent version history.

Okta RADIUS Server agent, version 2.17.2

This version of the agent contains security fixes. See Okta RADIUS Server Agent Version History.

Delivery status of SMS messages in the System Log

Administrators can now view the delivery status for SMS messages in the System Log. For information about the new event type, see Configure and use telephony.

Feature name change: New Sign-On Notification

The New Device Notification functionality is renamed to New Sign-On Notification in the Admin Dashboard, the email notification title, and elsewhere. It refers to the email notification a user receives when there’s a sign-in event from an unrecognized device.

New permissions for custom admin roles

The following new permissions can now be assigned to a custom admin role:

  • Activate users

  • Deactivate users

  • Suspend users

  • Unsuspend user

  • Delete users

  • Unlock users

  • Clear user sessions

  • Reset users' authenticators

  • Reset users' passwords

  • Set users' temporary password

  • Run imports.

The new permissions give super admins more granular control over their delegated org permissions. See About role permissions.

Editable Sign-in URL

End users can edit sign-in URLs for their apps on the App Settings page.

Service Principal Name functionality improvement

New Service Principal Name (SPN) functionality allows Agentless Desktop Single Sign-on (ADSSO) authentication to continue without interruption when an SPN is updated. A service account and an SPN are required for ADSSO Kerberos authentication. With this change, you can now update the SPN frequently as an additional security precaution. See Create a service account and configure a Service Principal Name.

OAuth Dynamic Issuer option

An authorization server’s issuer URL can be used to validate whether tokens are issued by the correct authorization server. You can configure the issuer URL to be either the Okta subdomain (such as company.okta.com) or a custom domain (such as sso.company.com). See Create the Authorization Server.

When there are applications that use Okta’s subdomain and other applications that use the custom domain, the issuer validation breaks because the value is hard-coded to one domain or the other.

With Dynamic Issuer Mode, the issuer value in minted tokens is dynamically updated based on the URL that is used to initiate the original authorize request.

For example, if the authorize request is https://sso.company.com/api/v1/authorize, the issuer value is https://sso.company.com.

Dynamic Issuer Mode helps with:

  • Split deployment use cases

  • Migration use cases when customers migrate from the Okta domain to a custom domain

  • Support with multiple custom domains

Rate limit dashboard

The new rate limit dashboard helps you investigate the cause of rate limit warnings and violations. You can also use it to view historical data and top consumers by their IP address.

This helps you:

  • Isolate outliers

  • Prevent issues in response to alerts

  • Find and address the root cause of rate limit violations

You can access the dashboard using the link provided in the rate limit violation event in the System Log. See Rate limit dashboard.

You can also open the dashboard in the Admin Console to monitor API usage over a period of time, change rate limit settings, and customize the warning threshold. See Rate limit monitoring.

Error response updated for malicious IP address sign-in requests

If you block suspicious traffic and ThreatInsight detects that a sign-in request comes from a malicious IP address, Okta automatically denies the user access to the organization. The user receives an error in response to the request. From the user’s perspective, the blocked request can’t be identified as the result of ThreatInsight having identified the IP address as malicious.

Make Okta the source for Group Push groups

Admins can now make Okta the profile source for all members of a group that is used for Group Push. When this feature is enabled, integrated apps can't change app group memberships. This functionality allows admins to maintain the accuracy of app group membership and prevents changes to group membership after a push. See Manage Group Push.

Password change notifications for LDAP-sourced users

Password change email notifications may now be sent to LDAP-sourced users.

LDAP-sourced users secondary email prompt on first sign in

Admins now have the option to prompt LDAP-sourced users for a secondary email when they sign in to Okta for the first time. When a secondary email is provided, password reset and activation notifications are sent to the user’s primary and secondary email addresses. Duplicating these notifications increases the likelihood they are seen by users and reduces support requests. See Configure optional user account fields.

Directory Debugger for Okta AD and LDAP agents

Admins can now enable the Directory Debugger to provide Okta Support with access to Okta AD and LDAP agent diagnostic data. This new diagnostic and troubleshooting tool accelerates issue resolution by eliminating delays collecting data and improves communication between orgs and Okta. See Enable the Directories Debugger.

Enhancements

Improved SIW error messages

The Sign-In Widget now has improved JIT error messages.

OIN Manager enhancements

The OIN Manager includes the following updates for ISV submissions:

  • It clarifies that OID and SAML integrations must support multi-tenancy.

  • It clarifies that only one OIDC mode can be selected for an OID integration.

  • It allows the format ${app.domain}/redirect_url for URIs.

  • It no longer allows ISV submissions for the Social Login and Log Streaming categories. See OIN App Integration Catalog.

  • It allows the use of app instance properties when configuring single logout (SLO) for SAML app integrations.

  • It requires that ISV submissions specify one or more use cases. Existing submissions may need to be updated to change from previous categories to the new use cases.

Updated interstitial page animation

A new animation is displayed on a loading page when users sign in to an app from Okta.

API token ID displayed in tokens

API token ID is now displayed under API tokens for easy tracking.

SHA type displayed for SAML certificates

SHA type is now displayed for SAML certificates in the Admin Console.

Early Access Features

This release does not have any Early Access features.

Fixes

General Fixes

OKTA-379478

The Medallia Mobile application dataAccess attribute wasn't automatically updated after changes were made to a user's group membership.

OKTA-412445

The SAML assertion sent by Okta to AWS exceeded the max character length supported by AWS (100,000 characters).

OKTA-420065

Launch on sign-in apps on the Okta End-User Dashboard launched multiple times after the user signed in.

OKTA-444924

An incorrect error message appeared when admins searched for groups and the Expression Language query included invalid attributes.

OKTA-447750

Users signing in to OIDC apps through Okta-hosted Sign-In Widgets on custom authorization servers received an access error message before they could provide their password.

OKTA-448006

Some branded pages used an org’s previously uploaded logo rather than their new theme logo.

OKTA-453672

When admins created custom language and country code attributes in the Profile Editor, the format property wasn’t updated and submitted.

OKTA-454206

Some admins without super admin permissions could view a link to the Admin role assignments report. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-456082

Mitigation of CSV Injection wasn't provided in all Okta-generated CSV reports.

OKTA-456084H

Admins received a 500 Internal Server Error when attempting to delete a YubiKey in blocked status.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Bendigo Bank (OKTA-454211)

  • EdgeCast (OKTA-453148)

  • Maxwell Health (OKTA-454213)

  • My T-Mobile (OKTA-455732)

  • Redis (OKTA-454218)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Regal Voice (OKTA-448791)

Weekly Updates

Fixes

General Fixes

OKTA-427502

After a Smart Card IDP was deactivated, the PIV button continued to appear when users signed in.

OKTA-443601

In the User Accounts section of the Customizations page, the incorrect term User Identity Master was used instead of User Identity Source.

OKTA-445110

Admins couldn’t search for suspended users on the Groups > People page.

OKTA-450647

When the Custom Admin Roles feature was enabled, the Admin role assignments report included deactivated admins.

OKTA-454965

Admins couldn’t unsubscribe from Okta AD agent auto-update email notifications because the Agent auto-update notifications: AD agent checkbox wasn’t available in the System notifications area of the Settings page.

OKTA-458760H

When the New Social Identity Provider integrations feature was enabled, IdP profiles weren't always saved and the Redirect Domain field wasn't available.

OKTA-461273H

Some Smartcard/PIV users were unable to sign in due to inaccessible Certificate Revocation Lists (CRL).

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Circulation (OKTA-456780)

  • CWT (OKTA-455733)

  • Key Bank (OKTA-455731)

  • MyFitnessPal (OKTA-455735)

  • Shutterstock (OKTA-456777)

  • The Hartford EBC (OKTA-454220)

  • TimeLog (OKTA-457372)

  • Verizon Wireless Business (OKTA-455729)

  • Xfinity (OKTA-457369)

Applications

New Integrations

SAML for the following Okta Verified applications:

  • Blingby Live (OKTA-455293)

  • BrightHire (OKTA-456906)

  • Jones (OKTA-453595)

  • TrackJS (OKTA-456630)

Generally Available

Sign-In Widget, version 5.16.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-288443

Links from an expired session didn't redirect users to the Okta End-User Dashboard when they signed in.

OKTA-332414

The All apps filter in the Okta End-User Dashboard catalog was incorrectly translated.

OKTA-412803

An incorrect warning message containing a user’s ID appeared when OpenLDAP-sourced users attempted to sign in to Okta.

OKTA-414419

Admins with the View application and their details permission could view the Push Status drop-down menu and the Push Groups, Refresh App Groups, and Bulk Edit buttons on the Application > Push Groups tab. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-416052

The Sort Apps button and its drop-down menu were covered by the left navigation bar on mobile devices.

OKTA-419846

RADIUS agent API tokens contained scopes beyond what was required for agent operation.

OKTA-433758

Some users created in AD and imported into Okta were missing external IDs when automatically assigned to apps.

OKTA-441218

When the Custom Admin Roles feature was enabled, third-party admins could view their admin email notification settings.

OKTA-443467

Admins were unable to sign in to the Admin Console if they had first signed in with a non-admin user account.

OKTA-446224, OKTA-455268

New admins weren’t always provisioned for Salesforce Help Center.

OKTA-446449

Memberships to Salesforce Public Groups were removed from Salesforce when group memberships were updated in Okta.

OKTA-447069

Some users were unable to access their bookmark apps after migrating to the new Okta End-User Dashboard.

OKTA-447114

Okta sent MFA reset email notifications even though the factor deactivation didn’t take effect.

OKTA-447813

Sometimes, admins were unable to remove apps from the Create a resource set page. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-454385

Password change email notifications were incorrectly sent to end users in orgs with URLs containing api/v1/user.

OKTA-457233

The default zone name for legacy IP zones was hardcoded in English and displayed in the Admin Console as a text string that could not be localized.

OKTA-457592

On the Admin assignment by admin and Admin assignment by role pages, an error sometimes appeared when the admin removed an existing standard role from the assignment and replaced it with another role. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-458302

When admins enabled LDAP interface app group support, the Directory Information Tree (DIT) included app instances that users couldn’t access.

OKTA-460597

When the Custom Admin Roles and CSV Directory features were enabled, admins with the Manage applications permission couldn’t access the Directory Integrations page.

OKTA-460636

When the Custom Admin Roles and Application Entitlement Policy features were enabled, admins with the Edit application's user assignments permission couldn’t assign apps to users.

OKTA-460767

Admins could click Finish multiple times after adding or updating a custom domain certificate. This resulted in duplicate API calls.

OKTA-460908

Some lengthy app names caused UI errors on the Okta End-User Dashboard.

OKTA-462342

When a user copied their username in the app drawer, they were incorrectly notified that the app's password was copied to the clipboard.

OKTA-466809H

A script error occurred when users with an embedded Internet Explorer browser attempted to sign in to Okta.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Allegra (OKTA-449137)

  • Clio (OKTA-458076)

  • DocuSign (OKTA-456094)

  • Expedia (OKTA-455734)

  • FreeAgent (OKTA-454216)

  • Go to Connect (OKTA-454638)

  • QuickBooks (OKTA-457705)

  • SuccessFactors (OKTA-449132)

  • TeamPassword (OKTA-456778)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Almanac (OKTA-456412)

  • Observe (OKTA-455308)

  • ReviewInc (OKTA-457711)

  • Spherexx (OKTA-453592)

  • Transform (OKTA-457712)

  • VidCruiter (OKTA-461233)

OIDC for the following Okta Verified applications:

December 2021

2021.12.0: Monthly Production release began deployment on December 13

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 5.14.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Choose client types for Office 365 sign-on policy

When creating app sign-on policy rules to manage access to Office 365 apps, you can now specify client types such as web browser, modern auth, or Exchange ActiveSync. This allows you to apply Office 365 sign-on policies to granular use-cases. See Office 365 sign-on rules options.

Branding now available in the Admin Console

This UI release provides admins and developers with an Admin Console UI to upload brand assets to customize their Okta-hosted pages. The Customizations tab in the Admin Console is also now moved to a top-level menu item in the left-hand navigation, and Branding-related controls have all been moved under it. The Settings > Appearance tab has also been removed, and functionality moved under the Customizations tab for ease of use. See Branding.

Admin Experience Redesign toggle removed

The toggle that allowed super admins to switch between the Admin Experience Redesign and the old experience has been removed. All Okta admins now benefit from our restyled Okta Admin Dashboard, responsive navigation side bar, and modern look and feel. If you need more time to adapt to the new user experience, you can revert to the old experience by contacting Okta Support until April 2022.

Upload Logo for org deprecated

The Upload Logo for Org endpoint (api/v1/org/logo) is deprecated. Use the Upload Theme Logo (/api/v1/brands/${brandId}/themes/${themeId}/logo) endpoint instead.

Policy rule events now eligible for event hooks

The following policy rule events are now eligible for event hooks:

  • policy.rule.activate

  • policy.rule.delete

See Event Hooks.

Salesforce Federated ID REST OAuth

Admins can now upgrade to the latest version of our Salesforce Federated ID integration. OAuth provides enhanced security and is now used for Provisioning and Imports authentication. This feature is currently available for new orgs only. See Configure OAuth and REST integration.

Localized SAML setup instructions

To achieve its objective of becoming the leader in identity and access management, Okta is actively expanding to numerous countries. To better serve this diverse market, Okta has begun localizing its customer-facing products to improve usability. To facilitate this process for SAML setup instructions, Okta will automatically provide the instructions in the user's chosen display language, if a translated version is available. Currently, a limited number of SAML setup instructions are now available in Japanese. See End users: set up display language.

Okta MFA Credential Provider for Windows, version 1.3.5

This version of the agent contains:

  • Security enhancements

  • Internal fixes

See Okta MFA Credential Provider for Windows Version History.

Okta On-Prem MFA agent, version 1.4.6

This version of the agent contains updates for certain security vulnerabilities.

See Okta On-Prem MFA Agent Version History.

Okta RADIUS Server agent, version 2.17.0

This version of the agent contains updates for certain security vulnerabilities.

See Okta RADIUS Server Agent Version History.

Okta Browser Plugin, version 6.6.0 for all browsers

This version includes minor bug fixes and improvements. See Okta Browser Plugin version history.

Enhancements

Org setting to disable device token binding

For compatibility purposes, orgs can now disable device binding. Device binding ensures that state tokens are used only by the actor who initiated the authentication flow. See General Security.

SharePoint (On-Premises) instructions updated

SharePoint (On-Premises) instructions have been updated to remove SharePoint 2010 from the Downloads page.

Early Access Features

Enhancement

Admins may now enable the Recent Activity feature

The Recent Activity functionality may now be enabled or disabled by admins. Recent Activity displays recent sign-in events and associated security events so admins can track suspicious activity and keep their environment safe. See Recent Activity and Security Events.

Fixes

General Fixes

OKTA-372730

Org admins couldn't add social Identity Providers.

OKTA-393284

UI errors occurred when users hovered over a locked app on the Okta End-User Dashboard.

OKTA-416595

The spinner stayed visible after a sign-in error in some orgs with security image disabled.

OKTA-430797

Password push events were not showing in the System Log when multiple domains were federated in the same Office 365 app.

OKTA-433327

App usernames weren't updated automatically on non-provisioning enabled apps.

OKTA-438888

The Client drop-down menu wasn't displayed properly when admins added a new access policy for Authorization Servers using Internet Explorer.

OKTA-439104

Random users were unassigned from applications when imported and assigned by group.

OKTA-439327

Applying admin-managed tabs to end users occasionally completed much later, after the changes were initially made.

OKTA-441168

Users were directed to the wrong step of the Log Stream creation wizard when they clicked a link to create a specific type of Log Stream.

OKTA-443459

Some users who accessed the Okta End-User Dashboard saw a blank screen.

OKTA-449400

The text field for an app’s alternative name was missing from the app drawer.

OKTA-450158

In orgs with a custom domain URL and self-service registration enabled, users who went directly to the registration link saw a 404 error.

OKTA-450543

Users weren't prompted to correct their device’s time if their device was behind the server’s time by more than five minutes or ahead by more than 65 minutes.

OKTA-450896

The search bar on the Okta End-User Dashboard produced results that were inaccessible for screen readers.

OKTA-450927

Two scrollbars were displayed for mobile users.

OKTA-457787H

Apps on the Okta End User Dashboard on Internet Explorer opened as a pop-up window instead of a new tab.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Amplitude (OKTA-449138)

  • Australian Financial Review (OKTA-450189)

  • Boxed (OKTA-449140)

  • Google Tag Manager (OKTA-448703)

  • HireFire (OKTA-448711)

  • Instacart Canada (OKTA-442943)

  • International SOS Assistance (OKTA-447156)

  • LinkedIn (OKTA-443788)

  • Mural (OKTA-443063)

  • Payroll Relief (OKTA-447159)

  • Safari Online Learning (OKTA-448707)

  • The Hartford EBC (OKTA-448956)

  • Twitter (OKTA-448961)

  • XpertHR (OKTA-449721)

Applications

Application Update

The Jive application integration is rebranded as Go To Connect.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Chatwork (OKTA-449761)

  • ContractS CLM (OKTA-446453)

  • Elate (OKTA-448860)

  • WAN-Sign (OKTA-448922)

OIDC for the following Okta Verified applications:

Weekly Updates

Generally Available

Sign-In Widget, version 5.14.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-328461

The footer in some email templates contained an incorrect link to Okta.

OKTA-410446

DebugData in the System Log didn’t include ClientSecret information.

OKTA-428685

Errors occurred when admins attempted to assign DocuSign to users.

OKTA-440608

Some admins couldn't view groups that were assigned to an app, even though their custom role had permission to view them.

OKTA-447471

Duplicate reactivation requests for the Org2Org app caused 400 errors in the System Log.

OKTA-447916

Admins received the wrong error message when they attempted to delete a custom domain.

OKTA-448321

When the Custom Admin Roles feature was enabled, groups with “#” in the group name couldn’t be assigned to a role.

OKTA-449880

When Enhanced Email Macros was enabled, the text in some default email templates was incorrect.

OKTA-451075

Security fix for the Okta Provisioning Agent. For this fix, download Okta Provisioning Agent version 2.0.6.

OKTA-451868

In new developer orgs, admins weren’t provisioned for Salesforce Help.

OKTA-452041

Attempts to sign in to the Admin Console using Safari on an iOS device were prevented by the popup blocker.

OKTA-452099

The QR verification form in the device authentication flow wasn’t pre-filled with the user code.

OKTA-454767H

Some app labels were missing in the redesigned OIN App Catalog.

App Integration Fix

The following SWA app was not working correctly and is now fixed:

  • GoDaddy (OKTA-449141)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

Fixes

General Fixes

OKTA-441896

Group attribute statements added in a SAML 2.0 integration app (AIW) didn’t appear in the Preview the SAML Assertion section.

OKTA-444246

Some SAML doc links in the Admin Console didn’t work.

OKTA-447069

End-users encountered a 403 error when accessing a bookmark app after being migrated to the new Okta End-User Dashboard.

OKTA-447885

When adding a custom domain, admins received the wrong error message if they left the Domain field blank.

OKTA-448560

New users received an activation email with Velocity macros instead of their name. This occurred if the org’s profile enrollment policy didn’t require first and last names.

OKTA-448936

The Create a new resource set page couldn't display groups with & in the group name. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-448940

The Edit resources to a standard role page displayed an error when admins searched for a group. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-451345

The Velocity parsing engine failed when email templates contained a variable that was followed by (.

OKTA-452680

Application usage reports created asynchronously for specific groups included users that didn’t belong to the groups selected for the reports.

OKTA-454197

On the Add domain page, the Next, Remove, and Verify DNS buttons were clickable while the addition was in progress.

OKTA-456383H

CSV imports failed when using Okta Provisioning Agent, version 2.0.6. For this fix, download Okta Provisioning Agent, version 2.0.7.

OKTA-458089H

Some Netsuite imports into Okta failed with the following error failure: A SOAP message cannot contain entity references because it must not have a DTD.

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Imprivata Privileged Access Management (OKTA-450222)

  • Lucca (OKTA-450219)

  • PowerDMS (OKTA-454504)

  • Rybbon (OKTA-451438)

November 2021

2021.11.0: Monthly Production release began deployment on November 8

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 5.13.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.10.0

This version of the agent contains:

  • Range attribute retrieval for group membership attributes (full support will be available in a future release)

  • Real-time synchronization for user profiles, groups, and group memberships (full support will be available in a future release)

  • Expired password reset support for the eDirectory LDAP service (Okta Identity Engine)

  • Bug fixes

See Okta LDAP Agent version history.

Okta RADIUS Server agent, version 2.16.0

This version of the agent contains:

  • Government Community Cloud support

  • Internal and security fixes

See Okta RADIUS Server Agent Version History.

Okta MFA Credential Provider for Windows, version 1.3.4

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta MFA Credential Provider for Windows Version History.

Okta ADFS Plugin, version 1.7.9

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta ADFS Plugin Version History.

Okta On-Prem MFA agent, version 1.4.5

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta On-Prem MFA Agent Version History.

Okta Browser Plugin, version 6.5.0 for all browsers

Internet Explorer local storage size for the Okta Browser Plugin has been increased. See Okta Browser Plugin version history.

Brands API support for auto-detecting contrast colors

The Brands API Theme object properties primaryColorContrastHex and secondaryColorContrastHex automatically optimize the contrast between font color and the background or button color. The auto-detection feature can be disabled by updating either property value with an accepted contrast hex value. See Brands.

New default selection for MFA enrollment policies

For MFA enrollment policy rules, the Any application that supports MFA enrollment option is now selected by default. See Configure an MFA enrollment policy.

New error page macros for themed templates

Custom error page templates include new macros to customize the URL (href) in addition to the button text for themed templates. See Use macros.

Custom domain SSL certification expiration warnings

To prevent service disruptions, Okta now sends admins a warning email 30, 15, and 7 days before their custom domain’s SSL certificate expires. If no action is taken, an expiration notice is sent when the certificate expires.

See Configure a custom URL domain.

Token-based SSO between native apps

Single Sign-On (SSO) between browser-based web applications is achieved by leveraging shared cookies. Unlike web applications, native applications can’t use web cookies. With Native SSO, Okta offers a token-based approach to achieve SSO between native applications.

Native SSO allows you to protect native OpenID Connect applications, such as desktop apps and mobile apps, and achieve SSO and Single Logout (SLO) between these applications. See Configure SSO for native apps.

Wildcards for OAuth redirect subdomains

Developers can now use the Apps API to set multiple redirect URI subdomains with a single parameter using the asterisk * wildcard. This feature provides convenience and flexibility in cases where subdomains vary by only a few characters. For example: https://subdomain*.example.com/oidc/redirect may be used to represent subdomain1, subdomain2, and subdomain3.

Sort applications on End-User Dashboard

End users can now sort applications alphabetically or by last added on the new Okta End-User Dashboard.

Asynchronous Application Reports

When enabled, this feature turns the generation of the Application Usage and the Application Password Health reports into an asynchronous process. Okta generates a report with the results and sends an email to the admin containing a download link for the CSV file. This enhancement is ideal for orgs with large amounts of user activity, as the generated reports can cover a greater range without timing out. See Application Usage report and App Password Health report.

Risk scoring improvements

Risk scoring improvements are being slowly deployed to all organizations. See Risk scoring.

Password expiry warning for LDAP group password policies

You can now configure an LDAP group password policy to provide users with a password expiry warning when their LDAP password is about to expire. Providing a password expiry warning in advance prevents users from losing access to shared resources and reduces the likelihood that you’ll need to reset passwords. See Configure a password policy.

Create and manage group profiles

You now have the flexibility to manage the default profile for Okta groups in the Profile Editor. This new functionality simplifies group management and lets you quickly add, edit, or remove custom profile attributes to groups. See Work with profiles and attributes. This feature will be gradually made available to all orgs.

Litmos supports Advanced Custom Attributes

We’ve enriched our Litmos integration to support Advanced Custom Attributes for the user profile. This allows you to add fields into the Okta user profile. See Litmos Provisioning Guide.

AES-GCM encryption support for SAML assertions

To secure SAML assertions from attacks and to adopt a stronger security mechanism, Okta now supports AES128-GCM and AES256-GCM encryptions modes in addition to AES-128 and AES-256 for SAML applications.

Enhancements

New System Log events for custom domain setup

The following events are added to the System Log:

system.custom_url_domain.cert_renew 3

system.custom_url_domain.delete

Existing events now include CustomDomainCertificateSourceType.

OIN App Catalog user interface changes

The following text has been updated for consistency:

  • FILTERS is now Capabilities

  • Apps is now All Integrations

  • Featured is now Featured Integrations

  • OpenID Connect is now OIDC

  • Secure Web Authentication is now SWA

See Add existing app integrations.

Hash marks added to hex code fields

On the Branding page, hash marks are automatically added to the hex codes in the Primary color and Secondary color fields.

Event Hooks daily limit

The maximum allowable daily limit of Event Hooks for all orgs has increased from 100,000 to 200,000. A higher daily allocation of Event Hooks reduces the likelihood orgs will exceed their daily limits. See Workflows system limits.

Improved Branding preview

Branding previews now display correct text colors.

Sign-In Widget button colors standardized

To comply with accessibility contrast ratios, the default variant colors for buttons on Okta sign-in and error page have been standardized to use the Okta design system.

On-Prem MFA application logo

The On-Prem MFA app logo for SecurID has been updated.

Early Access Features

New Features

Log Streaming

While Okta captures and stores its System Log events, many organizations use third-party systems to monitor, aggregate, and act on event data.

Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as Amazon Eventbridge in real time with simple, pre-built connectors. They can easily scale without worrying about rate limits, and no admin API token is required. See Log Streaming.

Enhancements

Edit resource assignments for standard roles

Super admins can now quickly and easily search for, add, and remove the resource assignments for a standard role. See Edit resources for a standard role assignment.

Manage email notifications for custom admin roles

Super admins can configure the system notifications and Okta communications for custom admin roles. Configuring the email notifications helps ensure admins receive all of the communications that are relevant to their role. See Configure email notifications for an admin role.

New Velocity email templates

Orgs with Enhanced Email Macros enabled can now customize Factor Reset and Factor Enrollment email templates with Velocity Template Language. See Customize an email template.

Fixes

General Fixes

OKTA-243898

When multiple factors were required in the MFA for Active Directory Federation Services (ADFS) enrollment flow, only a single factor was enrolled before the user was allowed to sign in.

OKTA-409578

After the Microsoft ADFS (MFA) app Sign-On setting was changed to MFA as a Service, the app no longer appeared on the end-user home page.

OKTA-411306

Users weren't instructed to sign out and then sign in again when the mobile device management (MDM) remediation screen appeared during Intune setup.

OKTA-412100

The Identity Provider factor name wasn’t updated when the admin changed the Identity Provider name.

OKTA-412459

The YubiKey report didn’t list all YubiKeys when the user sorted the entries by Status.

OKTA-417499

When the Remove Group endpoint was called with an invalid group profile attribute, the group wasn't removed.

OKTA-418219

Sometimes when a super admin assigned several standard roles to a group at a time, some of those roles didn’t appear on the Groups page.

OKTA-422328

Screen Readers didn't interact properly with the search bar on the Okta End-User Dashboard.

OKTA-422586

On the Suspicious Activity User Report, the Login field was incorrectly labeled Email and didn't display the primary email address of the user who reported the activity.

OKTA-425318

Admins weren't able to use the Expression Language to compare a user's status to a string.

OKTA-428079

Admins weren’t able to add multiple custom attributes to an app on the Okta End-User Dashboard.

OKTA-430675

When the super org admin role was revoked from a user, the resulting email notification didn’t include the org name or URL.

OKTA-432942

Selecting the ellipses on an app card on the Okta End-User Dashboard incorrectly opened the app instead of accessing its settings.

OKTA-434233

Users attempting to enroll an MFA factor while signing in to an OIDC app received server error messages and couldn’t complete the enrollment.

OKTA-440551

The Sort Apps function didn't work when the Okta End-User Dashboard was displayed in Dutch, Brazilian, Portugese, Simplified Chinese, or Traditional Chinese.

OKTA-440618

For some orgs with Branding enabled, the theme was reset after an admin’s role changed.

OKTA-440816

Sometimes, when deactivated LDAP-sourced users attempted to sign in to Okta, an incorrect message appeared.

OKTA-440695

Some users saw an error when signing in to the new End-User Dashboard or OIDC apps for the first time.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • Cloze (OKTA-440336)

Applications

Application Updates

  • The configuration guide for the Vable SCIM integration is updated: Okta Users Provisioning For The Vable Platform.

  • The American Express Work was a duplicate integration and has been removed from the OIN Catalog. Customers should use the American Express - Work integration.

New Integrations

New SCIM Integration Application:

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

OIDC for the following Okta Verified applications:

Weekly Updates

Early Access

Okta Provisioning agent, version 2.0.4

This release of the Okta Provisioning agent contains vulnerability fixes. See Okta Provisioning agent and SDK version history.

Fixes

General Fixes

OKTA-429081

When an admin deleted an app with Federation Broker Mode enabled, users could continue to sign in to the app.

OKTA-429782

Sometimes when the app group membership for a user was deactivated, any role assignments that were revoked from that user still appeared on the Administrators page.

OKTA-429868

API tokens for group admins didn't have the role displayed in the Security > API > Token section.

OKTA-431083

An error occurred when admins attempted to upload an IPA file to the Upload Mobile App page.

OKTA-434925

Email address change notifications were incorrectly sent to the new email address and not the old email address.

OKTA-435431

On the new Okta End-User Dashboard, end users were still able to request apps after an admin had disabled the app request feature.

OKTA-436761

End users were incorrectly prompted to copy password credentials to their clipboard when accessing SWA apps that were shared between users with admin-controlled passwords.

OKTA-439047

Sometimes, the System Log displayed Grant user privilege success events for admins when there were no changes to their privileges.

OKTA-439196

The Okta End-User Dashboard displayed a blank screen to users whose clocks were incorrectly set.

OKTA-441222

When a super admin changed the role notification settings for an admin, some third-party admins with that role were included in the notification subscription.

OKTA-441434

The View Setup Instructions link was broken on the Add Identity Provider page.

OKTA-444012

Branding features weren’t visible in the navigation menu of the legacy Admin Console.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Alibaba Cloud (Aliyun) (OKTA-439430)

  • Apple Store for Business (OKTA-439233)

  • ID90 Travel (OKTA-435212)

  • MessageBird (NL) (OKTA-440295)

  • Screen Leap (OKTA-440292)

  • TD Ameritrade (OKTA-436146)

Applications

New Integrations

SAML for the following Okta Verified applications:

  • Agencyzoom (OKTA-436124)

  • Altruistiq (OKTA-440339)

  • Auvik (OKTA-435860)

  • Ceresa (OKTA-437597)

  • Clumio (OKTA-440285)

  • Workstream (OKTA-441160)

SWA for the following Okta Verified application:

  • Greene King (OKTA-441236)

OIDC for the following Okta Verified application:

  • Luma Brighter Learning: For configuration information, see Okta/Luma SSO.

Fixes

General Fixes

OKTA-419946

When an admin assigned an app to a user, the Edit User Assignments window appeared too small.

OKTA-428017

When the Custom Admin Roles feature was enabled and an admin searched for a group to assign to a role, the list of groups didn’t display their respective app logos.

OKTA-436016

In orgs with deleted groups, admins couldn't run the Admin role assignments report.

OKTA-438793

On the Admin Dashboard, the Overview section displayed an incorrect Updated at time between 12:00 AM and 1:00 AM.

OKTA-441161

When a super admin edited the User Account customization settings, an error occurred after they verified their password.

OKTA-443995

End users were unable to add org-managed apps to the Okta End-User Dashboard after admins had enabled self-service.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • HelpSpot Userscape (OKTA-440296)

  • Instacart Canada (OKTA-442946)

  • Moffi (OKTA-442915)

Applications

New Integrations

SAML for the following Okta Verified applications:

  • Autodesk (OKTA-425911)

  • YesWeHack (OKTA-443624)

OIDC for the following Okta Verified applications:

Generally Available

Sign-In Widget, version 5.13.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-373558

App approval forms incorrectly listed deactivation options and available licenses for Google Workspace.

OKTA-414394

On the Applications page, some admins with a custom role could view the buttons for actions that they didn’t have permission to perform.

OKTA-414517

Users who self-registered but hadn’t completed activation were deactivated if they attempted to sign in with a Google IdP.

OKTA-424842

On the Select assignments to convert page, eligible users didn't appear in the user list.

OKTA-424897

When using the Self-Service Registration feature, users with slower internet connections could click Register again while the account was being created.

OKTA-431945

Sometimes when a third-party admin role was assigned though the public API, the admin's status didn't change in the Okta Help Center.

OKTA-433439

Push Profile updates sometimes failed due to a missing Effective Date value.

OKTA-434556

In Try Okta Free orgs, the Days left in your trial banner didn’t always display the correct number of days.

OKTA-434789

When Veeva Vault was provisioned, the authentication rate limit was incorrectly applied to bulk operations.

OKTA-435148

Unique attributes were retained when admins used a CSV file to import user attributes and the import was unsuccessful.

OKTA-438657

When a custom admin role had the View application and their details permission, admins with that role couldn’t access OIDC applications.

OKTA-441490

When previously deactivated users with expired passwords were reactivated and allowed to sign in using their Personal Identity Verification (PIV) cards, they were required to reset their passwords.

OKTA-442991

When the Custom admin roles feature was enabled, the Administrator assignment by admin and Administrator assignment by role pages displayed the Edit button for admin roles that couldn’t be constrained to a resource.

OKTA-443494

When MFA for Active Directory Federation Services (ADFS) was in OIDC mode and two users were assigned the same custom name, an incorrect error was returned.

OKTA-445826

The help link was incorrect for Settings > Customization > Configure a custom URL domain.

OKTA-453056H

When accessing reports, report admins received a 403 error.

OKTA-453535H

An older library for the RSA and RADIUS agents caused potential security issues in certain situations.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • American Funds Advisor Client Login (OKTA-442550)

  • Bank of America CashPro (OKTA-444481)

  • M&T Bank - Commercial Services (OKTA-447154)

  • Nimble (OKTA-444703)

  • The Trade Desk (OKTA-445291)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • ParkOffice (OKTA-445142)

  • SecZetta (OKTA-446467)

October 2021

2021.10.0: Monthly Production release began deployment on October 11

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 5.12.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Okta Active Directory agent, version 3.7.0

This version of the agent contains:

  • Government Community Cloud support

  • Improved logging functionality to assist with issue resolution

  • Bug fixes

See Okta Active Directory agent version history.

Okta LDAP agent, version 5.9.0

This version of the agent contains:

  • Government Community Cloud support

See Okta LDAP Agent version history.

Okta SSO IWA Web App agent, version 1.14.0

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta SSO IWA Web App version history.

Okta Active Directory Password Sync agent, version 1.4.0

This version of the agent contains:

  • Government Community Cloud support

  • Security enhancements

  • Internal fixes

See Okta Active Directory Password Sync Agent version history.

Okta Browser Plugin, version 6.4.0 for all browsers

  • For orgs that enable this feature through self-service EA, end users can now generate passwords from the Okta Browser Plugin pop-up window.

  • For orgs that enable this feature through self-service EA, the Okta Browser Plugin now recommends strong passwords during SWA app sign-up.

  • Plugin extension architecture for Safari has been updated to WebExtension.

See Okta Browser Plugin version history.

SAML 2.0 Assertion grant flow

You can use the SAML 2.0 Assertion flow to request an access token when you want to use an existing trust relationship without a direct user approval step at the authorization server. The flow enables a client app to reuse an authorization by supplying a valid, signed SAML assertion to the authorization server in exchange for an access token. This flow is often used in migration scenarios from legacy Identity Providers that don't support OAuth. See Create Rules for Each Access Policy.

Password management on the new Okta End-User Dashboard

Users who access the new Okta End-User Dashboard from mobile or desktop can now show and copy passwords for their apps to their clipboard. They can also use a new password management modal to edit the username or password fields for their apps.

Okta Provisioning agent incremental imports

The option to incrementally import user data is now available for the Okta Provisioning agent. Incremental imports reduce the time required for synchronization by only downloading user information that has changed since the last successful import. See Okta Provisioning Agent incremental import.

Schemas API unique attributes

The Schemas API now includes unique attributes for custom properties in Okta user profiles and the Okta group profile. You can declare a maximum of five unique properties for each user type and five unique properties in the Okta group profile. This feature helps prevent the duplication of data and ensures data integrity.

Org Under Attack for ThreatInsight

Okta ThreatInsight now has enhanced attack detection capability. “Org under attack” establishes a base line traffic pattern and adjusts based on legitimate changes in traffic patterns. When a threat is detected, the algorithms are optimized to block all malicious requests while creating a System Log event to alert on the attack. After the attack subsides, threatInsight returns into its normal mode of operation. This capability enables quick blocking action during an attack. See About Okta ThreatInsight. This feature will be gradually made available to all orgs.

Enhancements

Custom footer enhancement

With Branding enabled, admins can now hide the Powered by Okta message in the footer of their Okta-hosted sign-in page and End-User Dashboard. See Configure the footer for your org.

Routing Rules performance enhancements

Performance enhancements on the Routing Rules page include optimized adding, editing, dragging, and deactivating of rules, and improved loading when the number of rules exceeds 1,000. See Configure Identity Provider routing rules.

Log per client mode for client-based rate limits

Client-based rate limits are now in Log per client mode for all orgs for both OAuth 2.0 /authorize and /login/login.htm endpoints. This offers additional isolation to prevent frequent rate limit violations.

Early Access Feature

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-325592

When LDAP delegated authentication was enabled, an incorrect event type was used to process user profile updates.

OKTA-372064, OKTA-430527, OKTA-431382

Accessibility issues occurred on the new Okta End-User Dashboard.

OKTA-420524

A password change notification email wasn’t sent to users after their password was changed by an administrator.

OKTA-421812

A Download Latest button wasn’t available for Okta LDAP agents on the Admin Console Downloads page.

OKTA-426923

When users were deleted asynchronously, the entries associated with the user weren't removed from the UniqueEntityProperty table.

OKTA-427016

When Self-Service Registration was enabled, a change to a user's email address in their profile source caused their UPN (user principal name) in Okta to also change, despite it being mapped to the username.

OKTA-427932

When Branding was enabled, the Sign-In Widget was distorted on custom sign-in pages.

OKTA-428268

When an LDAP interface (LDAPi) client had Custom Admin Roles enabled, time-out errors sometimes occurred during group member queries.

OKTA-431349

Translated versions of AD and LDAP configuration validation messages weren’t provided.

OKTA-431868

In the UI for the SuccessFactors app, options for Active User Statuses weren't displayed.

OKTA-432400

Some dialogs didn't appear on the new Okta End-User Dashboard for some users.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Amplitute (OKTA-429432)

Applications

Updates

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

OIDC for the following Okta Verified application:

  • Extole: For configuration information see Okta Instructions.

Weekly Updates

Fixes

General Fixes

OKTA-383501

When a custom admin role was assigned to an existing group with standard roles, the System Log displayed duplicate Grant user privilege events for the members of the group.

OKTA-399667

Provisioning to Zendesk failed when a user with the same email already existed in Zendesk.

OKTA-414295

For orgs with Custom Administrator Roles enabled, the page filters on the Roles, Resources, and Admins tabs of the Administrators page were labeled incorrectly.

OKTA-414339

Org2Org Push Groups sometimes failed.

OKTA-415370

On OIDC app creation, if no locale was specified, it defaulted to an invalid value (en-US).

OKTA-423420

After Branding was enabled, admins could still navigate to original Settings > Customization pages.

OKTA-426692

Provisioning (create/update) users to NetSuite failed with a Null Pointer Exception (NPE).

OKTA-427646

Group rule Okta Expression Language IF statements couldn’t include integer array attributes.

OKTA-429330

Sometimes, when an org used the Okta IWA Web Agent for Desktop Single Sign-on (DSSO), a missing objectGUID caused a 500 Internal Server Error when users attempted to sign in to Okta.

OKTA-431920

Clicking ASN Lookup when configuring a dynamic zone in the Admin Console didn't open a valid autonomous system number (ASN) lookup service.

OKTA-433981

When an admin role was constrained to a group, users with that role sometimes experienced time-out errors on the People page.

Applications

Application Updates

New Integrations

New SCIM Integration Application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Docutrax (OKTA-433521)

  • Testsigma (OKTA-405606)

OIDC for the following Okta Verified applications:

Generally Available

Sign-In Widget, version 5.12.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-329002

The Custom Administrator Roles Early Access feature wasn’t available for Developer orgs.

OKTA-335217

OAuth applications granted authorization tokens on accounts for which users had not yet completed registration.

OKTA-419163

Some admins who were assigned a custom role could convert app assignments for users they weren’t constrained to.

OKTA-419532

The System Log didn’t display Client IP for user.lifecycle.create events from users created through self-service registration.

OKTA-421451

Permission attributes for the Dropbox application weren’t displayed correctly.

OKTA-421698

Password-reset failures due to sign-in policy violations didn't appear in the System Log.

OKTA-425798

The endUserDashboardTouchPointVariant property on the Brands API Theme object didn’t include a variant for LOGO_ON_FULL_WHITE_BACKGROUND.

OKTA-425804

Admins who viewed completed tasks on the new Okta End-User Dashboard couldn't see who approved or rejected the tasks.

OKTA-426548

A 500 Internal Server error appeared when sensitive attributes were included in attribute search results.

OKTA-428163

When using the Firefox browser, users were unable to edit the Forgot Password Text Message section of the Settings page.

OKTA-428329

Some admins who were assigned more than one custom role could manage the app assignments for users and groups they weren’t constrained to.

OKTA-431377

End users couldn't customize how long pop-ups were displayed on the new Okta End-User Dashboard.

OKTA-431675

When admins used the Add Person dialog in the new Admin Console to add users, automatic resizing of the dialog resulted in a "The field cannot be left blank" error message.

OKTA-431879

If admins edited their Branding theme after it had been applied to an Okta page, the changes weren’t applied until they performed a hard refresh.

OKTA-432829

With Enhanced Email Macros enabled, email templates that were previously customized or translated with Expression Language (EL) couldn’t be edited and saved due to invalid EL expressions.

OKTA-433352

Some end users lost access to the Pressbox and Genny apps when accessing them from the new Okta End-User Dashboard.

OKTA-434859

SAML Org2Org didn't work on the new Okta End-User Dashboard.

OKTA-435293

After Branding was enabled, admins couldn’t use their org logo on a white background for the End-User Dashboard.

OKTA-436513

After Branding was enabled, some orgs were unable to update their existing subdomain names.

OKTA-436732

After the MFA Factor Enrolled email template was customized with Enhanced Email Macros, its default template continued to be sent to users.

OKTA-436949

The Recently Used Apps section wasn't translated on the Settings page of the new Okta End-User Dashboard until the page was refreshed.

OKTA-437664

An Event Hook for group-based privilege change events sometimes didn't include the Okta subdomain events in the JSON response.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Alabama Power (OKTA-437660)

  • Ally Bank (OKTA-435214)

  • American Express - Work (OKTA-438301)

  • Azure Portal Login (OKTA-436740)

  • Booking Admin (OKTA-436792)

  • Cat SIS (OKTA-436148)

  • Cronitor (OKTA-438303)

  • Exact Online (OKTA-435209)

  • Grove (OKTA-438304)

  • Key Bank (OKTA-438305)

  • Redis Labs (OKTA-436147)

  • SiteGround (OKTA-437897)

  • UBS (OKTA-436149)

  • Vitality (OKTA-436145)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications

  • Level AI (OKTA-435557)

  • Loom (OKTA-398082)

  • Pima.app (OKTA-435601)

  • Polytomic (OKTA-435605)

  • Smarp (OKTA-415875)

OIDC for the following Okta Verified applications

September 2021

2021.09.0: Monthly Production release began deployment on September 7

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 5.10.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

MFA Credential Provider for Windows, version 1.3.3

This version includes hardening around certain security vulnerabilities. See Okta MFA Credential Provider for Windows Version History.

Improved new device behavior detection

Stronger signals are now used for the detection of new devices. Devices with web browsers that don't store cookies are treated as new and trusted applications must send a unique identifier for each device as a device token. See Behavior detection and evaluation. This feature is made available to all orgs.

Enhancements

ThreatInsight default mode for new orgs

For new orgs, the default mode for ThreatInsight is now set to Audit mode. Previously, with no mode set by default, events weren't logged unless Audit mode or Block mode was enabled manually. Now with Audit mode set by default for new orgs, the security.threat.detected event is logged once a malicious request is detected. See Okta ThreatInsight.

OIN Manager enhancements

  • The UI text has been clarified for the group patch batching process in the OIN Manager for SCIM submissions. See the Submit an app integration guide.
  • Partners can now provide multiple support contacts, such as email addresses, support URLs, and phone numbers for customers who need assistance when installing or configuring their app integration. This information is shared with users through the app integration’s details page in the OIN catalog. See the Submit an app integration guide.

PagerDuty SSO Domain Support

Base URL is now used instead of Organization Subdomain for PagerDuty SSO configuration. This enables customers with EU domains to input their URL when they set up SSO.

Updated End-User Dashboard icon for mobile users

The End-User Dashboard icon has been updated for mobile users.

Updated Delete Person and Delete Group dialogs

The Delete Person and Delete Group dialogs now include statements to clarify what is removed when a person or group is deleted. This can include application assignments, sign-on policies, routing rules, and user profiles. This change helps admins better understand the ramifications of deleting people and groups. See Deactivate and delete user accounts and Manage groups.

Early Access Features

Enhancements

New grant type for native SSO

A new grant type, Token Exchange, is available for Authorization Server configuration. Admins can select the grant type to enable SSO for native apps. For more information see Configure SSO for Native apps.

Fixes

General Fixes

OKTA-364848, OKTA-364849, OKTA-364921, OKTA-382725, OKTA-382848, OKTA-382907

Some accessibility issues occurred on the Okta End-User Dashboard.

OKTA-386820

Group Push tasks weren't displayed on the Admin Dashboard.

OKTA-391032

Custom admins with Manage group permissions could view the Add Rule button on the Groups > Rules tab.

OKTA-393077

The View IDP Metadata link incorrectly required an active session when application-specific certificates were enabled.

OKTA-408184

A gap between the deactivation of a contractor and the activation of that user to a full-time employee caused incremental imports for Workday to fail.

OKTA-408562

On the Directory > Groups page, an icon didn’t appear for the Zendesk application.

OKTA-409182

Translations weren't provided for some unsuccessful LDAP password update error messages.

OKTA-409388

Users weren't added to groups when the locale attribute filter was set to equals in the group rule.

OKTA-411252

If an admin added an app integration but didn't complete the process and subsequently assigned it to a group, then clicking the link for the app integration through the Groups directory opened the Add app integration process instead of the settings page for that app integration.

OKTA-416414

Sign-in redirect URI requests failed due to wrapping of the designated URI in the Admin Console.

OKTA-416671

Wildcard OAuth redirect URIs failed if subdomains included underscores.

OKTA-417982

During an OAuth client lifecycle event, the debug data section of the System Log logged incorrect client IDs.

OKTA-420534

While loading, the side navigation on the new Okta End-User Dashboard was misaligned.

OKTA-421801

Some users with a custom domain URL couldn't add or edit resource sets for custom admin roles.

OKTA-421951

Adding an expiration date macro to the Password Reset email template resulted in an Invalid Expression error.

OKTA-422282

End users were able to add bookmark apps after their admins configured the App Catalog Setting to allow org-managed apps only.

OKTA-422340

The number of groups displayed in the Admin Dashboard Overview differed from the correct number of groups reported on the Directory > Groups page.

OKTA-422782

Text didn't wrap properly in the Note for requester field for app approval requests.

OKTA-425921H, OKTA-425993H

Sometimes, when users signed in to Okta and Agentless Desktop Single Sign-on (ADSSO) was enabled, groups outside of the selected organizational units were retrieved.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Avalara (OKTA-415081)

  • Fisher Scientific (OKTA-422646)

  • Microsoft Volume Licensing (OKTA-420160)

  • Quadient Cloud (OKTA-422635)

  • RescueAssist (OKTA-422643)

  • WeWork (OKTA-423570)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Anomalo (OKTA-421527)

  • Paradime (OKTA-420444)

OIDC for the following Okta Verified application:

Weekly Updates

Fixes

General Fixes

OKTA-407869

Some error messages in the Sign-In Widget were translated from English to other languages when the user's language was English.

OKTA-417450

LDAP-sourced users weren’t able to sign in to the Okta Admin Console when their passwords expired and a password policy allowed passwords to be updated.

OKTA-418723, OKTA-420397

New Okta branding didn’t appear on some default error page templates.

OKTA-421227

On the Administrator assignment by admin page, the Copy groups and Paste groups buttons didn’t appear for standard roles that were constrained to one or more groups.

OKTA-421767

The User Profile > Admin roles tab was visible for deactivated users. For active users with no assigned roles, the button to add privileges was mislabeled Edit individual admin privileges.

OKTA-422485

Searches in the LDAP Interface didn’t return results when the search terms were capitalized.

OKTA-423616

The Push Groups page became unresponsive when admins created new group push mappings.

OKTA-424357

ThreatInsight didn't always block IP addresses that were identified as the source of password spray attacks.

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Wiz (OKTA-422626)

Fixes

General Fixes

OKTA-399959

Session timeout policy wasn't enforced during IdP-initiated login to the Admin Console.

OKTA-412102

If an admin added a rule to an app sign-on policy and named it Default sign on rule, they were unable to edit or delete the rule.

OKTA-414089

Admins with the Manage Applications custom admin permission couldn’t access the Profile Editor, Directory Integrations, or Profile Sources pages.

OKTA-414564

A Sign-in Widget message was translated into Russian incorrectly.

OKTA-420154

If client-based rate limiting was enabled, end users were sometimes presented with a 429 error instead of the sign-in page when their session expired or they signed out.

OKTA-421356

LDAP-sourced user profiles weren’t updated when an admin changed the user profile status from suspended to unsuspended.

OKTA-423419

When Enhanced Email Macros was enabled, using required variables without brackets resulted in a validation error.

OKTA-423470

Org logos on the new Okta End-User Dashboard were sometimes oversized.

OKTA-424330

Some Preview org customers received an error when accessing end-user pages after they changed their browser language to Chinese-Traditional.

OKTA-425588

Rate limit enforcement for Voice-based MFA was not mitigating certain toll fraud attacks.

OKTA-427137

DocuSign deprovisioning sometimes failed with the following error: “Adding entity to http method DELETE is not supported.”

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 3Rivers (OKTA-424892)

  • Adobe Enterprise (OKTA-424893)

  • CallTower (OKTA-424894)

  • Parse.ly (OKTA-422625)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

  • KnowBe4: For configuration information, see here (you need to sign in to KnowBe4 to access their documentation).

SAML for the following Okta Verified application

  • Code Climate Velocity (OKTA-424882)

OIDC for the following Okta Verified applications

Generally Available

Sign-In Widget, version 5.11.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-393693

If an app sign-on policy required re-authentication every 0 minutes, some users were unable to reset their passwords.

OKTA-419837

When Branding was enabled, custom code editor pages displayed an incorrect warning.

OKTA-423586

Function names that include blank spaces didn’t work with Enhanced Email Macros.

OKTA-425232

When Branding was enabled, the Go to Homepage button on the Okta error page didn’t use the default Okta variant color.

OKTA-425425

When a super admin tried to generate a Current Assignment report, Okta Admin Console didn’t appear as an available application.

OKTA-426446

When a third-party admin role was assigned, the admin's status didn't change in Salesforce and the Exclude admin from receiving all admin-related communications rule wasn't enforced.

OKTA-430127

When Branding was enabled and later disabled, the sign-in and error pages that were customized with HTML code editors during the enabled period could be reset to their defaults.

OKTA-430524

The default password policy was sometimes being evaluated for users instead of the configured password policy.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Frame.io (OKTA-427018)

  • Google Play Developer Console (OKTA-425775)

  • PNC Borrower Insight (OKTA-426061)

  • Tech Data (OKTA-427022)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Blue Ocean Brain (OKTA-426050)

  • Kintone.com (OKTA-421223)

  • Skypher (OKTA-426992)

OIDC for the following Okta Verified applications

Generally Available

Sign-In Widget, version 5.11.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-327544

An HTTP 500 Internal Server Error message appeared when users attempted to sign in to Okta and their username included an asterisk (*).

OKTA-417936

During an IdP Discovery flow, routing rules were no longer observed if users clicked Back to sign in from the MFA prompt.

OKTA-420946

When admins customized the MFA Factor Enrolled or MFA Factor Reset email templates, the default template was sent to users.

OKTA-423578

Admins could create ADSSO IdP routing rules when ADSSO functionality was enabled and then disabled.

OKTA-425321

When an admin had a custom role with the Manage users and Edit users' authenticator operations permissions, they couldn’t enroll users in the YubiKey factor.

OKTA-427145

When the Admin role assignments report was filtered by a group, it didn’t include group membership admins who were constrained to that group.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Autotask (OKTA-429728)
  • Contract Express (OKTA-429434)
  • DocsCorp Support (OKTA-425176)
  • Google Play Developer Console (OKTA-425775)
  • SAP Concur Solutions (OKTA-427469)
  • Shipwire (OKTA-426103)
  • Twitter (OKTA-430242)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications

  • Jooto (OKTA-429135)
  • Merge (OKTA-430337)

OIDC for the following Okta Verified applications

August 2021

2021.08.0: Monthly Production release began deployment on August 9

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 5.9.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta solution visible in footer

To help admins identify their Okta solution, the version number in the footer of the Admin Console is now appended with C for Classic Engine orgs and E for Identity Engine orgs. See Identify your Okta solution.

On-Prem MFA agent, version 1.4.4

This version includes bug fixes, security enhancements, and a new version of the Log4J library. See Okta On-Prem MFA Agent Version History.

ADFS Plugin, version 1.7.8

This version includes bug fixes and security enhancements. See Okta ADFS Plugin Version History.

Root signed PIV certificate support

Certificates signed directly from a root CA certificate, with no intermediates, can now be used for Personal Identity Verification (PIV) authentication.

Multiple active user statuses for SuccessFactors integration

Support for multiple active user statuses: When importing users from SuccessFactors into Okta, admins can now select more than one active user status, such as Leave of Absence. See Learn about SAP SuccessFactors Employee Central data provisioning.

Deleted schema property scrubber

All existing data associated with a schema property is now removed when a schema property is deleted. To prevent data corruption, the property cannot be recreated until the existing data is fully removed. Previous data is no longer restored when recreating a deleted schema property with the same definition. This new functionality prevents the corruption of profile data and the associated Elastic search issues. See Add or remove custom directory schema attributes.

This feature will be gradually made available to all orgs.

 

LDAP agent, version 5.8.0

This version of the agent contains:

  • Password expiry warning support for Oracle Directory Server Enterprise Edition (ODSEE), Oracle Unified Directory (OUD), OpenDJ, and SunOne 5.2 LDAP directory services

See Okta LDAP Agent version history.

Enhancements

New warning for excessive IP addresses

A warning now appears if a gateway or proxy has an IP range with more than 5 million addresses. See Create zones for IP addresses.

Start time and end time of rate limit windows

The Rate Limit Dashboard now displays the start time and end time of the rate limit window for each data point. This helps you analyze each data point with more granularity. See Rate limit dashboard.

End-User Dashboard styling

On the new Okta End-User Dashboard, text color in the side navigation has been updated. See Control access to the Okta End-User Dashboard.

OIN Manager enhancements

The Apps for Good category has been added to the selectable categories list. Also, other category names have been adjusted to match those shown in the OIN App Catalog.

OIN App Catalog UI improvements

If available, support contact information now appears on the details page for app integrations.

Early Access Features

New Features

Third-Party Risk

Okta Risk Eco-System API / Third-Party Risk enables security teams to integrate IP-based risk signals to analyze and orchestrate risk-based access using the authentication layer. Practitioners can step up, reduce friction or block the user based on risk signals across the customer’s security stack. Apart from improving security efficacy, this feature also enhances the user experience by reducing friction for good users based on positive user signals. See Risk scoring.

Okta Brands API

The Okta Brands API allows customization of the look and feel of pages and templates. It allows you to upload your own brand assets (colors, background image, logo, and favicon) to replace Okta's default brand assets. You can then publish these assets directly to the Okta-hosted Sign-In Page, error pages, email templates, and the Okta End-User Dashboard. See Customize your Okta experience with the Brands API.

Fixes

General Fixes

OKTA-381874

On the Agents page, admins couldn't remove deleted RADIUS agents or hide the ones that weren't in use.

OKTA-386797

Users were able to make too many attempts to enter an SMS one-time passcode when performing a self-service unlock.

OKTA-388903

Using an Office 365 thick client to open documents from the SharePoint Server didn't work consistently.

OKTA-399414

A link was broken on the OIDC Identity Provider profile mapping page.

OKTA-404612

When updating the provisioning settings for an app integration, some admins had to reload the page because the Admin Console showed a verification message and then stopped responding.

OKTA-404620

Workflow URLs with the okta-emea subdomain weren’t automatically verified when used as an Event Hook URL.

OKTA-406499

On the Admin Console Tasks page, the first 10 tasks were duplicated when Show more tasks was selected and 10 or more tasks were already listed.

OKTA-409514

If an app integration with provisioning enabled was upgraded to support the Push Groups feature, admins were repeatedly prompted to enable provisioning.

OKTA-415772

The Tasks view was missing from the new Okta End-User Dashboard.

App Integration Fixes

The following SWA apps weren't working correctly and are now fixed:

  • Azure Portal Login (OKTA-411455)

  • Cisco WebEx Meeting Center - Enterprise (OKTA-411543)

  • Matrix Teams (OKTA-415413)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified application:

  • Neptune (OKTA-393740)

Weekly Updates

Generally Available

Sign-In Widget, version 5.9.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-386084

Error page templates were inconsistently formatted.

OKTA-409142

The Registration Inline Hook didn’t correctly display error messages to the user during user self-registration.

OKTA-411448

Users who enrolled in multifactor authentication using the Active Directory Federation Services integration were unable to download the Okta Verify app from the Apple App Store and the Google Play store during enrollment.

OKTA-415642

Theme colors weren’t applied to custom pages in Internet Explorer 11.

OKTA-416292

The password management modal was incorrectly minimized on the new Okta End-User Dashboard after an end user responded to the copy confirmation modal.

OKTA-417651

When admins attempted to delete or revoke a YubiKey from the Okta Admin Console, the Done button didn’t appear upon completion.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Fannie Mae Desktop Underwriter (OKTA-416904)

  • Frame.io (OKTA-416896)

  • i-Ready (OKTA-416899)

  • InternationalSOS (OKTA-415410)

  • LifeLock (OKTA-413854)

  • Milestone Xprotect Smart Client (OKTA-416893)

  • SDGE (OKTA-416903)

  • ShipStation (OKTA-416897)

  • Simple Sales Tracking (OKTA-416906)

  • Washington Post (OKTA-416908)

  • Yodeck (OKTA-415411)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified application

  • Hiretual (OKTA-413861)

OIDC for the following Okta Verified application

Fixes

General Fixes

OKTA-309646

The scroll bar didn't function as expected while adding a new access policy to an authorization server.

OKTA-364838

Some accessibility issues occurred on the Okta End-User Dashboard.

OKTA-392409

Office 365 silent activation sometimes failed if the sign-on policy required re-authentication.

OKTA-407591

Prompts initiated by an admin to reset an end user’s password for an SWA app weren't displayed on the Okta End-User Dashboard.

OKTA-410027

When a user was deleted, the AlternateId field in the System Log displayed the user’s Okta identification number and not their email address.

OKTA-412526

The Note for requester field within the self-service app request approval settings didn't properly display messages.

OKTA-414136

The Office 365 integration in the Okta App Catalog showed a Group Linking option that wasn't available for Office 365.

OKTA-414387

End users who attempted to use a custom sign out URL were presented with a blank page on Internet Explorer 11.

OKTA-418656

Users weren’t prompted for additional authenticators after self-service password resets even though their sign-on policy required them.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Alerus (OKTA-418805)

  • BenXcel (OKTA-418794)

  • Inbox by Gmail (OKTA-412080)

  • IBM MaaS360 (OKTA-418799)

  • Redis Labs (OKTA-418789)

Applications

Application Updates

  • We have added the userType attribute to the Slab SCIM schema. For details see the Slab Okta SCIM Integration Guide.

  • The FIS Global Client integration is deprecated from the OIN Catalog.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Blingby Inline (OKTA-410691)

  • Panzura Data Services (OKTA-419287)

  • RudderStack (OKTA-413572)

OIDC for the following Okta Verified applications:

Fixes

General Fixes

OKTA-295856

Buttons and text were misaligned on the API > Trusted Origins tab.

OKTA-382908

A confirmation message wasn’t displayed when an admin removed the last resource from a resource set or the last permission from a role.

OKTA-385343

Group attributes weren't pushed from Okta to Active Directory (AD) as expected.

OKTA-387007

When an admin clicked Custom roles from the Overview section on the Administrators page, the Roles tab opened with the incorrect filters applied.

OKTA-402814

Users didn't receive a verification email after updating a secondary email address.

OKTA-402856

In the redesigned Admin Console, import safeguard warning messages didn’t appear on the Dashboard.

OKTA-412025

Users didn't receive a verification email after they were activated on the People page.

OKTA-413954

Certain YubiKey device make and model names didn't appear correctly on the Okta End-User and Admin Dashboards.

OKTA-417326

Some tabs and buttons on the user and group profile pages of the Custom Administrator Roles user interface were labeled incorrectly. Also, the Admin role assignment report page was called Custom reporting.

OKTA-418039

Enhanced email macros didn’t work with Branding.

OKTA-418150

On the People page, the last user with super admin permissions could be deleted without generating an error.

OKTA-418922

When a user was deleted on the People page, the PostDeleteUserEvent event type was Initiated and not Completed.

OKTA-420122

In the redesigned Admin Console, the Actions drop-down menu for SAML app certifications didn’t expand correctly.

OKTA-420740

When a theme was applied to the Okta-hosted sign-in page, the Sign in button didn’t change to the selected primary color.

OKTA-421446

The Administrator assignment by admin page didn’t load properly when the delegated admin had a standard role that was constrained to specific apps or groups.

OKTA-421481

Some Expression Language email templates didn’t work with Branding.

App Integration Fixes

The following SWA app was not working correctly and is now fixed:

  • Vitality (OKTA-420790)

Applications

Application Update

The following integrations are deprecated from the OIN Catalog: 

  • Hiveed

  • BenXcel

  • FIS Global

  • Nanigans

New Integrations

SAML for the following Okta Verified applications:

  • Blingby Programmatic (OKTA-421181)

  • Perimeter 81 (OKTA-415079)

  • Snackmagic (OKTA-419393)

  • Suveryapp (OKTA-420053)

SWA for the following Okta Verified application:

  • Integromat (OKTA-420293)

OIDC for the following Okta Verified application:

July 2021

2021.07.0: Monthly Production release began deployment on July 12

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Dedicated help sites for Okta products

Three of Okta’s products — Access Gateway, Advanced Server Access, and Workflows — now have their own dedicated help sites:

This enhancement offers direct access to independent online help sites for these products from help.okta.com. The new sites provide several benefits:

  • Compactly designed, product-centric content
  • Streamlined navigation
  • More efficient content updates and responsiveness to customer feedback

Okta Device Registration Task, version 1.3.2

This release includes internal code refactoring. You can download this version from the Settings > Downloads section of the Admin Console.

New Domains API response properties available

The Domains API includes the new response object properties of certificateSourcetype and expiration. The certificateSourcetype is a required property that indicates whether the Certificate is provided by the user. The accepted value is Manual. The expiration property on the DNSrecord object is an optional property that defines the TXT record expiration. See Domains API.

Default end-user experience

New orgs, including those created through the org creator API or the developer.okta.com website, will have the new end-user experience enabled by default in preparation for the old end-user experience deprecation starting on October 13. Learn more about this migration and other frequently asked questions in our support article.

Disable Import Groups per SCIM integration

Admins can now choose whether or not to import groups with all SCIM integrations. This new option is available when you set up provisioning for a SCIM integration.

Note that you can't disable group imports for an app if:

  • Import New Users and Profile Updates isn't enabled.

  • App Assignments based on Group exist.

  • Group policy rules exist.

  • Group Push mappings exist.

In these cases, an error is displayed.

Nutanix support

Okta Access Gateway customers can now download and deploy the Access Gateway virtual appliance on Nutanix Acropolis Hypervisor (or Nutanix AHV), a hyper-converged infrastructure platform popular among larger organizations. This provides customers with more options for infrastructure services supported by Access Gateway, including AWS, OCI, VMWare, and now Nutanix.

Remove the ability to disable Admin Experience Redesign

You can no longer disable the Admin Experience Redesign feature for your orgs.

Note: This is not applicable for orgs that didn't have Admin Experience Redesign enabled and used the legacy experience until 2021.06.4.

Windows Hello as an MFA factor is not supported for new orgs

Windows Hello as an MFA factor is no longer supported for new orgs. Existing orgs already using this feature can continue using it.

Test custom email templates

Admins can send themselves a test email to see how their custom email templates will look and function. This allows them to validate macro attributes and translations in the customized template and to see how the template will render in different email environments. Sending the test email to their primary email address eliminates their need to create a real end-to-end workflow to test customization. For more information, see Test a customized email template .

Create LDAP group password policies

You can now create group password policies for LDAP sourced users. This gives you the flexibility to provide users with the same password policy requirements as your local LDAP directory, easing the user experience of an LDAP integration with Okta. See About group password policies and Sign-on policies.

Event Hook preview

Event Hook preview lets admins easily test and troubleshoot their Event Hooks, as well as send sample requests without manually triggering an actual event. This means admins can preview the payload of a specific Event Hook type and make sure that it's what they need to move forward before a full deployment to production. See Event Hook Preview.

Enhancements

Workplace by Facebook new custom attribute

Okta now supports the is_frontline custom attribute in Workplace from Facebook. Supporting user type designations enables access for frontline and deskless workers.

OIN App Catalog UI improvements

For each app integration in the OIN App Catalog, the details page has been updated to use tabs that display the overview and the specific capabilities of the app integration. The details page also shows the Capabilities in the side navigation. Clicking a specific capability returns the administrator to the main Add Application page with that capability pre-selected in the filter. When an admin searches for app integrations, the filter is now persistent through category changes or when they refresh the page.

OIN Manager category selections

For app submissions in the OIN Manager, the category designations have been updated to match the categories available in the OIN App Catalog.

Changes to group assignment options for OIDC apps

Admins can create new OIDC applications without assigning them to a group. See Create OIDC app integrations using AIW.

HTML sanitizer for email templates

Velocity-based email templates are now processed by an HTML sanitizer. Templates that don’t conform to the rules of the sanitizer are corrected before they are sent. See Customize an email template.

Email template events

The creation and deletion of email templates are now logged as events in the System Log.

Rate limit violation event logging

Session-user and User rate violation events are now logged as operation-level events instead of org-wide events. This allows you to distinguish between rate limit violations at an org level and individual level.

Updated branding for End-User Dashboard

Okta branding on the Okta End-User Dashboard has been updated.

Early Access Features

New Feature

FIPS compliance for iOS or Android devices

Federal Information Processing Standards (FIPS) compliance is now available for iOS or Android devices. FIPS can be enabled on the Okta Verify configuration page. When FIPS compliance is enabled, admins can be confident that only FIPS-compliant software is used. See About FIPS-mode encryption.

Enhancement

OAuth redirect URI wildcards

Admins can now use a wildcard for multiple redirect URI subdomains when configuring OIDC applications. See Create OIDC app integrations using AIW.

Fixes

General Fixes

OKTA-274754

When an admin attempted to add an app integration to their org for which the org was not entitled, the error message didn't display the org's edition name.

OKTA-380653

A user-created on-the-fly app incorrectly appeared on the Tasks page under Number of apps that can have provisioning enabled.

OKTA-397607

Sometimes the failed-sign-in counter didn’t reset to zero after an end user successfully signed in, which resulted in improper lockouts.

OKTA-400220

When OpenLDAP was used with delegated authentication, an error message containing unnecessary information appeared if users attempted to change their password and it didn't meet the LDAP complexity requirements.

OKTA-401490

LDAP import schedules weren't updated when Relative Distinguished Name (RDN) attribute mapping from Okta to LDAP was missing.

OKTA-402247

New device notifications weren't sent during passwordless sign-in flows.

OKTA-404865

Group Push for Slack caused group members to be reset and gradually re-added, during which time group members couldn't access the app.

OKTA-405351

Some deactivated SAML IdP users whose attributes were updated with Just-in-time Provisioning were activated even though the reactivation JIT setting wasn't selected.

OKTA-407292

Some users were deactivated instead of deleted in Automations.

OKTA-408802

Sometimes, during SAML app configuration, the metadata link improperly required a sign-in session.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • San Diego Gas and Electric (OKTA-407572)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SWA for the following Okta Verified applications

  • Headspace (OKTA-403509)

  • Redprint (OKTA-394718)

  • SCOPE (OKTA-405791)

OIDC for the following Okta Verified applications

Weekly Updates

Generally Available

Sign-In Widget, version 5.8.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes