Sign-In Widget, version 6.4.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Hyperdrive agent, version 1.2.0

Okta for MFA provides more security for Electronic Prescribing for Controlled Substances (EPCS) clinician flows when using the Epic Hyperdrive platform. This plugin is compatible with both Classic Engine and Identity Engine orgs (EPCS clinician flows for customers still using the deprecated Epic Hyperspace platform aren't supported on Identity Engine). See MFA for Electronic Prescribing for Controlled Substances - Hyperdrive and Okta Hyperdrive agent version history.

Okta LDAP agent, version 5.13.0

This version contains:

• An upgraded version of Amazon Corretto

• Security fixes

• Improved handling of exception in poller thread

• Bug fixes

This agent will be gradually made available to all orgs.

See Okta LDAP Agent version history.

JIRA Authenticator Toolkit, version 3.1.9

This version contains:

• Support for Jira 8.22.2

• Bug fixes

See Okta Jira Authenticator Version History.

Okta Browser Plugin, version 6.10.0

This version includes the following fixes:

• Some elements weren't accessible in the Okta Browser Plugin Change password dialog.
• The Okta Browser Plugin briefly displayed a prompt when users opened SWA apps from the dashboard.

See Okta Browser Plugin version history.

Expose groups in the LDAP interface directory information tree (DIT)

To simplify access control decisions for their orgs, admins can now select the groups they want to expose in the LDAP interface directory information tree (DIT). In addition to Okta groups, admins now have the option to view the application groups that are significant to their orgs, including Active Directory (AD) and LDAP groups. See Expose app groups in the LDAP interface directory information tree.

System Log events for telephony rate limit violations

Telephony system.sms.send.* and system.voice.send.* events are now issued with a DENY System Log message when SMS or voice messages are blocked due to telephony operational rate limit violations. The system.operation.rate_limit.violation event is still fired but will be deprecated in the 2022.08.0 release.

Additionally, the way that the MobilePhoneID hash is created for all system.sms.send.* and system.voice.send.* events is changed.

See System Log.

Enhancements to the base OIDC IdP connector

The generic OpenID Connect (OIDC) identity provider (IdP) connector offers PKCE as an additional verification mechanism. You can also define a regular expression to match Okta usernames when authenticating through this connector. See Create an Identity Provider in Okta.

OIN Manager user interface changes

The OIN Manager includes the following updates:

• The App categories field has been renamed to Use cases to be consistent with the OIN catalog.

• Single Sign-On is the default use case.

JWT claim enhancement

For custom JSON Web Token (JWT) claims, the name portion now supports the URI format, including the slash and colon characters. Any name containing a colon character must be a URI.

System Log enhancement for inline hook types

The inline hook type is now included in the debug data for a System Log debug context event.

Unique names enforced for custom admin roles

When a super admin creates a custom admin role with a duplicate role name, the following error message now appears: There is already an admin role with this name. See Custom administrator roles.

Improved text for resource set constraints

On the Create new resource set and Edit resource set pages, the Constrain to all check box labels now include the selected resource type (Constrain to all groups, for example). See Work with the resource set component.

Policy condition text changes

Enhancements were made to the multifactor authentication items on the Okta Sign-On Policy Add Rule modal to improve user experience. See Configure an Okta sign-on policy.

Reschedule your OIE upgrade directly from the Okta Administrator Dashboard

The OIE Upgrade widget that appears on the Administrator Dashboard for orgs with a scheduled OIE upgrade now provides the ability to reschedule the upgrade. When you click the Reschedule my upgrade link on the widget, a dialog opens where you can select a new time and date for the upgrade. See Upgrade to Okta Identity Engine.

Customers can opt for empty mandatory fields

Okta now fails provisioning jobs when it receives an empty or null value in mandatory fields during SCIM integration. Customers can revert to the previous behavior by contacting Okta support.

System Log enhancements for token exchange flow

A ResponseTime field has been added to the System Log to track the performance of the token exchange flow.

OIDC Identity Providers private/public key pair support

Previously, Okta only supported the use of client secret as the client authentication method with an OpenID Connect-based Identity Provider. Okta now supports the use of private/public key pairs (private_key_jwt) with OpenID Connect-based Identity Providers. Additionally, the Signed Request Object now also supports the use of private/public key pairs. See Create an Identity Provider in Okta.

OKTA-402945

Some read-only admins could edit General Security settings.

OKTA-462264

In the Application accounts need deprovisioning task, selecting a single task to rerun caused Okta to rerun all tasks.

OKTA-471339

Creating a new LDAP integration from the App Catalog resulted in a Resource not found error.

OKTA-479711

When a user added or removed from a group with a custom admin role, the System Log displayed a Grant user privilege event.

OKTA-480925

Admins didn’t receive timely email notifications when users locked themselves out of their accounts.

OKTA-481268

Some IP addresses didn’t display GeoLocation data in the System Log.

OKTA-482826

Some users imported from Active Directory were stuck in one-time password mode if they were activated more than once.

OKTA-488912

When a super admin searched for a group on the Edit resources to a standard role page, the search results didn’t appear until the admin typed in at least three characters.

OKTA-489049

When admins clicked the Tasks tab on the End-user Dashboard, the page took too long to load and the web browser became unresponsive if there were a large number of entitlements.

OKTA-489500

VoiceOver screen readers didn’t read the text for the Can’t scan? link on the Setup Options page when users tried to enroll themselves in Okta Verify.

OKTA-491194

Deleting a custom attribute created a job that consistently timed out for orgs with a large number of users.

OKTA-491583

When using an OIDC app with refresh tokens, clients could obtain an access token through an existing refresh token if the user consent to the offline_access scope was revoked.

OKTA-493059

Admins couldn't upload certificate chains in tree format.

OKTA-493075

The Admin Role Assignments report sometimes included duplicate records.

OKTA-496025

The Delete dialog in the LDAP interface was missing a question mark.

OKTA-497498

Some apps deleted the app username during user provisioning.

OKTA-497934

The Group Search endpoint didn't reflect the last membership update.

OKTA-501623

Simultaneous user profile updates and deactivations sometimes resulted in a permanent DEACTIVATING status for the user.

OKTA-501729

When an admin created a new user with the User must change password on first login option selected, the user's status was mistakenly set to ACTIVE instead of PASSWORD_EXPIRED.

OKTA-502404

Users couldn’t temporarily sign in if their org subdomain was changed.

OKTA-502620

In Assign People, users who were removed from the permitted group were still available.

OKTA-503377

Users could use ADSSO to sign in to Okta when delegated authentication was disabled.

OKTA-503378

Users could continue to use the Okta IWA Web agent to sign in to Okta when delegated authentication was disabled.

OKTA-503715

The file sizes and hash values displayed on the Downloads page for the Linux RADIUS installers were incorrect.

OKTA-505960H

Admins who clicked the Resources > Help Center link from the Admin Console weren’t automatically signed into the Okta Help Center.

Okta AD agent, version 3.11.0

This version of the agent contains the following changes:

• Increased minimum .NET version supported to 4.6.2. If the installer doesn't detect .NET 4.6.2 or higher, it won't be installed.

• Security enhancements

• Removed unsupported libraries

See Okta Active Directory agent version history.

Okta ADFS plugin, version 1.7.10

This version of the plugin contains bug fixes and security enhancements. See Okta ADFS Plugin Version History.

Okta RADIUS agent, version 2.17.4

This version of the agent contains bug fixes and security enhancements. See Okta RADIUS Server Agent Version History.

Okta On-Prem MFA agent, version 1.5.0

This version of the agent contains security enhancements. See Okta On-Prem MFA Agent Version History.

Okta Provisioning agent, version 2.0.10

This release of the Okta Provisioning agent contains vulnerability fixes. See Okta Provisioning agent and SDK version history.

Jira Authenticator, version 3.1.8

This release contains bug fixes. See Okta Jira Authenticator Version History.

Okta Resource Center access

The Okta Resource Center is a collection of product tours, step-by-step guides, and announcements that helps you learn about new features and how to perform tasks within the Admin Console. You can launch the Okta Resource Center by clicking the blue icon from anywhere in the Admin Console. See Okta Resource Center.

Use Okta MFA for Azure AD Conditional Access and Windows Hello for Business Enrollment

You can use Okta MFA to:

• Satisfy Azure AD Conditional Access MFA requirements for your federated Office 365 app instance.
• Enroll end users into Windows Hello for Business.

See Use Okta MFA to satisfy Azure AD MFA requirements for Office 365.

Client secret rotation and key management

Rotating client secrets without service or application downtime is a challenge. Additionally, JSON Web Key management can be cumbersome. To make client secret rotation a seamless process and improve JWK management, you can now create overlapping client secrets and manage JWK key pairs in the Admin Console. You can also create JWK key pairs from the admin console without having to use an external tool. See Manage secrets and keys for OIDC apps.

Application SAML Certificates

Separate SAML signing certificates are now assigned when admins create new SAML applications or configure SAML-enabled OIN apps. Okta previously created SAML certificates that were scoped to an entire org. With this feature, SAML certificates are issued and scoped at the application level to provide more fine-grained control and a more secure solution overall. See Create SAML app integrations using AIW.

Okta API access with OAuth 2.0 for Org2Org

Previously, the Org2Org integration only supported token-based access to the Okta API. You can now configure the Org2Org integration to access the Okta API as an OAuth 2.0 client. This increases security by limiting the scope of access and providing a better mechanism to rotate credentials. See Integrate Okta Org2Org with Okta.

PKCE is a verification method for OIDC SPA and Native app integrations

The OIDC App Integration Wizard now identifies that PKCE is not a client authentication method. Instead, for SPA and Native apps, the AIW creates apps listing PKCE as a verification method. See Create OIDC app integrations using AIW.

Add agent permissions to custom admin roles

Custom admins can perform AD agent auto-updates for AD instances they have access to. They can also view the agents dashboard page to see the statuses of all agents associated with app instances they can manage. See Automatically update Okta agents.

Group count tooltip on the Admin Dashboard

On the Admin Dashboard, the Overview section now provides an "Includes only Okta sourced groups and excludes those sourced externally, such as AD groups" tooltip for the Groups count. The new tooltip helps you understand how your groups count is calculated. You can view the tooltip by hovering your cursor over the Groups count on the Overview section. See View your org at a glance.

Okta End-User Dashboard enhancements

• Unread notifications are more visible to users.

• The End-User Dashboard Preview function bar has moved to a separate dialog. See Preview an end user's dashboard.

• The Last sign in link at the bottom of the Okta End-User Dashboard now includes the entire text of the message in the hyperlink.

• The title of the copy password dialog in the Okta End-User Dashboard is more specific.

System Log enhancements for block zone events

• The zone.make_blacklist event in the System Log now encompasses two actions: when an admin creates a blocked network zone, and when an admin marks an existing blocked zone as unblocked. Previously, this event was only recorded when a pre-existing network zone was converted into a block list.

  

• The zone.remove_blacklist System Log event now encompasses two actions: when a network zone is converted into an allow list, and when an admin deletes a blocked zone. Previously, this event was only recorded when a pre-existing network zone was converted to an allow list.

  

System Log enhancement for network zone events

A network zone ID is now added as a target for all network zone events in the System Log.

Enhancements to ThreatInsight

ThreatInsight is improved to further protect rate limit consumption from malicious actors. Requests from actors with a high threat level continue to be logged and/or blocked depending on the org's configuration. Now, additional requests that seem malicious but have a lower threat level no longer count towards org rate limits.

OIN Catalog enhancements

Integrations in the OIN Catalog help end users address issues across a variety of industries. Okta has added the ability to filter integrations by industry to help both prospective and current Okta users identify the OIN integrations that best meet their needs. Additionally, the OIN Catalog interface has been updated with the following enhancements for improved navigation:

• The search interface has been updated and popular search terms can now be selected.

• Details pages for integrations have been updated for usability.

• Navigation breadcrumbs have been added to the OIN Catalog.

• Integrations can now be sorted alphabetically and by recently added.

See Add existing app integrations.

OIN Catalog search functionality and filter updates

• OIN Catalog search results now prioritize complete word matches from the search phrase.

• Integrations in the OIN Catalog can now be filtered by RADIUS functionality.

See Add existing app integrations.

OIN Manager enhancements

The OIN Manager now requires that ISV submissions for SCIM integrations confirm that the integration meets API response timing requirements. See Publish an OIN integration.

Auto-update task no longer requires pip

The device trust enrollment and renewal script on macOS no longer requires the pip package manager to install Python pyOpenSSL packages.

OKTA-386570

If an LDAP interface bind request failed, subsequent searches failed with an internal server error instead of a permissions denied error.

OKTA-435855

Web and SPA app integrations created with an Authorization code or Interaction code grant type incorrectly returned an error if the Login Initiated By Either Okta or App option was selected.

OKTA-472350

Group push mapping for multiple Org2Org applications failed for some customers.

OKTA-476896

On the Administrators page, deactivated users with assigned admin roles were included in the Individually assigned count.

OKTA-477494

Some invalid EL expressions incorrectly passed validation.

OKTA-477634

Some users experienced delays when searching for an app on the Okta End-User Dashboard.

OKTA-481752

When users tried to enroll in Okta Verify, VoiceOver screen readers didn't highlight the mobile device type correctly or allow users to select a device. It also selected the iPhone option even though the Android option was also available.

OKTA-482435

When admins upgraded an app to SAML 2.0, the SAML 2.0 setup instructions used the org-scoped certificate instead of the app-scoped certificate.

OKTA-484366

Admins couldn’t use the objectGuid attribute as a unique identifier when integrating AD LDS LDAP servers with Okta.

OKTA-488233

Parallel JIT requests for the same username created duplicate users.

OKTA-488428

Some users lost the ability to reveal passwords for an app when the app drawer feature was enabled.

OKTA-488663

When Full Featured Code Editor was enabled, the full screen toggle on the error page code editor didn’t change to a minimize icon.

OKTA-489050

Sometimes an error message was displayed when admins viewed applications in the Admin Console.

OKTA-491164

Some admins weren’t assigned the Admin Console when they were added to a group with assigned admin roles.

OKTA-491264

Sometimes when a super admin deleted a custom admin role that contained email notifications, admins couldn’t update their email notification settings.

OKTA-495549

When groups were exposed in the LDAP interface directory information tree, some filters referencing the entryDn attribute returned the incorrect result code if the group wasn’t found.

OKTA-495598

AD-sourced users who reset their passwords in AD had to reset their passwords again when using IWA or ADSSO to sign in to Okta.

App Integration Fix

The following SWA app was not working correctly and is now fixed:

• NDFR/SDU (OKTA-485335)

Sign-In Widget, version 6.2.0

Okta On-Prem MFA Agent, version 1.4.9

This version of the agent contains security enhancements. See Okta On-Prem MFA Agent Version History.

Okta Browser Plugin, version 6.9.0 for all browsers

This version includes the following changes:

• Keyboard navigation didn't work properly when users attempted to switch to a new app list in the plugin popover window. Users were unable to close the plugin popover window with keyboard input.
• Version 6.8.0 of the plugin caused issues for some users when they attempted to sign in to an SWA app in an iframe.

See Okta Browser Plugin version history.

Admin Experience Redesign toggle removed

The toggle that allowed super admins to switch between the Admin Experience Redesign and the old experience has been removed. All Okta admins now benefit from our restyled Okta Admin Dashboard, responsive navigation side bar, and modern look and feel.

Allow or deny custom clients in Office 365 sign-on policy

You can filter specific clients in an Office 365 app sign-on rule to allow or deny them access to Office 365 resources. This filter can be used to deny access to untrusted clients or to only allow trusted clients. See Allow or deny custom clients in Office 365 sign on policy

Improved AD group membership synchronization

The ADAppUser distinguished name field is now updated when a user is added to an Okta group and a matching group exists in AD. When an Okta provisioning request moves a user to a new organizational unit, the change is quickly duplicated in AD. This new functionality helps ensure the accuracy and integrity of AD group membership information. Manage Active Directory users and groups.

New App Drawer

The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.

ShareFile REST OAuth

Admins can now upgrade to the latest version of our ShareFile integration. OAuth provides more secure authentication and will be now used for Provisioning and Imports. See Configure ShareFile OAuth and REST integration. This feature is made available to all orgs.

Federation Broker Mode UI improvements

The user interface prompts for Federation Broker Mode have been improved to provide more information about the feature. This feature can also be enabled through the OIDC app creation wizard. See Enable Federation Broker Mode.

Recent activity page link for end users

If Recent Activity is enabled, users can click Last sign in in the footer of the left navigation bar to go directly to the Recent Activity page.

Burst rate limits available on Rate Limit Dashboard

The Rate Limit Dashboard, available from the Admin Console, now includes data on burst limits in your Okta org, in addition to rate limit warnings and violations. The Violations dashboard was renamed Events to acknowledge the increase of scope, and includes the ability to filter on timeline as well as the type of event (warning, burst, and violation). Hovering over the burst rates in the graphs provides more detail and links to the system log for individual endpoint calls. The individual Usage graphs provide details on bursts for the individual API. See Rate limit dashboard and Burst rate limits.

New ThreatInsight enforcement action

If you configure ThreatInsight to log and enforce security based on the threat level detected, ThreatInsight can either limit or block authentication requests from suspicious IP addresses. For example, if a specific IP address is suspected of malicious activity but the threat level is considered low, authentication requests from the IP address are not denied access but might be subjected to a rate limit. See Configure Okta ThreatInsight.

New MFA help link

A new help link appears on Okta-hosted custom Sign-In Widgets. This link directs users to a page where they can learn more about the MFAn options available when they sign in. See Customize text on your sign-in page.

PIV IDP user profile mapping

You can now use idpuser.subjectUid in an Okta user profile when mapping IDP Username for Personal Identity Verification (PIV) IDPs. See Add a Smart Card identity provider.

Custom app logo preview

Admins can now preview a custom logo before applying it to an app. See Customize an application logo.

Updated error message for Microsoft Graph API

An error message for Microsoft Graph API has been updated to include more details and a possible workaround.

Debug logging for token exchange

The following fields have been added to the System Log for assistance in debugging OAuth2 token exchange events:

• requested_token_type
• subject_token_type
• actor_token_type
• resource

Updated SAML setup instructions

Setup instructions for SAML 2.0 apps now use per app SHA2 certificate during the app creation.

Change to the number of free SMS messages allowed

To balance growing costs of SMS usage while maintaining a commitment to developer and free trial orgs, Okta is changing the number of free SMS messages these orgs are allowed each month. Beginning April 4, 2022, orgs may send a maximum of 100 messages per month. For more information about this change, visit the Okta Developer Community.

OKTA-442031

Some Okta Mobile sign-in flows didn’t work for admins when the Okta Admin Console app required step-up authentication.

OKTA-460284

SAP Litmos imports failed with an unexpected error.

OKTA-472816

When app admins selected the Agents tab, the error message “Error rendering agents monitor table” appeared and no agents were listed.

OKTA-473180

Sometimes AssertionId for SAML1.1 assertions was poorly formatted.

OKTA-475767

Sometimes, in the Groups page Description column, an equals sign (=) replaced the forward slash ( / ) in LDAP-sourced group names.

OKTA-475773

Users could continue to use the Okta IWA Web agent to sign in to Okta when delegated authentication was disabled.

OKTA-475774

Users could use ADSSO to sign in to Okta when delegated authentication was disabled.

OKTA-478467

Admins who didn’t have permission to view the Agent monitors page received agent auto-update email notifications.

OKTA-479110

The sender email address on the Customizations > Emails page was inconsistent with the sender email address on individual templates.

OKTA-479701

Admins were shown events that were unrelated to their account in the Security Events section of the Recent Activity page.

OKTA-481319

An attribute for an app couldn't be re-added as a different type with the same variable name.

OKTA-482086

Some admins saw an error if they tried to run a report using resource sets created more than a year ago.

OKTA-482915

Admins were unable to remove unconfirmed imported users.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

• MyFonts (OKTA-476809)

• Quickbooks Time Tracker (OKTA-476695)

Sign-In Widget, version 6.1.0

Okta SSO IWA Web App agent, version 1.15.0

This version of the agent contains:

• Security enhancements.

• Making .NET Framework 4.6.2 the minimal supported version. Earlier versions are automatically upgraded during agent installation.

• Okta Military Cloud support.

See Okta SSO IWA Web App version history.

Okta Active Directory Password Sync agent, version 1.5.0

This version of the agent includes:

• Security enhancements.

• Making .NET Framework 4.6.2 the minimal supported version. Earlier versions are automatically upgraded during agent installation.

• Okta Military Cloud support.

See Okta Active Directory Password Sync Agent version history.

Okta AD agent, version 3.10.0

This version of the agent contains:

• Okta Military Cloud support.

• Bug fixes.

See Okta Active Directory agent version history.

Okta LDAP agent, version 5.12.0

This version of the agent contains support for Okta Military Cloud. See Okta LDAP Agent version history.

Okta Provisioning agent, version 2.0.9

This release of the Okta Provisioning agent contains vulnerability fixes.

See Okta Provisioning agent and SDK version history.

Event hooks for custom admin roles

Custom admin role events are now available for use as Event Hooks. This provides more security to admins by ensuring that they have the correct permission to perform tasks. See Event hooks.

Enhanced email macros for email template customization

Enhanced Email Macros updates the email templating engine to use Velocity Templating Language (VTL). This feature unlocks new syntax that provides enhanced conditional logic and access to all attributes in the Okta User Profile object. This allows developers and admins more customizations in their user-facing emails. See Customize email templates (Developer docs) and Customize an email template.

Enforce limit and log per client mode for OAuth 2.0 /authorize and /login/login.htm endpoints

The default client-based rate limit for OAuth 2.0 /authorize and /login/login.htm endpoints is now elevated to Enforce limit and log per client (recommended) mode. This means that if your org’s client-based rate limit was previously set to Do nothing or Log per client, the setting is changed to Enforce limit and log per client (recommended) mode.

Note that based on the email communication sent out on Feb 3, 2022 and Feb 25, 2022, these changes are not applicable to certain orgs. See Default client-based rate limit mode change.

New ThreatInsight enforcement option

ThreatInsight evaluates authentication requests to detect potentially malicious activity from IP addresses exhibiting suspicious behavior. If you enable the Log and enforce security based on threat level option, ThreatInsight can limit or block authentication requests from suspicious IP addresses based on the threat level detected. For example, if a specific IP address is suspected of malicious activity but the threat level is considered low, authentication requests from the IP address are not denied access but might be subjected to a rate limit. The rate limit helps ensure that requests from a suspicious IP address don't overload authentication services and affect legitimate traffic. However, if an IP address is suspected of malicious activity and the threat level detected is high, authentication requests from the IP address are blocked. See Configure Okta ThreatInsight.

Validation for custom message templates

If you customize the default SMS message template, the Admin Console checks the message to determine whether it contains GSM or non-GSM characters and enforces the GSM or non-GSM character limit before saving the message. This check ensures that you don't create custom SMS messages that exceed the GSM or non-GSM character limit for message segments.

If you change existing custom templates, the new restrictions are enforced if your messages contain non-GSM characters.

For more information about customizing SMS templates, see Configure and use telephony.

Copy button updates

In the app settings panel of the Okta End-User Dashboard, the copy buttons for the username and password fields are renamed Copy username and Copy password.

Group assignment priority

If a group rule results in a higher group app assignment priority on an existing app user, the user is now remapped to the higher priority group assignment.

Extensibility for notifications of group push failure circumstances

Group push failure event hooks now allow customers to monitor for failures that won't be retried and use them to trigger automations, such as execution of a flow in Okta Workflows.

Group push notification improvements

Group push failure notifications have been repurposed and improved to provide better error descriptions for customers.

User accounts report

Use this report to view users with accounts in Okta and their profile information. It helps you manage and track user access to resources, meet audit and compliance requirements, and monitor the security of your org. The report is located in the Entitlements and Access section of the Reports page. See User Accounts report

OKTA-404202

All users imported that are not confirmed will be removed using Clear Unconfirmed Users tool.

OKTA-447833

Admins couldn’t set up a custom domain URL with a top-level domain of .inc.

OKTA-455641

The Edit Assignment page for the Box app didn’t handle non-alphabetical characters properly.

OKTA-457771

Some users imported from Active Directory were missing apps assigned through group assignment.

OKTA-460013

Okta will schedule group reconciliation for any assigned user that is operationalized.

OKTA-461371

VoiceOver screen readers didn’t read the descriptions for the options to send Okta Verify activation links using SMS and email.

OKTA-466022

Admins whose custom role contained the Run imports permission couldn’t view their org’s LDAP integrations.

OKTA-468707

The System Log didn't display ThreatSuspected=false for authentication events when no threat evaluation was done.

OKTA-469843

Sign-In Widget polling didn't resume when the network became available.

OKTA-470096

Group membership changes didn’t automatically activate Group Push.

OKTA-471299

When ThreatInsight evaluated sign-in attempts for unknown users, the threat level was incorrectly displayed as threatLevel=UNKNOWN in the System Log.

OKTA-471605H

In SP-initiated flows, users' sessions ended when they closed the browser even if they selected Keep me signed in.

OKTA-471605H

In SP-initiated flows, users' sessions ended when they closed the browser even if they selected Keep me signed in.

OKTA-472304H

Group push for some customers resulted in a timeout error after one minute.

OKTA-473512

When the Custom Admin Roles feature was enabled, super admins were called Super Organization Administrators.

App Integration Fixes

The following SWA app were not working correctly and are now fixed

• Asana (OKTA-467306)
• Dashlane Business (OKTA-466333)
• Guardian Insurance (OKTA-470966)
• Loop11 (OKTA-471181)
• Names & Faces (OKTA-468537)
• Nord Layer (OKTA-469771)
• Optum Health Financial (OKTA-465956)
• QuickBooks (OKTA-467864)
• Twitter (OKTA-470889)

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

OKTA-294735

In the email template editor, the subject was translated to the admin’s display language but the rest of the content remained in English.

OKTA-383630

Macros didn’t render correctly in the subject field for Send test email and Email preview.

OKTA-419837

The warning message for custom code editors referred to Theme builder instead of Branding.

OKTA-419847

On-Prem MFA API tokens contained scopes beyond what was required for agent operation.

OKTA-423419

Some email templates returned errors if Velocity variables weren’t enclosed in brackets. This occurred for orgs with Enhanced Email Macros enabled.

OKTA-430327

Repeatedly assigning and unassigning a user to a group that provisions applications converted that user from a group assignment to an individual assignment.

OKTA-433751

End users received errors when accessing SWA apps through the Okta End-User Dashboard if their app passwords contained ampersands.

OKTA-436486

Some orgs couldn’t save email templates containing Velocity variables. This occurred for orgs with Enhanced Email Macros enabled.

OKTA-442296

Some end users received a 400 error after signing in to the Okta End-User Dashboard.

OKTA-443420

The Admin Console became unresponsive if admins performed a search with an unlimited number of characters on the People page.

OKTA-443777

Admins couldn’t use the objectGuid attribute as a unique identifier when integrating AD LDS LDAP servers with Okta.

OKTA-451206

When admins enabled LDAP real-time synchronization, the system.agent.ad.realtimesync event erroneously appeared in the System Log.

OKTA-455372

If the information required to evaluate behavior was not available, the System Log displayed BAD_REQUEST for rules that included behavior detection.

OKTA-451159

Org2Org attempts to push users sometimes resulted in java.net.SocketTimeoutException: Read timed out errors.

OKTA-455199

Error messages weren’t shown to users who signed in to orgs using passwordless authorization and an Identity Provider from IP addresses outside of the allowed network zone.

OKTA-456690

The View logs option on the People page was available to all users.

OKTA-459571

In the admin console, the status of RADIUS agents randomly changed from Operational to Disrupted.

OKTA-460366

On Security > Networks > Add IP Zone, proxy IP addresses weren't explicitly identified as trusted proxy IP addresses.

OKTA-461015

Event information was missing from the Report Suspicious Activity page after users changed their password in the Sign-In Widget.

OKTA-461198

When the Custom Admin Roles feature was enabled, read-only admins could see the Assign to People, Assign to Groups, and Edit User buttons on the Applications page.

OKTA-461686

The error message DownloadedObjectsProcessJob: null id in com.okta.monolith.platform.groups.db.dto.MembershipOktaGroup appeared after a full import of LDAP attributes.

OKTA-462025

Admins who refreshed a page in the custom URL domain wizard weren’t returned to the correct step.

OKTA-462114

The ${user.login} variable appeared in default email templates.

OKTA-462312

No warning message appeared when an attribute was saved as both sensitive and required in the Profile Editor.

OKTA-462807

Some orgs couldn't provision out-of-sync users.

OKTA-463388

Some valid Philippines phone numbers were identified as invalid and rejected when users tried to enroll in SMS authentication.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

• AppSplit (OKTA-462294)
• Auth0 (OKTA-456042)
• Dockerhub (OKTA-463515)
• FinServ (OKTA-463959)
• LoansPQ (OKTA-462410)
• MeridianLink LoansPQ (OKTA-460940)
• New Relic (OKTA-464710)
• ProtonMail (OKTA-463545)
• Salto Keys (OKTA-464469)
• WePay (OKTA-462296)
• Wikispaces (OKTA-462300)

Sign-In Widget, version 5.16.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Okta Provisioning agent, version 2.0.6

This version of the agent contains security fixes. See Okta Provisioning agent and SDK version history

Okta On-Prem MFA agent, version 1.4.8

This version of the agent contains security fixes. See Okta On-Prem MFA Agent Version History.

Okta Active Directory agent, version 3.8.0

This version of the agent contains:

• Agent auto-update support
• Improved logging functionality to assist with issue resolution
• Bug fixes

See Okta Active Directory agent version history.

Okta RADIUS Server agent, version 2.17.2

This version of the agent contains security fixes. See Okta RADIUS Server Agent Version History.

Delivery status of SMS messages in the System Log

Administrators can now view the delivery status for SMS messages in the System Log. For information about the new event type, see Configure and use telephony.

Feature name change: New Sign-On Notification

The New Device Notification functionality is renamed to New Sign-On Notification in the Admin Dashboard, the email notification title, and elsewhere. It refers to the email notification a user receives when there’s a sign-in event from an unrecognized device.

New permissions for custom admin roles

The following new permissions can now be assigned to a custom admin role:

• Activate users

• Deactivate users

• Suspend users

• Unsuspend user

• Delete users

• Unlock users

• Clear user sessions

• Reset users' authenticators

• Reset users' passwords

• Set users' temporary password

• Run imports.

The new permissions give super admins more granular control over their delegated org permissions. See About role permissions.

Editable Sign-in URL

End users can edit sign-in URLs for their apps on the App Settings page.

Password change notifications for LDAP-sourced users

Password change email notifications may now be sent to LDAP-sourced users.

API token ID displayed in tokens

API token ID is now displayed under API tokens for easy tracking.

SHA type displayed for SAML certificates

SHA type is now displayed for SAML certificates in the Admin Console.

OKTA-379478

The Medallia Mobile application dataAccess attribute wasn't automatically updated after changes were made to a user's group membership.

OKTA-412445

The SAML assertion sent by Okta to AWS exceeded the max character length supported by AWS (100,000 characters).

OKTA-420065

Launch on sign-in apps on the Okta End-User Dashboard launched multiple times after the user signed in.

OKTA-444924

An incorrect error message appeared when admins searched for groups and the Expression Language query included invalid attributes.

OKTA-447750

Users signing in to OIDC apps through Okta-hosted Sign-In Widgets on custom authorization servers received an access error message before they could provide their password.

OKTA-448006

Some branded pages used an org’s previously uploaded logo rather than their new theme logo.

OKTA-453672

When admins created custom language and country code attributes in the Profile Editor, the format property wasn’t updated and submitted.

OKTA-454206

Some admins without super admin permissions could view a link to the Admin role assignments report. This occurred for orgs with the Custom Admin Roles feature enabled.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

• Bendigo Bank (OKTA-454211)

• EdgeCast (OKTA-453148)

• Maxwell Health (OKTA-454213)

• My T-Mobile (OKTA-455732)

• Redis (OKTA-454218)