Production release notes

Current Upcoming
Production 2023.05.2 2023.05.3 Production release is scheduled to begin deployment on June 12
Preview 2023.05.2

2023.05.3 Preview release is scheduled to begin deployment on June 7

May 2023

2023.05.0: Monthly Production release began deployment on May 15

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

Okta AD agent, version 3.15.0

This version of the agent contains the following changes:

  • Bug fixes. Active Directory (AD) agent auto-update health check caused auto-update to fail when upgrading from version 3.13.0 to 3.14.0.

See Okta Active Directory agent version history.

Okta On-Prem MFA agent, version 1.7.0

This version includes support for extended client session timeout. See Install the agent.

Confluence Authenticator, version 3.2.2

This release contains security fixes. See Okta Confluence Authenticator version history.

Okta Jira Authenticator, version 3.2.2

This release contains security fixes. See Okta Jira Authenticator Version History.

Import users to Office 365 using Microsoft Graph API

This feature allows Okta to process imports using the Microsoft Graph API. This background process doesn’t change existing procedures and makes imports more scalable, supporting Microsoft 365 tenants with larger numbers of users, groups, and group memberships. See Import users to Office 365 using Microsoft Graph API. This feature will be gradually made available to all orgs.

OAuth 2.0 On-Behalf-Of Token Exchange

Exchange helps retain the user context in requests to downstream services. It provides a protocol approach to support scenarios where a client can exchange an access token received from an upstream client with a new token by interacting with the authorization server. See Set up OAuth 2.0 On-Behalf-Of Token Exchange.

Okta Expression Language matches operator deprecated

The Okta Expression Language matches operator that is used to evaluate a string against a regular expression is deprecated. This feature is currently enabled by default for new orgs only.

Okta administrators group for all org admins

A default Okta administrators group is now available in every Okta org. The new group allows you to create sign-on policies that automatically apply to all admins in your org. See About groups.

Help links for standard admin roles

In Administrators > Roles, each standard admin role now provides a link to its corresponding help page. This allows admins to quickly and easily locate the documentation that supports their standard role assignments.

Self-Service Okta Identity Engine Upgrades for eligible orgs

Okta is slowly rolling out self-service upgrade functionality to eligible orgs. Using the new self-service upgrade widget, orgs with acknowledgment action items can now review and complete those items, and then schedule their upgrade. When your org becomes eligible for the upgrade, you receive an email confirming your eligibility and the self-service upgrade widget appears on the Admin Dashboard. The upgrade is free, automatic, and has zero downtime. See Upgrade from Okta Classic Engine.

Note that only super admins can view and manage the self-service upgrade widget.

New upgrade warning

For self-service Identity Engine upgrades, a warning message now appears to indicate that the Classic Engine Sessions API isn't supported.

More events eligible for hooks

The following System Log events are now eligible for event hooks:

  • group.application_assignment.add

  • group.application_assignment.remove

  • group.application_assignment.update

New legal disclaimer in Okta Trial accounts

A new legal disclaimer is displayed on the Add Person dialog in Okta trial accounts to prevent sending unsolicited and unauthorized activation emails.

Okta branding changes for the Admin Console

Branding updates to headings, fonts, colors, borders, and logos are now available in the Admin Console.

Additional measures to counter toll fraud

For SMS and voice authentications, additional mitigation measures now help counter phone number-based toll fraud.

Early Access Features

Permission conditions for profile attributes

You can now apply conditions to the View users and their details and Edit users' profile attributes custom admin role permissions. Permission conditions help you limit the scope of a role by including or excluding admins' access to individual profile attributes. This gives you more granular control over your custom admin roles and helps meet your org’s unique security needs. See Permission conditions.

Assign admin roles to an app

Orgs can now assign admin roles to their custom API Service Integrations. Apps with assigned admin roles are constrained to the permissions and resources that are included in the role assignment. This helps ensure that apps only have access to the resources that are needed to perform their tasks, and improves orgs' overall security. See Work with the admin component.

Event hook filters

You can now filter individual events of the same event type based on custom business logic hosted in Okta. These filters reduce the amount of events that trigger hooks, removing an unnecessary load on your external service.

This feature includes an improved creation workflow for event hooks and a new Filters tab that you can use to create event filters with direct Expression Language statements or with a simple UI format.

Using event hook filters significantly reduces the amount of event hook requests and the need for custom code on your respective services. See Edit an event hook filter.

Fixes

  • OKTA-566113

    After changing the display language for an Okta org from English to another language, some text was still displayed in English.

  • OKTA-580684

    In the Okta Expression Language, the isMemberOfGroupNameContains expression couldn't differentiate underscores and hyphens, which caused unexpected user membership assignments.

  • OKTA-595053

    Users who clicked Back to sign in before setting up their security methods were incorrectly notified that their configuration was successful. This occurred only in orgs with custom domains.

  • OKTA-596360

    Locked out users could still authenticate and sign in through Integrated Windows Authentication (IWA).

  • OKTA-596600

    For apps with Group Push enabled, the Application Push Groups tab displayed incorrect dates and times.

  • OKTA-597396

    Pushing groups from Okta to Microsoft Office 365 sometimes failed if an empty group description was updated.

  • OKTA-599408

    GMT timezones couldn't be selected correctly in the System Log.

  • OKTA-600867

    The Yubikey Reports page wasn't properly translated.

  • OKTA-601875

    After a user was deactivated, their remaining tasks resulted in errors.

  • OKTA-603305

    On the Edit resource set page, an error appeared when an admin deleted a resource type and then added it again. This occurred when the redesigned resource editor feature was enabled.

  • OKTA-607249

    Service clients with the correct permissions couldn't modify policies that contained the Okta Administrator Group.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified applications

Weekly Updates

Fixes

  • OKTA-588667

    After creating accounts, some users weren't able to complete the sign-in process.

  • OKTA-596446

    Error summary messages weren't written to the System Log when custom errors occurred during an import inline hook operation.

  • OKTA-597490

    The LDAP interface didn't return any result for a deactivated user when the cn value was combined with other filters.

  • OKTA-597959

    Okta users authenticating through Agentless Desktop SSO (ADSSO) were sometimes incorrectly shown a migration-check error message.

  • OKTA-601618

    Email change confirmation notices came from an Okta test account rather than a brand-specific sender.

  • OKTA-603731

    Macros in email subjects weren't processed correctly for some email templates.

  • OKTA-604404

    Imports performed during UltiPro maintenance resulted in inconsistent data being returned.

  • OKTA-604914

    When the redesigned resource editor feature was enabled, admins couldn’t add individual applications to their resource sets.

  • OKTA-609336

    Incorrect descriptions were displayed on the Agents > On-premise tab.

  • OKTA-609390

    During Identity Engine self-service upgrades, admins could see false indications that the Sessions API was in use.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified applications

Fixes

  • OKTA-414791

    LDAP requests resulted in an error if the memberOf filter didn't include a Group DN.

  • OKTA-423781

    The Privacy link on the Okta dashboard wasn't translated.

  • OKTA-585123

    When the Full Featured Code Editor was enabled, some admins couldn't edit the Sign-In Widget version or their sign-in page draft changes.

  • OKTA-591228

    Admins with a custom role couldn’t receive user reports of suspicious activity in email notifications.

  • OKTA-599051

    During the Authorization Code flow, claims appeared in the ID token when alwaysIncludeInToken was set to false.

  • OKTA-602635

    Some text on the Administrator assignment by role page wasn’t translated properly.

  • OKTA-602794

    Token inline hooks failed even when a URL claim name was correctly encoded with a JSON pointer.

  • OKTA-604386

    The Edit button disappeared from the Other customizations > User Accounts panel.

  • OKTA-604825

    When an admin added the Manage users permission to a role, any existing permission conditions were removed. Also, admins with restricted profile attributes could edit those attributes on their own profile.

  • OKTA-613226

    Some of the new Okta branding changes weren’t displayed in the Admin Console.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

API service app for the following Okta Verified applications

OIDC for the following Okta Verified applications

April 2023

2023.04.0: Monthly Production release began deployment on April 10

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

Sign-In Widget, version 7.5.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta AD agent, version 3.14.0

This version of the agent contains the following changes:

  • Security enhancements.

  • Bug fixes.

  • Installer will show a warning if the service account isn't a member of Pre-Windows 2000 Compatible Access.

  • Migration of the Windows installer from Internet Explorer to Edge.

The installer now requires Edge WebView2. WebView2 is downloaded automatically during the agent installation if your machine is connected to the internet. If not, you must manually install it before installing the new agent version. See Okta Active Directory agent version history.

Okta Provisioning agent, version 2.0.14

This version of the agent contains security fixes. See Okta Provisioning agent and SDK version history.

Schedule your Okta Identity Engine upgrade directly from the Admin Dashboard

Okta is slowly rolling out self-service Identity Engine upgrade functionality to eligible orgs. When your org becomes eligible, the new self-service upgrade widget is displayed on the Admin Dashboard. The widget provides a quick and easy way to schedule your org’s upgrade for a more powerful and customizable identity experience. The upgrade is free, automatic, and has zero downtime. See Upgrade from Okta Classic Engine. This feature will be gradually made available to all orgs.

OAuth 2.0 authentication for inline hooks

Okta inline hook calls to third-party external web services previously provided only header-based authentication for security. Although sent with SSL, the header or custom header authentication didn’t meet more stringent security requirements for various clients and industries.

To improve the security of inline hooks, Okta now supports authentication with OAuth 2.0 access tokens. Tokens ensure secure calls to external web services.

When creating inline hooks in the Admin Console (or by API), administrators or developers can now select OAuth 2.0 authentication and choose between two methods of OAuth 2.0: Client Secret or Private Key. A new Key Management API and Admin Console page is also available to create public/private key pairs for use with OAuth 2.0 inline hooks. See Manage keys.

Using the OAuth 2.0 framework provides better security than Basic Authentication, and is less work than setting up an IP allowlisting solution. Clients also have the ability to use access tokens minted by their own custom authorization servers to guarantee that Okta is calling their client web services and it isn't triggered by any external actors. See Add an inline hook

API Service Integrations

Using a more secure OAuth 2.0 connection than access tokens, this integration type uses the Core Okta API to access or modify resources like System Logs, apps, sessions, and policies. See API Service Integrations.

OIN Manager support for Workflow Connector submission

ISV_PORTAL_CONNECTOR_SUBMISSIONS GA PREVIEW 2023.03.0 GA PROD 2023.04.0

Okta Workflows is a no-code, if-this-then-that logic builder that Okta orgs can use to automate custom or complex employee onboarding and offboarding flows in your application. You can now publish Workflow connectors that you create with the [Workflows Connector Builder](connector-builder.htm) in the Okta Integration Network (OIN) catalog. Publishing a Workflows Connector with Okta allows your customers to deeply integrate your product with all other connectors in the catalog. Submit your Workflow Connector by using the OIN Manager. See Submit an integration for Workflows connectors.

Configurable rate limits available for OAuth 2.0 apps

Rate limit violations mainly occur on authenticated endpoints. Currently, it isn't clear which OAuth 2.0 authenticated app consumes all the rate limits for an org. This increases the risk that one app consumes the entire rate limit bucket. To avoid this possibility, Okta admins can now configure how much rate limit capacity an individual OAuth 2.0 app can consume by editing the Application rate limits tab for each app. By setting a capacity on individual OAuth 2.0 apps, Okta admins have a new tool to monitor and investigate rate limit violations, and have the ability to view rate limit traffic generated by individual OAuth 2.0 apps. See Rate limit dashboard bar graph.

Support added for DPoP with service apps

Okta now supports Demonstrating Proof-of-Possession for service apps. However, service apps can provide the same level of security by using private_key_jwt for client authentication. See Configure OAuth 2.0 Demonstrating Proof-of-Possession and Client authentication.

Multiple IdP profiles in Google Workspace

The Google Workspace integration now supports multiple IdP profiles. See How to Configure SAML 2.0 for Google Workspace.

Early Access Features

Demonstrating Proof-of-Possession

OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) is a security feature that adds an extra layer of protection to OAuth 2.0 access tokens. It enables the client to demonstrate that it possesses a particular key or secret associated with the access token. OAuth 2.0 DPoP can help prevent certain attacks, such as token theft or token replay attacks, where an attacker intercepts a legitimate access token and uses it to gain unauthorized access to a protected resource. See Create OIDC app integrations.

Redesigned resource set pages

The Create new resource set and Edit resource set pages that are displayed when an admin creates or edit a resource set now provide a simpler, more intuitive user experience. See Create a resource set.

Okta LDAP Agent automatic update support

Admins can now initiate or schedule automatic updates to Okta LDAP agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta LDAP agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta LDAP agents.

Import users to Office 365 using Microsoft Graph API

This feature allows Okta to process imports using the Microsoft Graph API. This background process doesn’t change existing procedures and makes imports more scalable, supporting Microsoft 365 tenants with larger numbers of users, groups, and group memberships. See Import users to Office 365 using Microsoft Graph API.

Fixes

OKTA-511637

If users clicked the reveal password icon in the Sign-In Widget before they entered their password, blank spaces were removed upon submission.

OKTA-570362

The End-User Dashboard displayed email confirmation notifications for users who didn't change their primary email.

OKTA-573667

The dates on the Agent auto-update settings page in the Admin Dashboard were missing the year.

OKTA-581516

HTML wasn't formed correctly in SAML responses.

OKTA-586482

Sometimes users couldn't enroll in or set up On-Prem MFA or RSA SecurID.

OKTA-588390

Token Preview for custom authorization servers failed for group claims with more than 100 groups.

OKTA-592588

The Routing rules tab on the Identity Providers page wasn't hidden for users without admin permissions.

OKTA-593452

The Everyone group in Okta couldn't be imported through the Okta Org2Org app.

Applications

New Integrations

SAML for the following Okta Verified applications:

OIDC for the following Okta Verified application:

Weekly Updates

Fixes

  • OKTA-529298

    Renaming an individually selected organizational unit in Active Directory caused it to be unselected in Okta when imported.

  • OKTA-573682

    Some of the widgets on the Admin Dashboard didn’t use the correct date and time format.

  • OKTA-578310

    Some labels and error messages related to assigning applications were untranslated.

  • OKTA-584757

    Sometimes group push operations to ServiceNow failed.

  • OKTA-597224

    Org admins could schedule and manage their org’s Identity Engine upgrade using the OIE Upgrade Hub.

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

OIDC for the following Okta Verified application:

App Integration Fix

The following SWA app wasn't working correctly and is now fixed:

  • Adobe Stock (OKTA-564445)

Generally Available

Sign-In Widget, version 5.7.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

  • OKTA-475223

    On the Admin Dashboard, the Tasks menu Pending and Complete labels overlapped with the dropdown icon.

  • OKTA-500841

    RADIUS server agent was incorrectly listed among Disconnects and reconnects under System notifications.

  • OKTA-555152

    The shortcut URL /login/default didn't always go to the End User Dashboard.

  • OKTA-564388

    When Multibrand was enabled, orgs couldn’t add an email domain that they’d previously deleted.

  • OKTA-566659

    Pushing group changes to Docusign failed when a member was removed from a group or a group push mapping was removed in Okta.

  • OKTA-568489

    Pushing groups for provisioning to Office 365 failed if the groups already existed.

  • OKTA-568851

    Some URLs on multifactor authentication app pages pointed to incorrect destinations.

  • OKTA-579360

    Users were still active in the hub org after being deactivated in a spoke org.

  • OKTA-581789

    Import completion emails weren't sent to administrators with custom admin roles.

  • OKTA-583585

    Admins were unable to update passwords for SWA apps in orgs with certain configurations.

  • OKTA-585741

    Empty values for attribute statements in SAML assertions didn't remove previously specified values.

  • OKTA-586713

    The variable ${baseURL} in the HTML for some email templates didn't resolve in the browser.

  • OKTA-587325

    After activating their accounts, users who enrolled through the Sign up link received an error if they clicked Set up later on the Security methods page.

  • OKTA-588140

    The Delegated flows page was visible to orgs that hadn't configured any delegable flows.

  • OKTA-588408

    Admins could configure the Maximum Okta session lifetime setting for an Okta sign-on policy rule that denied access.

  • OKTA-591800

    When the sign-in page was edited using the code editor, the event type system.custom_error.update was logged.

  • OKTA-593131

    Some attributes previously added to user profiles from incoming SAML responses weren't cleared when the attribute was later omitted.

  • OKTA-594775

    In some orgs, the Office 365 thick client sign-in page didn’t display the app instance name.

  • OKTA-595042

    A successful MFA that followed unsuccessful MFA attempts mistakenly locked out users.

  • OKTA-596437

    When the API Service Integration feature was disabled, a query for inactive app integrations incorrectly returned a list with revoked API service integrations.

  • OKTA-597697

    When Multibrand was enabled, orgs couldn’t reset the default application for the Sign-In Widget.

  • OKTA-599040

    An extra input field sometimes appeared on the sign-in page for SP-initiated SSO.

  • OKTA-599062

    On the Push Groups to Active Directory page Okta admins were unable to view all the organizational unit.

  • OKTA-599243

    When the redesigned resource editor feature was enabled, admins could save the Add Resource screen without selecting a resource.

  • OKTA-599483

    In orgs with the new authenticator management feature enabled, attempts to create or update an Okta enrollment policy failed.

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

OIDC for the following Okta Verified applications:

App Integration Fix

The following SWA app wasn't working correctly and is now fixed:

  • Louisiana Medicaid (OKTA-578791)

Fixes

  • OKTA-570851

    Some app provisioning error strings weren't translated.

  • OKTA-586571

    In some orgs, users who successfully reset their passwords were redirected to a custom error page instead of the home page.

  • OKTA-591232

    Logos weren't correctly displayed on email templates.

  • OKTA-599684

    When Active Directory users were added through an import or JIT provisioning, their application groups were retrieved from an incorrect domain. This caused an internal error that prevented users from signing in to Okta.

  • OKTA-604536

    An older library was being used by the toolkit used by Okta Confluence Authenticator and Okta Jira Authenticator. The issue is fixed in version 3.2.2 of the toolkit.

  • OKTA-607199

    ThreatInsight temporarily prevented non-malicious users from accessing Okta.

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

March 2023

2023.03.0: Monthly Production release began deployment on March 13

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

Sign-In Widget, version 7.4.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.16.0

This version of the agent contains:

  • Use of FIPS 140-2 validated cryptographic security modules
    • bc-fips: Version 1.0.2.3
    • bcpkix-fips: Version 1.0.6
    • bctls-fips: Version 1.0.13
  • Support for LDAP agent auto-update
    • This version allows support for LDAP agent auto-update. Stay tuned for the self-service EA feature within Okta that will enable LDAP agent auto-update when available.
    • Upon agent installation on Linux platforms, we now grant the OktaLDAPService user permission to automatically install the newest agent version using the auto-update feature.
  • Bug fixes
  • Security enhancements

See Okta LDAP Agent version history.

Identity Engine Upgrade Hub

Okta is slowly rolling out self-service Identity Engine upgrade functionality to eligible orgs. When your org becomes eligible, the new OIE Upgrade Hub page displays in the navigation panel under Dashboards. The OIE Upgrade Hub provides a quick and easy way to schedule your org’s OIE upgrade for a more powerful and customizable identity experience. See Upgrade from Okta Classic Engine.

Agents page added to the navigation panel

The operational status of org agents can now be viewed by selecting the Agents page from the navigation panel. See View your org agents' status.

Rate limit increased for Event Hooks

The number of events that can be delivered to Event Hooks is now 400,000 events per org, per day. See Hooks.

Updated Okta logo

New Okta branding is now used for the Admin Console, the sign-in page, and the browser page flavicon.

Manage the Okta loading animation for custom apps

You can now disable the default Okta loading animation (interstitial page) that appears when users are redirected to custom applications. End users are shown a blank interstitial page, instead. This allows you to present a more branded end user experience. For more information, see Customize your Okta org. This feature is being re-released.

SAML logout metadata

SAML app integration metadata details now includes logout URL information when Single Logout is enabled.

OIN Manager enhancements

The OIN Manager now includes text to support API Service integrations.

System Log event

A new System Log event is created when an LDAP interface operation fails because an administrative rate limit was exceeded.

Enhanced Admin Console search

The Admin Console search now displays your search results in a user-friendly drop-down list. The list provides Top results, People, Apps, and Groups filters so you can quickly and easily find what you’re looking for. See Admin Console search.

Optional consent settings for OAuth 2.0 scopes

OAuth 2.0 Optional Consent provides an Optional setting that enables a user to opt in or out of an app's requested OAuth scopes. When Optional is set to true, the user can skip consent for that scope. See Create API access scopes .

SAML setup parameters

More setup parameters are now visible when configuring SAML as a sign-in method for app integrations. See Configure Single Sign-On options.

Log Streaming

While Okta captures and stores its System Log events, many organizations use third-party systems to monitor, aggregate, and act on event data.

Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as Amazon Eventbridge in real time with simple, pre-built connectors. They can easily scale without worrying about rate limits, and no admin API token is required. See Log streaming.

OIDC Identity Providers private/public key pair support

Previously, Okta only supported the use of client secret as the client authentication method with an OpenID Connect-based Identity Provider. Okta now supports the use of private/public key pairs (private_key_jwt) with OpenID Connect-based Identity Providers. Additionally, the Signed Request Object now also supports the use of private/public key pairs. See Create an Identity Provider in Okta.

Early Access Features

Verify Zoom users with Okta

Zoom users can now attest and verify a user’s identity between two independent parties using Okta-signed tokens.

Fixes

OKTA-530926

Authentication sometimes failed for LDAP users due to a null pointer exception. The issue is fixed in LDAP agent version 5.16.0.

OKTA-548568

Password validation caused an unexpected error during a self-service password reset.

OKTA-553278

Group memberships didn't update when an Okta user was relinked to Active Directory and then a full import was run.

OKTA-554109

Read-only admins were able to edit application integration pages.

OKTA-561769

A user with a Custom Administrator role could make changes to the End-User Dashboard but couldn't preview the dashboard.

OKTA-562113

Auto-population of non-English variable names in the Profile Editor didn't work as expected.

OKTA-564673

Empty groups caused LDAP delegated authentication testing to fail.

OKTA-578615

Some users could request a new one-time passcode after exceeding the limit for failed MFA attempts.

OKTA-580307

The Sign-in Widget sometimes failed to load for testing LDAP authentication.

OKTA-581530

Missing logos on the Groups page were displayed as broken links.

Applications

New Integrations

New SCIM integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Wistia (OKTA-561362)

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Adobe (OKTA-569857)

  • Adobe Stock (OKTA-564445)

  • Brex (OKTA-573146)

  • Criteo (OKTA-577154)

  • CTCC OncoEMR (OKTA-576358)

  • Lucidchart (OKTA-566188)

  • MyFonts (OKTA-566037)

  • Washington Post (OKTA-575907)

Weekly Updates

Generally Available

Fixes

OKTA-464288

SMS customization wasn't restricted in free developer orgs.

OKTA-516653

Group descriptions for AD groups linked to Okta groups weren't pushed.

OKTA-544970

When orgs used email template injection, some internal class information was visible in the message.

OKTA-562755

On the Admin Dashboard, the Total admins and Individually assigned counts were incorrect.

OKTA-567399

A deactivated Identity Provider couldn't be reactivated.

OKTA-567906

Admins were able to configure a multifactor enrollment policy that allowed the Okta Verify Push mode but didn't allow the one-time password mode.

OKTA-570664

BambooHR reported an error when Okta attempted to update a value using the value of a custom attribute.

OKTA-576483

Admins weren't able to add a network zone with the name BlockedIPZone.

OKTA-577014

Some users received inaccurate error messages when they registered their phone number for password reset and account unlock.

OKTA-585800

Some Cornerstone profiles failed to import due to missing information.

OKTA-589114

When orgs used daylight savings time, the Admin Dashboard and the System Log events timestamps were one hour behind.

Applications

Application update

The Front SCIM integration is updated to support group push.

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

OIDC for the following Okta Verified applications:

SAML for the following Okta Verified application:

  • ASP.NET (OKTA-575640)

App Integration Fixes

The following SWA apps weren't working correctly and are now fixed:

  • Acorns (OKTA-579034)

  • GoToMeeting (OKTA-566182)

  • PayPal (OKTA-562742)

Generally Available

Sign-In Widget, version 7.4.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

OKTA-503099

Admins were able to modify the auth_time claim for an access token using a token inline hook.

OKTA-562337

The options in the dropdown used to filter Admin Dashboard tasks were untranslated.

OKTA-566659

DocuSign group pushes failed when removing users from a group.

OKTA-568170

Some orgs couldn't disable the New Sign-On Notifications email.

OKTA-568376

Users couldn't enroll an IdP as an authentication factor if their username didn't match the case of the username in their IdP profile.

OKTA-579088

In Agents > On-premise, the Description link next to each of the agents was incorrect.

OKTA-584216

A suffix was added to the application label for new Onspring instances.

OKTA-587063

An older version of the OAuth library was included in the Okta Provisioning agent. The issue is fixed in Okta Provisioning agent 2.0.14.

OKTA-588262

The favicons for the Admin Console and End-User Dashboard were misaligned.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Laurel (OKTA-586151)

OIDC for the following Okta Verified application:

App Integration Fix

The following SWA app wasn't working correctly and is now fixed:

  • Poll Everywhere (OKTA-585747))

Fixes

OKTA-576159

On the IdP configuration page, searching for groups under JIT Settings sometimes returned an error.

OKTA-581158

System Log events for manual imports showed that the import was scheduled by Okta.

OKTA-585107

The hidden permissions count on the Edit role page was incorrect.

OKTA-585478

App sign-on events with usernames that exceeded 100 characters weren't always added to the System Log.

OKTA-587347

On mobile devices, users with long email addresses couldn’t see all the options in their settings dropdown menu.

OKTA-592074

Screen readers read apps on the End-User Dashboard as buttons instead of links.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Bitdefender GravityZone (OKTA-575873 - Okta-hosted instructions)

  • CorporateFitness.app (OKTA-575873 - Okta-hosted instructions)

OIDC for the following Okta Verified applications:

API service app for the following Okta Verified application: