Okta Classic Engine release notes (2019)
December 2019
2019.12.0: Monthly Production release began deployment on December 16
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Okta Browser Plugin version 5.35.0 for Safari and Internet Explorer
This version includes the following:
- Bug fixes for custom URL domain support for the plugin
- Okta privacy link
- Back-end enhancements
For version history, see Okta Browser Plugin version history.
Okta Confluence Authenticator, version 3.1.2
This release contains a fix for OpenSaml initialization in OSGi environment and an update to OpenSaml library version 3.2.0. For version history, see Okta Confluence Authenticator version history
Okta SAML Toolkit for Java, version 3.1.2
This release contains a fix for OpenSaml initialization in OSGi environment and an update to OpenSaml library version 3.2.0. For version history, see Okta SAML Toolkit for Java Version History
SAML or SCIM applications created in certain developer cells can now submit to ISV portal
Developers in the OK7 developer cell who create and test SAML or SCIM applications using the App Wizard can now submit directly to the ISV portal at oinmanager.okta.com.
Increased timeout for Okta Sign In page
The initial timeout duration has been extended on the Okta Sign-In page.
ACS Limit Increased
The maximum number of Assertion Consumer Service (ACS) URLs for a SAML app is increased to 100.
LDAP Password Push
Okta now supports Password Push for LDAP. This allows each user's LDAP password to be synced to their Okta password. Any subsequent password changes users make are pushed to their user profile in LDAP. In addition to simplifying password management for orgs using LDAP, organizations using both Active Directory (AD) and LDAP can now synchronize their user passwords from AD through Okta to LDAP. For details, see the Provisioning section in Install and Configure the Okta Java LDAP Agent.
Suspicious Activity Reporting
End users can now report unrecognized activity to their org admins when they receive an account activity email notification. This feature is now available through the EA feature manager. See Suspicious Activity Reporting.
Group rules triggered by user reactivations
Group rules are now triggered when a user is reactivated. See Group rules for more information.
Multifactor Authentication for admins
MFA for Admins allows Super admins to enable mandatory multifactor authentication for all administrators accessing admin functionality. For details see Authentication.
Beta features available in Feature Manager
You can now enroll your Preview org in Open Betas in the Feature Manager. When you enroll in a Beta feature, you receive an email with further details.
SAML Inline Hook
The SAML Inline Hook enables you to customize the authentication flow by allowing you to add attributes or modify existing attributes in outbound SAML assertions. For details, see our SAML Inline Hook page.
Admin Getting Started tasks
The new Admin Getting Started page helps super admins begin configuring their new Okta org.
For more information, see Get started with Okta.
Token Inline Hook
The Token Inline Hook enables you to integrate your own custom functionality into the process of minting OAuth 2.0 and OpenID Connect tokens. For details, see our Token Inline Hook page.
System Log events for successful Office 365 logins
A new System Log event is added when an end user successfully signs in to Office 365 using any of the Office 365 app integrations on the dashboard.
SCIM Template Apps include ISV portal link
Any apps created from the SCIM app templates display a banner that directs developers to use the ISV portal at oinmanager.okta.com to submit their SCIM app to the OIN.
SAML App Wizard change for software developers
During the creation of a SAML app with the App Wizard, software vendors receive a link to the ISV portal at oinmanager.okta.com to submit their app to the OIN. If the software vendors elect not to submit through the App Wizard, a banner appears on their app configuration page with the link to the ISV portal.
Custom URL domain support for the Okta Browser Plugin
This support enables the Okta Browser Plugin to work on the configured custom URL domain. See Configure custom URL domain.
Improved People page filter and Profile page details
We've added more detail to the user state labels on the People page.
And now provide the action required for users in a pending state on the User Profile page.
Generally Available Enhancements
OAuth Consent UX Enhancements
- The OAuth Consent end-user dialog has been modified to improve the user experience.
- For OAuth Scopes created for a new Authorization Server, the default values for Display Name and Description are updated to be more informative.
Select group UI enhancement
The appearance of Select Group elements are enhanced throughout the UI to be more visually intuitive and consistent with other Okta select elements:
Application Settings enhancements
- When you create a new application in the dashboard, it will be created with a default Post Logout Redirect URI (previously this field existed but defaulted to blank).
- When you create a new application of type Single Page Application (SPA), it will default to using Authorization Code with PKCE instead of defaulting to Implicit Flow.
- The Post Logout Redirect URI only impacts users using our /logout API call (not using any of our SDKs), and it is a list of possible values just like the (Login) Redirect URI.
Event hooks support for MFA factor events
Event hooks are now enabled for MFA factor life-cycle events such as activating or resetting a factor.
Windows Mobile and Blackberry options removed
The option in the Okta Sign In Widget and in the End User Settings to enroll in Okta Verify or Google Authenticator using Windows Mobile or Blackberry devices is now removed.
Sorting functionality added for inline hooks and event hooks
Admins can now sort inline hooks by Status, Type, or Name, and event hooks by Verification, Status, or Name. For more information, see Inline hooks and Event hooks.
Authentication Server display name enhancement
The Authorization Server scope display name for new entries is now limited to 40 characters.
Use of admin information
Additional legal text regarding use of admin information is added to Settings > Account >Admin email notifications.
Email notification when org licensing changes
Super admins will now receive an email when their org is converted from a free trial and licensed based on a new active contract.
Addition of status text to status icons
The On-Prem MFA and RSA SecureID Agents status icons relied on color to provide status. Status is now also represented by text for improved accessibility.
Workplace by Facebook domain update
When setting up a Workplace by Facebook app, you now have the option to switch from the default org.facebook.com domain to the org.workplace.com domain.
Device fingerprinting for custom org URLs
Custom org URLs now support device fingerprinting for improved accuracy of new sign-in notifications and new device detection.
New device behavior detection
New device behavior detection is improved to provide better accuracy with new devices.
New warning modal for provisioning to apps
Admins who enable Profile Master and Push for the same app are now warned of the potential for overwritten attributes and the risk of lost data. For more information, see Profile sourcing.
Fixes
General Fixes
OKTA-250443
When using Factor Sequencing, the Custom Password label did not appear in the Password field on the Sign-In page.
OKTA-251904
Okta did not update null/blank profile attributes into RingCentral.
OKTA-253324
In some cases, an incorrect System Log event of INVALID_OKTA_MOBILE_ID was logged even when OMM Device Trust was not enabled.
OKTA-256102
Country Code prefix for Kosovo was set to +undefined when enrolling SMS as a factor.
OKTA-259414
In some cases, Reapply mapping was displayed incorrectly when editing app users with an app user property that was sourced from two different groups.
OKTA-260360H
Social Login created a race condition with Self Service Registration.
OKTA-261676
LDAPi searches using a filter containing entryDN=* failed with result code 80.
OKTA-263016
For customers who opted into the New Import and Provisioning Settings Experience for Active Directory Early Access feature, if an admin entered an invalid custom expression into the AD username format field on the AD Settings page, clicking Save caused infinite loading of the page without saving the settings.
OKTA-263017
Customers who opted into the New Import and Provisioning Settings Experience for Active Directory Early Access feature could not see the UI control for previewing the result of the custom expression underneath the AD username format field when custom was chosen in the drop down.
OKTA-263915
Additional customizations applied to the ADFS site were not displayed when users accessed the ADFS second factor challenge page.
OKTA-264334
In some cases, customers importing users from Workday (as a Master) got an undefined error when executing profile matching.
App Integration Fixes
The following SWA app was not working correctly and is now fixed
-
Ingram Micro (OKTA-260621)
Applications
Application Updates
Provisioning support has been removed from the following apps due to low customer usage, lack of standards based integration, and high supportability cost:
- Veeva
- Replicon
- Roambi Business
- Gooddata
- Rightscale
New Integrations
New SCIM integration applications
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Getabstract: For configuration information, see the Getabstract SCIM Configuration Guide Instructions.
SAML for the following Okta Verified applications
-
Appsian Security Platform for PeopleSoft (OKTA-258107)
-
Cincopa (OKTA-260900)
-
Cisco Webex (OKTA-263286)
-
Firmex VDR (OKTA-262869)
-
Juro (OKTA-258096)
-
TripActions (OKTA-263057)
-
Wochit Studio (OKTA-263299)
Weekly Updates
2019.12.1: Update 1 started deployment on
January 6
Fixes
General Fixes
OKTA-252780
When a super admin canceled edits made to the email settings for an admin type, the edits were not actually canceled.
OKTA-260752
Dynamic SAML attributes appeared in read-only mode with the name, type, and value. Attributes now show only the name and value.
OKTA-261688
When adding Dynamic Attributes to a new SAML 2.0 app instance with long names or values, the text did not wrap correctly on the screen.
OKTA-261738
When creating a new SAML 2.0 app instance, the Attribute fields were auto-expanded, however the Expand button indicated that they were collapsed.
OKTA-262950
Okta Verify Push could be enabled even when Okta Verify was an inactive factor.
OKTA-264060
UNIQUE_PROPERTIES_UI caused delays and 500 errors for Postman DELETE USER API.
OKTA-264158
When OU_PICKER_V2_IN_AD_SETTINGS and AD_GROUP_PUSH were enabled, the organizational unit tree in the Push Groups tab on the AD Settings page rendered without formatting and check boxes.
OKTA-267811H
When AAD Graph API was enabled, role assignment and imports from Office365 sometimes failed.
App Integration Fixes
The following SAML apps were not working correctly and are now fixed
-
GaggleAMP (OKTA-265520)
-
NetFortris HUD Web (OKTA-264119)
-
Open Air (OKTA-252147)
The following SWA apps were not working correctly and are now fixed
-
AmericanFunds Retirement Solutions (OKTA-264261)
-
BioWorld (OKTA-265878)
-
BridgeBank Business eBanking (OKTA-263159)
-
eBay (OKTA-265287)
-
Kamer van Koophandel (OKTA-265639)
-
Mimecast (OKTA-263189)
-
Netskope (OKTA-265465)
-
Principal Advisor (OKTA-263869)
-
The Daily Beast (OKTA-266188)
-
WebRoot Anywhere (OKTA-264805)
The following Mobile apps were not working correctly and are now fixed
-
NetSuite (OKTA-263316)
-
SAP Cloud for Customer (OKTA-263312)
Applications
New Integrations
The following partner-built provisioning integration apps are now Generally Available in the OIN as Okta Verified:
- Articulate 360: For configuration information, see Configuring Provisioning for Articulate 360.
- SLIDO: For configuration information, see Configuring Provisioning for slido.
- Wellness360: For configuration information, see Configuring Provisioning for Wellness360.
- NanoLearning: For configuration information, see the Junglemap Okta user provisioning.
SAML for the following Okta Verified application
-
Blocks Edit (OKTA-264267)
SWA for the following Okta Verified applications
-
AuctionAccess (OKTA-263763)
-
Hunter Communications (OKTA-264917)
-
HYPR (OKTA-264057)
-
MKB Brandstof (OKTA-262883)
-
Savannah Morning News (OKTA-265411)
-
The Daily Beast (OKTA-264753)
Mobile applications for use with Okta Mobility Management (OMM) (Android and iOS)
-
Adobe Experience Manager (OKTA-263294)
-
FieldGlass SAML (OKTA-263295)
November 2019
2019.11.0: Monthly Production release began deployment on November 11
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Agentless Desktop SSO migration
Customers who enabled Agentless Desktop SSO using the registry key configuration method must migrate to the Kerberos alias supported configuration. Contact Support to enable ENG_ADSSO_MIGRATION_READINESS_CHECK which allows you to check your readiness prior to migrating.
For a list of complete migration steps refer to Migrate your agentless Desktop Single Sign-on configuration.
New System Log events for Okta user groups
System Log events have been added to indicate when Okta user groups are successfully created or deleted.
Sign-in widget for end-user factor enrollment
The sign-in widget is now displayed if an end user enrolls in a factor manually or resets a factor from the End User Dashboard settings. This feature is being released to Production orgs gradually over the month of November.
Minor visual changes to the Feature Manager
The Feature Manager user interface has been updated with minor changes including:
- The Early Access auto-enroll option is now at the bottom of the Early Access section.
- When a feature is auto-enabled in EA, the date of enrollment is listed beside the toggle switch.
Agentless Desktop SSO
Agentless desktop SSO and Silent Activation now support Kerberos alias authentication for customers implementing these features for the first time. See Configure agentless Desktop Single Sign-on and Office 365 Silent Activation: New Implementations. This feature is Generally Available in Production for new orgs only.
Web Authentication for MFA
Admins can enable Web Authentication as a factor as defined by WebAuthn standards. Web Authentication supports both security key authentication such as YubiKey devices and platform authenticators. For more information, see Multifactor Authentication.
Automations
Automations enable you to quickly prepare and respond to situations that occur during the lifecycle of end users who are assigned to an Okta group. You can set up two types of Automations and perform actions such as changing user lifecycle states and notifying users:
- Recurring Automations to check for conditions such as user inactivity and password expiration
- One-time Automations to bulk suspend and notify users belonging to a particular group irrespective of their activity
For more information, see Automations.
Required update for Microsoft Dynamics CRM, admin consent needed
We have updated the landing URL for the Microsoft Dynamics 365 app to use OAuth and to be accessible globally. The updated app resolves the issue where end-users outside the USA could not access Dynamics 365 and were redirected to an error page.
You need to provide or renew Admin consent within the Okta Office 365 app instance to continue using Dynamics 365 app in your Okta org.
Security Behavior Detection
To provide additional security without overburdening your end users, you can configure a Sign On policy for your organization to require additional authentication for behaviors defined as higher risk based on variance from individual users' prior sign ins. Admins can configure the system so that individual end users are only prompted for an additional MFA factor when there is a change in behavior that the admin defines. For more information, see Security Behavior Detection.
Generally Available Enhancements
Admin roles for groups
Admin roles can now only be granted to groups with less than 5000 members.
Admin settings for end-user suspicious activity reporting
In account settings, admins now have the option to exclude themselves or other admins from receiving user-reported notifications about suspicious account activity.
For more information, see Suspicious Activity Reporting.
WebAuthn UI enhancement
The description and icon for the WebAuthn factor have been updated both in the Admin Console and Sign-in Widget.
For more information, see Multifactor Authentication.
Fixes
General Fixes
OKTA-212852
Group rules were not applied to reactivated users.
OKTA-221328
With Routing Rules enabled, users saw the message This is the first time you are connecting to [an application] from this browser even though they had logged in before.
OKTA-240039
With Routing Rules enabled, users saw the message This is the first time you are connecting to [an application] from this browser even though they had logged in before.
OKTA-241929
Custom TOTP factors were not supported as part of the authentication flow in Factor Sequencing.
OKTA-249465
On some web browsers, switching between Okta Verify and WebAuthn caused an error.
OKTA-254641
Changes to Max Import Unassignment settings were not logged in the System Log.
OKTA-254723
WebAuthn factor types were incorrectly named as Windows Hello in the MFA Usage Report.
OKTA-255688
The Reset via Email button on a custom sign-in page was visible and active even when that option was disabled for custom URL domains.
OKTA-257032
The Agentless Desktop SSO flow failed to authenticate users accessing custom-domain URLs.
OKTA-257269
In some cases, end users registering for Okta Verify were enrolled in One-Time Password but not in Push.
OKTA-257277
Some admins with MFA for Admin configured entered an infinite page-loading loop when signing into the Admin Console.
OKTA-257315
The HealthInsight page did not load properly for certain Okta orgs.
OKTA-56159
Re-authentication defined in sign-on policies only supported SAML-based apps and did not support SWA.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Adobe Stock (OKTA-257769)
-
GoToWebinar (OKTA-255869)
-
Grammarly (OKTA-258776)
-
Instacart (OKTA-258045)
-
Sainsburys Groceries (OKTA-258041)
-
Twenty20 Stock (OKTA-257496)
-
Twilio (OKTA-258047)
Applications
Application Updates
Provisioning support has been removed from the following apps due to low customer usage, lack of standards based integration, and high supportability cost:
- OutSystems
- ExactTarget
- RightnowCX
- SugarCRM
New Integrations
SAML for the following Okta Verified application
-
GainsightPX (OKTA-253926)
SWA for the following Okta Verified applications
-
Ontario MC EDT (OKTA-244471)
-
ParcelQuest (OKTA-249541)
-
WatchGuard Evidence Library (OKTA-244478)
Weekly Updates
2019.11.1: Update 1 started deployment on
November 18
Fixes
General Fixes
OKTA-162537
The Testing IWA Web App help link on the Delegated Authentication page was broken.
OKTA-218841
End users did not receive proper credential update exceptions when there was an issue with their change password flow.
OKTA-235243
Group Push stopped on the first failure received by O365 and did not display any warnings in the System Log to indicate the issue.
OKTA-236583H
The error message for when a user was locked out did not respect the Group Password Policy settings.
OKTA-244438
In some cases a user could not be unassigned from a SCIM app if the SCIM Server had a slow response time.
OKTA-250498
Super admins were able to select the Rate limit warning and violation email notification when the feature was not enabled for their org.
OKTA-251844
Users were unable to sign in due to a 400 error that was caused by the following conditions: using Internet Explorer, using an SP-initiation SAML sign on, IDP Discovery was enabled, IWA and an MFA prompt were configured.
OKTA-257469
Due to hard validation, attempts to use group functions between profile-mastered appuser to Okta user mapping resulted in validation errors.
OKTA-260343
The Firefox plugin could not be downloaded from the Mozilla Add-ons store. The Firefox plugin version 5.34.0 is now available from the Admin Console, Settings > Downloads menu.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
BombBomb (OKTA-258406)
-
Mimecast Personal Portal v2 (OKTA-258584)
-
MyGeotab (OKTA-258044)
-
Veeva Vault (OKTA-258852)
-
WebEx Premium (OKTA-258040)
-
WP Engine (OKTA-259045)
Applications
New Integrations
The following partner-built provisioning integration apps are now Generally Available in the OIN as Okta Verified:
- Zestful: For configuration information, see Configuring Provisioning for Zestful.
- Mixpanel Provisioning: For configuration information, see Configuring SCIM Provisioning for Mixpanel with Okta.
- Web Manuals: For configuration information, see Web Manuals' Okta provisioning instructions.
- Workgrid: For configuration information, see Okta SCIM API Configuration.
- Chorus.ai: For configuration information, see Configuring Provisioning for Chorus.ai.
- Drafted: For configuration information, see Okta Provisioning (SCIM).
- ClickUp: For configuration information, see Okta SCIM Configuration Guide for ClickUp.
SAML for the following Okta Verified applications
-
Concur Travel and Expense (OKTA-254835)
-
JazzHR (OKTA-246402)
-
NetFortris HUB Web (OKTA-250307)
-
Netskope User Enrollment (OKTA-253910)
-
Portnox CLEAR (OKTA-253896)
-
Portnox CLEAR Self-onboarding (OKTA-253895)
-
Udemy for Business (OKTA-258121)
-
Vant SSO Proxy (OKTA-257483)
-
YouAttest (OKTA-259546)
SWA for the following Okta Verified applications
-
Dealerpull (OKTA-248564)
-
Encompass TPO Connect (OKTA-241362)
-
Global Database InvestmentMetrics (OKTA-245640)
-
Global Database InvestmentMetrics (OKTA-245640)
-
Informa (OKTA-245651)
-
Instacart Canada (OKTA-248835)
-
k-eCommerce (OKTA-256824)
-
Safeco Agent (OKTA-247347)
-
Southwest Traveler (OKTA-244178)
-
Stetson Insurance Funding Agent Login (OKTA-247772)
-
Street Smart by CycloMedia (OKTA-247460)
-
Transus (OKTA-247849)
Mobile applications for use with Okta Mobility Management (OMM) (Android and iOS)
-
Jive (OKTA-245483)
-
ShareFile (OKTA-260468)
Mobile application for use with Okta Mobility Management (OMM) (Android iOS)
-
Jive Communications (OKTA-245485)
2019.11.2: Update 2 started deployment on
December 2
Fixes
General Fixes
OKTA-247115
Some links in Suspicious Activity Reporting events did not work as expected.
OKTA-260013
The MFA Usage Report did not display some MFA factors when it was generated for all users.
OKTA-262346H
Some provisioning operations for some orgs failed with 409 errors.
OKTA-262644H
For some orgs, the Upload Logo button (Settings > Appearance) did not work.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Acronis Cloud (OKTA-261592)
-
Dell Boomi (OKTA-260860)
-
eOriginal (OKTA-260858)
-
HotSchedules (OKTA-259809)
-
Lola (OKTA-259813)
-
Nationwide Eviction (OKTA-261405)
-
Percolate (OKTA-259811)
-
U.Chicago Dist. Ctr. (OKTA-259812)
Applications
New Integrations
The following partner-built provisioning integration app is now Generally Available in the OIN as Okta Verified:
- Ooma Enterprise: For configuration information, see Configuring Provisioning for Ooma.
SAML for the following Okta Verified applications
-
PrinterLogic SaaS (OKTA-257046)
-
PTO Exchange (OKTA-259997)
SWA for the following Okta Verified applications
-
Bannockburn Global Forex (OKTA-252379)
-
Booking Admin (OKTA-257151)
-
Brex (OKTA-254738)
-
Crown Mark (OKTA-255472)
-
Dealer Daily Toyota (OKTA-253563)
-
Empower (OKTA-248283)
-
Firemax - G5 (OKTA-249415)
-
Health Assured UK (OKTA-258033)
-
Rileys eStore (OKTA-248900)
-
RUN Powered by ADP (OKTA-251863)
-
SafetySync (OKTA-248899)
-
State of California Department of Motor Vehicles (OKTA-256771)
-
Untangle (OKTA-250112)
-
Wipster (OKTA-248068)
-
WordFly (OKTA-251885)
2019.11.3: Update 3 started deployment on
December 9
Fixes
General Fixes
OKTA-244018
Signing out from Okta from within the password re-authentication screen caused a new Okta Sign In page to appear within the existing Okta UI.
OKTA-246083
When configured to add apps on the fly, the Okta Browser Plugin did not always offer to save credentials for some apps.
OKTA-249009
Attempts to Push Groups from Okta to ShareFile failed and produced an error.
OKTA-252921
The wrong attribute values were mapped from Okta to PagerDuty if the values limited_user or team_responder were selected in the app assignment for a user.
OKTA-253183
When an admin attempted to modify an existing admin's role by unchecking all roles, then clicked Update Administrator, a non-user-friendly error message was returned instead of the message At least one role must be selected.
OKTA-256370
CSV imports failed when there were unique custom properties in the user profile and imported users had non-empty values set for the unique properties.
OKTA-257508
A 500 error rather than a user-friendly error was returned when an invalid factor was used during the credential authentication flow.
OKTA-257703
An application.provision.user.sync event was generated with a successful outcome before provisioning was attempted.
OKTA-258832
Imports from Confluence 7.0 failed with the error No such operation getUser.
OKTA-259741
Additional MFA factors were not enforced for Okta Mobile if an org created a sign-on policy using Okta as IDP as the priority one rule that defined additional MFA factors.
OKTA-261115
In some cases, the My Applications button was not visible on the admin console.
OKTA-262419
Not all Yubikey device names were displayed after they were enrolled for WebAuthn.
App Integration Fixes
The following SAML app was not working correctly and is now fixed
-
Cisco Webex Teams (OKTA-259313)
The following SWA apps were not working correctly and are now fixed
-
Adobe Reseller Console (OKTA-263079)
-
AlertLogic (OKTA-261300)
-
Apple Store (OKTA-262873)
-
Avalara CertCapture (OKTA-262331)
-
BioWorld (OKTA-262957)
-
CallTower (OKTA-262327)
-
Experian (OKTA-262329)
-
General Motors GlobalConnect (OKTA-262328)
-
Inspired eLearning (OKTA-262335)
-
Kamer van Koophandel (OKTA-262334)
-
Percipio (OKTA-262330)
-
Southwest Traveler (OKTA-262925)
-
WeWork (OKTA-261968)
-
Work Number Commercial Verifier (OKTA-261507)
Applications
New Integrations
The following partner-built provisioning integration apps are now Generally Available in the OIN as Okta Verified:
- Clearwage: For configuration information, see the Clearwage Provisioning and SSO Configuration guide.
- Vant SSO Proxy: Note: The configuration guide for this app is not public. The ISV will provide the internal link to this documentation to the engineers who will be using this integration directly.
- Book4time: For configuration information, see Book4time SCIM Setup Guide.
SAML for the following Okta Verified applications
-
KindLink (OKTA-259556)
-
Mitel Connect (OKTA-262010)
-
NetFortris HUD (OKTA-261151)
-
Netskope User Enrollment (OKTA-261565)
-
TeamzSkill (OKTA-262037)
-
Visit.org (OKTA-261400)
SWA for the following Okta Verified applications
-
Amazon ES (OKTA-259282)
-
Applied Epic Assuredpartners (OKTA-256238)
-
ASIC - Registered Agents (OKTA-260407)
-
Averon (OKTA-260126)
-
ConnectWise Automate (OKTA-252945)
-
Double Dutch Event (OKTA-256694)
-
Nx2me Clinician Portal (OKTA-259247)
-
OneNote (OKTA-259831)
-
RFPIO (OKTA-259502)
-
SALTO KEYS (OKTA-260440)
-
The Hartford Customer Service Center (OKTA-257302)
-
USA Today (OKTA-261633)
-
Welltower Portal (OKTA-254521)
-
WestJet Biz (OKTA-261389)
October 2019
2019.10.0: Monthly Production release began deployment on October 14
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Reports calendar selections limited to past 3 months
The calendar date range for a report displays the past three months only. This matches the maximum date range for report data.
Tokens transform events no longer available
Token transform System Log [events]() will no longer fire for SAML and Token inline hooks. They are retained in Inline Hook events.
See API event types.
Device Trust applies to apps in Okta Mobile for iOS
Any Device Trust policies configured in your environment are now also enforced when iOS device users access resources through Okta Mobile. This functionality is enabled by default. To change it, go to Security > General > Okta Mobile.
See Okta Mobile Settings.
Okta Browser Plugin version 5.33.0 for all browsers
This version includes the following:
- Security warning and anti-phishing whitelist
- Reflection of real-time app and profile changes in the end user dashboard
- Custom URL domain support for the plugin (available in Preview orgs)
- New look (available in beta)
- Back-end enhancements
OPP agent, version 1.3.4
This version of the OPP agent:
- Improves networking utilities and recovery speed after a DR event
- Improves log correlation between the agent and Okta
- Fixes a bug that read special characters from a CSV incorrectly
Active Directory agent, version 3.5.9
This release of the AD agent fixes an issue where meta data about Active Directory domains was not updated in Okta during imports from AD. In some cases this prevented features which rely on this meta data, for example Agentless Desktop SSO, from working correctly or being configured for the first time.
JIRA Authenticator Toolkit, version 3.1.2
This release includes the following bug fix: JIRA service failed to start after upgrading the JIRA Authenticator from 3.0.7 to 3.1.1.
Okta Browser Plugin reflects real-time app and profile changes in the end user dashboard
The Okta Browser Plugin now reflects the real-time state of the end user dashboard, eliminating the need to refresh the dashboard for the plugin to reflect the latest app and profile changes. This feature is available on Okta Browser Plugin version 5.29.0 or higher. For more information, see .
App condition for MFA enrollment policy
Admins can now use a new condition when setting a rule for an MFA enrollment policy. When this condition is configured, end users are prompted for factor enrollment when accessing all of their applications or only for those selected by their org admin. For more information, see App condition for MFA enrollment policies.
Add event hooks from the Admin Console
Admins can now add event hooks from the Admin Console. Event hooks send outbound calls from Okta that trigger asynchronous process flows in admins' own software. For more details, see Event hooks.
Generally Available Enhancements
Adobe CQ Enhancement
You can specify whether to ignore inactive users or not during imports to/from Adobe CQ.
Group Admin behavior change
When a group admin with permissions to manage a single group adds a new user to the org, the group name is automatically populated.
New System Log event for email challenge
The new event now includes more debugData information to indicate whether an email challenge was answered (redeemed) using the same browser from which it was initiated.
Scope Naming Restriction
OAuth Scopes may not start with the okta. prefix. See Create scopes.
Fixes
General Fixes
OKTA-220377
When assigning users to Microsoft Office 365, a Profile push error message was displayed. Users could still sign in and their profiles were updated correctly.
OKTA-221078, OKTA-231642
When Okta MFA for Azure AD Conditional Access was enabled, admins were unable to configure Microsoft Office 365 using the I want to configure WS-Federation myself using PowerShell option.
OKTA-233578
Deactivated users were imported from Adobe CQ.
OKTA-235187
In OAuth 2.0/OIDC /authorize request, the Okta Sign-In Widget incorrectly rendered the login_hint parameter, substituting + with a space.
OKTA-236849
Users were unable to sign in to the GoAnywhere SWA app automatically and had to enter their credentials manually.
OKTA-237085
Admins could not add an IP to a Network Zone in the System Log if there were more than 20 Network Zones. Only the first 15 zones were displayed.
OKTA-240197
The group icon for the Namely app was incorrectly displayed on the Directory > Groups page.
OKTA-240375
MFA factor enrollment policies were not enforced when Factor Sequencing was enabled.
OKTA-243056
When admins removed a user from a group with more than one # character in the group name, the confirmation message ignored all text preceding the last #. This resulted in an incorrect confirmation message.
OKTA-244957
Users were able to sign in to the NorthWest Evaluation Association MAP app only when using Sign in with 1 click.
OKTA-245114
Imports failed in Preview instances of the WebEx (Cisco) app.
OKTA-246107
In SP-initiated flows for the AnyBill app, the Okta plugin did not route the user to the correct URL.
OKTA-247915
Admins were allowed to subscribe to email notifications for which they did not have permission.
OKTA-248760
When admins entered a username to test if a new LDAP configuration was valid, the Next button did not work.
OKTA-250256
In some cases, the group attribute for Template WS-Fed apps was evaluated incorrectly.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Chicago Tribune (OKTA-248424)
-
CrowdStrike Support Portal (OKTA-250779)
-
Cube19 (OKTA-253339)
-
MailGun (OKTA-250727)
-
Nice inContact Workforce Management (OKTA-250421)
-
Template 2 Page Plugin (OKTA-249755)
Applications
Application Updates
- Provisioning support removed for Huddle and Connected Data apps - Provisioning support has been removed from the Huddle and Connected Data apps due to its low customer usage, lack of standards based integration, and high supportability cost.
- The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:
- Elevio: For configuration information, see Provisioning Users with Okta.
- Dynamic Signal: For configuration information, see Setup for Okta SCIM User Provisioning.
New Integrations
SAML for the following Okta Verified applications
-
Compusense (OKTA-252571)
-
Moesif API Analytics (OKTA-251060)
Weekly Updates
2019.10.1: Update 1 started deployment on
October 21
Fixes
General Fixes
OKTA-235246
Org2Org setup created a new appUser instead of restoring the original user after encountering an Error while Reactivating user message.
OKTA-247437
Report admins did not have access to the Proxy IP Usage Report.
OKTA-249412
403 return status in API caused spinning icon in UI when Mobile admins tried to view the Security Health Check page.
OKTA-249465
Users encountered an error if they switched between WebAuthn and other factors when signing in to Okta in a web browser.
OKTA-250499
Telangana was missing as a region for India in Network Zones.
OKTA-252845
Immediately after enabling WebAuthn, users saw Windows Hello in a stale window when resetting an enrollment factor.
OKTA-253687
Back to Settings link incorrectly appeared in the OIDC sign-in flow.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
2145 Parkplace (OKTA-250451)
-
Adobe Creative (OKTA-254693)
-
Adobe Enterprise (OKTA-254514)
-
Cisco Webex Meetings (OKTA-253433)
-
Dealer Daily Lexus (OKTA-253658)
-
Google Analytics (OKTA-253582)
-
My T-Mobile (OKTA-251610)
-
Paycor (OKTA-253575)
-
SSQ Financial Group (OKTA-253421)
Applications
New Integrations
SAML for the following Okta Verified applications
-
CyberArk Password Vault Web Access (OKTA-251875)
-
DataRails (OKTA-251850)
-
Elevio (OKTA-253738)
-
SimpliGov (OKTA-249789)
-
Visibly (OKTA-253409)
-
VMWare Workspace ONE (OKTA-252568)
SWA for the following Okta Verified application
-
Adobe Admin Console (OKTA-254510)
2019.10.2: Update 2 started deployment on
November 4
Fixes
General Fixes
OKTA-208239
Duplicate notifications were displayed in the Profile Editor after a new attribute was added.
OKTA-218100
Security email notifications sometimes displayed extra commas.
OKTA-231286
Editing AD instances sometimes resulted in a provisioning error in Office 365 instances.
OKTA-237415
Activation emails were sent to end users despite being configured otherwise.
OKTA-237944
When saving a user's updated profile details from the Profile page, a manual refresh was required.
OKTA-244162
The MFA Factor Reset email displayed the TOTP factor with an error.
OKTA-244298
The Import from Active Directory tab did not describe what type of import will remove AD groups in Okta if the groups have been deleted in the AD.
OKTA-244986
Behavior Detection logs showed UNKNOWN for user's first sign-in, but showed POSITIVE for sign-in after resetting the behavior profile.
OKTA-247912
If the IdP routing rule contained a user identifier condition and an application condition, some users were routed incorrectly.
OKTA-249204
For orgs that allow non-email usernames, users with an ID me were not able to sign in due to an API conflict. This ID is no longer allowed, but existing users with that ID are unaffected.
OKTA-250170
Attempts to add users to the approval process of the Access Request Workflow failed.
OKTA-254883
Duo factor activation events were not generated.
OKTA-255088
The Early Access Self-Service link for User Types incorrectly pointed to the Beta doc rather than the EA release topic in online help.
OKTA-255517
In the Security > General page, the Learn More link next to the Report Suspicious Activity selection pointed to the wrong page in the online help.
OKTA-255582
In Preview orgs, users who removed Okta Verify through their Settings page remained enrolled in the factor.
OKTA-255940
After access to Okta Support was enabled, impersonation could be disabled or enabled in the impersonated session.
OKTA-256720
Import settings for Salesforce were unintentionally reset and lost.
OKTA-256724
Users who signed in via IWA after their password was reset with the Temporary Password option were prompted to change their password twice.
OKTA-257203
Resetting all factors for a user resulted in an error.
OKTA-257353
Auth schema inline hooks could not be renamed.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Adobe Fonts (OKTA-254976)
-
Adobe Licensing Website (OKTA-254315)
-
Amazon UK (OKTA-255211)
-
Eden (OKTA-221449)
-
Entelo (OKTA-253476)
-
GoToMeeting (OKTA-255995)
-
iTunes Connect (OKTA-257282)
-
Jive (OKTA-256518)
-
JumpCloud (OKTA-254291)
-
Knoll (OKTA-257055)
-
Kyriba (OKTA-255894)
-
MIBOR (OKTA-257057)
-
My Jive (OKTA-256680)
-
Nexus System Connect (OKTA-254290)
-
The Wall Street Journal (OKTA-255220)
-
Threads Culture (OKTA-256355)
-
U.S. Bank (OKTA-254309)
-
WP Engine (OKTA-257193)
-
YouCanBook.me (OKTA-257284)
-
Zoominfo (OKTA-243203)
Applications
Application Updates
-
Netskope now supports the following Provisioning features (this is in addition to the other provisioning features it already supports):
- Group Push
Users who have previously set up the Netskope integration and enabled Provisioning need to follow the migration steps detailed in the Netskope Configuration Guide if they want to use the new feature.
- OfficeSpace Software now supports the following Provisioning features (this is in addition to the other provisioning features it already supports):
- Importing users
- Profile/Attribute Level Mastering
- Schema updates
Users who have previously set-up the OfficeSpace Software integration and enabled Provisioning need to follow the migration steps detailed in the OfficeSpace Software Configuration Guide if they want to use the new features
New Integrations
The following partner-built provisioning integration apps are now Generally Available in the OIN as Okta Verified:
- AMGtime: For configuration information, see Configuring User Provisioning for AMGtime/Okta.
- DatoCMS: For configuration information, see Configuring Provisioning with Okta.
- Miro (formerly RealtimeBoard): For configuration information, see Setting up automated provisioning with OKTA.
- Signagelive: For configuration information, see Okta Single Sign On and Automated Provisioning Configuration.
SAML for the following Okta Verified applications
-
Accrualify (OKTA-256378)
-
Ambient.ai (OKTA-254752)
SWA for the following Okta Verified applications
-
E-Link (OKTA-249632)
-
EagleBank (OKTA-242296)
-
TECtok (OKTA-245077)
-
Time Clock Plus Manager (OKTA-244676)
September 2019
2019.09.0: Monthly Production release began deployment on September 9
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Customizable email template for LDAP users
The LDAP Forgot Password Denied email template can now be customized for LDAP users who have requested a password reset but must have their password reset by an admin. See Customize an email template.
New System Log event for event hooks
Event hook eligible System Log events now display the event hook ID in the Debug Context object under the TargetEventHookId field.
For a list of event hook eligible System Log events, filter our Event Types Catalog by the event-hook tag.
Okta Browser Plugin, version 5.32.0 for all browsers
This version includes the following:
- Custom URL domain support for the plugin (available through the EA Feature Manager)
- Back-end enhancements
End of support for Okta Mobile Connect on iOS 13 and iPad OS 13
Okta Mobile Connect will not function on iPhones and iPads that upgrade to iOS 13 and iPad OS 13, respectively, because version 13 introduces changes that affect the way an Apple API handles external requests to open Okta Mobile.
User enrollment of multiple Web Authentication factors
End users now have the option to enroll in more than one instance of a WebAuthn-based factor, which can be set up either from the sign-in widget or from the end user dashboard settings. See Multifactor Authentication.
Active Directory, honor AD password policy
If an AD-mastered user has forgotten their password the AD password policy is honored when the user resets their password.
Support for LDAP provisioning
With the addition of the following Provisioning Features, Okta's LDAP integrations now closely match the functionality already available to Okta Active Directory (AD) integrations.
-
Create Users
-
Update and deactivate LDAP accounts
-
DN customization
-
Profile Masters
For more information, see LDAP integration.
Admin report CSV changes
The Administrator report containing information about all admins, their roles, and permissions will now be generated asynchronously. Super admins can generate the report by clicking Request Report and they will receive an email with a download link when the report is ready.
Inline Hooks
Admins can now add Inline Hooks from the admin console. Inline Hooks enable admins to integrate custom functionality into Okta process flows. For more information, see Inline hooks.
Configure Okta Device Trust for Native Apps and Safari on MDM managed iOS devices
Okta Device Trust for MDM managed iOS devices allows you to prevent unmanaged iOS devices from accessing enterprise services through browsers and native applications:
Note: This feature requires Okta Mobile 5.12 for iOS (or later), available in the App Store beginning February 1st.
For details, see Configure Okta Device Trust for Native Apps and Safari on MDM managed devices.
ThreatInsight Threat Detection
Admins can now configure ThreatInsight — a new feature that detects credential-based attacks from malicious IP addresses. ThreatInsight events can be displayed in the admin system log and also be blocked once this feature is configured. For more information, see Okta ThreatInsight.
Apps supporting incremental imports
Workday joins Active Directory and LDAP in the ability to run immediate, incremental imports. Okta strives to add this functionality to more and more provisioning-enabled apps. This feature is currently only available for Preview orgs.
Note: To use this functionality, your org must also have the Workday Incremental Imports (ENG_PROV_WORKDAY_INCREMENTAL_IMPORTS) Early Access feature enabled.
Early Access Features
New Features
Quick Access tab on the Okta Browser Plugin available through EA feature manager
Quick Access tab on the Okta Browser Plugin is now available through the EA feature manager.
MFA for Oracle Access Manager
With Okta MFA for Oracle Access Manager (OAM), customers can use OAM as their Identity Provider (IdP) to applications and also use Okta for MFA to provide a strong method of authentication for applications. For more information, see MFA for Oracle Access Manager.
Factor Sequencing
Admins can now provide end users with the option to sign in to their org using various MFA factors as the primary method of authentication in place of using a standard password. See MFA Factor Sequencing.
Fixes
General Fixes
OKTA-192270
The translations were missing for the API AM User Consent buttons.
OKTA-230781
On the Push Groups to Active Directory > Push Groups by Name page, clicking Show more incorrectly redirected the admin to the People page.
OKTA-232406
The Self-Service Create Account Registration form did not clear a failed password validation status even after the password was updated to meet complexity requirements.
OKTA-237684
The last MFA factor used was not remembered for some orgs that use app-level MFA rules and a custom URL domain for sign-in attempts initiated by a Service Provider.
OKTA-237864
The Active Directory Settings page was slow or unresponsive for directories with more than 10,000 Organizational Units (OUs). To obtain the fix for this bug, contact Support.
OKTA-238146
When Factor Sequencing was enabled and a user clicked Sign Out from the sign-in widget, the browser page had to be refreshed manually for the user to sign in again.
OKTA-240089
Some authentication error messages for the custom IdP factor were not displayed by the sign-in widget.
OKTA-242345
Some sign-on policies and rules for IWA were not applied when a user signed in.
OKTA-246020
An extra character > appeared in the Admin navigation header.
OKTA-246246H
The temporary password was not displayed in developer account activation emails.
OKTA-247093
Web Authentication factor names were not displayed correctly under Extra Verification in end user settings.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Active Campaign (OKTA-245468)
-
Aegify (OKTA-245093)
-
BSPlink (OKTA-239934)
-
Check Point (OKTA-244812)
-
CultureIQ (OKTA-245092)
-
DesignCrowd (OKTA-245635)
-
Google Play Developer Console (OKTA-241992)
-
Hippo CMMS (OKTA-246930)
-
Key Bank (OKTA-245091)
-
MyFax (OKTA-244628)
-
OnePath Advisor (OKTA-243552)
-
ProjectManager.com (OKTA-244279)
-
Shutterfly (OKTA-245801)
-
Wells Fargo Funding (OKTA-244825)
Applications
Application Updates
To reflect Webex name changes we have updated our documentation as follows:
- Webex (Cisco) is renamed to Cisco Webex Meetings
New Integrations
SAML for the following Okta Verified applications
-
15five (OKTA-245730)
-
Centrify Privilege Access Service (OKTA-244805)
-
COMPASS by Bespoke Metrics (OKTA-246403)
-
Gateway Software Solutions (OKTA-231714)
-
Good2Give (OKTA-244842)
-
Legal Diary (OKTA-231714)
-
Wellness360 (OKTA-242402)
SWA for the following Okta Verified application
-
United Capital (OKTA-240147)
Weekly Updates
2019.09.1: Update 1 started deployment on
September 16
Fixes
General Fixes
OKTA-239075
After having their passwords reset by an admin, AD-mastered users who changed their AD password and then used Delegated Authentication to sign in to Okta encountered an unnecessary password reset page during the IWA Desktop SSO sign-in flow.
OKTA-239805
It was possible to remove the last individually assigned super admin from an org.
OKTA-243796
The Import Now button did not appear for newly created OPP app instances.
OKTA-244073
Jira service failed to start after upgrading the Jira Authenticator from 3.0.7 to 3.1.1.
Note: To receive this bug fix, download the latest Jira Authenticator 3.1.2.
OKTA-248184
Suspicious Activity emails sent to admins erroneously included information about actions taken as a result of the suspicious activity.
OKTA-248458
When an org admin toggled the WebAuthn factor feature, non-Windows users with their browsers open to the sign-in page erroneously saw the Windows Hello factor.
OKTA-249451H
Sending an Okta Verify push, then while waiting for the end user's response, switching to WebAuthn as a factor resulted in an error.
Applications
New Integrations
SAML for the following Okta Verified applications
-
Airbrake (OKTA-247505)
-
Parley Pro (OKTA-239461)
2019.09.2: Update 2 started deployment on
September 23
Fixes
General Fixes
OKTA-221735
The Docusign app did not display the Permission profile values correctly.
OKTA-230033
Admins were allowed to attempt to assign a U2F factor to a user even when it was disallowed by policy.
OKTA-238336
Provisioning more than 3600 requests from Okta to Salesforce caused both user creation and user updates to fail.
OKTA-240371
During an SP-initiated app sign in to a custom domain, the behavior of the Remember Device check box was inconsistent for App-level and Org-level MFA.
OKTA-240769
WebEx was not provisioning the correct email attribute value.
OKTA-241439
User profile mappings did not generate errors when Expression Language group functions were used inside an App to Okta mapping.
OKTA-241761
A new NetSuite domain name was missing from the list of NetSuite options.
OKTA-241916
There was a typo in one of the Feature Manager Early Access features.
OKTA-244297
After having their passwords reset by an admin, AD-mastered users who changed their AD password and then signed in to Okta encountered an unnecessary password reset page during the IWA Desktop SSO sign-in flow.
To obtain the fix for this bug, contact Support.
OKTA-244537
Users were able to re-enroll in a previously enrolled WebAuthn authenticator.
OKTA-245768
While it was still pending verification, WebAuthn appeared on the end user's Settings page as an enrolled factor.
App Integration Fixes
The following SAML app was not working correctly and is now fixed
-
Workday (OKTA-245265)
The following SWA apps were not working correctly and are now fixed
-
Air Canada Travel Agency (OKTA-246673)
-
Alerus Retirement (OKTA-248084)
-
Alerus: Account Access (OKTA-246929)
-
BigBlueOnline (OKTA-248218)
-
Duo Security (OKTA-247829)
-
HackerRank For Work (OKTA-247487)
-
Mimecast (OKTA-246444)
-
OneSignal (OKTA-247482)
-
ProofHub (OKTA-247818)
-
Sun Life Financial (OKTA-246462)
-
SyncHR (OKTA-247514)
-
The Hartford At Work (OKTA-247955)
-
Wistia (OKTA-246913)
-
Zuman (OKTA-247537)
Applications
New Integrations
SAML for the following Okta Verified applications
-
Arxspan (OKTA-248526)
-
EdCast (OKTA-246404)
-
FaxLogic Advanced Web Client (OKTA-247506)
-
Heureka Platform Connector (OKTA-239141)
-
Mapbox (OKTA-247507)
-
Notion (OKTA-246110)
SWA for the following Okta Verified applications
-
ContentSquare (OKTA-244251)
-
Wells Fargo - Personal (OKTA-244153)
-
WhiteHat Customer Portal (OKTA-243554)
Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)
-
Clarizen (OKTA-248809)
-
Doxis4 (OKTA-244112)
-
MobileIron Cloud (OKTA-248803)
-
xMatters (OKTA-248805)
-
Zscaler Private Access (OKTA-248807)
Mobile application for use with Okta Mobility Management (OMM) (Android)
-
Igloo (OKTA-248490)
-
Syncplicity (OKTA-248487)
2019.09.3: Update 3 started deployment on
September 30
Fixes
General Fixes
OKTA-230273
Clicking the name of an Organizational Unit rather than selecting its check box in Group OUs connected to Okta caused the corresponding Organizational Unit in User OUs connected to Okta to be selected.
OKTA-235285
When signing in to an app, users were prompted to enroll in email authentication instead of specific apps that were included as part of the App Condition for Enrollment policy.
OKTA-239833
Clarizen provisioning configured for a sandbox environment failed.
OKTA-245037
The Custom Email Templates preview CSS appeared to be different from the actual email.
OKTA-246931
Okta groups of type APP_GROUP failed to be marked as deleted using Group API when the original App Group was already marked as DELETED.
OKTA-247199
WebAuthn did not work with custom domains.
OKTA-248625
After upgrading from U2F to WebAuthn and then disabling WebAuthn, U2F users did not see a U2F option on the enrollment page.
OKTA-249385
Admins could add the same property name with different cases into the appUser profile for Generic OIDC IdP.
OKTA-250615
Users for orgs without a group-based Okta MFA enrollment policy could not enroll WebAuthn factors from the end user Settings page.
OKTA-250722
The custom sign-in page call-out displayed the wrong version number as the latest version of the Okta Sign-in Widget.
OKTA-251211H
Metadata about Active Directory domains was not updated in Okta during imports from AD. In some cases this prevented features which rely on this metadata, for example Agentless Desktop SSO, from working correctly or being configured for the first time.
To obtain this fix, download the Okta Active Directory agent, version 3.5.9.
OKTA-251828H
App icons on the Okta End-User Dashboard took longer to load in Chrome 77 when hardware acceleration was on.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
ADP Employee Self Service Portal (OKTA-247820)
-
Evernote (OKTA-247819)
-
Microsoft Office 365 (OKTA-239332)
-
Milestone XProtect Smart Client (OKTA-248227)
-
MobileIron Cloud (OKTA-247821)
-
MyFax (OKTA-244628)
-
OnceHub (OKTA-249321)
-
Universal Production Music (OKTA-249121)
-
Wells Fargo (Commercial Electronic Office) (OKTA-249085)
-
Work Number Commercial Verifier (OKTA-248228)
Applications
New Integrations
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Vable: For configuration information, see Okta users provisioning for Vable platform.
SAML for the following Okta Verified applications
-
OpsRamp (OKTA-247509)
-
RSA SAML Test Service Provider (OKTA-246422)
-
SevenRooms (OKTA-248528)
-
SpotMe (OKTA-248481)
-
ValenceDocs (OKTA-244909)
Mobile applications for use with Okta Mobility Management (OMM) (Android and iOS)
-
ADP (OKTA-248495)
-
Cvent (OKTA-248498)
-
SolarWinds Service Desk (OKTA-249028)
-
Wordpress by MiniOrange (OKTA-249020)
Mobile applications for use with Okta Mobility Management (OMM) (Android)
-
Atlassian Confluence Server (OKTA-248497)
-
Benevity (OKTA-248496)
2019.09.4: Update 4 started deployment on
October 7
Fixes
General Fixes
OKTA-219847
Provisioning tasks for G Suite failed to complete when the daily limit for API calls was reached.
OKTA-221627
The honorificSuffix and honorificPrefix were mapped incorrectly between Okta and AD.
OKTA-241281
Samanage import failed with an Error while download schema enum values: null error.
OKTA-245525
Okta to App profile mappings could not be saved after provisioning settings were enabled for an application.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Apptio (OKTA-249495)
-
BAML Works (OKTA-250531)
-
ESRI Customer Care Portal (OKTA-249497)
-
Lucidchart (OKTA-239922)
-
LucidChart (OKTA-239922)
-
Mailchimp (OKTA-250518)
-
Nice inContact (OKTA-245717)
-
Trustwave (OKTA-249499)
Applications
New Integrations
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Udemy for Business: For configuration information, see Configuring Single Sign-On and Provisioning in Okta for Udemy for Business.
SAML for the following Okta Verified applications
-
Clutch (OKTA-247508)
-
Cyberator (OKTA-250305)
-
PurelyHR (OKTA-250517)
-
Scout CMS (OKTA-251113)
-
Smart360 (OKTA-248575)
August 2019
2019.08.0: Monthly Production release began deployment on August 12
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
System Log event for Agentless Desktop SSO authentication error
A new System Log event (User not found during agentless DSSO Auth) appears when there is an Agentless DSSO authentication error due to one of the following reasons:
- The UPN is not in a valid format multiple users match
- The search criteria no users match the search criteria
Okta Active Directory agent, version 3.5.8
This release of the Okta AD agent implements a check on the AD agent service startup. The check overrides the value of the connectionLimit parameter if it is misconfigured. If the value is acceptable but not optimal, a warning message that describes the recommended value is logged. For details about the recommended values, see Okta Active Directory agent variable definitions. For agent version history, see Okta Active Directory agent version history.
Install Plugin button on the end-user dashboard on Firefox goes to Firefox Add-ons
In the Firefox browser, the Install Plugin button on the end-user dashboard now redirects to Firefox Add-ons, where users can download the latest version of Okta Browser Plugin.
Remove Duo from end user settings
Duo may now be removed from end user settings so that end user enrollment takes place only at sign-in, based on the configured MFA enrollment policy. For more information, see Duo Security (MFA).
Admin console search
Admins can now use a quick search for the names of end users or apps. However you only see search results based on what you have admin permission to view. When the search results are presented, if the name or app you are seeking is listed, you can click on the item and be taken to the corresponding user page or application page. For details, see Admin Console search.
Scoping admin privileges, AD and LDAP-mastered groups now supported
Super admins can now scope Group and Help Desk admin privileges to AD and LDAP-mastered groups in addition to Okta-mastered groups. For details, see Assign Help Desk admin privileges.
LinkedIn IdP Creation Re-Enabled
Creation of LinkedIn Identity Providers has been re-enabled in all Preview Orgs. For more information, see Set up a LinkedIn app.
Incremental import support for LDAP users
LDAP users can now take advantage of incremental imports, eliminating the need for full imports every time. Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import. For details, see LDAP integration.
Reauthentication prompts
All prompts for reauthentication now use the Sign In widget rather than the Classic UI.
IWA Desktop SSO, behavior change
If you turn off IWA DSSO, the IWA Routing Rule will be switched to Inactive. The next Routing Rule will be used to direct your users to the appropriate sign in. When you turn IWA DSSO on again, you must also switch the IWA Routing Rule to Active again. For details, see Install and configure the Okta IWA Web agent for Desktop Single Sign-on in Install and configure the Okta IWA Web agent for Desktop SSO.
Generally Available Enhancements
Devices menu is changing to the OMM menu
The Devices menu and other OMM-specific areas of Admin Console have been renamed to OMM or Okta Mobility Management. This was done to:
- Clarify that items in the menu and associated product areas are relevant only for orgs that have configured Okta Mobility Management.
- Free-up the label Devices for future use.
Active Directory, first and last name optional
You can now mark the first and last name attributes as optional for AD-mastered users. This allows you to import users with one or both of these blank fields. For details, see Make names optional in Active Directory.
New prompt during WebAuthn enrollment
A new prompt during WebAuthn enrollment that asks the user if they want to Allow Okta to see authenticator data. Fore details, see Multifactor Authentication.
2019.08.1: Update 1 started deployment on
August 14
August 19
Early Access Features
New Features
Custom Factor Authentication
Custom Factor Authentication allows admins to enable an Identity Provider factor using SAML authentication. For more information, see Custom IdP factor.
Integrate Okta Device Trust with VMware Workspace ONE for iOS and Android devices
The Okta + VMware integration is a SAML-based solution that combines the power of Okta Contextual Access Management with device signals from VMware Workspace ONE to deliver a secure and seamless end-user experience. For details, see Integrate Okta Device Trust with VMware Workspace ONE for iOS and Android devices.
Fixes
General Fixes
OKTA-194153
SCIM App template URI requests were using + instead of %20 (space), making them RFC non-compliant.
OKTA-207634
In some cases, there were redirect issues after upgrading to JIRA On-Prem version 3.0.7.
OKTA-228380
MFA-required users with , in their passwords did not automatically go through the proper PUSH flow.
OKTA-229541
To preserve cross-site functionality in light of upcoming updates to Chrome (https://www.chromestatus.com/feature/5088147346030592), Okta has added the SameSite=None attribute to all relevant cookies.
OKTA-239067
The Get Okta Mobile on the App Store page was corrupted when attempting to add a new account to native Outlook app.
OKTA-239419
Agentless DSSO failed when the Routing Rules feature was enabled because no IdP rule was created.
OKTA-240083
When Agentless DSSO failed and there was no OnPrem IWA agent, users were redirected to a default login page (an example default login page URL custom.com/login/default) instead of the customer's login page (an example URL custom.com) configured by the customer under Identify Provider Settings.
OKTA-240115
Attempts to change Group Roles through the public API failed and incorrect events were logged in the System Log.
OKTA-240523
If Prompt for factor was cleared for an existing rule, Factor mode and Factor Lifetime were erroneously displayed when the rule was expanded.
OKTA-240669
No customer-facing error messages were displayed when admins tried to save a customized email template with a subject that exceeded the 128-character limit.
OKTA-71860
An incorrect error message was shown when the body of a customized email template exceeded the maximum number of characters.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
AnyBill (OKTA-240273)
-
FCO (OKTA-241250)
-
Indianapolis Business Journal (OKTA-241433)
-
Knoll (OKTA-240954)
-
Nextiva VOIP (OKTA-240856)
-
Sfax (OKTA-241251)
-
Twilio (OKTA-241252)
-
Webex Premium (OKTA-241571)
-
WORK NUMBER Social Service Verifier (OKTA-241573)
Applications
New Integrations
SAML for the following Okta Verified applications
-
Arxspan (OKTA-240204)
-
DataGrail (OKTA-239290)
-
Getabstract (OKTA-239289)
-
HackEDU (OKTA-237775)
-
ITProTV (OKTA-238934)
-
RStudio Connect (OKTA-241802)
-
Zoom (OKTA-143049)
SWA for the following Okta Verified applications
-
One Net Receptionist (OKTA-234416)
-
Thrift Savings Plan (OKTA-233571)
-
Vendor Invoicing Portal (OKTA-233570)
Mobile applications for use with Okta Mobility Management (iOS)
-
Adobe Fill & Sign - Doc Filler (OKTA-235517)
-
Adobe Scan (OKTA-235515)
-
Adobe Scan: Mobile PDF Scanner (OKTA-235514)
Weekly Updates
2019.08.1: Update 1 started deployment on
August 19
Fixes
General Fixes
OKTA-229898
If the Service account username field was left blank on the Desktop SSO settings page when configuring Agentless Desktop SSO settings for Active Directory, the error message incorrectly used the term SPN instead of Service account username.
OKTA-237827
In Feature Manager, when an Open Beta had a dependency on a Closed Beta, the Contact Support link was missing from the Open Beta description.
OKTA-237924
Some LDAPi search requests using group membership filters timed out.
OKTA-241759
When an end user canceled their enrollment in an Identity Provider factor, they were not returned to the Okta enrollment screen automatically.
OKTA-242944
When admins enabled a Beta feature, the confirmation email they received contained incorrect Beta feature names.
OKTA-244013H
The attribute for userId in the SAML assertion was interpreted as Okta userid instead of the value sent.
OKTA-244527H
Some users could not login to their Okta org using samAccountname.
App Integration Fixes
The following SWA app was not working correctly and is now fixed
-
IBM MaaS360 (OKTA-232700)
Applications
New Integrations
SAML for the following Okta Verified applications
-
Lab Horizon (OKTA-240597)
-
Motus (OKTA-240602)
-
Purchasing Platform (OKTA-231720)
-
Target Solutions (OKTA-241682)
SAML for the following Community Created application
-
Area 1 Horizon (OKTA-241845)
2019.08.2: Update 2 started deployment on
August 26
Fixes
General Fixes
OKTA-240654
When admins customized the sign-in page, tool tip fields appeared when there should be none.
OKTA-241861
When editing the On-Prem Desktop SSO form on the Security > Delegated Authentication page, the Cancel button at the top of the form was not displayed.
OKTA-179828
Admins could deactivate a SAML Identity Provider when it was still active as an Idp Factor.
OKTA-223737
For some users, the ACTIVATE MY ACCOUNT button did not render correctly in the Activate your developer account email.
OKTA-226475
In the BambooHR app, users were imported one day before their actual start dates.
OKTA-236983
When factor sequencing feature was enabled, the Add button was displayed even when all authentication options had been added.
OKTA-239014
AD-mastered users were not able to update their primary phone number on the Settings page when the attribute was Okta-mastered and with READ-WRITE permissions.
OKTA-242976
When factor sequencing feature was enabled, for orgs that require Okta Verify with push notifications, users that were enrolled for Okta Verify TOTP and not push notifications could not sign in.
OKTA-243197
When factor sequencing feature was enabled and an Idp factor was configured, the default factor strength of the IdP factor was missing.
OKTA-243624
No results were displayed when filtering application group's membership by application name.
OKTA-243665
Users could not sign in if they were enrolled in Custom TOTP by an admin but the factor enrollment policy included both Custom TOTP as a required factor and any other factor as an optional/required factor.
OKTA-244032
A change was made to prevent conflicts with the Universal Directory expression language. It now correctly fetches the configured userId.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
First Advantage Enterprise Advantage (OKTA-239473)
-
Microsoft Office 365 (OKTA-239316)
-
Mitel Sky Portal (OKTA-241260)
-
Nice inContact Workforce Management (OKTA-242929)
-
QANTAS (OKTA-241871)
Applications
New Integrations
The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- Heureka Platform Connector: For Configuration information, see Configuring Okta Connector for Heureka Intelligence Platform
- Invisionv7: For Configuration information, see the InVision for Okta SCIM Configuration Guide.
SAML for the following Okta Verified applications
-
Arbitrip (OKTA-242956)
-
Assetnote (OKTA-243043)
-
CaseFleet (OKTA-242714)
-
Contentful (OKTA-242957)
-
Conversocial Bots Platform (OKTA-243282)
-
Good2Give (OKTA-242715)
-
Nutanix Frame (OKTA-239515)
-
Zestful (OKTA-242404)
SWA for the following Okta Verified applications
-
GetYourGuide for Suppliers (OKTA-236209)
-
Inman (OKTA-236695)
-
Oracle Textura Payment Management (OKTA-236554)
-
Simmons Insights (OKTA-236319)
-
Sprout Mortgage (OKTA-233945)
-
Telesystem CommPortal (OKTA-237396)
-
Telesystem Hosted VoIP Admin CommPortal (OKTA-237395)
-
The Trade Desk API (OKTA-241847)
Mobile application for use with Okta Mobility Management (iOS/Android)
-
OrgWiki (SCIM) (OKTA-242734)
2019.08.3: Update 3 started deployment on
September 3
Fixes
General Fixes
OKTA-221428
Group push failed if the group name shared a prefix with an already pushed group.
OKTA-222859
The Token Inline Hook service did not trigger Inline Hook System Log events.
OKTA-226939
The SAML Inline Hook service did not trigger Inline Hook System Log events.
OKTA-231689
The Resend Activation Email prompt showed the incorrect expiration time-frame.
OKTA-243785
The MFA Factor Reset email displayed an error for a custom TOTP factor.
OKTA-243953
Calls and SMS from some US regions were considered international instead of domestic for billing purposes.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Cisco Webex Teams (OKTA-243546)
-
ClearCompany (OKTA-243545)
-
General Motors GlobalConnect (OKTA-243537)
-
Instacart (OKTA-243551)
-
Nice inContact (OKTA-243548)
-
Stampli (OKTA-243543)
Applications
Application Updates
To reflect GitHub name changes we have updated our documentation as follows:
- GitHub is renamed to GitHub Team
- GitHub Enterprise Cloud is renamed GitHub Enterprise Cloud – Organization
New Integrations
SAML for the following Okta Verified applications
-
Concur Travel and Expense (Early Access) (OKTA-239059)
-
Conversocial Bots Platform (OKTA-243282)
-
FaxLogic Administrator Dashboard (OKTA-244803)
-
IntSights (OKTA-243531)
-
KCM GRC Platform (OKTA-244907)
-
Trestle (OKTA-244439)
SWA for the following Okta Verified applications
-
Armstrong e-Service (OKTA-245629)
-
Armstrong Online Order Tracker (OKTA-237974)
-
Australian Injectable Drugs Handbook (AIDH) (OKTA-242364)
-
Foxpass (OKTA-239867)
-
GlobeTax ESP (OKTA-236982)
-
Honey (OKTA-238638)
-
IBM Micromedex (OKTA-239816)
-
NYC Procurement and Sourcing Solutions Portal (PASSPort) (OKTA-242930)
-
Quest (OKTA-241899)
-
Slido (OKTA-239865)
-
TRAXPayroll (OKTA-239158)
-
Zuman (OKTA-239495)
July 2019
2019.07.0: Monthly Production release began deployment on July 15
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Timeout warning added to the Sign-In Widget
A timeout warning has been added to the Sign-In Widget for SMS and Voice Factor enrollment and challenge flows. For more information, see Customize the Okta-hosted sign-in page.
Token expiration window increased to five years
The expiration window of Refresh Tokens can be configured up to five years in custom authorization servers. The minimum expiration is unchanged. For more information, see API access management.
AD Desktop Single-Sign On, interface changes
The user interface for the Security > Delegated Authentication page used to configure Desktop Single-Sign On has been streamlined. There are no functional changes. For details, see Install and configure the Okta IWA Web agent for Desktop Single Sign-on.
Okta Verify factor available for all orgs
All orgs now have the option to configure and enable Okta Verify as a factor. For more information, see Multifactor Authentication or Okta Verify.
ADFS app support for OIDC authentication
The ADFS app now provides support for OIDC authentication. For more information, see MFA for Active Directory Federation Services (ADFS).
Custom Email Template enhancement
To curtail phishing, free editions of Okta are no longer able to create and send customized email templates. For feature information, see Customize an email template.
Okta Browser Plugin for Firefox available from Firefox Add-ons
Okta Browser Plugin version 5.31.0 for Firefox is now available from the Firefox Add-ons. For version history, see Okta Browser Plugin version history.
OPP agent, version 1.3.2
On Premises Provisioning Agent version 1.3.2 supports CSV Directory Integration. For version history, see Okta Provisioning agent and SDK version history.
Prevent end users from choosing commonly used passwords
Admins can restrict the use of commonly used passwords through the group password policy. For more information, see Configuring an Organization-wide Password Policy.
Multifactor Authentication for admins
MFA for Admins allows Super admins to enable mandatory multifactor authentication for all administrators accessing admin functionality. For details see Authentication. This feature is currently available for new orgs only.
New admin role, Report admin
The Report admin role grants a user read-only access to all reports and the System Log. Report admins do not have edit access to any data.
Dynamic network zones
You can define dynamic network zones that match IP type and geolocation specifications. For more information, see Network Zones.
LDAP support for Auxiliary Object classes
You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. For more information, see Configuring Your LDAP Settings.
Current Assignments and Recent Unassignments reports added to the Reports page
Current Assignments and Recent Unassignments reports are now linked from the Application Access Audit section of the Reports page. These match the reports available from the Applications tab. For information, see Reports.
Generally Available Enhancements
New System Log event for sent emails
A new System Log event has been added to notify admins when an email is sent to a user for verification. When fired, this event contains information about the token lifetime in the debugData.
New System Log event for redeemed credentials in an email
A new System Log event has been added to identify when a credential sent in an email to a user has been redeemed, meaning the link was clicked or the code was entered. When fired, this event contains information about the result and debugData with the action.
Validate service account credentials for Kerberos realm
When configuring the service account credentials for the Kerberos realm, you can now optionally choose to validate these credentials. For more information on Agentless DSSO, see Configure agentless Desktop Single Sign-on.
UI enhancements for Sign-On Policies and Password Policies
When creating a new MFA sign-on policy, the Prompt for Factor option is now selected by default. When creating a new password policy, the option to enforce a password history is now set to the last four passwords by default. For more information about sign-on policies and password policies, see to Sign-on policies.
System Log events for Behavior Settings
New System Log events now appear when creating, deleting, or updating behavior settings.
2019.07.1: Update 1 started deployment on
July 17
July 22
Early Access Features
New Features
Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices
Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices allows you to prevent unmanaged Android devices from accessing enterprise services through browsers and native applications.
Note: This feature requires Okta Mobile 3.14.1 for Android (or later). For details, see Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices.
Fixes
OKTA-215899
The Downloads page incorrectly reported that some agents needed to be upgraded.
OKTA-221328
Group rules were not applied to reactivated users.
OKTA-235794
When MULTIPLE_FACTOR_ENROLLMENTS was enabled and MULTIPLE_OKTA_VERIFY_ENROLLMENTS disabled, changing the Okta Verify factor to REQUIRED returned a 400 error.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Amgen FIRST STEP (OKTA-234000)
-
Bank of America CashPro (OKTA-234532)
-
Bullhorn Jobscience (OKTA-233305)
-
Credible Behavioral Health (OKTA-236584)
-
eFax Corporate Admin (OKTA-232145)
-
HRConnection by Zywave (OKTA-234054)
-
Mimecast Personal Portal v3 (OKTA-235247)
-
Percolate (OKTA-235361)
-
Thomson Reuters Legal Tracker (OKTA-228672)
-
Xfinity (OKTA-234737)
Applications
Application Updates
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Twic: For configuration information, see the Twic SCIM Integration Guide.
New Integrations
New SCIM Integration Application
The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- Zapier: For Configuration information, see the Zapier User Provisioning with SCIM guide.
SAML for the following Okta Verified applications
-
Panorays (OKTA-233837)
-
Teamie (OKTA-233564)
SWA for the following Okta Verified applications
-
A.I.D.A. Virtual Cards (OKTA-229475)
-
Aquera apps (OKTA-232806):
- AD LDS by Aquera
- Adobe Cloud by Aquera
- ADP Workforce Now by Aquera
- Atlassian by Aquera
- Box by Aquera
- Ceridian Dayforce by Aquera
- Documentum by Aquera
- Fastly by Aquera
- InvisionApp by Aquera
- Jama Software by Aquera
- LaunchDarkly by Aquera
- MongoDB by Aquera
- Runscope by Aquera
- Smartsheet by Aquera
- VividCortex by Aquera
-
Avery (OKTA-228198)
-
Cision Communications Cloud (OKTA-231151)
-
Coalfire (OKTA-228801)
-
Correspondent Hub (OKTA-229741)
-
Grip On It (OKTA-224027)
-
Jackson (OKTA-231411)
-
Moneris Gateway (OKTA-228650)
-
Music Vine (OKTA-229245)
-
National Life Group Agents Login (OKTA-231088)
-
Nationwide Financial (OKTA-231408)
-
OneMobile Oath (OKTA-224130)
-
PerfectServe (OKTA-230812)
-
Structural (OKTA-229603)
-
TIAA (OKTA-231409)
-
VPAS Life (OKTA-231407)
-
Zix Customer Support (OKTA-229476)
Weekly Updates
2019.07.1: Update 1 started deployment on
July 22
Fixes
General Fixes
OKTA-212923
A deleted LDAP instance was still visible on the Profile Editor page.
OKTA-220203
A SCIM Patch request did not handle a 204 No content response as expected.
OKTA-229606
In some cases, email notification settings for Helpdesk admins were not honored.
OKTA-237862
Instructions in Okta Verify to upgrade to Push Notifications mistakenly instructed end users to click Edit instead of + (plus) on Android devices.
OKTA-237865
Using the System Log Advanced Filter feature generated errant rate limit events.
App Integration Fixes
The following SWA app was not working correctly and is now fixed
-
Carta (OKTA-234742)
Applications
Application Updates
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Spoke (www.askspoke.com) : For configuration information, see Configuring Provisioning for Spoke.
New Integrations
The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- FuseLogic: For Configuration information, see Configuring Provisioning for FuseLogic.
- AFAS by FuseLogic: For Configuration information, see Configuring Provisioning from Afas.
- Leapsome: For Configuration information, see User provisioning via Okta from Leapsome.
- HackerRank For Work: For Configuration information, see Setting up SCIM Provisioning with Okta from HackerRank.
- iObeya: For Configuration information, see Configuring user provisioning with Okta from iObeya.
- New Relic (Limited Release): For Configuration information, see Configure SCIM provisioning from New Relic.
- PlusPlus: For Configuration information, see Configuring User Provisioning with OKTA and SCIM from PlusPlus.
SAML for the following Okta Verified applications
-
Good2Give (OKTA-233039)
-
InVision V7 (OKTA-227283)
-
PandaDoc (OKTA-236095)
-
Pathmatics Explorer (OKTA-236215)
-
QuestionPro (OKTA-236060)
-
Small Batch Learning (OKTA-237044)
-
Springer Link (OKTA-235129)
-
Viima (OKTA-235095)
-
VirtualPeople.ai (OKTA-236075)
SWA for the following Okta Verified applications
-
Angus (OKTA-233616)
-
Typography Hoefler and Co (OKTA-233903)
Mobile application for use with Okta Mobility Management (OMM) (iOS)
-
Citrix Netscaler Gateway (OKTA-227497)
2019.07.2: Update 2 started deployment on
August 5
Fixes
General Fixes
OKTA-182061
The system.agent.ad.read_topology System Log event contained a misspelling and also saved with no display message.
OKTA-222840
The 404 error page in French contained a spelling error on the Go to home page button.
OKTA-226817
Read Only admins had access to Add Origin and Edit buttons on the Trusted Origins page, but they received a You do not have permission to perform the requested action error message when trying to add or edit an origin.
OKTA-227476
For the Netsuite app, non-mandatory object attributes were treated as mandatory for group app assignments.
OKTA-228324
When signing in to an app with a factor originally registered as U2F then subsequently used as WebAuthn, users received a success message but the sign-on process looped, prompting continuously for MFA.
OKTA-228418
For the Workday app, username mappings were deleted when Provisioning settings were saved for the application.
OKTA-228446
The Japanese translation on the Password Reset screen had unnecessary punctuation.
OKTA-228963, OKTA-229818
The Japanese translation on the Okta-generated Activation page was incorrect.
OKTA-231247
For the Samanage app, user deactivation failed.
OKTA-232686
Active Directory scheduled imports ran as full imports instead of incremental.
OKTA-233323
When saving the Profile and Lifecycle Mastering settings for an LDAP directory, an error message was displayed if the Allow LDAP to master Okta users option was selected along with any Okta to LDAP provisioning features were also enable.
OKTA-233327
Changes made to the Allow <App name> to master Okta users option in an app's Provisioning settings were lost if the admin subsequently clicked the Save button in the To App section, without reloading the page.
OKTA-234463
The getManagerUser("active_directory").$attribute expression used the appuser schema to look up the property definition instead of the Okta user.
OKTA-235669
The Get Okta Mobile on the app store screen did not display correctly on the iPhone SE.
OKTA-236083
When deleting a YubiKey seed, the confirmation messages were misleading.
OKTA-236260
The Hyperspace Agent checked for SSL pinning against all requests instead of only Okta requests.
OKTA-236860
Admins were able to remove all groups and individually assigned Super Admins for an org. We now check to ensure there is always at least one Super Admin in the org.
OKTA-238999
The Okta Verify icon displayed on the User Factor Reset page of the Admin Console was outdated.
OKTA-239323
In existing free trial editions of Okta, the pencil icon that allows admins to edit customized email templates was grayed out instead of active, as expected. Note that in new free trial editions, the pencil icon is grayed out as a security precaution.
App Integration Fixes
The following SAML app was not working correctly and is now fixed
-
Zapier SAML (OKTA-239414)
The following SWA apps were not working correctly and are now fixed
-
AvePoint Online Services (OKTA-236799)
-
Constellation Energy Manager (OKTA-239151)
-
Dynatrace (OKTA-236800)
-
Equinix Customer Portal (OKTA-237306)
-
FastMail (OKTA-236798)
-
Flickr (OKTA-237551)
-
Forrester Research (OKTA-233568)
-
GS1 US (OKTA-237509)
-
Gusto (OKTA-239476)
-
Inbox by Gmail (OKTA-237790)
-
Informatica Cloud (OKTA-239291)
-
Liquid Web (OKTA-237452)
-
LiveChat (OKTA-239926)
-
MassMutual RetireSmart (OKTA-239477)
-
Microsoft Embedded Communication Extranet (OKTA-237786)
-
My NS Business (OKTA-236797)
-
Notion (OKTA-236796)
-
Parse.ly (OKTA-239314)
-
Peapod (OKTA-236795)
-
PremiumBeat (OKTA-236801)
-
Royal Caribbean Cruise Lines (OKTA-239334)
-
Sainsburys Groceries (OKTA-238858)
-
Skrill (OKTA-236794)
-
Societe Generale: Markets (OKTA-237787)
-
The Wall Street Journal (OKTA-237636)
-
Thomson Reuters Legal Tracker (OKTA-237785)
-
VSP (OKTA-238098)
-
Wells Fargo Funding (OKTA-236805)
Applications
Application Updates
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- HackerRank for Work: For configuration information, see Setting up SCIM Provisioning with Okta.
New Integrations
The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- RFPIO: For Configuration information, see the RFPIO User Provisioning Okta guide.
- Siftrock: For Configuration information, see the Siftrock Okta SCIM Configuration Guide.
SAML for the following Okta Verified applications
-
Amazon Business (OKTA-236081)
-
Circula (OKTA-233040)
-
Forcepoint Web Security (OKTA-209495)
-
Wealth Access (OKTA-238247)
SWA for the following Okta Verified applications
-
8x8 PartnerXchange (OKTA-226146)
-
Agilent (OKTA-232699)
-
Aimsio (OKTA-232267)
-
Behance (OKTA-234044)
-
Bpost (OKTA-231079)
-
citibank (OKTA-239471)
-
CodySoft Health Plan Management System (OKTA-231679)
-
Evan Evans Tours (OKTA-232322)
-
HERE Developer (OKTA-233014)
-
M Financial Group (OKTA-231423)
-
MenaITech (OKTA-233606)
-
MillerSearles (OKTA-231421)
-
Pacific Life Annuities (OKTA-231420)
-
Schwab Institutional (OKTA-230675)
-
SmartFile (OKTA-237953)
-
Trustwave Portal (OKTA-231868)
June 2019
2019.06.0: Monthly Production release began deployment on June 10
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Matching imported users
When you import users, you now can set up Okta rules to match any attribute that is currently mapped from an AppUser profile to an OktaUser profile. This helps you sync identities across systems and determine whether an imported user is new or if the user profile already exists in Okta. For more information, see Match imported user attributes.
Enhanced Okta LDAP integrations with Universal Directory
Okta LDAP integrations now feature custom mapping, schema discovery, and a fully extensible attribute schema that allows you to import or update any attribute stored in LDAP. With these enhancements, Okta LDAP matches the schema functionality already available to Okta's Active Directory integrations. Note: This feature is in Production for new orgs only.For more information, see Profile Editor.
Last factor remembered for authentication
End users who attempt to sign in to their org are prompted to authenticate with the last factor they used based on the device or client. For more information about authentication factors, see Multifactor Authentication.
Enhanced Group Push for Samanage
Group Push now supports the ability to link to existing groups in Samanage. For details about this feature, see Group Push
Location zones support blacklisting
You can blacklist an entire location zone to prevent clients in the zone from accessing any URL for your org. For more information on zones, see Networks.
LDAP support for Auxiliary Object classes
You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. For more information, see LDAP integration.
New macOS Device Trust Registration Task, version 1.2.1
This release provides the following:
- The enrollment process is halted if the default keychain is unavailable for some reason (for example, is corrupted or missing). This ensures that end users are not prompted to reset the keychain.
- An improved Registration Task update process ensures that enrolled devices are not inadvertently unenrolled in the event the update itself fails.
- Provides support for a query allowing admins to determine which version of the Registration Task is installed on the device.
For details, see Okta Device Trust for macOS Registration Task Version History.
New Windows Device Trust Registration Task, version 1.3.1
This release includes the following:
- Improved handling of private keys to ensure successful certificate renewal.
- To fix an issue in earlier versions where a failed certificate renewal could leave computers in a bad state, this version allows admins to trigger certificate renewal on a per-computer basis. For details, see Force certificate renewal in some circumstances.
For version history, see Device Trust for Windows Desktop Registration Task Version History.
Okta Windows Credential Provider, version 1.1.4
This version contains bug fixes and general improvements
For more details, see Okta MFA Credential Provider for Windows.
Okta Browser Plugin version 5.29.0 for all browsers
This version includes the following:
- Quick Access apps tab (currently available as Early Access)
- Real time reflection of apps and profile changes in the end-user dashboard (currently Generally Available for Preview orgs)
- Back-end enhancements
For more information, see Allow end-users to quickly access apps.
Generally Available Enhancements
Password policy default for new orgs
The default password policy for new orgs is updated to enforce that a password may not be reused if it matches one of four previously used passwords. For more information, see Sign-on policies.
Early Access Feature Manager enhancement
The EA Feature Manager now displays a dialog box detailing any known limitations for that Early Access feature. Admins will be prompted to acknowledge they have read and accept these limitations.
Aquera apps timeout increased
We have increased the SCIM API timeout value for Aquera and Aquera (Basic Auth) apps to 5 minutes.
Okta Sign-on widget improvements
The look and feel of the Okta Sign-on Widget has been improved for accessibility and readability.
2019.06.1: Update 1 started deployment on
June 12
June 17
Early Access Features
New Features
System Log event for Agentless Desktop SSO configuration updates
When changes are made to the Agentless DSSO configuration, the System Log tracks the action as shown below. For more information on Agentless Desktop SSO, see Configure Agentless Desktop SSO.
System Log event for Kerberos realm settings
When changes are made to the Kerberos realm settings, the System Log tracks the action as shown below. This event also indicates the initiator of the event and the current setting for Kerberos Realm. For more information on Agentless Desktop SSO, see Configure agentless Desktop Single Sign-on.
System Log event for Agentless Desktop SSO redirects
When Agentless Desktop SSO redirects to the IWA SSO agent or the default Sign In page, the System Log tracks the action as shown below. For more information on Agentless Desktop SSO, see Configure agentless Desktop Single Sign-on.
Fixes
General Fixes
OKTA-145726
Admins were able to enter more than one name into the Add Administrator dialog box.
OKTA-198019
Okta didn't push the user reactivation to Salesforce when a user was reassigned to the application in Okta.
OKTA-214457
Report admins were able to view the Directory > People tab.
OKTA-218387
Super admins were able to assign Org admin notifications to include Rate limit warning and violation emails.
OKTA-222666
When a user was mastered by both LDAP and AD, group rules that are dependent on the second master's group membership weren't triggered.
OKTA-225931
Inline hooks weren't called when importing data using a CSV Directory integration.
OKTA-227137
In the Device Trust set up for iOS and Android, the Reset Secret Key dialog box was too wide.
OKTA-227449
When using Internet Explorer to view Step 2 of the Device Trust Setup wizard in the Admin Console, the Previous button was missing.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Airbnb (OKTA-223490)
-
Atlassian Jira Service Desk (OKTA-225796)
-
Butler University (OKTA-225109)
-
Comerica Business Connect (OKTA-228368)
-
Corporate Traveler (OKTA-228370)
-
Curalate (OKTA-228373)
-
Go365 (OKTA-229492)
-
HighBond (OKTA-228038)
-
HM Revenue and Customs (HMRC) (OKTA-229496)
-
Hyatt Legal Plans (OKTA-229498)
-
InVision (OKTA-227444)
-
Lifeworks (OKTA-225685)
-
Lucky Orange (OKTA-228407)
-
Okta Help Center (OKTA-229494)
-
PowerDMS (OKTA-228367)
-
Safari Online Learning (OKTA-228404)
-
Schwab StockPlanManager (OKTA-226694)
-
Sonic Boom (OKTA-229495)
-
Squarespace V5 (OKTA-228400)
-
The Trade Desk (OKTA-219683)
-
TigerText (OKTA-229690)
The following SAML apps were not working correctly and are now fixed
-
HighBond (OKTA-228037)
-
Service-Now UD (OKTA-210568)
Applications
Application Updates
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- TOPdesk Person by FuseLogic: For configuration information, see The TOPdesk Person Configuration Guide.
- TOPdesk Operator by FuseLogic: For configuration information, see The TOPdesk Operator Configuration Guide.
New Integrations
New SCIM Integration Application
The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- SalesLoft: For Configuration information, see the SCIM Guide for SalesLoft - Okta.
SAML for the following Okta Verified applications
-
Bamboo by miniOrange (OKTA-225331)
-
Chargebee (OKTA-228025)
-
COR (OKTA-223779)
-
Fisheye/Crucible by miniOrange (OKTA-225341)
-
MindTouch (OKTA-222766)
-
QuestionPro (OKTA-229101)
-
StatusHub Admin (OKTA-228032)
-
Synerion Enterprise (OKTA-229100)
SWA for the following Okta Verified applications
-
Barracuda Email Security Service (OKTA-223499)
-
Constellation Energy Manager (OKTA-217426)
-
Greenbyte Breeze (OKTA-226657)
-
ISACA (OKTA-220349)
-
NetFortris HUD Web (OKTA-221616)
-
Techsmith (OKTA-221549)
-
UHOne Broker Portal (OKTA-224243)
Weekly Updates
2019.06.1: Update 1 started deployment on
June 17
Fixes
General Fixes
OKTA-207466
When locked-out user emails were sent to all admins, not just those able to unlock the users, the emails did not include user information.
OKTA-218823
When editing an existing Device Trust configuration using the new mobile Device Trust wizard, the Mobile device management provider field was blank instead of containing the vendor name.
OKTA-219430
When using the Radius app for authentication, after the initial push notification, subsequent notifications from Okta Verify listed the incorrect location.
OKTA-220139
The Send test email feature attempted to send emails to admin's username instead of their email address.
OKTA-221079
Not all zones were displayed in the Exempt Zones search filter when there were more than 10 search results.
OKTA-224052
When users tried to sign in but chose the incorrect PIV card, clicking Retry displayed the Okta 404 error page instead of the custom error page.
OKTA-224158
Trying to access custom apps on Okta Mobile Android browser failed.
OKTA-225869
Group admins were able to add a user to an administrator group upon user creation.
OKTA-226049
If no Device Trust platform was configured in Security > Device Trust, an incorrect message was displayed in the Device Trust section of the Add Rule dialog box when creating a Sign On policy.
OKTA-226145
LDAP provisioning failed when trying to deactivate users in the AD Lightweight Directory Services (LDS) server.
OKTA-226369
The documentation icon and link on the FIDO2 (WebAuthn) factor type page was formatted incorrectly.
OKTA-229440
When a user attempted to reset the Webauthn factor and the reset failed, the wrong error message was shown.
OKTA-229725
Two System Log events were generated instead of one when the name of an Inline Hook was changed.
App Integration Fixes
The following SAML app was not working correctly and is now fixed
-
HighBond (OKTA-230762)
The following SWA apps were not working correctly and are now fixed
-
American Express - Work (OKTA-230058)
-
Appsee (OKTA-230282)
-
GitHub (OKTA-229516)
-
PowerDMS (OKTA-230286)
-
Spiceworks (OKTA-230304)
Applications
New Integrations
SAML for the following Okta Verified application
-
Way We Do (OKTA-229995)
SWA for the following Okta Verified applications
-
Amgen FIRST STEP (OKTA-217876)
-
Apptio (OKTA-223714)
-
BSPlink (OKTA-224041)
-
Flightradar24 (OKTA-71196)
-
GitHub.com (OKTA-229516)
-
Notion (OKTA-220840)
-
Snowflake (OKTA-227090)
-
Synopsys eLearning (OKTA-226662)
2019.06.2: Update 2 started deployment on
June 24
Fixes
General Fixes
OKTA-218818
Identity Provider Routing Rules produced unnecessary System Log events.
OKTA-227097
The SMS Usage Report categorized messages to Canada as international instead of domestic.
OKTA-230756
Navigating the System Log and maps generated rate limit warnings and violations.
OKTA-231842
The Windows Hello factor was listed as enabled when only the U2F factor was enrolled.
OKTA-232420
On the Okta Privacy page, information in the Introduction and Contact Us sections was out of date.
App Integration Fixes
The following SAML app was not working correctly and is now fixed
-
RedLock (OKTA-228626)
The following SWA apps were not working correctly and are now fixed
-
AT&T Business Direct (OKTA-225556)
-
Bing Ads (OKTA-230606)
-
Carta (OKTA-231435)
-
Commuter Check Direct (OKTA-230032)
-
Flexential Portal (OKTA-231722)
-
Intel - Supplier (OKTA-229135)
-
MyRackspace Portal (OKTA-231264)
Applications
Application Updates
-
We are updating the names of some app integrations as follows:
-
Jira On-premise > Atlassian Jira Server
-
Confluence On-premise SAML > Atlassian Confluence Server
-
Atlassian Confluence Server > Atlassian Confluence Cloud
-
Jira Cloud (Atlassian) > Atlassian Jira Cloud
-
- Tableau Online now supports the following Provisioning features (this is in addition to the other provisioning features that it already supports):
- Update user attributes
- New attribute: Site Role
Users that set up the Tableau Online integration and enabled Provisioning before June 12, 2019 need to follow the steps detailed in the Tableau Online Configuration Guide in order to use this new feature and/or attribute.
New Integrations
The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- OrgWiki (SCIM): For Configuration information, see the OrgWiki Okta SCIM Configuration Guide.
SAML for the following Okta Verified applications
-
Avochato (OKTA-228020)
-
Stack Overflow for Teams (OKTA-229999)
-
Whimsical (OKTA-232056)
SWA for the following Okta Verified applications
-
American Banker (OKTA-227046)
-
Ivanti Partners (OKTA-228205)
2019.06.3: Update 3 started deployment on
July 1
Fixes
General Fixes
OKTA-145001
When a user entered an invalid country code in a user profile, the error message was not specific enough.
OKTA-221804
Reports listing App admin application assignments incorrectly displayed All <appname> Apps instead of only the scoped applications that the admin had access to.
OKTA-222453
Org admins were able to access the Getting Started page.
OKTA-224240
End users authenticating with Inbound SAML into Okta could not edit their profiles from the end-user dashboard.
OKTA-225137
The IWA web app redirected user sessions to the incorrect user when the web app was located behind AWS Network Load Balancer.
OKTA-228723
Updating more than one inline hook field created a System Log entry for each changed field.
OKTA-229765
Sign-in attempts that were prevented by the Pre Authentication Sign-On Policy Evaluation were not identified correctly in the System Log.
OKTA-231465
Searching for groups using the LDAP Interface worked only when the Paged Search option was enabled in the LDAP settings.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Comcast Business (OKTA-229067)
-
Toggl (OKTA-230708)
-
CloudAlly (OKTA-232109)
-
Synopsys eLearning (OKTA-232254)
Applications
Application Updates
-
We have made the following changes to our OrgWiki SCIM OAuth integration:
-
Changed the assignedID attribute to assignedId
-
Changed attribute mapping for assignedId attribute from user.employeeNumber to user.email
-
-
We have added the following SAML attribute to our Zapier integration:
-
Name: internalId, value: user.id
-
- We have added the following SAML endpoints to our Sumologic integration:
- https://service.ca.sumologic.com
- https://service.de.sumologic.com
- https://service.jp.sumologic.com
New Integrations
SAML for the following Okta Verified applications
-
Jumpstart (OKTA-225579)
-
ClickUp (OKTA-231641)
-
Atatus (OKTA-231643)
-
Auryc (OKTA-231655)
-
Postman (OKTA-233559)
-
Cloud Management Suite (OKTA-204349)
-
ChurnZero (OKTA-207112)
-
Sigma (OKTA-231716)
-
BigID (OKTA-231654)
2019.06.4: Update 4 started deployment on
July 8
Fixes
General Fixes
OKTA-155522
The Get access with Okta mobile link was underlined inconsistently in webview.
OKTA-205368
When an app sign-on policy rule was set to deny not-in-zone authentications, users who were denied the access were not redirected to the contact admin page as expected.
OKTA-221617
When using the group search API to search based on group names, if the group name contained a %(percentage) symbol the API call failed and returned no value.
OKTA-227706
api/v1/groups endpoint did not return the next page header unless limit was specified and defaulted to 10,000, even when more than 10,000 groups existed.
OKTA-227747
Downloading the list of admins in CSV format from the Devices > Devices tab failed with a 500 error.
OKTA-228245
The default new user activation emails were not formatted correctly when viewed inside Outlook 2016 client on Windows 10.
OKTA-229130
If an app name was bigger than 50 characters, a POST call to /api/v1/meta/schemas/apps/$instanceId/default failed with the error name: The field is too long.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Betterment (OKTA-232680)
-
GoAnywhere Login (OKTA-233563)
-
Iheart Radio (OKTA-233013)
-
Microsoft Office 365 (OKTA-232668)
-
PlanGuru (OKTA-233010)
-
ServiceM8 (OKTA-233011)
-
Shopify (OKTA-231343)
-
Solarwinds (OKTA-233164)
-
Udacity (OKTA-233012)
Applications
New Integrations
SAML for the following Okta Verified applications
-
BigID (OKTA-231654)
-
New Relic (Limited Release) (OKTA-233359)
-
SWBC - AutoPilot Portal (OKTA-226704)
-
Wandera (OKTA-233317)
-
Zscaler Private Access 2.0 (OKTA-193443)
Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)
-
Aquera (OKTA-230755)
SWA for the following Okta Verified application
-
Aquera (OKTA-230755)
May 2019
2019.05.0: Monthly Production release began deployment on May 13
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Password Expiry settings for Active Directory
You can specify the password expiry policies for Active Directory for all preview organizations to set the number of days before password expiry when the user receives a warning.
Improved mobile Device Trust enablement flow for admins
The new mobile Device Trust enablement flow uses a 2-step wizard for a clearer, more consistent admin experience. Existing enablement settings are migrated automatically to the new flow, so there's no need for customers with existing Device Trust deployments to change their configuration. For details, see .
Assign admin privileges to an Okta group
Super admins can now assign Okta admin privileges to Okta groups, making it easier to onboard large numbers of admins quickly. Everyone in the group receives the admin privileges assigned to the group.
IdP Extensible Matching Rules
IdP extensible matching rules allow you to define a regular expression pattern to filter untrusted IdP usernames. For details, see our IdPs page.
Configure a custom URL domain
You can customize your Okta org by replacing the Okta domain name with a custom URL domain name that you specify. For example, if the URL of your Okta org is https://example.okta.com, you can configure a custom URL for the org such as https://id.example.com.
CSV Directory Integration
The CSV directory integration is a lightweight out-of-the-box option that enables you to build custom integrations for on-premises systems using the Okta On-Premises Provisioning agent. See CSV directory integration.
Active Directory agent, version 3.5.7
This version of the AD agent includes fixes to close and recreate connection groups and add a retry in response to 502 errors during import.
For agent version history, see Okta Active Directory agent version history.
System Log events for blacklisted countries
When a country is added or deleted from a blacklist, the System Log tracks the action, as shown below. For more information on blacklisting, see Network zones.
Generally Available Enhancements
Accounts locked after ten successive lockouts without a successful sign-in attempt
If an account has ten successive account lockouts followed by auto-unlocks with no successful sign-in attempts, Okta ceases auto-unlocks for the account and logs an event. For more information on account locking, see Sign-on policies.
Okta SSO IWA Web agent, new version 1.12.3
This version of the Okta SSO IWA Web agent contains internal fixes. For version history, see Okta SSO IWA Web App version history.
UI Improvements for Security Email Notifications
Settings for end user email notifications have been moved to their own section: Security Notification Emails. For more information, see General Security.
WebEx additional attributes
We have added more extensible attributes to the WebEx application. For details, see the WebEx Provisioning Guide.
DocuSign authentication mode change
We are switching the authentication mode of our DocuSign provisioning integration to OAuth. For more information, see the DocuSign Provisioning Guide.
Okta Browser Plug-in version 5.28.0 for all browsers except Internet Explorer
This version includes the following enhancements:
- Accessibility improvements
- ARIA attributes for UI elements
- Alt text for logos and images
- Access to controls and tooltips through keyboard
- Real-time reflection of the end user dashboard (currently an Early Access feature). For more information, see Okta Browser Plugin version history.
Fixes
General Fixes
OKTA-215983
Email templates translations for MFA Factor Enrolled and MFA Factor Reset did not work when the Thai language was selected.
OKTA-217878
For Self Service app registration for apps with provisioning enabled, when admins changed the Approval setting from Required to Not Required the resulting error message was misleading.
OKTA-218001
System Log entries for Device Trust displayed incorrect spacing for some entries.
OKTA-220849
The SuccessFactors app import API did not work.
OKTA-221717
Routing rules for Identity Provider discovery were ignored when both IWA Desktop SSO and Agentless SSO were enabled.
OKTA-221914
Identity Provider routing rules that set User Matches to User Attribute matches Regex were not evaluated correctly.
OKTA-222256
CSV Directory scheduled incremental imports failed.
OKTA-222632
Admins who manage two groups, one granted via individual assignment, and the other via group assignment, could not assign users from one group into the other.
OKTA-222660
When using the LDAP interface, pagination on groups containing more than 1000 users failed.
OKTA-224104
Users assigned admin roles by group did not get assigned the correct default admin email settings.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Adobe Fonts (OKTA-222877)
-
Air France (OKTA-223010)
-
The Australian (OKTA-221618)
-
FINRA IARD (OKTA-223775)
-
Keap (OKTA-222416)
-
LastPass (OKTA-206231)
-
Metropolitan Bank US (OKTA-222451)
-
Mimecast Personal Portal v2 (OKTA-221490)
-
Nationale Nederlanden: Pensioen Service Online for Business (OKTA-222412)
-
Nextdoor (OKTA-223774)
-
Nmbrs (OKTA-223801)
-
Oakland Public Library Catalog (OKTA-222415)
-
Onfido (OKTA-223804)
-
Optimal Blue (OKTA-223500)
-
Plooto (OKTA-223747)
-
Poll Everywhere (OKTA-223776)
-
The San Diego Union-Tribune (OKTA-223015)
-
WhiteHat Sentinel (OKTA-222784)
-
Wrike (OKTA-223803)
Applications
New Integrations
New SCIM Integration Application
The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- TeamViewer: For configuration information, see Configure Provisioning for TeamViewer
- Zerotek: For configuration information, see the Zerotek SCIM Configuration Guide Instructions.
- Drafted: For configuration information, see the Drafted Okta Provisioning (SCIM) Step-by-Step Guide.
-
Spoke (www.askspoke.com): For configuration information, see Configuring Provisioning for Spoke.
SAML for the following Okta Verified applications
-
Buildkite (OKTA-215231)
-
ExpenseIn (OKTA-223019)
-
FireHydrant (OKTA-221216)
-
StoriesOnBoard (OKTA-223754)
-
Syndio (OKTA-221802)
-
Zoom SAML (OKTA-223027)
SWA for the following Okta Verified applications
-
Dynatrace (OKTA-221851)
-
Legislative Tracking System (OKTA-219355)
-
Park-line (OKTA-222807)
-
Tax Workflow (OKTA-222999)
Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)
-
RescueAssist (OKTA-220114)
Weekly Updates
2019.03.1: Update 1 started deployment on
March 20
Fixes
General Fixes
OKTA-211631
Active Directory imports failed when federation broker mode was disabled for the app.
OKTA-212278
The Japanese translation of the end-user activation page needed improvement.
OKTA-213647
The System Log advanced search returned a 500 error when processing search terms containing the percent character (%).
OKTA-221535
Admins saw a loop when they enabled Multifactor Authentication for admins with no MFA factor set as Optional or Required in the corresponding MFA policy.
OKTA-221914
In cases where IdP Discovery was enabled, when a routing rule was configured to use User Attribute matches Regex for User Matches, the regular expression would be evaluated improperly.
OKTA-222183
If an Event Hook name was changed after it had been verified, users were asked to verify the Event Hook again.
OKTA-224205
Local users not assigned the RDP app were able to sign in to the app without being prompted for MFA if their user account on the server had rights to connect to RDP sessions and InternetFailOpenOption was set to True. Okta Windows Credential Provider version 1.1.4.0 needs to be downloaded for this fix.
OKTA-225805
The Security > General > Security Email Notifications page briefly displayed incorrect values after the email fields were set to Enabled and then the page was refreshed.
OKTA-225584H
When using the LDAP interface if a soft token was specified as a part of a bind request's credentials, a push notification may have been erroneously sent to the user's phone while normal authentication using the soft token was taking place.
App Integration Fixes
The following SAML app was not working correctly and is now fixed
-
RedLock (OKTA-213155)
The following SWA apps were not working correctly and are now fixed
-
Cisco (OKTA-218994)
-
Visual Website Optimizer (OKTA-224230)
Applications
New Integrations
SAML for the following Okta Verified applications
-
CloudAcademy (OKTA-220845)
-
Druva 2.0 (OKTA-224318)
-
PitchBook (OKTA-222083)
-
Squadcast (OKTA-223018)
SWA for the following Okta Verified applications
-
CodySoft (OKTA-223598)
-
iAuditor (OKTA-225943)
-
Medi-Cal (OKTA-225406)
-
Saia (OKTA-223491)
2019.05.2: Update 2 started deployment on
May 28
Fixes
General Fixes
OKTA-220205
Failed authentication using FIDO factors were counted towards account lockout limit.
OKTA-222410
Mobile admins could not edit native apps despite having necessary permissions.
OKTA-223821
An IWA Auth event was incorrectly triggered in the System Log when a user logged in via Agentless Desktop SSO. The Authenticate User via IWA event has been removed from this flow. No other events in the flow are impacted.
OKTA-224002
Changing the LDAP configuration did not convert the next LDAP incremental import to a full import as expected.
OKTA-226976H
Setting up JAMF failed when testing the API credentials for On-Premises JAMF server that uses SSL certificate signed by by USERTrust RSA Certification Authority.
OKTA-227307
A user identifier condition evaluation for IdP Discovery sometimes returned an HTTP 400 bad request error when either the user or the attribute being evaluated was not found.
OKTA-228350H
When the EA feature, OFFICE365_USE_GRAPH_API_FOR_PROVISIONING was enabled, in certain cases Office 365 groups were deleted during an import.
OKTA-2285347H
Imports from Office 365 failed if the EA feature, OFFICE365_USE_GRAPH_API_FOR_PROVISIONING was enabled.
OKTA-230034H
Agentless Desktop SSO failed to authenticate on misconfigured Chrome browsers, resulting in a 400 Bad Request error.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Boxed (OKTA-226698)
-
CBT Nuggets (OKTA-226697)
-
Contract Express (OKTA-225826)
-
Copper (OKTA-223771)
-
Customer Service Portal (OKTA-225821)
-
Mimecast Personal Portal v2 (OKTA-226257)
-
Nextiva NextOS 3.0 (OKTA-225822)
-
Prosperworks (OKTA-225823)
-
Rackspace Admin Control Panel (OKTA-225820)
-
WP Engine (OKTA-225575)
Applications
Application Updates
The MaestroQA application integration now supports Just In Time (JIT) provisioning.
New Integrations
The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- Syndio: For configuration information, see Syndio SSO Configuration.
- Status Hero: For configuration information, see Configuring Okta SCIM Provisioning for Status Hero.
SAML for the following Okta Verified applications
-
Activaire Curator (OKTA-226658)
-
Aqua Cloud Security Platform (OKTA-220542)
-
CallPlease (OKTA-225465)
SWA for the following Okta Verified applications
-
Cisco Webex Teams (OKTA-221715)
-
Healthx (OKTA-226236)
-
Key Travel (OKTA-223497)
-
Technology Review (OKTA-225508)
2019.05.3: Update 3 started deployment on
June 03
Fixes
General Fixes
OKTA-193320
When Agentless Desktop SSO was denied due to Network Zone settings, the default Okta Sign In page was presented instead of defaulting to agent-based Desktop SSO.
OKTA-218719
No more than five applications could be created through the Admin Console for developer production orgs.
OKTA-219246
Users were unable to sign in to Okta when using Chrome browsers on Chromebooks.
OKTA-220360
The Identity Provider (IdP) admin page encountered a rate limit error when there were a large number of IdPs configured and an admin clicked through the list quickly.
OKTA-220640
Deactivated admins were not listed on the Administrators page.
OKTA-222413
Clicking the Resend Activation Email button sent the Password Reset email instead of the User Activation email.
OKTA-225581
The System Log did not log the User account unlock by admin event when a bulk account unlock action was performed by an admin.
OKTA-226272
After an OAuth2 authorize flow, ID Tokens were missing the nonce claim if a routing rule was configured to default to a social IdP.
OKTA-229525H
When a user tried to sign in to an IdP that was set up as a profile master, it sometimes resulted in incorrectly creating a new user instead of linking to the existing user.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Amazon UK (OKTA-226343)
-
Bing Ads (OKTA-226105)
-
IBM Cloud (OKTA-226062)
-
Northern Trust (OKTA-225827)
-
Sterling HSA (OKTA-223769)
-
UBS One Source (OKTA-226305)
Applications
Application Updates
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Syndio: For configuration information, see Syndio SSO Configuration Guide.
New Integrations
The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- Cybsafe: For configuration information, see CYBSAFE-Okta SCIM App Configuration.
- Druva 2.0: For configuration information, see Manage Users from Okta using SCIM.
- Snowflake: For configuration information, see Configuring Provisioning for Snowflake.
SAML for the following Okta Verified applications
-
Aspen Mesh (OKTA-223014)
-
BitBucket by miniOrange (OKTA-225246)
-
Confluence by miniOrange (OKTA-225240)
-
Jira by miniOrange (OKTA-225231)
-
Juno (OKTA-227096)
-
productboard (OKTA-225440)
SWA for the following Okta Verified application
-
GoToMeeting (OKTA-226649)
April 2019
2019.04.0: Monthly Production release began deployment on April 15
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Enhanced Group Push for Litmos
Group Push now supports the ability to link to existing groups in Litmos. While this option is currently only available for some apps, we'll periodically add this functionality to more provisioning-enabled apps. For details about this feature, see Group Push.
Schema Discovery for Litmos
The Litmos provisioning app now supports UD and Schema Discovery. For more information, see the Litmos Provisioning Guide.
Enhanced Okta Mobile Security Settings for Android and iOS
Applies to:
- Okta Mobile 3.8.1+ for Android
- Okta Mobile 5.22.0+ for iOS
From the admin console, you can configure the following security settings for devices running specific versions of Okta Mobile:
- Specify the PIN length.
- Allow/disallow use of a simple PIN (repeating/ascending/descending numeric sequences).
- (Android only) Allow/disallow users taking screenshots, recording videos, or sharing their screen.
For details, see Okta Mobile Settings.
Enhanced search for Group membership rules
You can now search for group rules by name, target groups, and expression conditions. For more information about Group membership rules, see Group rules.
Change to Reset Password page
When Administrators navigate to Directory > People > Reset Password, the default view is now Locked Out users instead of All. This has been changed for performance reasons. See Reset a user password or Reset multiple user passwords.
LDAP Agent, version 5.5.7
This release includes the following:
- Bug fixes for incremental import.
-
A new System Log event fires when the modifyTimestamp attribute in LDAP is null for users or groups, which causes incremental import to be converted to a full import. One event per import session is logged.
For agent version history, see Okta LDAP Agent version history.
Admin change to org settings requires additional reauthentication
To increase security on admin accounts, additional authentication is required when an admin makes changes to the org's User Account settings (Settings > Customization > User Account). If it has been more than 15 minutes since they last entered their pass- word, the admin is asked to enter their password again to reauthenticate. If multifactor authentication is configured, the admin will be prompted for MFA verification as well. For details, see Configure whether user passwords and personal information are managed by Okta or externally.
New Template App
The Template Two Page Plug-in App has been added to the OIN. This plugin template app enables org admins to create private SWA apps for the two-page sign in flow, where the username field is on the first page, and the password field is on the second page. It works much like the Template Plug-in App and Template Plug-in App 3 Fields. For more information about Template apps, see Configure the Okta Template App and Okta Plugin Template App.
Okta Browser Plug-in version 5.27.0 for Chrome and Internet Explorer
This version includes the following enhancements:
-
For Chrome and Internet Explorer, a keyboard shortcut to open the Okta Browser Plug-in. Users will see a recommendation to use the shortcut when they click on the plugin popover window. This recommendation is only shown once.
- For Internet Explorer, you can disable the shortcut in the Registry Editor.
-
Users can also close Okta Browser Plug-in popups using keyboard shortcuts.
- For Chrome, the Okta Secure Web Authentication Plug-in is renamed to the Okta Browser Plug-in.
Okta Browser Plug-in version 5.26.2 for Safari
This version includes backend enhancements. For version history, see Okta Browser Plugin version history
Generally Available Enhancements
EA Feature Manager enhancement
The EA Feature Manager now allows you to more easily discover and enable functional dependencies for EA product features. Any EA product feature with dependencies highlights its dependencies and provides a link to that dependency so that you can enable the dependencies before enabling the EA product feature.
Trust site links renamed to Status
The Trust site links in the Admin footer and error pages have been renamed to Status.
Sensitive values masked
For values of attributes marked as sensitive, the values are masked with asterisks in OpenID Connect and Access Token Preview. For more information on these types of tokens, see API access management.
Custom Sign-in Pages can use Sign-in Widget version 2.18
Custom Sign-in Pages can now use Sign-in Widget version 2.18. Selecting the latest option automatically uses 2.18. For more information on the Sign-In Widget, see Okta Sign-in Widget.
Self-service OIDC Apps
OIDC apps are eligible for self-service registration. For more information about self-service registration, see About self-service registration.
Amazon AWS app updates
The Amazon AWS app integration has been updated as follows:
- Dynamic mapping of multiple accounts/roles within AWS: This feature allows dynamic mapping of multiple accounts/roles within AWS by using group assignments from Okta. For more information, see Connect Okta to Multiple AWS Instances via User Groups. Note that previously this was available as an Early Access feature. This functionality is now available as a option on the Sign On tab.
- Join all roles: A new Join all roles option is available on the Amazon AWS app Sign On page that allows admins to specify that AWS SAML uses all roles (users and groups).
- Improved security: The Amazon AWS app integration's App Filter application property on the Sign On tab is updated to provide better security and maintainability.
Rate Limits Updated
Okta's API rate limits have been updated: OAuth 2 rate limits were updated and clarified for all orgs. The limit for the api/v1/apps endpoint was updated for Enterprise orgs. For more information, see Rate Limits at Okta.
Enhanced user experience on end user dashboard
This includes the following enhancements:
- End-user dashboard UI elements respond better to mobile screen sizes.
- Launch App box is available on mobile screens. The dashboard app integrations have a new appearance.
For more information about the dashboard, see Manage dashboard tabs for end users
2019.04.1: Update 1 started deployment on
April 19
April 22
Fixes
General Fixes
OKTA-191963
Some G Suite license options were missing from the Okta Integration Network.
OKTA-198767
Loading a Custom Sign On Page with a configured Custom Domain returned a 404 error if the web browser was configured with a primary language other than English.
OKTA-207897
When importing user profiles from WebEx, the country code did not convert to the country name.
OKTA-208292
While creating a new contact in the SFDC Customer Portal, Okta provisioning did not search for matching existing Contact objects in Salesforce.
OKTA-208907
When a new LDAP instance was configured, settings related to Delegated Authentication were overwritten.
OKTA-209762
End users could not upgrade from Okta Verify with a One Time Passcode (OTP) to Okta Verify with Push if their org Sign On policy did not prompt for an MFA, but their app Sign On policy did.
OKTA-210250
The lastDownloadToken field in agent logs did not update after incremental imports.
OKTA-210873
When BambooHR was Profile Master, expression mappings were not updated for Office 365.
OKTA-211709
Litmos did not automatically reschedule and import a job once a rate limit was reached.
OKTA-213074
The App Admin role could not be assigned when an org had a significantly large number of deleted apps.
OKTA-213122
Pushing groups from Okta to G Suite failed when group member was already in a group, or had been already removed.
OKTA-213291
When importing users via a CSV file, the Do not create a password and only allow login via Identity Provider option could not be selected.
OKTA-213293
When conducting an import from Workday to Okta, boolean properties were not handled properly and did not map to the actual values.
OKTA-214020
In Agentless Desktop SSO settings, only the first 20 instances were editable.
OKTA-216082
When pushing users from Okta to Salesforce Federated ID, the profile attribute could not be set to not required.
OKTA-218007
Identity Providers did not support matching the user with an Okta username or email when the IdP Extensible Matching Rules feature was enabled.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Amadeus Selling Platform Connect (OKTA-217081)
-
Amplitude (OKTA-215291)
-
Answer 1 Zapier (OKTA-215720)
-
AT&T Cybersecurity (formerly AlienVault) (OKTA-217657)
-
Atlassian (OKTA-215304)
-
Basecamp (OKTA-215286)
-
BB&T (OKTA-217648)
-
Buffer (OKTA-217890)
-
CareFirst (OKTA-215296)
-
CyberSource (OKTA-217636)
-
FINRA Web CRD (OKTA-215277)
-
HipChat (OKTA-215244)
-
IBM Partner World (OKTA-215287)
-
Loggly (OKTA-215999)
-
Pacer (OKTA-216799)
-
RingCentral (OKTA-215283)
-
Smallpdf (OKTA-217685)
-
SmartyStreets (OKTA-217661)
-
T. Rowe Price (OKTA-214661)
-
TruQu (OKTA-216808)
-
Vungle (OKTA-215348)
-
WePay (OKTA-215245)
-
WP Engine (OKTA-217760)
-
Yelp Biz (OKTA-215074)
-
YouCanBook.me (OKTA-215253)
Applications
Application Updates
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Idiomatic: For configuration information, see Configuring Provisioning for Idiomatic.
New Integrations
New SCIM Integration Application
The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- Infor CloudSuite: For configuration information, see Infor CloudSuite Provisioning for Okta Online Help.
- Egnyte: For configuration information, see Configuring Okta SCIM Provisioning for Egnyte.
- Fin Analytics: : For configuration information, see Using Okta for Fin SSO.
SAML for the following Okta Verified applications
-
Area 1 Security (OKTA-216838)
-
BuiltWith (OKTA-216847)
-
Kiva (OKTA-215932)
-
Palo Alto Networks - Aperture (Reverse Proxy) (OKTA-214670)
-
Workable (OKTA-212879)
SWA for the following Okta Verified applications
-
American Express vPayment (OKTA-212465)
-
B of A Automative Dealer Services (OKTA-214379)
-
BigBlueOnline (OKTA-214709)
-
BrickFTP for Las Vegas Nevada (OKTA-214142)
-
Cal Bank Trust (OKTA-213107)
-
Comcast Payment Center (OKTA-217425)
-
Connect CDK Global (OKTA-216063)
-
DigiDip (OKTA-217112)
-
European Union (OKTA-209889)
-
FIS E-Banking Services: Generic Login Flow (OKTA-209723)
-
Frontier Communications (OKTA-214708)
-
Frontier Communications (OKTA-217302)
-
FSRS gov Awardees (OKTA-217427)
-
Greenwaste (OKTA-217198)
-
IOI Payroll V2 (OKTA-214471)
-
Leumi Bank UK (OKTA-215922)
-
Metropolitan Bank US (OKTA-215923)
-
MyMerrill (OKTA-213642)
-
Nationale Nederlanden: Pensioen Service Online for Business (OKTA-214224)
-
Obeo (OKTA-210256)
-
PNC Foreign Currency (OKTA-215697)
-
Premium Haystack (OKTA-215438)
-
Rookout (OKTA-213093)
-
Schoox (OKTA-215053)
-
Signature Bank (OKTA-201621)
-
Silvergate Bank (OKTA-201618)
-
Ski Data for 2145 Parkplace (OKTA-214361)
-
Van Lanschot (OKTA-214922)
Weekly Updates
2019.04.1: Update 1 started deployment on
April 22
Fixes
General Fixes
OKTA-213061
Group admins scoped to manage a group that was assigned an admin role did not display user or group pages properly.
OKTA-214827
After a SPA OIDC client was created, the Client Authentication method was not displayed in the UI as expected.
OKTA-215691
Adding an IP address to an IP Blacklist Zone from the System Log resulted in a 400 error.
OKTA-215977
When an AD agent connected via proxy, a TLS alert to the proxy caused AD imports to intermittently fail.
OKTA-218083
Search functionality for IDP routing rules failed to get results for apps that contained the "|" pipe character.
OKTA-219226
The enrollment window for MFA U2F used an incorrect CSS that caused the display to be slightly incorrect.
OKTA-221403
There was no space between the app name icon in the app search results on the end user dashboard.
App Integration Fixes
The following SAML app was not working correctly and is now fixed
-
Miro (OKTA-219464)
The following SWA apps were not working correctly and are now fixed
-
Expensify (SWA Only) (OKTA-218710)
-
HM Revenue and Customs (HMRC) (OKTA-218854)
-
Rabobank Internetbankieren (OKTA-218881)
-
Sprout Social (OKTA-218711)
-
The Information (OKTA-218929)
-
UserVoice (OKTA-218709)
-
WFX (OKTA-218240)
Applications
New Integrations
The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- TOPdesk Operator by FuseLogic: For configuration information, see the TOPdesk operator provisioning integration guide.
SAML for the following Okta Verified applications
-
Broker Buddha (OKTA-219121)
-
Celonis (OKTA-217901)
-
Drafted (OKTA-219407)
-
Enzyme QMS (OKTA-213382)
-
Matik (OKTA-218397)
-
PressPage (OKTA-218318)
-
RStudio Connect (OKTA-219846)
-
Trend Micro Apex One as a Service (OKTA-218066)
-
Zerotek (OKTA-218354)
SWA for the following Okta Verified applications
-
California Water (OKTA-217189)
-
Compass PHS (OKTA-207732)
-
Harland Clarke Checks Center (OKTA-216860)
-
Lola (OKTA-211494)
-
New York Magazine (OKTA-215724)
-
Nexus System Connect (OKTA-215329)
-
United TranzActions (OKTA-216858)
-
Westchester Fast Track (OKTA-218185)
2019.04.2: Update 2 started deployment on
May 6
Fixes
General Fixes
OKTA-201787
The Okta browser plugin did not work in Chrome for the ALMobile private app.
OKTA-205783
Private apps that were incorrectly categorized as User Directory appeared on the Directory Integrations page.
OKTA-206470
User credentials were not passed to the LastPass app when using Chrome.
OKTA-206749
Super admins could subscribe to org-wide email notifications for admin roles, to which they did not have permission.
OKTA-207909
When setting up a new password, the Change Password button did not become inactive after the first click.
OKTA-210587
The Dashboard displayed links that the following admin roles cannot access: App, Group, Help Desk and API access management admins.
OKTA-210776
The security image on the sign-in page did not load when the username contained a plus (+) character.
OKTA-210869
An App admin assigned permissions through a group role was not able to edit the SAML settings of an app for which they had permission.
OKTA-210961
The Need help signing in link did not have ARIA attributes to indicate its expand or collapse state.
OKTA-211541
When an admin created a user with a password that did not meet the password requirements, the System Log showed a successful Create Okta User event even though the user creation failed.
OKTA-213686
Authorization for an app failed when using a routing rule configured to default to a social identity provider.
OKTA-214203
In some cases, reactivating a user created a duplicate entry in the System Log.
OKTA-214365
Some /authn APIs were missing the Cancel link in their response.
OKTA-215638
The Japanese translation of the password reset restrictions needed improvement.
OKTA-215983
Email templates for MFA Factor Enrolled and MFA Factor Reset did not translate into the Thai language correctly.
OKTA-221657
When IdP Discovery was enabled for some customers, IWA sign-in flows stopped working due to browsers truncating requests in the URL.
OKTA-221667
An App Admin assigned permissions through a group role could only view OpenID Connect apps when creating a new app.
OKTA-221708
Some icons were missing when signing in to the Gmail app using Okta Mobile for Device trust.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
2020 Spaces (OKTA-220169)
-
ADP Workforce Now (OKTA-221296)
-
Alabama Power (OKTA-220005)
-
Avalara (OKTA-218996)
-
Benefit Resource Inc (OKTA-218390)
-
Breeze (OKTA-221637)
-
CAPPS Enterprise Portal (OKTA-219133)
-
CRG emPerform (OKTA-219139)
-
Express Xactlycorp (OKTA-220904)
-
EZPassNY (OKTA-218426)
-
Harland Clarke Checks Center (OKTA-221646)
-
Lifeworks (OKTA-219537)
-
New York Times (OKTA-221218)
-
Redis Labs (OKTA-221219)
-
Shopify (OKTA-221653)
-
SpringCM (OKTA-217660)
-
T. Rowe Price (OKTA-220319)
Applications
Application Updates
We are switching the authentication mode of our DocuSign provisioning integration to OAuth. For more information see the DocuSign Provisioning Guide.
New Integrations
The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- Chorus.ai: For configuration information, see Configuring Provisioning for Chorus.ai.
SAML for the following Okta Verified applications
-
Braze (OKTA-218398)
-
Chorus.ai (OKTA-217886)
-
Fulcrum (OKTA-220635)
-
Harness (OKTA-219122)
-
IT-Conductor (OKTA-220627)
-
MaestroQA (OKTA-220841)
-
PhraseApp (OKTA-220846)
-
Zapier SAML (OKTA-219123)
-
ZenQMS (OKTA-220313)
SWA for the following Okta Verified applications
-
Adobe Admin Console (OKTA-214878)
-
Adobe Fonts (OKTA-217129)
-
BigBlueOnline (OKTA-214709)
-
Catsy (OKTA-221527)
-
CFA Institute (OKTA-218957)
-
Cloud Ranger (OKTA-220214)
-
Condeco Connect (OKTA-220492)
-
E-Boekhouden (OKTA-217430)
-
First Republic Securities (OKTA-217204)
-
Jaggaer Supplier Support (OKTA-221245)
-
MD-Staff (OKTA-211897)
-
my529 Financial Advisor (OKTA-219991)
-
Outgrow (OKTA-217883)
-
PG&E (OKTA-217203)
-
SecureDock (OKTA-220676)
-
Stratechery (OKTA-217201)
-
The Trade Desk for Goodway Group (OKTA-218990)
-
US Plastic (OKTA-220482)
March 2019
2019.03.0: Monthly Production release began deployment on March 11
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Security Tips on admin console
Security Tips now appear on the admin console. These tips suggest a list of security features that can be enabled to improve the security posture of an org. For more information, see HealthInsight.
Skip importing groups during Office 365 user provisioning
While provisioning Office 365 in Okta, you can choose to skip importing Office 365 user groups and group memberships into Okta. This allows you to focus initially on user provisioning and take care of group assignments later in the deployment process. For more information, see Skip importing groups during Office 365 user provisioning.
Additional Custom Attributes for Webex integration
Our Webex integration is enhanced by adding support several new custom attributes. Okta imports these attributes that you can then map as additional custom properties. For more information see the Webex Provisioning Guide.
System Log enhancement
We've enhanced our System Log to take advantage of our new Network Zones feature. Admins can now hover over an IP address that's part of an event and navigate through the series of menus to add that IP address to either the gateway or proxy list of IP addresses.
SCIM App Wizard
Okta supports SCIM (System for Cross-domain Identity Management specification) provisioning for apps created with the Okta App Integration Wizard (AIW).
For more information about SCIM, see SCIM-Based Provisioning Integration. For instructions to enable SCIM for app-wizard apps, see The SCIM App Wizard.
View admin list by role
Super admins can now filter the list of admins by role and type for easier searching.
Social Identity Providers
This feature allows your end users to self-register with your custom applications by first authenticating through their existing social identity accounts, such as Facebook, Google, Yahoo, or LinkedIn. For new users of your custom application, Okta creates a Just In Time (JIT) Okta user profile based on attributes stored in their social profiles.
For more information see Identity Providers.
System Log events for YubiKey Seed
New System Log events have been added when a user uploads or revokes a YubiKey Seed successfully.
System Log events for Active Directory imports
A new System Log event appears when an Active Directory import is converted from an incremental to a full import.
A new System Log event appears when a full Active Directory import is required.
Admin role behavior changes
Admin roles assigned by adding a user to an Admin group can no longer be edited or customized for individual users. To edit or remove admin privileges from a user that were assigned by adding the user to an admin group, you must remove the user from the group. Additionally, if a user has individual admin privileges assigned to them as well as admin privileges they received due to being in an admin group, each admin privilege will be listed separately. The icons indicate whether the privilege was assigned individually or as a result of group membership.
Use Expression Language (EL) to map AD attribute to Workplace by Facebook
Okta now uses EL to map manager from AD to the Workplace by Facebook app for all new apps. For more information about Workplace by Facebook provisioning, see the Workplace by Facebook Provisioning Guide.
CPC app operations throttling
To ensure execution of all customers' provisioning operations in a timely manner, operations for CPC apps are now throttled on a per org basis.
Generally Available Enhancements
Documentation links for Security Checklist
The Security Checklist on the admin console is updated to include documentation links for each setting. For more information about this feature, see .
Region codes updated for network zones
Network zones region codes are updated to adhere to the specifications of the ISO-3166 standard. This update includes changes to region names within Mexico, the Democratic Republic of the Congo, and Czech Republic. For more information about using country and region codes, see Network zones.
Early Access Features
New Features
Review prompt on Okta Mobile for iOS
End-users using Okta Mobile on iOS are prompted to provide an App Store rating for the app. When they provide a rating in the app and click Submit, they are taken to the App Store page for the Okta Mobile app to provide more optional feedback about the app. They can click Not now to dismiss the option. For more information, see About Okta Mobile.
OIN Manager supports multiple application submissions
When submitting a new application integration for review by Okta, the OIN Manager now supports multiple concurrent application submissions (for new orgs only).
Fixes
General Fixes
OKTA-135037
Disabled users in the Roambi app were incorrectly imported into Okta.
OKTA-205616
The tooltip for username was missing on the Identifier-first login page when using IdP Discovery.
OKTA-205713
The Okta Interstitial page used an incorrect font on Windows OS.
OKTA-205734
The authentication process took more time than expected when the "Permit Automatic Push for Okta Verify Enrolled Users option for the RADIUS application was activated.
OKTA-207282
End-users could not see the Zip Code on the Personal Information page on the end user dashboard despite having read-write permissions.
OKTA-207634
Customers were not properly redirected to the correct JIRA On-Prem instance after updating to JIRA On-Prem version 3.0.7.
OKTA-208446
Updates to the Okta Reporting Path were not saved on the first attempt and failed with errors when configuring API integration for the UltiPro app.
OKTA-209118
When configuring an OPP app with a SCIM connector, authentication headers were sometimes misconfigured.
OKTA-210624
For Desktop Device Trust flows, authentication failures reported in the System Log lacked sufficient detail.
OKTA-211769
When Single Line Prompt was enabled in the Radius app, login using a soft token generated duplicate events in the System Log.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Allegra False Creek (OKTA-211577)
-
Amazon Web Services (OKTA-200754)
-
Basecamp (OKTA-210785)
-
Bitbucket (OKTA-209277)
-
Citi Velocity (OKTA-211570)
-
CrazyEgg (OKTA-208795)
-
Expensify (SWA Only) (OKTA-209343)
-
Glance (OKTA-211569)
-
Google AdSense (OKTA-208416)
-
Meetup (OKTA-208796)
-
MSCI ESG Manager (OKTA-210231)
-
SecureMail Cloud (OKTA-210230)
-
Stamps.com (OKTA-211576)
-
T. Rowe Price (OKTA-208929)
Applications
Application Updates
-
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
-
WorkRamp: For configuration information, see Configuring SCIM Provisioning for WorkRamp.
-
Expensify: For configuration information, see Expensify's Deactivating User's with Okta.
-
-
Namely now supports the following Provisioning features (in addition to the Profile Master feature that it already supports):
-
Create users
- Update user attributes
For users that have set-up the Namely integration and enabled Provisioning before July 23, 2018, they have to follow the migration steps detailed in the Namely Configuration Guide if they want to use the new feature.
-
New Integrations
New SCIM Integration Application
The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- LogMeIn: For configuration Information, see Configuring Provisioning for LogMeIn Products.
-
SendSafely: For configuration Information, see Configuring SCIM Provisioning for SendSafely.
Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)
-
Zscaler 2.0 (OKTA-210280)
SAML for the following Okta Verified applications
-
Idiomatic (OKTA-210213)
-
Stack Overflow Enterprise (OKTA-211271)
SWA for the following Okta Verified applications
-
1st Global: Identity Server (OKTA-203266)
-
Amazon Incentives (OKTA-205373)
-
ClickToTweet (OKTA-206100)
-
Cumberland (OKTA-202677)
-
ForeScout (OKTA-203181)
-
Fremont Bank (OKTA-205715)
-
GoodHabitz (OKTA-206150)
-
HR Certification Institute (OKTA-204048)
-
Johnson & Johnson (OKTA-207334)
-
LinkedIn Sales Navigator (OKTA-202984)
-
LivePerson LiveEngage (OKTA-206681)
-
Lutron (OKTA-206149)
-
PNC Retirement Directions Participant Login (OKTA-206676)
-
SagicoreLife: Agent Login (OKTA-202262)
-
SecurePay (OKTA-210232)
-
Supermetrics (OKTA-205909)
-
Template Two Page Plugin App (OKTA-207162)
-
Texas Mutual (OKTA-207028)
-
Zscaler 2.0 (OKTA-210280)
Weekly Updates
2019.03.1: Update 1 started deployment on March
March 20
Fixes
General Fixes
OKTA-184126
Custom domains were incorrectly reserved before being verified.
OKTA-194918H
Password credentials for the Paychex Online app were not inserted into the Password field in Edge browsers.
OKTA-204814
Certain group membership rules to assign AD-mastered users to an Okta group did not remove the users from the group when they were deactivated in AD.
OKTA-207871
Editing certain existing custom SAML app configurations resulted in errors.
OKTA-209615
In some cases, the EA Feature Manager page on the Admin Console had mismatched or empty feature descriptions.
OKTA-211237H
The complex password generator was able to generate passwords in the format of an <html> tag.
OKTA-212828
Resetting Web Authentication from the end user Settings page displayed errors even when the action was successful.
OKTA-212890
The Getting Started page on the Admin Console displayed errors for Internet Explorer 10 users.
OKTA-213551H
Push Group failed for the Zscaler 2.0 app and no Retry task was available in the admin console.
App Integration Fixes
The following SAML app was not working correctly and is now fixed
-
NetSuite (OKTA-209499)
The following SWA apps were not working correctly and are now fixed
-
MileIq (OKTA-212466)
-
Ncontracts (OKTA-209463)
-
Ray Wenderlich (OKTA-212010)
-
Sequr (OKTA-212548)
-
Skillshare (OKTA-211690)
-
WorkFlowy (OKTA-212464)
-
WP Engine (OKTA-210832)
Applications
New Integrations
SAML for the following Okta Verified applications
-
Casetabs (OKTA-212169)
-
Projector PSA (OKTA-212170)
-
Sqreen (OKTA-211580)
-
UWV Employer Portal (OKTA-209228)
SWA for the following Okta Verified applications
-
Arrowhead Auto: Producer Login (OKTA-203718)
-
Citi Investor Reporting For Structured Finance (OKTA-194263)
-
ClinPhone (OKTA-211579)
-
IDShield Plus (OKTA-207842)
-
Salt Lake Tribune (OKTA-203950)
-
Taleo Enterprise User Login (OKTA-211578)
-
Wright National Flood Insurance Company (OKTA-207916)
Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)
-
Microsoft Office 365 (OKTA-199395)
2019.03.2: Update 2 started deployment on
March 25
Fixes
General Fixes
OKTA-130296
When configuring JIT settings for a social identity provider, the Everyone group could erroneously be selected as one of the Group Assignments.
OKTA-139818
Attempting to set user credentials for an AppUser to a string longer than the permitted maximum length displayed an Internal Server Error instead of a Forbidden message.
OKTA-204598
Some successful MFA events did not appear in the System Log for some Orgs.
OKTA-205976
In some cases, Web Authentication FIDO2 appeared as Windows Hello (Web Authentication) while resetting factors on the Admin Console.
OKTA-209194
First time import of Namely-mastered users into Active Directory failed.
OKTA-209332
An app's Current Assignments report did not autopopulate the app's name even when the report was accessed through the app page.
OKTA-213567
Sometimes Okta Verify took too long to respond back to the browser, resulting in time-outs.
OKTA-214003
Certain invalid state token values caused the AuthN API to return an internal server error.
OKTA-214175
Okta Verify push did not work when authenticating via the LDAP Interface.
OKTA-217033H
The Group Attribute Statements filter could not be saved in a custom SAML App.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Dell Premier (OKTA-213974)
-
Drift (OKTA-213975)
-
Fidelity & Guarantee Life (OKTA-213252)
-
Fitbit (OKTA-213976)
-
Flurry (OKTA-213977)
-
IBM Cloud (OKTA-214031)
-
NoMachine: Workbench (OKTA-210779)
-
Poll Everywhere (OKTA-213315)
-
RingCentral (OKTA-213133)
-
Safari Online Learning (OKTA-213099)
-
T. Rowe Price (OKTA-212189)
Applications
New Integrations
SAML for the following Okta Verified applications
-
Automox (OKTA-212528)
-
HealthKick (OKTA-212505)
-
Hive (OKTA-213326)
-
Sapling HR (OKTA-212512)
-
Workpath Platform (OKTA-213337)
SWA for the following Okta Verified applications
-
2020 Spaces (OKTA-210855)
-
Alabama Power (OKTA-211825)
-
Atlassian Service Desk (OKTA-206555)
-
BuildingConnected (OKTA-210302)
-
Cat SIS (OKTA-210839)
-
CoSchedule (OKTA-210164)
-
Fidelity Funds Network (OKTA-209733)
-
Interxion (OKTA-211723)
-
IOI Payroll V2 (OKTA-210854)
-
John Deere Service Advisor (OKTA-210838)
-
LexisNexis Bridger Insight XG (OKTA-195697)
-
LexisNexis Member Login (OKTA-209424)
-
Rabobank Internetbankieren (OKTA-209208)
-
Regus (OKTA-209724)
-
Rhino3d (OKTA-209991)
-
Salesforce (force.com) (OKTA-209752)
-
Steelcase Americas Village (OKTA-207490)
-
Steelcase Product Reference (OKTA-213961)
-
Thomson Reuters Practical Law (OKTA-209079)
-
Traackr (OKTA-210193)
2019.03.3: Update 3 started deployment on
April 8
Fixes
General Fixes
OKTA-193430
The German translations for password requirements on the Welcome page and in the Password Reset flow were incorrect.
OKTA-203455
HTML in the Activation Email template did not render properly.
OKTA-204472
The Status box on the Admin Console erroneously displayed non-existent tasks for Group Push mappings.
OKTA-205284
When users tried to access some SAML apps that they were not assigned, they got an incorrect response code.
OKTA-208042
Certificate renewal failures sometimes rendered the existing certificate unusable and Device Trust validation failed until renewal was attempted again and succeeded. Note: This fix requires the New Windows Device Trust Registration Task, version 1.3.1.
OKTA-209139
Features in the Early Access Feature Manager could be disabled even if they had dependent features that were enabled and not in Early Access Feature Manager.
OKTA-210984
The alt text for the logo on the Sign In page was not clear.
OKTA-214498
In some cases the activation token in the Activation Email was valid beyond the set time limit.
OKTA-218084H
GSuite group memberships could not be imported from nested groups. Note that the following feature flags must be enabled: PROV_GOOGLE_USE_ACTUAL_ID_AS_EXTERNAL_ID_FOR_GROUP, PROV_GOOGLE_FIX_GROUP_ID_NESTED. Contact Okta Support for assistance.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Cisco (OKTA-213384)
-
CCH Intelliconnect (OKTA-214497)
-
Frontier (OKTA-214713)
-
myKASTLE (OKTA-214293)
-
Workable (OKTA-214303)
Applications
Application Updates
The following partner-built provisioning integration app is now Generally Available in the OIN:
- Abstract: For configuration information, see Configuring SCIM Provisioning for Abstract.
New Integrations
New SCIM Integration Application
The following partner-built provisioning integration apps are now available in the OIN as Early Access:
-
Infor CloudSuite: For configuration information, see Infor CloudSuite Provisioning for Okta Online Help.
SAML for the following Okta Verified applications
-
CallCabinet Atmos (OKTA-211053)
-
CareerVillage (OKTA-214516)
-
Cisco ASA VPN (SAML) (OKTA-196744)
-
FactSet (OKTA-214985)
-
Leapsome (OKTA-214515)
-
Status Hero (OKTA-215230)
-
Valimail Defend (OKTA-209773)
-
Zapier SAML (OKTA-214934)
SWA for the following Okta Verified applications
-
AJ Bell (OKTA-212543)
-
BSA-E-Filing (OKTA-213447)
-
Clear Company Krostcpas (OKTA-213476)
-
Hitachi Visualization Suite (OKTA-212856)
-
Las Vegas Open Data (OKTA-212857)
-
Lumity (OKTA-212197)
-
PricingDirect (OKTA-212352)
-
Tech Data NL (OKTA-212439)
-
Tracxn (OKTA-209902)
-
Valet Living (OKTA-214387)
February 2019
2019.02.0: Monthly Production release began deployment on February 19
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
PIV Support for MTLS
Authentication for PIV (Personal Identification Verification) now supports the MTLS protocol and may be used once you have whitelisted the following domain: *.mtls.okta.com. For more information about IP whitelisting and Okta domains, refer to Allow access to Okta IP addresses.
Location-based network zones
Zones can now be defined based on geo-location. For more information on location zones, see Networks.
Remember Device setting enabled by default
As part of sign-on policy rules, admins can now enable by default the setting for end users to not be challenged on the same device again upon sign in. For more information on this feature, see Security Policies.
Support for converting contractors to full time employees in Workday
Added support for converting contractors to full time employees within Workday. For more information see Workday Provisioning Guide.
End-user plugin settings
End users can now configure Okta Plug-in settings directly from the Your Apps menu in their browser. This feature lets end users customize the local behavior of the plugin, and helps end users and admins troubleshoot problems that may occur with the plugin. For details, see Configure the Okta browser plugin (end user settings). This feature is GA for Preview orgs only.
Copy temporary password to clipboard
When resetting a password, admins can copy the temporary password directly to the clipboard by clicking the copy to clipboard icon.
Google Integration updated
Okta's Google social login integration has been updated to account for the deprecation of the Google+ API. More information can be found in our Knowledge Base.
Signature and Digest Algorithms for Template WS-Fed Applications
Template WS-Fed applications can now choose between SHA1 vs SHA256 options for their Signature and Digest Algorithms. In addition, all Template WS-Fed applications will have X.509 certificates signed with SHA256. For more information, see Configure the Okta Template WS Federation Application.
Okta Plug-in for Safari updated to 5.26.1
The Okta plugin for Safari browsers is updated to version 5.26.1. To meet Apple requirements, Okta built this version of the plugin as an App Extension to replace the legacy .safariextz architecture. This and future versions of the Okta Safari plugin will be available from the Mac App Store. For history, see Okta Browser Plugin version history
Generally Available Enhancements
Email notifications enabled by default
The setting for sending an email notification to end users who enroll in a new factor or request a factor reset is now enabled by default. For more information, see General Security.
EA Feature Manager feature list expanded
You can now enable Early Access features in the EA Feature Manager that may have other feature dependencies. If you select an EA feature that has a dependency on another feature, you must enable the required feature dependency before enabling your initial selection.
G Suite Provisioning Guide
Provisioning for G Suite now includes a link to the G Suite Provisioning Guide.
2019.01.2: Update 2 started deployment on
January 30
February 4
Early Access Features
New Features
MFA for ePCS
Okta provides multifactor authentication for the Electronic Prescribing for Controlled Substances (ePCS) system with its integration to Epic Hyperspace, which is the front-end software that launches ePCS. For more information, see MFA for Electronic Prescribing for Controlled Substances - Hyperspace
Early Access Enhancements
Inline MFA Enrollment for RADIUS Apps
Admins can now either allow or prohibit end users to access resources protected by RADIUS to enroll in MFA while authenticating. For more information, see RADIUS applications in Okta.
Fixes
General Fixes
OKTA-145565
The response error message included a typo when an invalid 4-byte UTF-8 character (such as an emoji) was input into a text field
OKTA-201017
Sometimes when a Microsoft proxy was used, the proxy IP was displayed as the client IP in the System Log although the policies were enforced on the client IP.
OKTA-201572
End users had difficulty entering an SMS MFA code on the Okta sign-in page because a large portion of the Enter Code field was not clickable.
OKTA-201733
The Early Access feature that allows Okta-mastered users to move across OUs sometimes failed to update the organizational unit for Active Directory users whose account was pushed to Active Directory from Okta and whose AD username (CN) contained one of the following characters: ,\#+<>;"=
OKTA-203163
User profile updates for the Cornerstone app failed if the user already existed in Cornerstone.
OKTA-206191
In some cases group rules dependent on other group rules were not processed properly during user updates.
OKTA-206270
The Identity Provider list did not properly display the Authorize URI and Redirect URI fields.
OKTA-207402
Attempts to apply an app Sign On Policy Rule to users returned a spinning icon. This issue only occurred on Preview orgs.
OKTA-207554
The app Sign On Policy Rule that denied user access was not logged in the System Log's application.policy.sign_on.deny_access event.
App Integration Fixes
The following SAML app was not working correctly and is now fixed
-
CyberArk Password Vault Web Access (OKTA-206890)
The following SWA apps were not working correctly and are now fixed
-
BullsEye Telecom (OKTA-207387)
-
Easy Projects (OKTA-207086)
-
Google Data Studio (OKTA-207296)
-
Infor EAM (OKTA-206680)
-
Looker (OKTA-206856)
-
ThinkHR (OKTA-207312)
-
Visible Equity (OKTA-206845)
Applications
Application Updates
-
Quick Base now supports the following Provisioning feature:
-
Group Push.
For configuration information, see Configuring Okta Provisioning for Quick Base.
-
- The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:
- Atlassian Cloud: For configuration information, see Atlassian's Configure User Provisioning with Okta.
- Zoom: For configuration information, see Configuring Zoom with Okta.
New Integrations
New SCIM Integration Application
The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- Oracle Cloud Infrastructure: For configuration information, see Oracle Cloud Infrastructure Okta Configuration for Federation and Provisioning.
- PlanMyLeave: For configuration information, see PlanmyLeave User Provisioning using SCIM v2.
SAML for the following Okta Verified applications
-
Boostr (OKTA-203119)
-
Pavaso (OKTA-207100)
-
PitchBook (OKTA-206101)
-
Revivn (OKTA-206671)
-
Rockset (OKTA-207102)
SWA for the following Okta Verified application
- Zywave Home (OKTA-193830)
Weekly Updates
2019.02.1: Update 1 started deployment on
February 25
Fixes
General Fixes
OKTA-197013
MFA Factor Reset email template failed to save with a validation error.
OKTA-199716
If the Self Service Registration form included Preferred Language and Country Code attributes, the Registration page did not load.
OKTA-200815
The Report Client IP setting of the RADIUS app did not affect the IP displayed in the Okta Verify Push notification received by the end user.
OKTA-202390
The setting for Dropbox user deactivation type in the application's Provisioning tab was not saved.
OKTA-202836
The number of Adobe Experience Manager groups and roles displayed in Okta was limited to 2000.
OKTA-203199
CSV reports downloaded from the System Log were missing IPChain data.
OKTA-203815
Some Okta accounts were not reactivated properly after related Active Directory accounts were re-enabled.
OKTA-204327
Assigning more than 10 network zones to Agentless Desktop SSO failed with an internal server error.
OKTA-204577
Some admins without appropriate permissions were able to see the Import tab for Directory Integrations.
OKTA-204887
Downloading CSV reports for Current Assignments failed.
OKTA-205714
When a Routing Rule was used with Agentless Desktop SSO or on-premise IWA, and user match criterion was specified, the rule resulted in a failed login flow.
OKTA-208669
Litmos app provisioning failed for some clients using the Australian tenant of the app.
OKTA-209258
Evaluation of some EL expressions resulted in unintended errors.
OKTA-209844
If routing rules and IWA were both enabled, the User matches section for Routing Rules was erroneously visible.
App Integration Fixes
The following SAML apps were not working correctly and are now fixed
-
NetSuite (OKTA-208950)
-
SightPlan (OKTA-208109)
-
SightPlan (OKTA-208109)
-
Torii (OKTA-208155)
The following SWA apps were not working correctly and are now fixed
-
AccessNS (OKTA-207099)
-
Amazon JP (OKTA-206135)
-
Apple Developer (OKTA-208815)
-
BVS Performance Solutions (OKTA-201303)
-
EZ Texting (OKTA-207091)
-
IATA (OKTA-205105)
-
NCCI Field Call (OKTA-207098)
-
Shopify (OKTA-209070)
-
Site5 (OKTA-207092)
-
Tegile (OKTA-208801)
-
Virgin Pulse (OKTA-207089)
-
yodeck (OKTA-208800)
Applications
Application Updates
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Effy Freshservice: For configuration information, see Effy's Configuring SCIM with Okta.
New Integrations
New SCIM integrations
The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- Abstract: For configuration information, see Configuring SCIM Provisioning for Abstract.
- Symantec Web Security Service: For configuration information, see Symantec's Integrate Okta at the SAML IdP.
- Flock: For configuration information, see the Flock Okta Connector Configuration Guide.
SAML for the following Okta Verified applications
-
AMGtime (OKTA-208211)
-
Doppler (OKTA-208076)
-
EpicCareLink (OKTA-209500)
-
Flock (OKTA-208088)
-
Ontrack Workflow (OKTA-205379)
-
Qualified.io (OKTA-204346)
-
Squadcast (OKTA-208072)
-
Stormboard SAML (OKTA-208075)
-
Web Manuals (OKTA-206111)
Mobile applications for use with Okta Mobility Management (OMM) (Android and iOS)
-
Jobvite (OKTA-205265)
-
Lattice (OKTA-203396)
-
Lattice (OKTA-203396)
SWA for the following Okta Verified applications
-
Access FileCloud (OKTA-202796)
-
Aquera (OKTA-207382)
-
AutoEntry (OKTA-201237)
-
BungalowNet (OKTA-201604)
-
Centralized Showing Service (OKTA-202381)
-
Qumulo Partner Portal (OKTA-202644)
-
Rocket Lawyer (OKTA-202052)
-
Sweetgreen (OKTA-201715)
-
SwipedOn (OKTA-203574)
-
Tempo (OKTA-200175)
-
Travelport: Rooms and More (OKTA-201895)
-
Uxpressia (OKTA-199602)
2019.02.2: Update 2 started deployment on
March 4
Fixes
General Fixes
OKTA-175415
Some users who enabled Yubikey as an MFA factor could not use it for sign in.
OKTA-186607
In some cases, AD-mastered users reactivated in Okta remained in the Password Reset status on the Okta Admin Console.
OKTA-196329
The toggle button for switching between the Okta Developer Console and the Classic UI was mispositioned.
OKTA-205724
Adding a SAML identity provider with the Assertion Consumer Service URL set to Organization (shared) resulted in a 400 bad request error during SP-initiated flows.
OKTA-205914
Profile changes were not synced to Active Directory or LDAP directories when they occurred at the same time that an app-mastered user was reactivated in the app.
OKTA-206305
Deleted users were sometimes incorrectly shown as Active instead of Inactive in the Okta Usage Report.
OKTA-206513
In some cases, the Okta Admin Console took a long time to load.
OKTA-206559
Sometimes IdP routing rules did not direct to the correct identity provider when the request contained an empty username query parameter.
OKTA-210021
For app sign on policies configured to gate app access when client IPs match specified network zones, the matched network zone did not appear in the Zone field of the System Log events.
App Integration Fixes
The following SAML apps were not working correctly and are now fixed
-
HostAnalytics (OKTA-208766)
-
IBM MaaS360 (OKTA-195086)
The following SWA apps were not working correctly and are now fixed
-
Appbot (OKTA-209897)
-
DHL Express (OKTA-209932)
-
IDrive (OKTA-209898)
-
Smallpdf (OKTA-209784)
-
WP Engine (OKTA-209535)
Applications
Application Updates
The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:
- Flock: For configuration information, see the Flock Okta Connector Configuration Guide.
- Expensify: For configuration information, see Expensify's Deactivating User's with Okta.
- 4me: For configuration information, see 4me's Okta configuration documentation.
New Integrations
The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- Lessonly: For configuration information, see Configuring Provisioning for Lessonly.
SAML for the following Okta Verified applications
-
Fulcrum (OKTA-210208)
-
HostAnalytics (OKTA-210227)
-
IDrive (OKTA-204347)
-
Modern Health (OKTA-210046)
-
PlainID (OKTA-210274)
SWA for the following Okta Verified applications
-
Adobe Experience Cloud (OKTA-204957)
-
Benson (OKTA-204945)
-
Bloomberg BNA (OKTA-205736)
-
Boston Properties (OKTA-204477)
-
Catalist (OKTA-204927)
-
Comerica Business Connect (OKTA-204380)
-
Florida Peninsula (OKTA-204778)
-
Genworth Mortgage Insurance (OKTA-202860)
-
Legrand Service Center (OKTA-204458)
-
NCR (OKTA-205586)
-
SoftMouse (OKTA-205528)
-
Title365 (OKTA-202822)
-
Wish (OKTA-205049)
Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)
-
Figma (OKTA-203395)
January 2019
2019.01.0: Monthly Production release began deployment on January 14
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Email notifications for Factor Enrollment and Factor Reset
Admins can enable two new settings for email notifications that are sent to end users. When enabled, end users will receive an email confirmation if the end user or an admin enrolls in a new factor or resets an existing factor for their account. For more information on end user email notifications, see General Security.
Automatically send an email to locked-out end users
You can automatically send your users an email if their account becomes locked due to too many failed sign-in attempts. You can insert a link in the email to let users unlock their account. For details, see Configure lockout settings.
Group Push enhancements
Group Push now supports the ability to link to existing groups in the following application integrations:
- Slack
- Dropbox for Business
- ServiceNow UD
You can centrally manage these apps in Okta. For details, see Group Push.
Extended Client Access policy capability for apps
When you create App Sign on Policy rules, you can now specify platform types with greater granularity. For details, see Add Sign On policies for applications.
Additional Custom Attributes for DocuSign integration
Our DocuSign integration is enhanced by adding support several new custom attributes. Okta imports these attributes that you can then map as additional custom properties. For details, see the DocuSign Provisioning Guide.
System Log save and reuse searches
After performing a System Log search, a Save button now appears next to the query. Click Save and you are prompted to name your search. Once saved, your named search appears on the main Reports page. You can reuse your saved search, modify it, or delete it. Note that saved searches can only be seen by the user who created them. A maximum of 20 searches can be saved at any time.
LDAP Interface, query performance improvement
LDAP Interface queries will no longer return the memberOf attribute unless requested specifically, or when all operational attributes are queried using "+". This change brings performance improvement to searches that did not require this attribute. Improvements were also made to return additional operational attributes that were part of LDAP core schema. This list includes hasSubordinates, structuralObjectClass, entryDN, subschemaSubentry, and numSubordinates. Note that numSubordinates is not calculated for users and groups containers. For details, see Set up and manage the LDAP Interface.
XFF Evaluation for Dynamic Zones and Behavior Detection
As part of Dynamic Zone and Behavior Detection evaluation, the client IP is now validated using the trusted proxies that have been configured for that org. In the admin System Log, this IP appears as the Client IP. For more information, see Dynamic Zone Evaluation.
New Windows Device Trust Registration Task, version 1.3.0
This release includes the following:
- Improved support for organizations that route internet traffic through a proxy server.
- Fixes an issue in which some Device Trust System Log events reported the Windows operating system version inaccurately on Windows desktops running Windows 8.1 or higher.
For version history, see Device Trust for Windows Desktop Registration Task Version History.
Support for Vietnamese language
Support for the Vietnamese language for the end user experience is now available to all customers. You can select the default language preference for your entire org, and your end users can select a different language preference for their own experience. For more information, see Configure the Display Language.
JIRA On-Prem Authenticator, version 3.0.7
This release includes enhanced SP-initiated SAML flow and support for spUsers and spGroups to handle JIRA only users. For version history, see JIRA Authenticator Version History.
Okta Browser Plug-in, version 5.25.0
Okta Browser Plug-in has been updated to version 5.25.0 for Chrome, Edge, Firefox, and Internet Explorer. This version contains security enhancements in addition to enhanced end user settings. For version history, see Okta Plug-in Version History. (Version history/browser ver history).
Enforce Device Trust for managed Windows computers
Okta Device Trust for Windows allows you to prevent unmanaged Windows computers from accessing enterprise services through browsers and native applications. For details, see Enforce Device Trust for managed Windows computers.
Generally Available Enhancements
EA Feature Manager
To provide more information about self-serviceable EA Features, links to help or developer documentation are now available for select features in the EA Feature Manager.
New device notification enhancement
The setting for end users to receive a new device notification email when signing in to Okta from a new or unrecognized device is now enabled by default for all orgs. For more information about email notification settings, refer to New or Unknown Device Notification Emails.
Username passes to IdP when using identity-first IdP Discovery flow
When using an identifier-first IdP discovery flow and the user is redirected to the Identity Provider, such as SAML, Google, Microsoft, or Generic OIDC, the username value is passed on to the Identity Provider so the user does not have to type it in again.
API Token size increased for OAuth
We have increased the API token size when configuring OAuth 2.0 based authentication from 2 kB to 64 kB. For more information about OAuth, see OpenID Connect & OAuth 2.0 API.
Logos available for all Social Identity Providers
All social identity providers have the default logos shown below:
LDAP Interface, increased page size
The LDAP page size is increased from 200 to 1001, allowing LDAP clients to use a multiple page size of 1000. See Set up and manage the LDAP Interface.
Search range for group membership
The Okta LDAP Interface previously limited membership searches to the first 200 users for a group. This restriction has been removed and the LDAP Interface will iterate through all pages before returning membership response back to the client. This applies to LDAP searches that query uniquemember and ismemberOf attributes. See Set up and manage the LDAP Interface.
2018.12.1: Update 1 started deployment on
December 12
December 17
Temporary Passwords for Pending Users
Temporary passwords can now be created for users who are in the Pending user action state and cannot access their activation email. Creating a temporary password for a user in this way will activate the user and require them to change the password during their next successful sign-in attempt. For more information see Manage users.
2018.12.2: Update 2 started deployment on
December 27
January 7
IP Blacklist zone, increased Gateway IP limit
We have increased the number of Gateway IP addresses that can be used in an IP Blacklist zone from 150 to 1000. For details, see Networks.
IP Blacklist zones enhancement
Blacklist zones are no longer configurable in policies as they are evaluated before policy rules are evaluated. For more information about Network Zones, see Networks.
Early Access Features
New Features
Multi-forest support for Windows Device Trust enrollment
IWA web app version 1.12.2 supports cross-forest/cross-domain Windows device trust enrollment. Now an IWA web app running in one forest can detect and assess the trust posture of Windows desktop devices located in another trusted forest and then allow these devices to enroll in Windows Device Trust. For more about Windows Device Trust, see Enforce Okta Device Trust for managed Windows computers.
Okta collecting product feedback from end users
Admins can allow Okta to collect feedback from end users. If this feature is turned on, end users will see a prompt on their Okta dashboard requesting feedback about our products and services. You can opt out of Okta User Communication in Settings > Customization > General. For more information, see End User Communication.
Web Authentication for U2F as a Factor
Admins can enable the factor Web Authentication for U2F, where U2F keys are authenticated using the WebAuthn standard. For more information, see Web Authentication for U2F.
Fixes
General Fixes
OKTA-193300
In the admin System Log, the zone field was populated for all events that matched a sign-on policy even when the IP of the client request did not match any zones configured in the policy.
OKTA-193330
When the same user was API and App Admin, only OIDC apps were visible in the Universal Directory profile editor.
OKTA-194244
A misleading error message was displayed when the rate limit was exceeded while using the LDAP Interface to query LDAP.
OKTA-197762
Fixed inconsistent behavior with the Reset Password Link for LDAP users.
OKTA-199498
In some cases, Okta-mastered users were deactivated when their linked accounts in Active Directory were deactivated.
OKTA-200928
Logging on through Jira on-prem app integration didn't error out properly if the end user didn't exist in the target app.
OKTA-203819H
Some orgs were unable to create the number of users that they were entitled to.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
ADP Portal (Admin) (OKTA-198299)
-
Bloomberg BNA (OKTA-202952)
-
Blue Cross Blue Shield North Carolina (OKTA-191585)
-
Coolblue (OKTA-203010)
-
Copper (OKTA-202311)
-
Dell EMC (OKTA-197625)
-
Egencia France (OKTA-202309)
-
Garveys (OKTA-202308)
-
Google AdWords (OKTA-200072)
-
Google Play Developer Console (OKTA-201061)
-
GT Nexus (OKTA-203008)
-
Monster Hiring (OKTA-202848)
-
Newton Software (OKTA-202111)
-
ONE by AOL Mobile (OKTA-201772)
-
SAP NetWeaver Application Server (OKTA-202310)
-
Tenable Support Portal (OKTA-201111)
-
The San Diego Union-Tribune (OKTA-202856)
Applications
Application Updates
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Meta Networks Connector: For configuration information, see How to Configure SCIM 2.0 For Meta Networks.
New Integrations
New SCIM Integration Application
The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- Effy: Freshservice Provisioning: For configuration information, see Effy: Freshservice Provisioning's Configuring SCIM with Okta.
SAML for the following Okta Verified applications
-
Oracle Cloud Infrastructure (OKTA-203179)
-
PerimeterX (OKTA-202317)
-
Visitly (OKTA-202988)
-
Workpath (OKTA-202894)
SWA for the following Okta Verified applications
-
AIMA (OKTA-197142)
-
BioDigital (OKTA-197194)
-
Cisco Registered Envelope Service (OKTA-197090)
-
DeKalb Physician Portal (OKTA-197193)
-
Financial News (OKTA-198739)
-
Fresh Direct (OKTA-197128)
-
My Eaton (OKTA-200770)
-
Ocado (OKTA-197129)
-
Private Advisors (OKTA-198720)
Weekly Updates
2019.01.1: Update 1 started deployment on
January 22
Fixes
General Fixes
OKTA-192916
Okta Expression Language for defining a custom UserName mapping was not supported when creating a new app.
OKTA-194089
Read-only admins and Application admins saw incorrect values for Max Unassignments for applications with provisioning enabled.
OKTA-197629
In SAML App Wizard apps, the error returned when the Relay State was too long, was unclear.
OKTA-200927
Some DelAuth users who had an incomplete profile setup were not able to complete the SAML forceAuthn flow.
OKTA-201827
Group Rules did not trigger for SecondEmail if the attribute was updated via self-service.
OKTA-203326
System Log processing experienced a lag when clearing large import queues because of firing a syslog event for each user in the import flow. Now a single syslog event is fired indicating the number of users cleared from the import queue.
OKTA-205267H
For some SP-initiated SAML Requests, it incorrectly included the <Subject> element in the AuthN request.
OKTA-205324H
Okta did not allow admins to delete a group push mapping if the mapping was in error status.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
ADP Portal (Admin) (OKTA-203745)
-
Avalara Partner Portal (OKTA-204049)
-
Barrons Online (OKTA-203796)
-
LA Times (OKTA-203390)
-
Netflix (OKTA-204051)
-
Shopify (OKTA-203516)
-
TigerText (OKTA-203393)
Applications
Application Updates
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Peakon: For configuration information, see Peakon's Set up user provisioning with Okta.
New Integrations
SAML for the following Okta Verified applications
-
Cobalt (OKTA-204332)
-
Imagineer Clienteer (OKTA-203743)
SWA for the following Okta Verified applications
-
AnyImage (OKTA-200388)
-
Crowdstrike Falcon (OKTA-199903)
-
FIS Client Portal (OKTA-193928)
2019.01.2: Update 2 started deployment on
February 4
Fixes
General Fixes
OKTA-152340
Pushing after removing group memberships failed for CPC apps (For example, ServiceNow, Dropbox, Slack).
OKTA-167393
In Okta Verify, Push challenges that were approved by users from the notification center had to be approved again in the Okta Verify iOS app.
OKTA-184036
Re-creating a user via JIT did not assign AD group memberships if the User Must Change Password At Next Logon option was enabled on the AD user profile after the user was deleted from Okta.
OKTA-189547
Translation to Japanese for the MFA prompt Do not challenge me on this device for the next 30 minutes was incorrect.
OKTA-192100
Multiple run-time exception errors caused the LDAP agent to fail.
OKTA-195065
Pushing groups for GSuite app failed with the error Unexpected character ( '<' (code 60)): expected a valid value.
OKTA-196483
When the default backoff setting for the AD and LDAP agents was 1 hour, it caused the agents to remain unavailable for the entire hour regardless of when the underlying issue was fixed.
OKTA-197083
Admin roles that were granted, scoped, or revoked through the Roles API did not appear in the System Log.
OKTA-197934
Provisioning for the Adobe Experience Manager SAML app failed when users had an underscore "_" in their login attribute.
OKTA-198025
The following role attributes can now be added in PagerDuty: admin, limited_user, observer, read_only_user, restricted_access, team_responder, user.
OKTA-198932
Template SAML 1.1 apps did not honor the configuration for response/assertion signing in IdP-initiated flows.
OKTA-199767
The Help link for Verifying IE Plug-in Enablement led to an invalid page.
OKTA-201029
The MFA Factor Enrolled email was sent before enrollment was completed.
OKTA-201591
The application condition for an IdP Discovery rule only allowed for 20 applications.
OKTA-201763
The Update Now button on the Sign On tab was always present even when not needed.
OKTA-201789
When searching for users by string match, if the string contained a space (for example, users with multiple last names such as "Van Horne") Okta only tried matching against the full name.
OKTA-202346
Changing profile mappings between applying only at user creation and applying at both creation and update would sometimes fail to apply the change.
OKTA-202684
For custom SAML applications, if the admin changed the Name Id format to persistent, the metadata was not updated.
OKTA-203596
An Application Sign-On policy created to allow or deny access to rich clients using modern auth and running on iPad didn't work as expected.
OKTA-204275
Domain matching in IdP Discovery rules were incorrectly case-sensitive.
OKTA-204738
An Invalid Factor error was encountered when end users used a permitted U2F factor, but also had one or more disallowed devices registered.
OKTA-205371
The Language drop-down list box on the Settings page incorrectly contained the label Beta for some languages.
OKTA-205410
Customers with Network Zone locations with China region codes CN-11, or CN-(some number) could not see the name of the region correctly, nor could they edit the Network Zone.
OKTA-205446H
For new enrollments, Voice Call MFA failed with Each code can only be used once. Please wait for a new code and try again.
OKTA-205703
The Current Assignments report was not filtering correctly when USER_LISTS_FOR_AUDITING was enabled.
App Integration Fixes
The following SAML app was not working correctly and is now fixed
-
Bomgar (OKTA-196914)
The following SWA apps were not working correctly and are now fixed
-
ADP Screening and Selection Services (OKTA-202613)
-
Air Canada (OKTA-204326)
-
AnswerForce (OKTA-204331)
-
Backblaze (OKTA-205585)
-
BlackBerry Developers (OKTA-204370)
-
BlueJeans (OKTA-204960)
-
Booking (OKTA-204584)
-
Capital One (OKTA-204050)
-
Copper (OKTA-204325)
-
Crowdstrike Falcon (OKTA-205584)
-
CSCglobal (OKTA-204849)
-
Curalate (OKTA-206158)
-
Dell Boomi (OKTA-204328)
-
Eventbrite (OKTA-206655)
-
Evernote (OKTA-206169)
-
FACTs (OKTA-204599)
-
GatherContent (OKTA-205587)
-
Google AdWords (OKTA-206109)
-
Google Analytics (OKTA-205638)
-
GuideStar (OKTA-206168)
-
Hippo CMMS (OKTA-205390)
-
Infor EAM (OKTA-204329)
-
JobAdder (OKTA-202705)
-
LoopUp (OKTA-205012)
-
Maxemail (OKTA-206469)
-
My ADT (OKTA-206221)
-
MyCitrix (OKTA-205472)
-
NodePing (OKTA-205274)
-
Quantum Workplace (OKTA-204596)
-
Reputation.com Personal (OKTA-204737)
-
Shopify (OKTA-205380)
-
SimplyWell Member (OKTA-206545)
-
Trip Advisor (OKTA-205588)
-
USPS (OKTA-206184)
-
Virgin Mobile OneView (OKTA-206157)
-
WorkflowMAX (OKTA-206136)
-
WorkTerra (OKTA-206161)
Applications
New Integrations
The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- Zscaler 2.0: For configuration information, see Zscaler's SAML & SCIM Configuration Guide for Okta.
- Twic: For configuration information, see the Twic Scim Integration Guide.
- Visitly: For configuration information, see Visitly's Integrate with Okta Provisioning.
- Workteam: For configuration information, see Workteam's Configuring User Provisioning.
SAML for the following Okta Verified applications
-
CodeSignal (OKTA-204339)
-
Signagelive (OKTA-202831)
-
Simian (OKTA-204348)
-
Stampli (OKTA-203206)
-
Workspace (OKTA-205099)
SWA for the following Okta Verified applications
-
Ask the Fed (OKTA-197941)
-
Data Navigator (OKTA-197939)
-
Doctena (OKTA-198514)
-
Jack Henry & Associates Client Portal (OKTA-194264)
-
LexisNexis Bridger Insight XG (OKTA-196365)
-
Tech Data France (OKTA-192411)