Okta Verify for Android 3.6.0 is now available as an APK file on the Downloads page (Settings > Downloads). This release is also available in the Google Play Store. In addition to the availability as an APK file, it contains support for TLS 1.1 and bug fixes. For more information on APK files, see Distributing Okta Android Apps in China.

The size limit on the CSV download of the System Log is increased from 100K to 200K.

Configuring an application or integration to use OpenID Connect ID tokens or Oauth 2.0 access tokens with the Early Access API Management feature can take a lot of trial-and-error. Okta has made it easier to choose configuration settings and see the resulting tokens in the Token Preview tab of the Authorization Server page.

Add values on the left side to see how they would affect the token on the right. All the fields are selection boxes except User. For User, type in the first few letters to see a choice of user names.

You can try out different combinations of values, and see the resulting tokens (or error messages). Once you've got the right combination, it's easy to configure your authorization server and other components. For more information see Test Your Authorization Server Configuration.

The following legacy events are now available in the System Log:

• app.auth.slo.with_reason
• app.auth.slo.saml.malformed_request.invalid_type
• app.keys.clone_legacy
• app.keys.generate_legacy
• app.keys.rotate_legacy

When creating or editing an OpenID Connect app, there is a now button to copy the client credentials to the clipboard. For more information, see The OpenID Connect Wizard.

Profile Master and User Life Cycle Management enhancements are Generally Available for all EMEA Cell 1 and US Cell 5 organizations and all new production organizations. This feature is available as Early Access for all remaining organizations and will be Generally Available for all organizations in February 2018. For details see Profile Master and User Lifecycle Management.

The Okta Application Network (OAN) includes more than 5,000 pre-integrated business and consumer apps. As Okta expands our integrations beyond Single Sign-on and Provisioning we are adding new integration types to the catalog, now named the Okta Integration Network (OIN). While the new OIN still provides apps, it now includes advanced application integrations.

When adding or editing a claim to an authorization server, the Include in Token Type options are updated. The new values are Always and Userinfo / id_token request. The default is Always for id tokens. For more information on these options, see Create Claims.

Version 5.16.2 is available from the Edge store. This version fixes the following issues:

• After navigating to the login page and entering a username, the security image was not displayed
• Per-app MFA did not work through the plugin. The system kept prompting for MFA.

For history, see Browser Plugin Version History.

This update supports TLS version 1.2 encryption protocol to align with industry best practices and standards for security and data integrity.

For more information about the SharePoint People Picker, including requirements, see the Microsoft SharePoint On-Premises Deployment Guide. For history, see Sharepoint People Picker Agent Version History.

This Generally Available version of the Password Sync agent includes the following:

• Updates the minimum supported TLS version to 1.2
• Updates the minimum Windows Server version to Window Server 2008
• Changes to the default settings

For history, see Password Sync Version History.

Attribute mapping enhances the existing profile editor, by allowing you to manage individual attributes. You can use the attribute mapping screens exclusively or combined with the existing profile, as desired. This feature is now GA.

Attribute mapping contains the following enhancements:

• Individual mapping
• Support for enumerations
• A sample value appears automatically
• Warnings
• The fields are sorted
• A link to profile editor
• A Force Sync button that applies the mappings
• Delete and edit buttons for each attribute mapping

For detailed information, see Attribute Mapping.

You can automatically send your users an email if their account becomes locked due to too many failed sign-in attempts. You can insert a link in the email to let users unlock their account. This feature is now GA.

For details, see Configure lockout settings.

We have switched the provisioning endpoints for GoToMeeting in anticipation of their API changes scheduled for December 5, 2017.

There are three new sub-menus on the Provisioning page for an application. After enabling provisioning, there are groupings for To App, To Okta, and API Integration, as shown below. Previously, these pages were combined on one page. For details, see Provisioning and Deprovisioning.

This version supports the following:

• Support for adding Remember me cookie during JIRA logins.
• Fix for new sessions not being created for Jira and Confluence apps when an already logged in user re-authenticates with a new SAML assertion.
• SP-initiated flows are disabled for Confluence users that are not present in Okta.

For version history, see Confluence Authenticator Toolkit Version History and JIRA Authenticator Toolkit Version History.

Instance Level Del Auth moves Del Auth enablement from the org level (Security > Delegated Authentication) to the instance level (Directory > Directory Integrations). While preserving current Del Auth functionality, instance-level Del Auth is optimized for use in environments with multiple AD instances. It allows admins to delegate authentication on a per AD-instance level to support more granular authentication scenarios.

SuccessFactors can now be used as a Profile Master. Additionally, there are multiple fixes including improved incremental import support and pulling value names instead of ids for attribute values.

Admins now only receive notifications about locked-out users who are in the group, or groups that the Admin manages.

LDAP agent version 5.4.2 is now available. This version provides:

• Support for customers using Oracle Internet Directory
• Bug fixes
• Optimizations to:
  • Incremental imports
  • Agent installation
• Updated LDAP Agent default settings.

For agent upgrades, your current state of enablement is preserved.

For the version history, see Okta Java LDAP Agent Version History.

The System Log now tracks the following information for network zones:

• IP addresses
• IP ranges
• Blacklist status

Primary and secondary email addresses can be the same email id for a user.

Support for the Hungarian, Indonesian, Malaysian, Polish, Romanian, and Turkish languages for the email customization is now available to all customers in Beta format. For more information, see Configure the Display Language.

Okta Verify for Android 3.2.1 is now available as an APK file on the Downloads page. For more information, see Distributing Okta Android Apps in China.

• Active Directory Agent, version 3.4.9 provides the following:
• All the fixes and enhancements provided by Early Access (EA) versions from 3.4.4 to 3.4.8.
• Updating the minimum Windows Server version to 2008.
• Providing a fix for AD-mastered users that had issues signing in with passwords containing unicode characters.
• Updated AD Agent default settings. For agent upgrades, your current state of enablement is preserved.

For details see, Okta Active Directory Agent version history.

Now an error message appears if you try to verify when the Okta Verify passcode field is empty.

Selecting the information icon or clicking the rule name in API Access Management polices displays the users and groups the rule applies to, as well as the scopes that are granted to those users and groups. For more information, see Create Access Policies. .

The Okta Password Sync Agent supports Transport Layer Security (TLS) v1.2.

Validation for the correct number of parameters is improved in functions in the Okta Expression Language.

DocuSign app now uses OAuth 2.0 for authentication instead of username/password authentication performed via X-DocuSign-Authentication header.

Updated translation in Push Verify Activation email templates.

Certificate issuance, enrollment, and revocation events for Okta Device Trust for Windows are now written to the System Log.

System logs now report the Subject in API Access Management and OpenID Connect access token and refresh token events in addition to clientId and orgId.

The Network tab is now the Networks tab.

Users with numerous apps can find an app more easily with the new Search bar that accepts app names and app instances. You can also complete more tasks directly on the page, such as assigning users and groups. Additionally, you can copy embedded links straight to the clipboard from specific apps—no need to hunt through the app list to capture them. This feature is now GA. This feature is available in Production for new orgs only.

Group Push now supports the ability to link to existing groups in Box, G Suite, Jive and Active Directory. You can centrally manage these apps in Okta. While this option is currently only available for the listed 4 apps, Okta will periodically add this functionality to more and more provisioning-enabled apps. This feature is now GA. This feature is available in production for new orgs only.

The Private App Store for Android (AfW) and iOS devices is now Generally Available. This feature allows admins to upload internally-developed native apps to Okta and distribute them to end users via Okta Mobility Management (OMM).

The flow of an end user's identity throughout the different stages of access is known as a user's lifecycle. This release contains several enhancements to define the options that manage this cycle clearly.

• Simplified Import settings: Using a profile master necessitates a clear distinction between new and imported end users to prevent conflicts. Feedback from our users prompted improvements with matching rules, auto-confirmation and auto-activation settings.
• New lifecycle settings: When an end user is deactivated in a profile mastered app, admins can now set whether they are deactivated, suspended, or remain an active user in Okta.

This feature is now GA. This feature is available in production for new orgs only.

This version includes internal updates and minor fixes. For agent version history, see SSO IWA Web App Version History.

The Microsoft Edge browser is supported by Okta with the Okta Secure Web Authentication Plug-in v5.16.0. The plugin is available on the end-user Dashboard and the Admin Downloads page. For version history, see Browser Plugin Version History.

Firefox plugin version 5.15.3 is now GA for all orgs.

This version provides support for the latest Firefox web extension framework. There is no UI impact for customers; however, they must have this version installed as of Firefox version 57 (released on November 14, 2017).

Note: When the Okta plugin version 5.15.3 is installed, Firefox version 53 or earlier does not support single sign-on to apps through Basic Authentication. If you have any questions or concerns following the upgrade, contact Okta Support. For version history, see Browser Plugin Version History.

System Log entries related to refresh tokens in API Access Management and OpenID Connect now correctly log the clientIds and the number of tokens which were revoked.

Okta Device Trust for Windows authentication events are now written to the System Log.

The Workplace by Facebook integration is enabled for Universal Directory and is enhanced by additional properties in the User Profile. See Workplace by Facebook Provisioning Guide.

We have added the ${recoveryToken} variable to the Password Reset by Admin email template. See Customizing Email Templates for more information about email templates.

The option to change a linked group in one operation is no longer available. You must first unlink the group and then recreate the link to a different group.

Support for the Greek language for the end user experience is now available to all customers in Beta format. You can select the default language preference for your entire org, and your end users can select a different language preference for their own experience. The end user's preference overrides the language set for the org. For more information, see Configure the Display Language.

Admins can unlink a pushed group and remove any Group Push mappings that were created by Group Push rules. For more information, see Using Group Push.

When using Group Push, you can relink to a group that you previously deleted with the leave the group in the target app option without reimporting the group from the target app.

There are additional System Log descriptions for app approval workflow events. For a list of these events, see System Log Entries.

We now allow admins to provide unique SP Entity ID and ACS URL values when configuring SAML for Atlassian Cloud (Atlassian Jira and Confluence). This is done in preparation for upcoming SAML related changes from Atlassian; for more details on the changes please refer to our Atlassian Cloud SAML Configuration Guide.

You can now configure the RADIUS application to allow end users to submit a password and a second MFA factor, such as a security token, in a single request. The password and the second MFA factor are separated by a comma. For information on setting up and using this feature, see Advanced RADIUS Settings.

Several labels and messages localized in the Italian language have been improved.

Group processing errors are tracked in the System Log. If a group rule evaluation results in an exception for a user, it's tracked in the log.

The maximum configured SAML attribute value is increased to 1024 characters.

The password complexity requirements are more fully explained on the Sign In screen.

Administrators can exclude first names, last names, or both as a password complexity requirement by checking options in the Password Settings section for a policy on the Authentication page. For more information, see Complexity Requirements.

Legacy event types and log messages for authorization, token grants, authorization server lifecycle operations, scope, and claim operations are tracked in System Log v1. These events are already tracked in System Log v2.

In order to protect the service for all customers, Okta enforces concurrent rate limits starting with this release. Concurrent limits are distinct from the org-wide, per-minute API rate limits.

For concurrent rate limits, traffic is measured in three different areas. Counts in one area aren't included in counts for the other two:

• For agent traffic, Okta measured each org's traffic and set the limit above the highest usage in the last four weeks.
• For Office 365 traffic, the limit is 75 concurrent transactions per org.
• For all other traffic including API requests, the limit is 75 concurrent transactions per org.

Okta has verified that these limits are sufficient based on current usage or grandfathered higher limits for those orgs that have historically exceeded this limit.

The first request to exceed the concurrent limit returns an HTTP 429 error, and the first error every 60 seconds is written to the log. Reporting concurrent rate limits once a minute keeps log volume manageable.

For details on the limits, see Concurrent Rate Limits. The Okta System Log includes entries for errors resulting from too many concurrent requests.

Okta enforces a maximum subdomain length of 57 characters when creating new Okta orgs.

To improve clarity, minor changes were made to the email that Okta automatically sends when end users sign into Okta from a new or unrecognized device.

Okta has made the following enhancements to the System Log:

• Authentication failures are recorded when an app requires MFA and a user doesn't have any MFA factors set.
• When an end user tries to access an app that has not been assigned to them, the System Log now records the app name as a target.

The union of group assignments allows you to take advantage of group prioritization and the attributes they contain. For end users belonging to multiple groups, their attributes can either be combined from string array values across groups, or set to honor the highest priority group. This feature is now Generally Available (GA). For more information, see Combine Values across Groups.

OpenID Connect scopes are returned from requests to `/api/v1/authorizationServers/:authorizationServerID/scopes'. You can edit scope descriptions in the Okta user interface or via the API. For more information on scopes, see Create Scopes. For information on using the Okta API with an authorization server, see OAuth 2.0 API.

Admins can reset passwords for AD-mastered users with the same easy process already in place for Okta-mastered users. For details, see Manage self-service password reset.

The new Help Desk Administrator role is now Generally Available. This role can perform common help desk actions. This role has a reduced set of permissions and promotes good security practices by not granting unnecessary permissions to help desk personnel.

Note that you cannot assign permissions to the Help Desk administrator role selectively. Instead, it has these fixed permissions:

• Reset Password
• Reset Multifactor Authentication
• Unlock Account
• Clear User Session

For more information, see Help Desk Administrator role.

You can now configure Advanced API Access for Office 365 instances by using the Sign On tab. This feature enables more robust provisioning functionality, and in the future will support new types of app integrations and functionality for Office 365.

• To allow you to scan System Log events faster, the 20-character alphanumeric ID attribute for the actor and target fields of an event is no longer displayed. You can still access ID attributes by expanding individual events.
• The checkOSXAccessEligibility event is no longer logged to the System Log.

All group rules are processed for a user, even if one or more rules fail.

Support for the Turkish language for the end user experience is now available to all customers in Beta format. You can select the default language preference for your entire org, and your end users can select a different language preference for their own experience. The end user's preference overrides the language set for the org. For more information, see Configure the Display Language.

Until now, the reset password link in the Password Reset by Admin email redirected end users to the previous version (deprecated) of the Okta Sign In page. Now the link redirects end users to the current Okta Sign In screen if the template has not been customized. If the template was customized, you must update the link URL to ${resetPasswordLink} if you want to ensure that end users are redirected to the current Sign In page.

Note: A previous version of this announcement specified an incorrect link URL. The URL shown above is correct.

The text in standard Okta email templates that specifies when links expire now displays in the language set by the end user's locale attribute. To change custom templates to match this behavior, see Functions. Also, for consistency, all standard templates use the same function for temporary links.

Okta People Picker for Sharepoint agent version 2.2 is now available. This release includes the following:

• Fixes an issue where users were unable to create a SharePoint site after People Picker for Sharepoint version 2.0 was installed.

• Includes a PowerShell script to create the Sharepoint trusted token issuer in the downloadable Okta People Picker for Sharepoint packages.

• Includes updated setup instructions for the SharePoint (On-Premise) application to indicate that the PowerShell script is now available inside the downloadable Sharepoint package.

For version history, see Sharepoint People Picker Agent history.

This feature is now Generally Available. Admins now have more options for specifying the mobile client types allowed to access Microsoft Office 365 Exchange ActiveSync from native applications.

For details, see Configuring Rules for Office 365 Client Access Policies.

You can disable the use of email for initiating account recovery flows. At least one group password policy is required to make this specification.

There is now a link from a User Profile page (Directory > People > <username>) that takes you directly to the System Log with a prepopulated search query for all events related to that user. :

When a user logs in from OWA or any Office 365 web app, they are redirected to Okta to login. The user does not have to type their username as it is now automatically populated with the Okta username resolved from Office 365. Note that the username is only populated after a user has successfully authenticated at least once on the device. This feature is now Generally Available.

We have improved the performance of our Okta Usage Report by removing the detailed Preview section of the UI. Simply enter your filter criteria, then click Download CSV to download your data and view the report. For details about Okta Reports, see Reports.

You can now customize the email template for Self-Service Unlock when Account is not Locked. For more information, see Customize the text of an email template.

Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import.

Okta now supports incremental imports for the following application integrations:

• SuccessFactors
• ServiceNow UD
• SmartRecruiters

The option for enabling LDAP Profile mastering is now on the LDAP Settings > Import Settings page.

The IWA Web agent 1.10.3 is now Generally Available. This version restores support for Windows Server 2008. Please refer to IWA Web App Version History for more details about the change and Configuring Desktop SSO documentation for a complete list of supported platforms.

Okta sign in now uses version 2.6 of the Duo SDK. For more information on Duo, see Configuring Duo Security.

The Okta RADIUS server agent version 2.7.0 is now Generally Available. This version contains better logging, improved queue management, packet duplication fixes, and many performance optimizations. Windows event logs are not created by default. This version supports the RADIUS Generic App and Amazon Workspace App. For the version history, see Okta RADIUS Server Agent Version History.

Okta has improved the messages returned with some error codes for OpenID Connect and OAuth 2.0 client apps using the [/oauth2/v1/clients](/docs/api/resources/oauth-clients.html) and [/api/v1/apps](/docs/api/resources/apps.html) endpoints.

Okta plugin version 5.14.0 for the Chrome browser includes improvements to help prevent memory leaks. For version history, see Browser Plugin Version History.

Okta provides a pre­configured Custom Authorization Server named default. This default authorization server includes a basic access policy and rule, which you can edit to control access. It allows you to specify default instead of the authorizationServerId in requests to it:

• https://{YourOktaOrg}}/api/v1/authorizationServers/default for a default Authorization Server
• https://{YourOktaOrg}}/api/v1/authorizationServers/:authorizationServerId for other Custom Authorization Servers

For more information, see API Access Management.

OpenID Connect, which uses the Okta Authorization Server, can retrieve application groups for use in tokens. Previously, application groups could only be retrieved with the Custom Authorization Server.

You can use the Okta Expression Language getFilteredGroups to retrieve application groups.

OAuth 2.0 clients now support configuration of the web application type to use a client_credential grant type. This allows you to use one client_id for an application that needs to make user­-specific calls and back­end calls for data. For information on grant types, see App Wizard - Procedures.

The debug section of the System Log v2 now contains a list of the names of changed properties.

SAML forceAuthN reauthentication flows always prompt for both the user name and password.

There is a new LDAP agent version 5.3.12 with updated default settings. For agent version history, see LDAP agent history.

The simplified Android for Work setup wizard that removes the dependency on G Suite accounts is now Generally Available. For more information, see Setting up Android for Work in Okta.

Beginning with Okta Mobile for Android 2.16.0, we introduced an improved Okta Mobility Management (OMM) enrollment flow that clarifies which type of data is private and which is company-accessible. This enrollment flow is now Generally Available.

The ability to customize expired password flows to redirect end users to a specified website instead of the default Okta expired password form is now Generally Available.

For details, see Expired Password.

The ability to generate a certificate with a specified validity period (see the Apps API and IdentityProviders API ) is now Generally Available. OpenID Connect and API Access Management are built on this feature.

OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end user in an interoperable and RESTlike manner. In technical terms, OpenID Connect specifies a RESTful HTTP API, using JSON as a data format.

OpenID Connect allows a range of clients, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end users. The specification suite is extensible, supporting optional features such as encryption of identity data, discovery of OpenID Providers, and session management.

Okta is certified for OpenID Connect. For more information, see OpenID Connect and Okta.

To improve performance with long lists in the Zendesk SAML app, the Edit Group Assignment page now supports paging.

You can now blacklist entire zones to deny clients from these zones access to any URL for the org. This feature is Generally Available. For more information, see Network.

We have enhanced our Workday integration to support Profile Updates. For more information about Workday provisioning, see the Workday Provisioning Guide.

The maximum number of network zones is increased to 5000 legacy network zones. For more information, see Network Zones.

The agent status indicator on the Settings page for an agent now refreshes every 30 seconds instead of every 5 seconds. This applies to Active Directory and LDAP agents.

The message that displays when an end user enters an invalid password now includes password age violations.

Bug fix for agent installation failure when an Internet Explorer proxy was in use. For version history, see On Premises Provisioning Agent and SDK Version History.

We've enhanced our System Log to take advantage of our new Network Zones feature. Admins can now hover over an IP address that's part of an event and navigate through the series of menus to add that IP address to either the gateway or proxy list of IP addresses.

Through mobile policy rules for iOS and OS X devices (Devices > Mobile Policies), you can now disable the Wipe All Device Data option located on the Device Attributes page. Devices that are already enrolled in OMM are not affected by changes to this setting. For details, see Disable Device Wipe permission.

New Okta Security menus, redesigned based on your feedback, are now available in Preview. The new menu architecture provides a more intuitive configuration and management experience.

SAML support for Amazon Web Services (AWS) with multiple accounts allows you to set up a single app integration to access multiple AWS accounts. You no longer have to set up multiple AWS app integrations in Okta for your end users. For details, see the AWS SAML Guide.

When adding a SAML app, you can configure multiple ACS URLs to support apps capable of choosing where the SAML response is sent. This feature is now Generally Available. For more information, see Using the App Integration Wizard.

Our Universal Directory integration with ServiceNow is now Generally Available. For details, see the ServiceNow Provisioning Guide.

You can now specify the minimum age of end-user passwords in Active Directory Group Password policies.

A new Teams app integration is available under the General tab for the Microsoft Office 365 app. To enable this app integration, see Enable Microsoft Office Applications:

The Application Page contains usability improvements based on customer feedback. We've refined our Search to use app instance names. The page default app list is now sorted by name; previously, it was sorted by app type and name. For more details about search, see The Applications Page.

• The event log for OMM commands displays user, device, and policy information related to the command.
• SysLog 1.0 and 2.0 track key rotation, key generation, and key cloning.

You can now customize the placeholder text that appears in dialog boxes when end users click account recovery links on the Sign-In page. For details, see Customize the placeholder text in account recovery dialog boxes.

You can now customize the text of the help link on the Sign-In page. Clicking the link reveals account recovery options. For details, see Customize Sign-In page headings and links.

The Mobile Policies and Wifi config security options are now only available on the Devices menu, as shown below. Previously, they were also available on the Security menu.

To allow Okta to grant authorization requests to apps that do not specify scopes on an authorization request, you can now configure scopes as defaults. If the client omits the scope parameter in an authorization request, Okta returns all default scopes in the Access Token that are permitted by the access policy rule. For details, see Create Scopes.

The wizard for creating an OpenID Connect app has been improved and consolidatedonto a single screen.

The Settings Page for AD-mastered users matches the Settings Page for Okta-mastered users to show the security question whether or not password reset or self-service unlock is available.

Okta plugin version 5.12.0 is GA for the Chrome browser. This version updates how we describe the plugin in the Chrome web store, and provides several internal improvements. For version history, see Browser Plugin Version History.

Query string is now supported in the definition of an IdP Login URL:

• The IDP Login URL field in the Add/Edit Endpoint wizard.
• The IdP Single Sign-On URL for Inbound SAML. Reserved SAML parameters (SAMLRequest, RelayState, SigAlg, Signature) in the query strings are ignored.

Buttons on the People page for individuals are consolidated. If one or more actions are available, individual buttons appear. If three or more actions are available, a single button for a primary action appears adjacent to a More Actions button containing other available actions.

The Okta Java LDAP agent version 5.3.10 is Generally Available. This version provides various improvements to the agent log, as well as fixes to the following issues:

• Imports from LDAP failed in some orgs due to way the Okta LDAP agent handled unicode characters.
• Imports from LDAP failed in some orgs due to randomly dropped connections between the LDAP agent and Okta.

1. We have finished migrating all customers to our enhanced System Log as part of our on-going GA rollout. With this release, when navigating to the System Log in your Okta Administrator Dashboard, all orgs will now see the new System Log.
2. We have enhanced our System Log by logging an event (security.session.detect_client_roaming) when a session roaming event is detected.
3. The Okta Expression Language function getFilteredGroups events can be tracked with the /api/v1/events call, in addition to tracking in System Log v2.
4. There is additional logging for an invalid OAuth 2.0 client. If we detect five or more consecutive authentication attempts with the wrong client secret, Okta logs the events as suspicious:
   • The requests may be to any OAuth 2.0 endpoint that accepts client credentials.
   • The counter resets after 14 days of no invalid authentication attempts, or after a successful authentication..
   • The message is Multiple requests with invalid client secret for client id.

When configuring an LDAP provisioning group, you must now enter a DN attribute in the Provisioning Destination DN field to specify the container in which new users are created in LDAP (Directory > Groups > LDAP > Manage Directories). Before this change, leaving this field unpopulated meant that Okta automatically created new users in the container specified in the User Search Base field (Directory > Directory Integrations > LDAP > Settings > LDAP Configuration). This fallback method may have produced unexpected results. For more information, see Groups.

When configuring an authorization server, you can now specify when ID token claims are included in ID tokens sent from an authorization server. For details, see Create Claims.

The Okta screens contain additional links. There is a link to the Okta Trust page from the bottom of the screen and the word Okta at the left of the menu bar is now a link to the Dashboard. Additionally, any links from an Admin banner page open in a new window by default.

The word Okta is a link.

The Group Password Policy feature is now GA. For details, see Security Policies.

The Group Administrator role, previously known as the User Administrator role, is Generally Available. This role provides granular people management features and has enhanced capabilities for managing users within groups to which they are scoped. Super Admins can assign this role to isolate control over certain groups and teams within their organization. For details, see The Group Admin Role.

We are switching from the SHA-1 signature algorithm to the SHA-256 algorithm for signing assertions used to sign in to Microsoft Office apps, both for browser-based and thick client use cases.

Note: This is a phased rollout to Production that is expected to be complete by 2017.26.

Our powerful new Universal Directory (UD) integration with NetSuite is now GA. For details, see the NetSuite Provisioning Guide.

The enhanced Application Page Search is now GA. If your org has 50+ apps, you can now use a Search bar that accepts app names and instances. You can also complete more tasks directly on the page, such as assigning users and groups. Finally, you can copy embedded links straight to the clipboard from specific apps without the need to scroll through the app list to find them.

An enhanced app assignment screen is available for all preview orgs. You can toggle between people and groups on the same screen, view an error message if an assignment cannot be completed, and select Assign to people or Assign to groups from the Assign button, as shown below. For details, see Assign Applications on the Using the Applications Page.

You can unlock your user accounts in bulk in the same way that you can reset passwords and MFA in bulk.

Our new provisioning integration with SmartRecruiters is now GA and supports the following features:

• Import New Users
• Push New Users
• Push Profile Updates
• Push User Deactivation
• Reactivate Users

For details, see the SmartRecruiters Provisioning Guide.

Authentication whitelisting and blacklisting based on Network zones is now Generally Available (GA). Network zones are sets of IP address ranges. You can use this feature in policies, application sign-in rules, and VPN notifications. This expands the use of Gateway IP Addresses. For more information, see Network.

You can now disable the various methods your end users can use to request apps. For details, see Access Request Workflow.

The following message now displays in the end users' Display Language setting if they have not specified a language preference.

We have updated the Okta Confluence Authenticator to version 2.0.5. This version adds support for custom base URLs (for example, http://confluence.onprem.com/my-confluence). For version history, see the Okta Confluence Authenticator Version History.

As both the JIRA Authenticator and the Confluence Authenticator are built on the Okta SAML Toolkit for Java, all three components are incremented to version 2.0.5 to maintain version consistency. For more details on these integrations, see Using the Confluence On Premises SAML App and Using the JIRA On-Premises SAML App. We strongly recommend that customers download and upgrade the latest SAML toolkit and the relevant Jira or Confluence authenticators. You can access all of these tools from Settings > Downloads.

Use the Okta Expression Language function getFilteredGroups to create a list of groups to which the current member belongs. With such a list you can, for example, create claims in Access Tokens and ID Tokens based on the groups. For details, see Group Functions.

The requirement that the Universal Directory locale property can only contain ISO/SCIM locale values is enforced for all new app instances. For details of this requirement, see UD Enforcement of ISO-compliant Locale Values.

You can use the login_hint property on the OAuth 2.0 API (/oauth2/:authorizationServerId/v1/authorize) to populate a username when prompting for authentication.

We have updated the following Okta authenticators:

• Okta JIRA Authenticator to version 1.0.15 for the JIRA On-Premises app version 6.x.x.
• Okta JIRA Authenticator to version 2.0.4 for the JIRA On-Premises app version 7.x.x
• Okta Confluence Authenticator to version 2.0.4 for the Confluence On-Premises SAML app
• Okta SAML Toolkit for Java to version 2.0.4

We strongly recommend that you download and upgrade to the latest SAML toolkit and the necessary Jira or Confluence authenticators. You can access all of these tools from the Okta Downloads page (Settings > Downloads). For version history, see Version History Tables.

You can now use an HTTP redirect for SAML single log-out requests.

The ServiceNow SAML application now supports Single Logout (SLO). This is an optional feature, and it is not enabled by default. To set up SLO for ServiceNow, follow the steps in the ServiceNow SAML guide.

We have updated our Jira and Confluence Cloud provisioning integrations to match with Atlassian's new identity structure using Atlassian Accounts. As part of this update, we have disabled/removed Sync Password and Update User Attributes functionality because Atlassian no longer supports them.

Atlassian is migrating all JIRA Cloud and Confluence Cloud customers by May 26th, 2017 to a new single identity called Atlassian Account. When you are ready, contact Atlassian to have your account migrated. If you do not contact Atlassian your account will be migrated automatically starting May 29th, 2017.

For details, see Migration to Atlassian Account for Jira Cloud and Confluence Cloud Customers for details.

We are migrating a significant number of our customers to our enhanced System Log as a part of our on-going GA rollout. In the next release, you may see the new System Log when navigating to Security System Log in your Okta Administrator Dashboard.

We have an enhancement for admins using .csv templates for user app assignments in lieu of provisioning. Along with importing users with Base attributes using a .csv template, you can import users with Custom attributes defined in the Profile Editor.

If a task is created from a group app assignment, you can change it to an individual assignment. All group assignment tasks contain an option for this permanent conversion. For details, see the Tasks Page section in The Administrator Dashboard.

The User Administrator role is now GA, including the people management features. This role has enhanced capabilities for managing groups. Super Admins can assign this role to isolate control over certain groups and teams within their organization.

To support our Concur integration, we now support TLS v1.2.

We have updated Egnyte provisioning so that once a user is provisioned into Egnyte by Okta and assigned the SSO authentication type, no further email validation is required. If you still want to receive a validation email from Egnyte for new SSO users, check the Send Egnyte Validation Email for SSO users box under the Provisioning tab.

We have added a new set of reports to our Reports page.

Auth Troubleshooting reports provide links to pre-defined queries in our System Log about the following authentication events:

• Okta Logins (Total, Failed)
• SSO Attempts
• Auths Via AD Agent (Total, Failed)

We've updated the visual progress indicators that appear in the Okta platform (spinners, progress bars).

Authentication whitelisting and blacklisting based on Network zones is now Generally Available (GA). Network zones are sets of IP address ranges. You can use this feature in policies, application sign-in rules, and VPN notifications. This expands the use of Gateway IP Addresses. For more information, see Network.

Okta plugin version 5.11.0 is GA for Chrome, Firefox, Internet Explorer (IE), and Safari browsers. This version provides recent performance and security enhancements. For more information, see Browser Plugin Version History.

Okta is enabling two features, macOS MDM and Android for Work, for OMM customers that have not switched to our SKU packaging. For OMM customers with SKU packaging, these features are already enabled.

The Welcome email that Okta sends to new end users is localized in the language in the users' default locale property (if specified) instead of the display language configured for your org (if different). For more information, see Configure the display language.

Admins can now examine the System Log to determine (in many cases) whether a given app login was initiated through the user's dashboard or through the browser plugin. For more information, see Reports.

Group Password Policy is now Generally Available for all Preview orgs. It is still an Early Access feature for Production orgs.

Okta Admins can upload their own SAML certificates to sign the assertion for Outbound SAML apps and to sign the AuthNRequest and decrypt the assertion for Inbound SAML. For more information, see the Bring Your Own SAML App Certificate guide.

Version 1.11.0 of the Okta Sign-In Widget is available for Preview orgs. For more information, see Okta Sign-In Widget.

Okta now supports TLS v1.2 communication between Okta and the Jira-On Premises server. We recommend updating your server as soon as possible, in accordance with security best practice.

We have updated the On­-Premises Provisioning (OPP) agent to version 1.01.00. This update adds an http option and makes UTF-8 encoding the default. Previously the default encoding was the one set on the OS/system on which the OPP agent was installed. After upgrading the agent, the default encoding becomes UTF-8, unless you override the default.

We have enhanced our System Log to now log the actual raw user agent string in the RawUserAgent string field.

• We have updated the On-Premises Provisioning (OPP) agent to version 1.0.13. This allows the OPP agent to use the TLS v1.2 protocol, and deprecates TLSv1.0. We recommend updating your OPP agent as soon as possible, as TLSv1.0 is no longer considered secure.

• Click Expand All to expand the left side event categories. This link then toggles to Collapse All.

• More information about an event is now displayed when the category is collapsed. The following additional details are displayed (if available):

  • Actor: user id
  • Client: ip address
  • Event: transaction id
  • Target: target resource type and target resource id

• In addition to displaying the Outcome of an event, when the Outcome is failure, we now also display the reason why

We have introduced a new Atlassian Cloud app integration that supports SAML for both JIRA Cloud and Confluence Cloud. In order to use SAML you will need to:

• Switch your JIRA/Confluence Cloud tenants to Atlassian Account.

• Switch to the Atlassian Cloud app integration in Okta.

For details, see How to Configure SAML 2.0 for Atlassian Cloud.

As part of Okta's Section 508 Compliance, links and buttons in certain areas of the Okta service are now illuminated when they're in focus. For more information about focus changes, see Testing HTML for Section 508 Compliance.

To harmonize with Google's plans to EOL the Divide Productivity app suite, we are now pre-configuring Gmail for Android for Work profiles on OMM-enrolled devices. For more information, see here.

Changes to the platform for this release are published in the Platform Release Notes on http://developer.okta.com.

Our Universal Directory-enabled provisioning integrations for British Telecom (BT) Cloud Phone Production and BT Cloud Phone User Acceptance Testing (UAT) environments are now Generally Available (GA) (note that the UAT app is available in Preview orgs only). The BT Cloud Phone applications support attribute-level mastering, which allows BT Cloud Phone to act as a master for users ' direct and extension numbers while other attributes are mastered by a different source, such as Active Directory (AD). For details, see British Telecom Cloud Phone configuration guide.

Our Universal Directory-enabled provisioning integrations for RingCentral Office @ Hand for AT&T Production and RingCentral Office @ Hand for AT&T User Acceptance Testing (UAT) environments are now GA (note that the UAT app is available in Preview orgs only). The RingCentral Office @ Hand for AT&T applications support attribute-level mastering, which allows Office @ Hand for AT&T to act as a master for users ' direct and extension numbers while other attributes are mastered by a different source, such as Active Directory. For details, see RingCentral Office @ Hand for AT&T configuration guide.

When deprovisioning users, you can now do the following:

• Remove or suspend a user in Dropbox.

• Wipe data from users ' linked devices.

• Transfer user files to other team member.

  For more details, see Dropbox Business configuration guide.

Essentially, an end user can sign into SAML apps without re-entering their Okta credentials on their mobile device. This feature can be disabled if you'd rather not allow seamless SAML access to Safari. For details, see Okta Mobile SafariExtension.

We have added a new option to our current list of VPN profiles viaOMM. Admins can now provision Pulse Connect Secure as a VPN client. For details, see Configuring VPN Profiles. This feature is currently only available for iOS devices.

The cell in which your org is running now appears at the bottom of the page. A cell is an independent collection of multi-tiered, redundant hardware and software designed to effectively manage service traffic and requests for a subset of Okta tenants. Okta is comprised of multiple cells strategically deployed across several geographic regions. You may be asked to provide your cell number whenever you contact Okta Support.

As part of Okta 's 508 Compliance, input text fields are now illuminated when they 're in focus.

For more information about focus changes, see here.

As with Domain local and Global groups, you can now push Universal groups to Active Directory.

When creating a new OpenID Connect app and configuring an Implicit grant type, you can now specify whether to include ID Tokens, Access Tokens, or both.

Per SAML standards, we now send Universal Directory (UD) array attributes in SAML 1.1 assertions as multi attribute values.

We have enhanced our System Log to now include more granular Microsoft Office 365 events.

You can configure an end-user fingerprint request that appears after the initial MFA challenge. If the user's device is lost or stolen, no one else can gain access to it. This feature is currently available only for iOS devices. For details, see Okta Verify with Touch ID.

We have improved text in the end user Welcome screen and Settings page in the Japanese language.

In addition to the index, we now support requesting the SAML ACS Endpoint by URL. For information about allowing apps to request other URLs, see Using the App Integration Wizard.

You can set an authorization server to manually rotate keys. Keys are rotated automatically by default. For more information, see API Access Management.

Important: Automatic key rotation is more secure than manual. Use manual key rotation only if you can't use automatic.

You can now search on the exact name of an authorization server or resource URI from the Authorization Servers tab (Security > API).

We have enhanced the Amazon Web Services SAML SSO to allow setting of a configurable AWS ACS URL and AWS API URL. These fields are optional, and give the you added control over the app configuration. Note that if you already have an Amazon Web Services app configured, it will continue to work as-is. (This feature was hotfixed in Preview Release 2017.02).

The Okta plugin version 5.9.3 is now Generally Available (GA) for Firefox and Internet Explorer (IE) browsers. This release provides performance and security enhancements and is available to all customers via Settings > Downloads. For version history, see Browser Plugin Version History.

• The Okta IWA Web App version 1.10.1 is now GA. This release includes internal improvements as well as all the fixes and enhancements contained in EA versions 1.10.0 and 1.10.1. It is available to all customers via Settings > Downloads. For version history, see SSO IWA Web App Version History.

The Okta end user Dashboard now supports skip navigation to allow users and screen readers to bypass links at the top of the page and go directly to their desired content such as app integrations, the Add App button, and end user Settings. For more information about skip navigation technology, see here.

• To allow more granular control of outbound provisioning to Active Directory (AD), admins can now deactivate the accounts of unassigned AD users and update user attributes in AD during app assignment and profile updates. For details, see Configuring Import and Provisioning Settings.

• You can permanently delete a deactivated user with the Delete button that appears in the directory screen for that user, as shown below. You cannot undo this deletion. After deletion you can reuse the user name and other identifiers; however, log entries are retained.

• Provisioning is enabled for the SightPlan Partner-Built application (OKTA-153312). For details, see the SightPlan Configuration Guide.

• Provisioning is implemented for the Verecho Partner-Built application (OKTA-150478). For details, see the Verecho Configuration Guide.

• Code42 Provisioning, a Partner-Built integration, has updated their integration to now support Push Groups feature.

• Provisioning is enabled for Pathgather. See the Pathgather Provisioning Guide for details.

• Provisioning is implemented for the Namely Partner-Built application (OKTA-147131). For details, see the Namely Configuration Guide.

• The Pathgather app is Okta-built. The Pathgather Cloud Provisioning Connector integration is now OKTA owned and publicly available. For any existing app instances using the custom version of this integration and being migrated to this publicly available bundle, the import feature would be disabled by default. Admins will need to enable the feature on the Provisioning tab and re-save the app instance to keep using the import feature.

• Provisioning is implemented for the LastPass Sync Partner-Built application (OKTA-147131). For details, see the LastPass Sync Configuration Guide.

• The Okta/Slack integration now supports Schema Discovery and additional profile attribute mappings. For details, see the Slack Provisioning Guide.

• Okta has implemented provisioning for the Trello Partner-Built application (OKTA-142138). For details, see the Trello Configuration Guide.

• Okta has implemented provisioning for the ThousandEyes Partner-Built application (OKTA-136978). For details, see the ThousandEyes Configuration Guide.

• Provisioning is implemented for the TalentLMS Partner-Built application (OKTA-135457). For details, see the TalentLMS Configuration Guide.

• We have enhanced the Roambi provisioning integration to support Roambi's European endpoint. If you are on Roambi EU, go to the Provisioning tab in Okta, and select EU from the Account Location dropdown menu.

  
  

  For details, see the Roambi Provisioning Guide.

• The following update was deployed to Preview with 2017.28, and is now deployed to Production. The Google Apps integration includes the following improvements:

  • Reduced import time by increasing the maximum number of users returned in a page from Google from 100 to 500.

  • Reduced the time it takes to update group memberships by batching requests into a single (up to 1000 per request) request. This significantly reduces the network overhead and latency when performing a large number of updates.

• The Smartsheet integration has improved messaging.

• Provisioning is implemented for the 15Five Partner-Built application (OKTA-134568). For details, see the 15Five Configuration Guide.

• The CornerStone on Demand integration now supports a customizable SAML ACS URL.
• Okta now supports SHA256 Fingerprints for application Security Certificates. Users of Freshservice are advised to update their SHA1 fingerprint to SHA256.

We have added support for EU endpoints to our NetSuite integration. You can now select EU endpoints when configuring provisioning for NetSuite.

• Org2Org group membership update jobs are more resilient. Previously, jobs failed as soon as any user within the update failed; therefore, not all users were updated who could have been. Now jobs fail only when more than 90% of the user's group memberships fail to update.

  The 90% threshold exists to detect and prevent situations where the Org2Org connector, or the target instance, are incorrectly configured and the job terminates early.

• We have enhanced Smartsheet provisioning to support User Reactivation. For this enhancement to take effect, you need to re-save Provisioning settings for any existing app instances.

  For details about Smartsheet provisioning, see the Smartsheet Provisioning Guide.

We've enhanced error handling for Service Now Eureka app provisioning.

We've enhanced the following integrations:

• BambooHR: Schema Discovery now supports attributes with numerical names. Previously, we only imported attributes with alpha-character aliases, such as hireDate. Note that attributes that are members of BambooHR Tables are not supported at the moment.

• Rally: Schema Discovery now supports all Rally user attributes available through the API, in addition to custom attributes.

  UltiPro: We've improved error messaging for provisioning international employees.

We've implemented Provisioning for the following Partner-Built application:

• Code42 (OKTA-128569). For details, see Code42's Configuration Guide.

• Airtable (OKTA-124530)
• Beam (OKTA-124524)
• OnDMARC (OKTA-126212)
• Tesorio (OKTA-127504)

• AvidXchange (OKTA-127776)
• Travelport ViewTrip (OKTA-126959)

• Salesforce.com (Federated ID) (OKTA-55571)

We have implemented the following:

We have changed the names of the following app integrations:

• SmartRecruiters is now SmartRecruiters (SWA Only)
• SmartRecruiters SAML is now SmartRecruiters (this app has provisioning and SAML functionalities)

• StatusCast (OKTA-93551)

• Infor EAM (OKTA-120077)

• Infor EAM (OKTA-119531)

• Outlook Web Access - 2003 (OKTA-124388)

• Orginio (OKTA-123619)
• ParkMyCloud (OKTA-123570)

• PageUp (OKTA-66973)

• Ceridian Dayforce HCM (OKTA-122004)
• Global Relay Archive (OKTA-122777)
• My M360 by GSMA (OKTA-123799)

• GoodNotes (OKTA-122663)

• HBS Timesuite (OKTA-123531)

• Lender Price (OKTA-123320)
• My Atlassian (OKTA-123161)
• PeopleStrategy (OKTA-123366)

• Schwab Advisors UAT (OKTA-122167)

• Palo Alto Networks - CaptivePortal (OKTA-112813)

• Palo Alto Networks - GlobalProtect (OKTA-113138)

• SigOpt (OKTA-122575)

• Bank Of The West - WebDirect (OKTA-120423)

• Client Track (OKTA-122171)

• My Cloud (OKTA-122215)

• ONE by AOL: Video (OKTA-122583)

• Cylance (OKTA-118387)

• Logit (OKTA-116516)

• TurboRater (OKTA-121517)

• Detectify (OKTA-122007)

• HPE Connected MX (OKTA-117314)

• Recognize (OKTA-116273)

• Vena (OKTA-116275)

• YardiOne Dashboard (OKTA-117894)

• America First Credit Union (OKTA-122681)
• MasterCard Smart Data (OKTA-122268)
• ONE by AOL: Video (OKTA-121268)

• GlobalMeet Web Audio (OKTA-118774)

• Sisense (OKTA-119574)

• Akamai Enterprise Application Access (OKTA-116573)

• Amazon Appstream (OKTA-117136)

• Bugsnag (OKTA-120278)

• ClearCompany (OKTA-120378)

• Dialpad (OKTA-120168)

• DigiCert (OKTA-121112)

• F5 BIG IP (OKTA-111494)

• Five9 Plus Adapter for Agent Desktop Toolkit (OKTA-120279)

• Gatekeeper (OKTA-119753)

• IBMid (OKTA-117726)

• SalesLoft (OKTA-120019)

• Shufflrr (OKTA-116274)

• ThirdPartyTrust (OKTA-119751)

We have enhanced our Evernote integration to include support for Business Sandbox environments for SWA, SAML, and Provisioning.

• IBM Connections (OKTA-119786)

• LoansPQ (OKTA-119828)

• TrueAbility (OKTA-119073)

• Blueboard (OKTA-117705)

• BoardEffect (OKTA-120303)

• Oracle Hyperion EPM Cloud Services (OKTA-116517)

• Reflektive (OKTA-118779)

• GreatVines Beverage Sales Execution (OKTA-119035)

• Invision (OKTA-120152)

• BEAMGroups (OKTA-119020)

• Cashet (OKTA-118123)

• Chrome River (OKTA-119192)

• Citrix Receiver (OKTA-116900)

• Glip (OKTA-118950)

• KnowBe4 (OKTA-118147)

• LoansPQ (OKTA-116896)

• Aurion (OKTA-109423)

• BearTracks (OKTA-114504)

• bob (OKTA-114648)

• Lattice (OKTA-119365)

• Lessonly (OKTA-114044)

• Skyhigh Networks (OKTA-118138)

• When I Work (OKTA-117854)

• SoapboxHQ (OKTA-83597)

• Basecamp (OKTA-118773)

• Birst (OKTA-118938)

• Glip (OKTA-119377)

• Livestream (OKTA-118776)

• Workfront (OKTA-119072)

• InVisionApp (OKTA-118777)

• CloudMine (OKTA-114839)

• Snowflake (OKTA-114823)

• Titanfile (OKTA-114834)

• We have enhanced the Amazon Web Services (AWS) configuration screen to reduce sensitive information displayed.

• CBRE-EA (OKTA-115150)

• A Cloud Guru (OKTA-117538)

• Adstream (OKTA-115203)

• Alerus Financial Retirement Account Access (OKTA-116702)

• Atlassian Cloud (OKTA-118934)

• BirdDogHR (OKTA-115842)

• Cook County Illinois (OKTA-109891)

• Ensighten (OKTA-117875)

• J. P. Morgan Markets (OKTA-115883)

• Merchant e-Solutions (OKTA-116199)

• Western Union Point of Sale (OKTA-114908)

• Bambu by Sprout Social (OKTA-116521)

• ContractSafe (OKTA-116632)

• Euromonitor Passport (OKTA-117579)

• FotoWeb (OKTA-99225)

• HireVue (OKTA-112967)

• LiGO (OKTA-115115)

• Merlin Guides (OKTA-115970)

• Nmbrs (OKTA-117137)

• Onshape (OKTA-115971)

• Platform9 (OKTA-97788)

• Schwab Compliance Technologies (OKTA-108582)

• Secret Server (OKTA-115972)

• Splunk Cloud (OKTA-114946)

• Testable (OKTA-115562)

• Certify (OKTA-115303)

• Greenhouse (OKTA-115836)

• Hightower (OKTA-87082)

• Procore (OKTA-115699)

• Pulse Connect Secure VPN (OKTA-115309)

• VLC (OKTA-117613)

• LoansPQ (OKTA-116896)

• Zoom (OKTA-116961)

• BT Cloud Phone (OKTA-110344)

• Fujitsu RunMyProcess (OKTA-114630)

• myPolicies (OKTA-113177)

• Bonusly (OKTA-114813)

• Bullhorn (OKTA-113959)

• Dell Boomi SAML (OKTA-114810)

• GoodData (OKTA-114830)

• HighQ (OKTA-114811)

• Intuit Quickbase with SubDomain (OKTA-114812)

• iPass (OKTA-114837)

• Joomla (OKTA-114838)

• Keylight Platform by LockPath (OKTA-114840)

• SocialText (OKTA-114826)

• SpringCM (OKTA-114829)

• WidenCollective (OKTA-114809)

We have added the option to send email notifications upon user creation to the JIRA Cloud and JIRA on-premise app integrations.

• Adjust (OKTA-113618)

• Apple MyAccess (OKTA-113555)

• Awesome Screenshot (OKTA-113632)

• Framer Cloud (OKTA-113964)

• Google Partner Dash (OKTA-113487)

• Google Tag Manager (OKTA-113211)

• Kanbans (OKTA-69763)

• Predictive Policing (OKTA-111943)

• Principal Advisor (OKTA-112103)

• WestNet Learning (OKTA-114255)

• Duo Network Gateway (OKTA-111954)

• Honest Buildings (OKTA-112673)

• Keeper Password Manager and Digital Vault (OKTA-112806)

• LiveRamp Connect (OKTA-113207)

• MetricStream (OKTA-111284)

• Qminder (OKTA-112438)

• RFPIO (OKTA-112823)

• Velpic (OKTA-113130)

• Splunk Cloud (OKTA-96258)

• Cornerstone OnDemand (OKTA-114007)

• MyMWC - GSMA (OKTA-112838)

• SDGs in Action (OKTA-110663)

• SDGs in Action (OKTA-110663)

• AbsorbLMS (OKTA-114002)

• ACL GRC (OKTA-112483)

• ANCILE uAlign (OKTA-112835)

• BenefitSolver (OKTA-112466)

• Bright Funds (OKTA-112472)

• BSwift (OKTA-113982)

• Changepoint (OKTA-114004)

• Cisco Spark Platform (OKTA-113962)

• Corcentric COR360 (OKTA-113989)

• Corpedia (OKTA-112484)

• CultureWizard (OKTA-112487)

• Daptiv (OKTA-112488)

• Eloqua (OKTA-113985)

• Everbridge Manager (OKTA-112458)

• GetThere (OKTA-112490)

• IBM Global Expense Reporting Solutions (GERS) (OKTA-112459)

• iMeetCentral (OKTA-112477)

• Information Center (Deprecated)(OKTA-112478)

• Introhive (OKTA-112491)

• Intuit Quickbase without SubDomain (OKTA-112462)

• KnowBe4 (OKTA-112463)

• LeanKit (OKTA-114001)

• MyComplianceOffice (OKTA-112493)

• Novatus (OKTA-113963)

• Qvidian (OKTA-113995)

• SAP NetWeaver (OKTA-113987)

• Schoolzilla (OKTA-112464)

• Selectica (OKTA-113997)

• TalentWise (OKTA-112460)

• Towers Watson Case Management (OKTA-112470)

• Whitehat Security (OKTA-113977)

• Zoho (OKTA-112479)

• ZoomForth (OKTA-112480)

Trello apps have been renamed to: Trello (SWA Only) and Trello (for SAML)

• Fidelity & Guarantee Life (OKTA-110857)

• Untangled Solutions (OKTA-110783)

• Citrix Netscaler Gateway (OKTA-111142)

• Five9 Agent Desktop Plus (OKTA-111282)

• GpsGate (OKTA-111458)

• Wiredrive (OKTA-110761)

• Benefex RewardHub (OKTA-108578)

• Caspio (OKTA-97787)

• Sustainovation Hub (OKTA-110852)

• WidePoint - ITMS (OKTA-102918)

• Jobvite (OKTA-112093)

• Creditsafe (OKTA-153212)

• ISO PAAS (OKTA-151277)

• JWPlayer (OKTA-152062)

• KISS Metrics (OKTA-150894)

• Schwab Equity Award Center (OKTA-152286)

• IBM SmartCloud for Social Business (OKTA-152015)

• JobScience (OKTA-149440)

• Absolute Console (OKTA-150815)

• Amazon (OKTA-151850)

• Cain Travel (OKTA-150780)

• Cardmember Service by Elan Financial Services (OKTA-150776)

• Corporate Perks (OKTA-150781)

• Envoy (OKTA-150770)

• J.Crew (OKTA-151571)

• Kestra Financial (OKTA-150774)

• Softchoice (OKTA-150773)

• Ticketmaster (OKTA-150772)

• TimeOff Manager (OKTA-150635)

• JIRA On-Prem (OKTA-135556)

• AccessAudi (OKTA-149978)

• FedEx US (OKTA-149239)

• General Motors GlobalConnect (OKTA-149897)

• Hellofax (OKTA-150611)

• HelloSign (OKTA-149952)

• iStock (OKTA-147972)

• Linux Academy (OKTA-149374)

• Microsoft Intune Company Portal (OKTA-149953)

• NFL Game Pass (US) (OKTA-150001)

• PayPal (OKTA-149500)

• PlanGrid (OKTA-149956)

• RingCentral (OKTA-149957)

• RingCentral (UK) (OKTA-149976)

• RingCentral SWA (OKTA-149388)

• Segment (OKTA-149947)

• Squarespace V6 (OKTA-149951)

• TechSoup (OKTA-149955)

• The Australian (OKTA-148795)

• Twilio (OKTA-148606)

• Upwork (OKTA-149097)

• Webassessor (OKTA-149960)

• WebEx (Cisco) (OKTA-141708)

• Authorize.Net Merchants (OKTA-148370)
• Barclaycard (OKTA-148011)
• Amazon (OKTA-149084)
• Amazon CA (OKTA-148898)
• Amazon DE (OKTA-148475)
• Amazon UK (OKTA-148897)
• Amazon Web Services (OKTA-149088)
• Booker (OKTA-146439)
• Carta (OKTA-147973)
• Citrix Receiver (OKTA-148386)
• CRG emPerform (OKTA-147542)
• EverBridge (OKTA-148344)
• FogBugz (OKTA-147545)
• Instagram (OKTA-148040)
• J.P. Morgan Markets (OKTA-148904)
• Knoll (OKTA-148051)
• LegalZoom (OKTA-147377)
• LucidChart (OKTA-147729)
• Maxwell Health (OKTA-147827)
• Microsoft Dynamics CRM Online (OKTA-149074)
• Mint Bills (OKTA-147827)
• MSDSonline (OKTA-147186)
• Ray Wenderlich (OKTA-148510)
• Subaru Partners (OKTA-148485)
• Uber (OKTA-148431)
• Vanguard (OKTA-148206)
• Virgin Pulse (OKTA-148204)
• Wescom Credit Union (OKTA-147541)

• 6sense ABM and Analytics (OKTA-148708)
  

• TOPdesk 5 (OKTA-145409)
  

• FedEx US (OKTA-146605)

• Lead2Lease (OKTA-146486)

• LeadLander (OKTA-144833)

• Microsoft SharePoint Online Office 365 (OKTA-146946)

• Mint (OKTA-147361)

• Okta Community (OKTA-146382)

• PlanGrid (OKTA-146598)

• Proofpoint Secure Share (OKTA-145653)

• Velaro (OKTA-132288)

• Woopra (OKTA-146487)

• Citrix Netscaler Gateway (OKTA-145561)

• Adjust (OKTA-145895)

• AlertLogic (OKTA-145349)

• AppRiver (OKTA-145520)

• Code42 Single Tenant (OKTA-146498)

• D&B Hoovers (OKTA-145596)

• DealerTrack (OKTA-145445)

• DriveHQ (OKTA-145588)

• EchoSpan (OKTA-146213)

• eWallet ADP (OKTA-144251)

• FedEx US (OKTA-145604)

• Gandi.net (OKTA-145396)

• GoodHire (OKTA-145735)

• HealthEquity (OKTA-145024)

• iSqFt (OKTA-146076)

• My Health Online (Sutter Health) (OKTA-146240)

• MySonicWall (OKTA-144680)

• NFL Game Pass (OKTA-145211)

• Papyrs (OKTA-145431)

• Right Networks Server (OKTA-145270)

• Site24x7 (OKTA-143583)

• Stamps.com (OKTA-146045)

• Tenable Support Portal (OKTA-144822)

• Visual Studio (OKTA-143568)

• ZeroFox (OKTA-145166)

• Beeline TMS (OKTA-144601)

• GoToMeeting (OKTA-144380)

• Instacart (OKTA-144442)

• iSupport (OKTA-144603)

• Microsoft SharePoint Online Office 365 (OKTA-144418)

• Schwab Personal Finance (OKTA-144444)

• Spectrum Time Warner Cable (OKTA-144602)

• UsabilityHub (OKTA-144596)

• Virgin Pulse (OKTA-144600)

• FreshService (OKTA-138139)

• Mobi Wireless Management (OKTA-142935)

• AWS Console (OKTA-143728)

• Paylocity Web Pay (OKTA-143122)

• LogicMonitor (OKTA-142693)

• J.P. Morgan Markets (OKTA-142766)

• Newport Group (OKTA-142163)

• United Health Care (OKTA-142401)

• Amazon Web Services (OKTA-141303)

• AWS Console (OKTA-140247)

• Elegant Themes (OKTA-141769)

• iConnectData (Comdata) (OKTA-140618)

• MailRoute (OKTA-141171)

• MB Marketing (OKTA-141170)

• Nexus Payables (OKTA-141768)

• Track What Matters (OKTA-141925)

• Veeam (OKTA-141849)

• Workable (OKTA-141476)

• Wufoo (OKTA-141468)

• 6sense ABM AND Analytics (OKTA-139419)

• Azure Portal Login (OKTA-139980)

• Bank of America (OKTA-139976)

• BlueStar (OKTA-139997)

• CallTower (OKTA-139996)

• Cover-More Travel Insurance (OKTA-139393)

• DNSPod (OKTA-139558)

• ePayslips (OKTA-139534)

• Fedex United Kingdom (OKTA-139977)

• Filesanywhere (OKTA-140001)

• FINRA (OKTA-139416)

• Gliffy (OKTA-139954)

• iOvation (OKTA-140002)

• ISS ProxyExchange (OKTA-139632)

• KnowledgeHound (OKTA-138418)

• MCM (OKTA-140003)

• Micro Focus (OKTA-139651)

• Microsoft Office 365 (OKTA-138224)

• MURAL (OKTA-140000)

• MyActiveHealth (OKTA-139635)

• Salesforce: Marketing Cloud (OKTA-139532)

• SecureMail Cloud (OKTA-139535)

• Site24x7 (OKTA-139575)

• Socialite (OKTA-139592)

• Synnex Vendor Portal (OKTA-139979)

• Vistaprint (OKTA-140142)

• Yield Software (OKTA-139634)

• Buffer (OKTA-139413)

• Campaign Monitor (OKTA-138879)

• CareFirst (OKTA-138443)

• Client Track (OKTA-138559)

• CultureGrams (OKTA-139637)

• Docebo (OKTA-139636)

• EmblemHealth (OKTA-139302)

• Ingram Micro (OKTA-139579)

• myresourcelibrary (OKTA-138438)

• OPP (OKTA-139633)

• Principal Advisor (OKTA-138902)

• Principal Financial Personal (OKTA-138904)

• Spectrum Time Warner Cable (OKTA-139554)

• Symantec Hosted Endpoint (OKTA-138267)

• ShareFile (OKTA-139210)

• Azure Manage (OKTA-137231)

• Box (OKTA-138287)

• Shiftboard (OKTA-137224)

• Truckstop.com (OKTA-137817)

• Salesforce.com (OKTA-137272)

• MuleSoft - Anypoint Platform (OKTA-135779)

• Air France (OKTA-136448)

• Amazon Developer (OKTA-136282)

• Hightail (OKTA-136365)

• Microsoft Office 365 (OKTA-136263)

• Vungle (OKTA-136483)

• AlertLogic (OKTA-136168)

• AST Equity Plan Solutions (OKTA-136206)

• Box (OKTA-136541)

• Confluence (Atlassian) (OKTA-136065)

• Microsoft Office 365 (OKTA-136263)

• Ultimate Software (OKTA-135120)

• Webassessor (OKTA-136220)

• ADP iPayStatements (OKTA-134635)

• MIR3 inEnterprise (OKTA-133844)

• NGS Connex (OKTA-133857)

• Pivotal Academy (OKTA-134826)

• Seek (AU) - Employer (OKTA-134584)

• SyncBASE/OPTRACK (OKTA-133882)

• The Australian (OKTA-134585)

• Aviso (OKTA-133339)

• Citibank (OKTA-133064)

• Eventbrite (OKTA-133710)
• Fastly (OKTA-133683)

• FedEx US (OKTA-133418)

• Flickr (OKTA-133397)

• Huddle (OKTA-132781)

• Kammer van Koophandel (OKTA-134302)
• Symantec Email Quarantine (OKTA-133845)

• Vitality (OKTA-133361)

• Cornerstone OnDemand (OKTA-132824)

• Confluence (Atlassian) (OKTA-132033)

• Humanity (OKTA-131083)

• Mimecast Personal Portal v3 (OKTA-131191)

• Saba (OKTA-132037)

• 10000ft (OKTA-129322)

• Basecamp (OKTA-131080)

• CSCglobal (OKTA-130350)

• Egencia (OKTA-131089)

• FlipKart (OKTA-130780)

• Great-West Life (OKTA-131687)

• MassMutual RetireSmart (OKTA-131686)

• Microsoft Account (OKTA-130765)

• MURAL (OKTA-131679)

• ProofHQ (OKTA-131081)

• ServiceNow - Eureka and later releases (OKTA-129647)

• Veeam (OKTA-130821)

• VMware Partner Central (OKTA-130208)

• Yahoo Mail (OKTA-131688)

• LiquidFiles (OKTA-129648)

• AvantLink (OKTA-128518)

• Chase Bank - Personal (OKTA-127948)

• Plex (OKTA-128351)

• Redis Labs (OKTA-128346)

• Vanguard (OKTA-128343)

• Wells Fargo - Personal (OKTA-128350)

• Cascade HR (OKTA-128216)

• cloudHQ (OKTA-127742)

• Microsoft SharePoint Online Office 365 (OKTA-127652)

• The Street (OKTA-127935)

• Artifactory (OKTA-113892)

• Advent Black Diamond (OKTA-127375)
• Citrix Netscaler Gateway (OKTA-127025)
• In Honda (OKTA-126638)
• Mass Mutual (OKTA-127331)
• Miles & More (OKTA-125495)
• Zang OnEsna (OKTA-127201)
• Zoho Invoice (OKTA-127246)

• Egnyte (OKTA-117225)

• Panorama9 (OKTA-125364)

• Sugar CRM (OKTA-67252)

• Akamai EdgeControl (OKTA-126758)

• ClearCompany (OKTA-126049)

• CloudCheckr (OKTA-126623)

• CT Lien Solutions (OKTA-117451)

• Evernote Business (OKTA-125498)

• Flickr (OKTA-126727)

• Flurry (OKTA-126629)

• G Suite (OKTA-125961)

• HeyOrca (OKTA-126622)

• PeopleStrategy (OKTA-126913)

• ReadMe.io (OKTA-126630)

• CloudHealth (OKTA-123984)

• OpsGenie (OKTA-120528)

• AdMob (OKTA-125591)

• Adobe Creative (OKTA-125497)

• DoubleClick for Advertisers (OKTA-125592)

• DoubleClick For Publishers (OKTA-125960)

• Dropbox Business (OKTA-125948)

• Firebase (OKTA-125593)

• FullStory (OKTA-125929)

• Gliffy (OKTA-125634)

• Google Data Studio (OKTA-125788)

• Google DoubleClick Ad Exchange (OKTA-125820)

• Google Merchant Center (OKTA-125793)

• Google Partner Dash (OKTA-125501)

• Google Picasa (OKTA-125772)

• Google Play (OKTA-125768)

• Google Plus (OKTA-125854)

• Google Search Console (OKTA-125709)

• Google Tag Manager (OKTA-125857)

• Google Voice (OKTA-125859)

• Level 3 Communications (OKTA-125494)

• Rise Vision (OKTA-125872)

• Teamviewer (OKTA-125292)

• Verint (OKTA-125496)

• LiquidFiles (OKTA-121955)
• Space IQ (OKTA-123613)

• BetterCloud (OKTA-125215)
• Evernote Business (OKTA-123979)
• Girard Securities (OKTA-111336)
• Hertz Gold Plus Rewards (OKTA-124848)
• Kaspersky CompanyAccount (OKTA-122566)
• Markel Insurance (OKTA-124511)
• QuickVTR (OKTA-123986)
• Sage Employee Self Service (OKTA-124880)
• WorkdayCommunity (OKTA-125175)

• Clarizen (OKTA-113837)

• Absolute Data & Device Security (OKTA-123628)
• CloudCheckr (OKTA-124280)
• G Suite (OKTA-124179)
• Google Accounts Personal (OKTA-124302)
• Google AdSense (OKTA-124288)
• Google AdWords (OKTA-124298)
• Google Analytics (OKTA-124290)
• Google Apps Admin (OKTA-124429)
• Google Mail (Offline) (OKTA-124436)
• Google Play Developer Console (OKTA-123809)
• Guardian Insurance (OKTA-121265)
• Postmark (OKTA-123677)
• ProProfs (OKTA-124314)
• ReviewSnap (OKTA-124349)
• SHRM Online (OKTA-123189)
• Squarespace V6 (OKTA-123784)
• YouTube (OKTA-124138)

• ShowPro (OKTA-116217)

• Aetna Health Insurance (OKTA-123000)

• Donnelley Financial Solutions File16 (OKTA-123198)

• Frontline Education (OKTA-123177)

• Guardian by LawLogix (OKTA-122910)

• Lifelock (OKTA-123197)

• My Ceridian Solutions (OKTA-121195)

• TravelCube Pacific (OKTA-123159)

• ADP Workforce Now (Admin) (OKTA-119713)
• Ceridian Online Customer Support (OKTA-121196)
• G Suite (OKTA-122199)
• Impraise (OKTA-122557)
• NCM Axcessa (OKTA-122565)
• ONE by AOL Mobile (OKTA-121276)
• Sophos Partner Portal (OKTA-118766)
• Ticketmaster (OKTA-122560)
• US Messenger (OKTA-122562)

• AirWatch Portal (OKTA-120568)

• Akamai EdgeControl (OKTA-120409)

• ASAE (OKTA-120595)

• BT Cloud Phone (OKTA-120571)

• CBRE (Employee Login - The Navigator) (OKTA-121509)

• Cisco AMP for Endpoints (OKTA-120968)

• Credible Behavioral Health (OKTA-120697)

• CUNA Mutual (OKTA-120733)

• Datahug (OKTA-121489)

• G5 Action Analytics (OKTA-121506)

• GTA Travel (OKTA-120792)

• IBM Workspace (OKTA-121501)

• Informatica Award Program (OKTA-120596)

• Liveramp (OKTA-121512)

• Maxemail (OKTA-120809)

• MySonicWall (OKTA-120291)

• National Life Group (OKTA-120567)

• NGS Connex (OKTA-120591)

• Roadmunk (OKTA-121504)

• SAP Support Portal (OKTA-120909)

• ShareThis (OKTA-121513)

• TimeLog (OKTA-120590)

• Twitter (OKTA-121124)

• United Concordia (OKTA-120594)

• XSplit (OKTA-121497)

• CrazyEgg (OKTA-119975)

• Egnyte (OKTA-120373)

• ESPN (OKTA-120482)

• Google AdSense (OKTA-120154)

• MetLife MyBenefits (OKTA-120301)

• Microsoft OneDrive (OKTA-120264)

• SyncBASE (OKTA-120149)

• Union Bank (OKTA-119767)

• Verizon Wireless Business (OKTA-120221)

• Saba (OKTA-112840)

• Bill.com (OKTA-119939)

• ADP Workforce Now (Admin) (OKTA-104388)

• ADP Workforce Now (Employee) (OKTA-104388)

• Awin (OKTA-118368)

• CallRail (OKTA-119212)

• Creately (OKTA-119223)

• Edward Don and Company (OKTA-119203)

• Flurry (OKTA-119224)

• Real Capital Analytics (OKTA-119391)

• Travitor (OKTA-116914)

• Zkipster (OKTA-118207)

• Attendease (OKTA-117520)

• Rally Software (OKTA-117336)

• Workfront (OKTA-110025)

• AdvancedMD (OKTA-117176)

• Amazon Associates CA Affiliate (OKTA-117060)

• Amazon CA (OKTA-116925)

• Amazon Web Services (OKTA-115117)

• Amplitude (OKTA-117441)

• AP Stylebook (OKTA-117712)

• Atlas Solutions (OKTA-117476)

• AvayaLive (OKTA-115557)

• Bing Ads (OKTA-116205)

• BioCentury (OKTA-117566)

• Codeship (OKTA-117369)

• Confluence (Atlassian) (OKTA-116216)

• D2L (OKTA-117567)

• Dash (OKTA-116424)

• Dataloader.io (OKTA-115819)

• DealerSocket AAX (OKTA-117127)

• Dell EMC (OKTA-117569)

• Docker Hub (OKTA-115331)

• Essendex (OKTA-114906)

• Exclusive Resorts (OKTA-117126)

• Geckoboard (OKTA-116259)

• Give Something Back (OKTA-117129)

• Hellofax (OKTA-118422)

• HelloSign (OKTA-115502)

• Inspired eLearning (OKTA-116992)

• JoyentCloud (OKTA-117565)

• Kaiser (OKTA-116425)

• Kampyle (OKTA-116427)

• LawRoom (OKTA-117420)

• Lifesize Cloud (OKTA-115541)

• MarkMonitor (OKTA-117125)

• MathWorks (OKTA-115559)

• MetLife MyBenefits (OKTA-116356)

• Nature.com (OKTA-116426)

• OpenVPN Connect (OKTA-117714)

• Operative.One (OKTA-117179)

• Oracle Human Capital Management (OKTA-117130)

• Oracle Partner Store (OKTA-117713)

• Oracle Support (OKTA-116428)

• Rackspace Cloud Control Panel (OKTA-117443)

• RackSpace Webmail (OKTA-116598)

• RingCentral (OKTA-115817)

• RingCentral (UK) (OKTA-117124)

• RingCentral SWA (OKTA-115555)

• SendGrid (OKTA-116385)

• Skype (OKTA-115290)

• Smartsheet (OKTA-116462)

• SnapAV (OKTA-117128)

• SpyFu (OKTA-117143)

• Team Gantt (OKTA-117007)

• Tech Data (OKTA-115664)

• Teladoc (OKTA-117572)

• Twilio (OKTA-117571)

• Uline (OKTA-118130)

• ZocDoc (OKTA-116699)

• PhotoBucket (OKTA-117940)

• Soundcloud (OKTA-117941)

• Pilgrim SmartSolve (OKTA-113317)