Okta Classic Engine release notes (2021)

December 2021

2021.12.0: Monthly Production release began deployment on December 13

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Sign-In Widget, version 5.14.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Choose client types for Office 365 sign-on policy

When creating app sign-on policy rules to manage access to Office 365 apps, you can now specify client types such as web browser, modern auth, or Exchange ActiveSync. This allows you to apply Office 365 sign-on policies to granular use-cases. See Office 365 sign-on rules options.

Branding now available in the Admin Console

This UI release provides admins and developers with an Admin Console UI to upload brand assets to customize their Okta-hosted pages. The Customizations tab in the Admin Console is also now moved to a top-level menu item in the left-hand navigation, and Branding-related controls have all been moved under it. The Settings > Appearance tab has also been removed, and functionality moved under the Customizations tab for ease of use. See Branding.

Admin Experience Redesign toggle removed

The toggle that allowed super admins to switch between the Admin Experience Redesign and the old experience has been removed. All Okta admins now benefit from our restyled Okta Admin Dashboard, responsive navigation side bar, and modern look and feel. If you need more time to adapt to the new user experience, you can revert to the old experience by contacting Okta Support until April 2022.

Upload Logo for org deprecated

The Upload Logo for Org endpoint (/api/v1/org/logo) is deprecated. Use the Upload Theme Logo endpoint (/api/v1/brands/${brandId}/themes/${themeId}/logo) instead.

Policy rule events now eligible for event hooks

The following policy rule events are now eligible for event hooks:

  • policy.rule.activate

  • policy.rule.delete

See Event hooks.

Salesforce Federated ID REST OAuth

Admins can now upgrade to the latest version of our Salesforce Federated ID integration. OAuth provides enhanced security and is now used for Provisioning and Imports authentication. This feature is currently enabled by default for new orgs only. See Configure OAuth and REST integration.

Localized SAML setup instructions

To achieve its objective of becoming the leader in identity and access management, Okta is actively expanding to numerous countries. To better serve this diverse market, Okta has begun localizing its customer-facing products to improve usability. To facilitate this process for SAML setup instructions, Okta will automatically provide the instructions in the user's chosen display language, if a translated version is available. Currently, a limited number of SAML setup instructions are available in Japanese.

Okta MFA Credential Provider for Windows, version 1.3.5

This version of the agent contains:

  • Security enhancements

  • Internal fixes

See Okta MFA Credential Provider for Windows Version History.

Okta On-Prem MFA agent, version 1.4.6

This version of the agent contains updates for certain security vulnerabilities.

See Okta On-Prem MFA agent version history.

Okta RADIUS Server agent, version 2.17.0

This version of the agent contains updates for certain security vulnerabilities.

See Okta RADIUS Server Agent Version History.

Okta Browser Plugin, version 6.6.0 for all browsers

This version includes minor bug fixes and improvements. See Okta Browser Plugin version history.

Enhancements

Org setting to disable device token binding

For compatibility purposes, orgs can now disable device binding. Device binding ensures that state tokens are used only by the actor who initiated the authentication flow. See General Security.

SharePoint (On-Premises) instructions updated

SharePoint (On-Premises) instructions have been updated to remove SharePoint 2010 from the Downloads page.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-372730

Org admins couldn't add social Identity Providers.

OKTA-393284

UI errors occurred when users hovered over a locked app on the Okta End-User Dashboard.

OKTA-416595

The spinner stayed visible after a sign-in error in some orgs with security image disabled.

OKTA-430797

Password push events were not showing in the System Log when multiple domains were federated in the same Office 365 app.

OKTA-433327

App usernames weren't updated automatically on non-provisioning enabled apps.

OKTA-438888

The Client drop-down menu wasn't displayed properly when admins added a new access policy for Authorization Servers using Internet Explorer.

OKTA-439104

Random users were unassigned from applications when imported and assigned by group.

OKTA-439327

Applying admin-managed tabs to end users occasionally completed much later, after the changes were initially made.

OKTA-441168

Users were directed to the wrong step of the Log Stream creation wizard when they clicked a link to create a specific type of Log Stream.

OKTA-443459

Some users who accessed the Okta End-User Dashboard saw a blank screen.

OKTA-449400

The text field for an app’s alternative name was missing from the app drawer.

OKTA-450158

In orgs with a custom domain URL and self-service registration enabled, users who went directly to the registration link saw a 404 error.

OKTA-450543

Users weren't prompted to correct their device’s time if their device was behind the server’s time by more than five minutes or ahead by more than 65 minutes.

OKTA-450896

The search bar on the Okta End-User Dashboard produced results that were inaccessible for screen readers.

OKTA-450927

Two scrollbars were displayed for mobile users.

OKTA-457787H

Apps on the Okta End User Dashboard on Internet Explorer opened as a pop-up window instead of a new tab.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Amplitude (OKTA-449138)

  • Australian Financial Review (OKTA-450189)

  • Boxed (OKTA-449140)

  • Google Tag Manager (OKTA-448703)

  • HireFire (OKTA-448711)

  • Instacart Canada (OKTA-442943)

  • International SOS Assistance (OKTA-447156)

  • LinkedIn (OKTA-443788)

  • Mural (OKTA-443063)

  • Payroll Relief (OKTA-447159)

  • Safari Online Learning (OKTA-448707)

  • The Hartford EBC (OKTA-448956)

  • Twitter (OKTA-448961)

  • XpertHR (OKTA-449721)

Applications

Application Update

The Jive application integration is rebranded as Go To Connect.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Chatwork (OKTA-449761)

  • ContractS CLM (OKTA-446453)

  • Elate (OKTA-448860)

  • WAN-Sign (OKTA-448922)

OIDC for the following Okta Verified applications:

Weekly Updates

2021.12.1: Update 1 started deployment on December 20

Generally Available

Sign-In Widget, version 5.14.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-328461

The footer in some email templates contained an incorrect link to Okta.

OKTA-410446

DebugData in the System Log didn’t include ClientSecret information.

OKTA-428685

Errors occurred when admins attempted to assign DocuSign to users.

OKTA-440608

Some admins couldn't view groups that were assigned to an app, even though their custom role had permission to view them.

OKTA-447471

Duplicate reactivation requests for the Org2Org app caused 400 errors in the System Log.

OKTA-447916

Admins received the wrong error message when they attempted to delete a custom domain.

OKTA-448321

When the Custom Admin Roles feature was enabled, groups with “#” in the group name couldn’t be assigned to a role.

OKTA-449880

When Enhanced Email Macros was enabled, the text in some default email templates was incorrect.

OKTA-451075

Security fix for the Okta Provisioning Agent. For this fix, download Okta Provisioning Agent version 2.0.6.

OKTA-451868

In new developer orgs, admins weren’t provisioned for Salesforce Help.

OKTA-452041

Attempts to sign in to the Admin Console using Safari on an iOS device were prevented by the popup blocker.

OKTA-452099

The QR verification form in the device authentication flow wasn’t pre-filled with the user code.

OKTA-454767H

Some app labels were missing in the redesigned OIN App Catalog.

App Integration Fix

The following SWA app was not working correctly and is now fixed:

  • GoDaddy (OKTA-449141)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

2021.12.2: Update 2 started deployment on January 3

Fixes

General Fixes

OKTA-441896

Group attribute statements added in a SAML 2.0 integration app (AIW) didn’t appear in the Preview the SAML Assertion section.

OKTA-444246

Some SAML doc links in the Admin Console didn’t work.

OKTA-447069

End-users encountered a 403 error when accessing a bookmark app after being migrated to the new Okta End-User Dashboard.

OKTA-447885

When adding a custom domain, admins received the wrong error message if they left the Domain field blank.

OKTA-448560

New users received an activation email with Velocity macros instead of their name. This occurred if the org’s profile enrollment policy didn’t require first and last names.

OKTA-448936

The Create a new resource set page couldn't display groups with & in the group name. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-448940

The Edit resources to a standard role page displayed an error when admins searched for a group. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-451345

The Velocity parsing engine failed when email templates contained a variable that was followed by (.

OKTA-452680

Application usage reports created asynchronously for specific groups included users that didn’t belong to the groups selected for the reports.

OKTA-454197

On the Add domain page, the Next, Remove, and Verify DNS buttons were clickable while the addition was in progress.

OKTA-456383H

CSV imports failed when using Okta Provisioning Agent, version 2.0.6. For this fix, download Okta Provisioning Agent, version 2.0.7.

OKTA-458089H

Some Netsuite imports into Okta failed with the following error: A SOAP message cannot contain entity references because it must not have a DTD.

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Imprivata Privileged Access Management (OKTA-450222)

  • Lucca (OKTA-450219)

  • PowerDMS (OKTA-454504)

  • Rybbon (OKTA-451438)

November 2021

2021.11.0: Monthly Production release began deployment on November 8

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Sign-In Widget, version 5.13.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.10.0

This version of the agent contains:

  • Range attribute retrieval for group membership attributes (full support will be available in a future release)

  • Real-time synchronization for user profiles, groups, and group memberships (full support will be available in a future release)

  • Expired password reset support for the eDirectory LDAP service (Okta Identity Engine)

  • Bug fixes

See Okta LDAP Agent version history.

Okta RADIUS Server agent, version 2.16.0

This version of the agent contains:

  • Government Community Cloud support

  • Internal and security fixes

See Okta RADIUS Server Agent Version History.

Okta MFA Credential Provider for Windows, version 1.3.4

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta MFA Credential Provider for Windows Version History.

Okta ADFS Plugin, version 1.7.9

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta ADFS Plugin version history.

Okta On-Prem MFA agent, version 1.4.5

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta On-Prem MFA agent version history.

Okta Browser Plugin, version 6.5.0 for all browsers

Internet Explorer local storage size for the Okta Browser Plugin has been increased. See Okta Browser Plugin version history.

Brands API support for auto-detecting contrast colors

The Brands API Theme object properties primaryColorContrastHex and secondaryColorContrastHex automatically optimize the contrast between font color and the background or button color. The auto-detection feature can be disabled by updating either property value with an accepted contrast hex value. See Brands.

New default selection for MFA enrollment policies

For MFA enrollment policy rules, the Any application that supports MFA enrollment option is now selected by default. See Configure an MFA enrollment policy.

New error page macros for themed templates

Custom error page templates include new macros to customize the URL (href) in addition to the button text for themed templates. See Use macros.

Custom domain SSL certification expiration warnings

To prevent service disruptions, Okta now sends admins a warning email 30, 15, and 7 days before their custom domain’s SSL certificate expires. If no action is taken, an expiration notice is sent when the certificate expires.

See Configure a custom domain.

Token-based SSO between native apps

Single Sign-On (SSO) between browser-based web applications is achieved by leveraging shared cookies. Unlike web applications, native applications can’t use web cookies. With Native SSO, Okta offers a token-based approach to achieve SSO between native applications.

Native SSO allows you to protect native OpenID Connect applications, such as desktop apps and mobile apps, and achieve SSO and Single Logout (SLO) between these applications. See Configure SSO for native apps.

Wildcards for OAuth redirect subdomains

Developers can now use the Apps API to set multiple redirect URI subdomains with a single parameter using the asterisk * wildcard. This feature provides convenience and flexibility in cases where subdomains vary by only a few characters. For example: https://subdomain*.example.com/oidc/redirect may be used to represent subdomain1, subdomain2, and subdomain3.
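An added example, not Okta's code or its matching logic: a Python helper that audits registered redirect URIs for the `*` wildcard described above and checks a candidate URI against a pattern under a strict reading. The function names, the finding labels, the rule that `*` matches only characters inside a single DNS label, and the sample URIs are all assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: "*" stands for zero or more characters that are
# valid inside ONE DNS label (letters, digits, hyphen). It never spans a dot.
_LABEL_CHARS = r"[A-Za-z0-9-]*"


def audit_redirect_uri(uri: str) -> list[str]:
    """Return review findings for one registered redirect URI (empty if no wildcard)."""
    if "*" not in uri:
        return []
    host = urlsplit(uri).hostname or ""
    labels = host.split(".")
    findings = []
    # A wildcard in the scheme, userinfo, port, path or query is outside the
    # subdomain use case the release note describes.
    if uri.count("*") != host.count("*"):
        findings.append("wildcard-outside-host")
    if host.count("*") > 1:
        findings.append("multiple-wildcards")
    # A label that is only "*" accepts every subdomain at that level.
    if "*" in labels:
        findings.append("wildcard-full-label")
    # Heuristic: the rightmost two labels approximate the registrable domain.
    if any("*" in label for label in labels[-2:]):
        findings.append("wildcard-in-base-domain")
    if not findings:
        # Narrowest form, as in https://subdomain*.example.com/oidc/redirect
        findings.append("wildcard-partial-label")
    return findings


def redirect_matches(pattern: str, candidate: str) -> bool:
    """Strict match: only the host may vary, and only inside a single label."""
    p, c = urlsplit(pattern), urlsplit(candidate)
    # Userinfo and fragments have no place in a redirect URI; reject them.
    if "@" in c.netloc or c.fragment:
        return False
    try:
        same_rest = (p.scheme, p.port, p.path, p.query) == (
            c.scheme, c.port, c.path, c.query)
    except ValueError:  # malformed port in either URI
        return False
    if not same_rest:
        return False
    # Escape the literal pieces of the host and join them with the label class.
    host_re = _LABEL_CHARS.join(
        re.escape(piece) for piece in (p.hostname or "").split("*"))
    return re.fullmatch(host_re, c.hostname or "") is not None


if __name__ == "__main__":
    # Constructed sample data: patterns as they might be registered on an app.
    registered = [
        "https://app.example.com/oidc/redirect",
        "https://subdomain*.example.com/oidc/redirect",
        "https://*.example.com/oidc/redirect",
        "https://app.example.com/*",
    ]
    for uri in registered:
        print(uri, audit_redirect_uri(uri))

    pattern = "https://subdomain*.example.com/oidc/redirect"
    for candidate in [
        "https://subdomain1.example.com/oidc/redirect",
        "https://subdomain1.other.example.com/oidc/redirect",
        "https://subdomain1.example.com.untrusted.test/oidc/redirect",
        "http://subdomain1.example.com/oidc/redirect",
    ]:
        print(candidate, redirect_matches(pattern, candidate))
```

Under these assumptions only the first candidate matches; the other three differ from the pattern in label structure, trailing domain, or scheme.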

Sort applications on End-User Dashboard

End users can now sort applications alphabetically or by last added on the new Okta End-User Dashboard.

Asynchronous Application Reports

When enabled, this feature turns the generation of the Application Usage and the Application Password Health reports into an asynchronous process. Okta generates a report with the results and sends an email to the admin containing a download link for the CSV file. This enhancement is ideal for orgs with large amounts of user activity, as the generated reports can cover a greater range without timing out. See Application Usage report and App Password Health report.

Risk scoring improvements

Risk scoring improvements are being slowly deployed to all organizations. See Risk scoring.

Password expiry warning for LDAP group password policies

You can now configure an LDAP group password policy to provide users with a password expiry warning when their LDAP password is about to expire. Providing a password expiry warning in advance prevents users from losing access to shared resources and reduces the likelihood that you’ll need to reset passwords. See Configure a password policy.

Create and manage group profiles

You now have the flexibility to manage the default profile for Okta groups in the Profile Editor. This new functionality simplifies group management and lets you quickly add, edit, or remove custom profile attributes to groups. See Work with profiles and attributes. This feature will be gradually made available to all orgs.

Litmos supports Advanced Custom Attributes

We’ve enriched our Litmos integration to support Advanced Custom Attributes for the user profile. This allows you to add fields into the Okta user profile. See Litmos Provisioning Guide.

AES-GCM encryption support for SAML assertions

To secure SAML assertions from attacks and to adopt a stronger security mechanism, Okta now supports AES128-GCM and AES256-GCM encryption modes in addition to AES-128 and AES-256 for SAML applications.

Enhancements

New System Log events for custom domain setup

The following events are added to the System Log:

  • system.custom_url_domain.cert_renew

  • system.custom_url_domain.delete

Existing events now include CustomDomainCertificateSourceType.

OIN App Catalog user interface changes

The following text has been updated for consistency:

  • FILTERS is now Capabilities

  • Apps is now All Integrations

  • Featured is now Featured Integrations

  • OpenID Connect is now OIDC

  • Secure Web Authentication is now SWA

See Add existing app integrations.

Hash marks added to hex code fields

On the Branding page, hash marks are automatically added to the hex codes in the Primary color and Secondary color fields.

Event Hooks daily limit

The maximum allowable daily limit of Event Hooks for all orgs has increased from 100,000 to 200,000. A higher daily allocation of Event Hooks reduces the likelihood orgs will exceed their daily limits. See Workflows system limits.

Improved Branding preview

Branding previews now display correct text colors.

Sign-In Widget button colors standardized

To comply with accessibility contrast ratios, the default variant colors for buttons on Okta sign-in and error page have been standardized to use the Okta design system.

On-Prem MFA application logo

The On-Prem MFA app logo for SecurID has been updated.

Early Access Features

New Features

Enhancements

Manage email notifications for custom admin roles

Super admins can configure the system notifications and Okta communications for custom admin roles. Configuring the email notifications helps ensure admins receive all of the communications that are relevant to their role. See Configure email notifications for an admin role.

Fixes

General Fixes

OKTA-243898

When multiple factors were required in the MFA for Active Directory Federation Services (ADFS) enrollment flow, only a single factor was enrolled before the user was allowed to sign in.

OKTA-409578

After the Microsoft ADFS (MFA) app Sign-On setting was changed to MFA as a Service, the app no longer appeared on the end-user home page.

OKTA-411306

Users weren't instructed to sign out and then sign in again when the mobile device management (MDM) remediation screen appeared during Intune setup.

OKTA-412100

The Identity Provider factor name wasn’t updated when the admin changed the Identity Provider name.

OKTA-412459

The YubiKey report didn’t list all YubiKeys when the user sorted the entries by Status.

OKTA-417499

When the Remove Group endpoint was called with an invalid group profile attribute, the group wasn't removed.

OKTA-418219

Sometimes when a super admin assigned several standard roles to a group at a time, some of those roles didn’t appear on the Groups page.

OKTA-422328

Screen Readers didn't interact properly with the search bar on the Okta End-User Dashboard.

OKTA-422586

On the Suspicious Activity User Report, the Login field was incorrectly labeled Email and didn't display the primary email address of the user who reported the activity.

OKTA-425318

Admins weren't able to use the Expression Language to compare a user's status to a string.

OKTA-428079

Admins weren’t able to add multiple custom attributes to an app on the Okta End-User Dashboard.

OKTA-430675

When the super org admin role was revoked from a user, the resulting email notification didn’t include the org name or URL.

OKTA-432942

Selecting the ellipses on an app card on the Okta End-User Dashboard incorrectly opened the app instead of accessing its settings.

OKTA-434233

Users attempting to enroll an MFA factor while signing in to an OIDC app received server error messages and couldn’t complete the enrollment.

OKTA-440551

The Sort Apps function didn't work when the Okta End-User Dashboard was displayed in Dutch, Brazilian Portuguese, Simplified Chinese, or Traditional Chinese.

OKTA-440618

For some orgs with Branding enabled, the theme was reset after an admin’s role changed.

OKTA-440816

Sometimes, when deactivated LDAP-sourced users attempted to sign in to Okta, an incorrect message appeared.

OKTA-440695

Some users saw an error when signing in to the new End-User Dashboard or OIDC apps for the first time.

App Integration Fixes

The following SAML app was not working correctly and is now fixed:

  • Cloze (OKTA-440336)

Applications

Application Updates

  • The configuration guide for the Vable SCIM integration is updated: Okta Users Provisioning For The Vable Platform.

  • The American Express Work integration was a duplicate and has been removed from the OIN Catalog. Customers should use the American Express - Work integration.

New Integrations

New SCIM Integration Application:

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

OIDC for the following Okta Verified applications:

Weekly Updates

2021.11.1: Update 1 started deployment on November 15

Early Access

Okta Provisioning agent, version 2.0.4

This release of the Okta Provisioning agent contains vulnerability fixes. See Okta Provisioning agent and SDK version history.

Fixes

General Fixes

OKTA-429081

When an admin deleted an app with Federation Broker Mode enabled, users could continue to sign in to the app.

OKTA-429782

Sometimes when the app group membership for a user was deactivated, any role assignments that were revoked from that user still appeared on the Administrators page.

OKTA-429868

API tokens for group admins didn't have the role displayed in the Security > API > Token section.

OKTA-431083

An error occurred when admins attempted to upload an IPA file to the Upload Mobile App page.

OKTA-434925

Email address change notifications were incorrectly sent to the new email address and not the old email address.

OKTA-435431

On the new Okta End-User Dashboard, end users were still able to request apps after an admin had disabled the app request feature.

OKTA-436761

End users were incorrectly prompted to copy password credentials to their clipboard when accessing SWA apps that were shared between users with admin-controlled passwords.

OKTA-439047

Sometimes, the System Log displayed Grant user privilege success events for admins when there were no changes to their privileges.

OKTA-439196

The Okta End-User Dashboard displayed a blank screen to users whose clocks were incorrectly set.

OKTA-441222

When a super admin changed the role notification settings for an admin, some third-party admins with that role were included in the notification subscription.

OKTA-441434

The View Setup Instructions link was broken on the Add Identity Provider page.

OKTA-444012

Branding features weren’t visible in the navigation menu of the legacy Admin Console.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Alibaba Cloud (Aliyun) (OKTA-439430)

  • Apple Store for Business (OKTA-439233)

  • ID90 Travel (OKTA-435212)

  • MessageBird (NL) (OKTA-440295)

  • Screen Leap (OKTA-440292)

  • TD Ameritrade (OKTA-436146)

Applications

New Integrations

SAML for the following Okta Verified applications:

  • Agencyzoom (OKTA-436124)

  • Altruistiq (OKTA-440339)

  • Auvik (OKTA-435860)

  • Ceresa (OKTA-437597)

  • Clumio (OKTA-440285)

  • Workstream (OKTA-441160)

SWA for the following Okta Verified application:

  • Greene King (OKTA-441236)

OIDC for the following Okta Verified application:

  • Luma Brighter Learning: For configuration information, see Okta/Luma SSO.

2021.11.2: Update 2 started deployment on November 29

Fixes

General Fixes

OKTA-419946

When an admin assigned an app to a user, the Edit User Assignments window appeared too small.

OKTA-428017

When the Custom Admin Roles feature was enabled and an admin searched for a group to assign to a role, the list of groups didn’t display their respective app logos.

OKTA-436016

In orgs with deleted groups, admins couldn't run the Admin role assignments report.

OKTA-438793

On the Admin Dashboard, the Overview section displayed an incorrect Updated at time between 12:00 AM and 1:00 AM.

OKTA-441161

When a super admin edited the User Account customization settings, an error occurred after they verified their password.

OKTA-443995

End users were unable to add org-managed apps to the Okta End-User Dashboard after admins had enabled self-service.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • HelpSpot Userscape (OKTA-440296)

  • Instacart Canada (OKTA-442946)

  • Moffi (OKTA-442915)

Applications

New Integrations

SAML for the following Okta Verified applications:

  • Autodesk (OKTA-425911)

  • YesWeHack (OKTA-443624)

OIDC for the following Okta Verified applications:

2021.11.3: Update 3 started deployment on December 6

Generally Available

Sign-In Widget, version 5.13.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-373558

App approval forms incorrectly listed deactivation options and available licenses for Google Workspace.

OKTA-414394

On the Applications page, some admins with a custom role could view the buttons for actions that they didn’t have permission to perform.

OKTA-414517

Users who self-registered but hadn’t completed activation were deactivated if they attempted to sign in with a Google IdP.

OKTA-424842

On the Select assignments to convert page, eligible users didn't appear in the user list.

OKTA-424897

When using the Self-Service Registration feature, users with slower internet connections could click Register again while the account was being created.

OKTA-431945

Sometimes when a third-party admin role was assigned through the public API, the admin's status didn't change in the Okta Help Center.

OKTA-433439

Push Profile updates sometimes failed due to a missing Effective Date value.

OKTA-434556

In Try Okta Free orgs, the Days left in your trial banner didn’t always display the correct number of days.

OKTA-434789

When Veeva Vault was provisioned, the authentication rate limit was incorrectly applied to bulk operations.

OKTA-435148

Unique attributes were retained when admins used a CSV file to import user attributes and the import was unsuccessful.

OKTA-438657

When a custom admin role had the View application and their details permission, admins with that role couldn’t access OIDC applications.

OKTA-441490

When previously deactivated users with expired passwords were reactivated and allowed to sign in using their Personal Identity Verification (PIV) cards, they were required to reset their passwords.

OKTA-442991

When the Custom admin roles feature was enabled, the Administrator assignment by admin and Administrator assignment by role pages displayed the Edit button for admin roles that couldn’t be constrained to a resource.

OKTA-443494

When MFA for Active Directory Federation Services (ADFS) was in OIDC mode and two users were assigned the same custom name, an incorrect error was returned.

OKTA-445826

The help link was incorrect for Settings > Customization > Configure a custom URL domain.

OKTA-453056H

When accessing reports, report admins received a 403 error.

OKTA-453535H

An older library for the RSA and RADIUS agents caused potential security issues in certain situations.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • American Funds Advisor Client Login (OKTA-442550)

  • Bank of America CashPro (OKTA-444481)

  • M&T Bank - Commercial Services (OKTA-447154)

  • Nimble (OKTA-444703)

  • The Trade Desk (OKTA-445291)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • ParkOffice (OKTA-445142)

  • SecZetta (OKTA-446467)

October 2021

2021.10.0: Monthly Production release began deployment on October 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Sign-In Widget, version 5.12.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Okta Active Directory agent, version 3.7.0

This version of the agent contains:

  • Government Community Cloud support

  • Improved logging functionality to assist with issue resolution

  • Bug fixes

See Okta Active Directory agent version history.

Okta LDAP agent, version 5.9.0

This version of the agent contains:

  • Government Community Cloud support

See Okta LDAP Agent version history.

Okta SSO IWA Web App agent, version 1.14.0

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta SSO IWA Web App version history.

Okta Active Directory Password Sync agent, version 1.4.0

This version of the agent contains:

  • Government Community Cloud support

  • Security enhancements

  • Internal fixes

See Okta Active Directory Password Sync Agent version history.

Okta Browser Plugin, version 6.4.0 for all browsers

  • For orgs that enable this feature through self-service EA, end users can now generate passwords from the Okta Browser Plugin pop-up window.

  • For orgs that enable this feature through self-service EA, the Okta Browser Plugin now recommends strong passwords during SWA app sign-up.

  • Plugin extension architecture for Safari has been updated to WebExtension.

See Okta Browser Plugin version history.

SAML 2.0 Assertion grant flow

You can use the SAML 2.0 Assertion flow to request an access token when you want to use an existing trust relationship without a direct user approval step at the authorization server. The flow enables a client app to reuse an authorization by supplying a valid, signed SAML assertion to the authorization server in exchange for an access token. This flow is often used in migration scenarios from legacy Identity Providers that don't support OAuth. See API access management.

Password management on the new Okta End-User Dashboard

Users who access the new Okta End-User Dashboard from mobile or desktop can now show and copy passwords for their apps to their clipboard. They can also use a new password management modal to edit the username or password fields for their apps.

Okta Provisioning agent incremental imports

The option to incrementally import user data is now available for the Okta Provisioning agent. Incremental imports reduce the time required for synchronization by only downloading user information that has changed since the last successful import. See Okta Provisioning Agent incremental import.

Schemas API unique attributes

The Schemas API now includes unique attributes for custom properties in Okta user profiles and the Okta group profile. You can declare a maximum of five unique properties for each user type and five unique properties in the Okta group profile. This feature helps prevent the duplication of data and ensures data integrity.

Org Under Attack for ThreatInsight

Okta ThreatInsight now has enhanced attack detection capability. “Org under attack” establishes a baseline traffic pattern and adjusts based on legitimate changes in traffic patterns. When a threat is detected, the algorithms are optimized to block all malicious requests while creating a System Log event to alert on the attack. After the attack subsides, ThreatInsight returns to its normal mode of operation. This capability enables quick blocking action during an attack. See About Okta ThreatInsight. This feature will be gradually made available to all orgs.

Enhancements

Custom footer enhancement

With Branding enabled, admins can now hide the Powered by Okta message in the footer of their Okta-hosted sign-in page and End-User Dashboard. See Customize the footer for your org.

Routing Rules performance enhancements

Performance enhancements on the Routing Rules page include optimized adding, editing, dragging, and deactivating of rules, and improved loading when the number of rules exceeds 1,000. See Configure identity provider routing rules.

Log per client mode for client-based rate limits

Client-based rate limits are now in Log per client mode for all orgs for both OAuth 2.0 /authorize and /login/login.htm endpoints. This offers additional isolation to prevent frequent rate limit violations.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-325592

When LDAP delegated authentication was enabled, an incorrect event type was used to process user profile updates.

OKTA-372064, OKTA-430527, OKTA-431382

Accessibility issues occurred on the new Okta End-User Dashboard.

OKTA-420524

A password change notification email wasn’t sent to users after their password was changed by an administrator.

OKTA-421812

A Download Latest button wasn’t available for Okta LDAP agents on the Admin Console Downloads page.

OKTA-426923

When users were deleted asynchronously, the entries associated with the user weren't removed from the UniqueEntityProperty table.

OKTA-427016

When Self-Service Registration was enabled, a change to a user's email address in their profile source caused their UPN (user principal name) in Okta to also change, despite it being mapped to the username.

OKTA-427932

When Branding was enabled, the Sign-In Widget was distorted on custom sign-in pages.

OKTA-428268

When an LDAP interface (LDAPi) client had Custom Admin Roles enabled, time-out errors sometimes occurred during group member queries.

OKTA-431349

Translated versions of AD and LDAP configuration validation messages weren’t provided.

OKTA-431868

In the UI for the SuccessFactors app, options for Active User Statuses weren't displayed.

OKTA-432400

Some dialogs didn't appear on the new Okta End-User Dashboard for some users.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Amplitute (OKTA-429432)

Applications

Updates

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

OIDC for the following Okta Verified application:

  • Extole: For configuration information see Okta Instructions.

Weekly Updates

2021.10.1: Update 1 started deployment on October 18

Fixes

General Fixes

OKTA-383501

When a custom admin role was assigned to an existing group with standard roles, the System Log displayed duplicate Grant user privilege events for the members of the group.

OKTA-399667

Provisioning to Zendesk failed when a user with the same email already existed in Zendesk.

OKTA-414295

For orgs with Custom Administrator Roles enabled, the page filters on the Roles, Resources, and Admins tabs of the Administrators page were labeled incorrectly.

OKTA-414339

Org2Org Push Groups sometimes failed.

OKTA-415370

On OIDC app creation, if no locale was specified, it defaulted to an invalid value (en-US).

OKTA-423420

After Branding was enabled, admins could still navigate to original Settings > Customization pages.

OKTA-426692

Provisioning (create/update) users to NetSuite failed with a Null Pointer Exception (NPE).

OKTA-427646

Group rule Okta Expression Language IF statements couldn’t include integer array attributes.

OKTA-429330

Sometimes, when an org used the Okta IWA Web Agent for Desktop Single Sign-on (DSSO), a missing objectGUID caused a 500 Internal Server Error when users attempted to sign in to Okta.

OKTA-431920

Clicking ASN Lookup when configuring a dynamic zone in the Admin Console didn't open a valid autonomous system number (ASN) lookup service.

OKTA-433981

When an admin role was constrained to a group, users with that role sometimes experienced time-out errors on the People page.

Applications

Application Updates

New Integrations

New SCIM Integration Application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Docutrax (OKTA-433521)

  • Testsigma (OKTA-405606)

OIDC for the following Okta Verified applications:

2021.10.2: Update 2 started deployment on November 1

Generally Available

Sign-In Widget, version 5.12.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-329002

The Custom Administrator Roles Early Access feature wasn’t available for Developer orgs.

OKTA-335217

OAuth applications granted authorization tokens on accounts for which users had not yet completed registration.

OKTA-419163

Some admins who were assigned a custom role could convert app assignments for users they weren’t constrained to.

OKTA-419532

The System Log didn’t display Client IP for user.lifecycle.create events from users created through self-service registration.

OKTA-421451

Permission attributes for the Dropbox application weren’t displayed correctly.

OKTA-421698

Password-reset failures due to sign-in policy violations didn't appear in the System Log.

OKTA-425798

The endUserDashboardTouchPointVariant property on the Brands API Theme object didn’t include a variant for LOGO_ON_FULL_WHITE_BACKGROUND.

OKTA-425804

Admins who viewed completed tasks on the new Okta End-User Dashboard couldn't see who approved or rejected the tasks.

OKTA-426548

A 500 Internal Server error appeared when sensitive attributes were included in attribute search results.

OKTA-428163

When using the Firefox browser, users were unable to edit the Forgot Password Text Message section of the Settings page.

OKTA-428329

Some admins who were assigned more than one custom role could manage the app assignments for users and groups they weren’t constrained to.

OKTA-431377

End users couldn't customize how long pop-ups were displayed on the new Okta End-User Dashboard.

OKTA-431675

When admins used the Add Person dialog in the new Admin Console to add users, automatic resizing of the dialog resulted in a "The field cannot be left blank" error message.

OKTA-431879

If admins edited their Branding theme after it had been applied to an Okta page, the changes weren’t applied until they performed a hard refresh.

OKTA-432829

With Enhanced Email Macros enabled, email templates that were previously customized or translated with Expression Language (EL) couldn’t be edited and saved due to invalid EL expressions.

OKTA-433352

Some end users lost access to the Pressbox and Genny apps when accessing them from the new Okta End-User Dashboard.

OKTA-434859

SAML Org2Org didn't work on the new Okta End-User Dashboard.

OKTA-435293

After Branding was enabled, admins couldn’t use their org logo on a white background for the End-User Dashboard.

OKTA-436513

After Branding was enabled, some orgs were unable to update their existing subdomain names.

OKTA-436732

After the MFA Factor Enrolled email template was customized with Enhanced Email Macros, its default template continued to be sent to users.

OKTA-436949

The Recently Used Apps section wasn't translated on the Settings page of the new Okta End-User Dashboard until the page was refreshed.

OKTA-437664

An Event Hook for group-based privilege change events sometimes didn't include the Okta subdomain events in the JSON response.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Alabama Power (OKTA-437660)

  • Ally Bank (OKTA-435214)

  • American Express - Work (OKTA-438301)

  • Azure Portal Login (OKTA-436740)

  • Booking Admin (OKTA-436792)

  • Cat SIS (OKTA-436148)

  • Cronitor (OKTA-438303)

  • Exact Online (OKTA-435209)

  • Grove (OKTA-438304)

  • Key Bank (OKTA-438305)

  • Redis Labs (OKTA-436147)

  • SiteGround (OKTA-437897)

  • UBS (OKTA-436149)

  • Vitality (OKTA-436145)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications

  • Level AI (OKTA-435557)

  • Loom (OKTA-398082)

  • Pima.app (OKTA-435601)

  • Polytomic (OKTA-435605)

  • Smarp (OKTA-415875)

OIDC for the following Okta Verified applications

September 2021

2021.09.0: Monthly Production release began deployment on September 7

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Sign-In Widget, version 5.10.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

MFA Credential Provider for Windows, version 1.3.3

This version includes hardening around certain security vulnerabilities. See Okta MFA Credential Provider for Windows Version History.

Improved new device behavior detection

Stronger signals are now used for the detection of new devices. Devices with web browsers that don't store cookies are treated as new, and trusted applications must send a unique identifier for each device as a device token. See Behavior Detection and evaluation. This feature is now enabled by default for all orgs.

Enhancements

ThreatInsight default mode for new orgs

For new orgs, the default mode for ThreatInsight is now set to Audit mode. Previously, with no mode set by default, events weren't logged unless Audit mode or Block mode was enabled manually. Now with Audit mode set by default for new orgs, the security.threat.detected event is logged once a malicious request is detected. See Okta ThreatInsight.

OIN Manager enhancements

  • The UI text has been clarified for the group patch batching process in the OIN Manager for SCIM submissions. See the Submit an app integration guide.
  • Partners can now provide multiple support contacts, such as email addresses, support URLs, and phone numbers for customers who need assistance when installing or configuring their app integration. This information is shared with users through the app integration’s details page in the OIN catalog. See the Submit an app integration guide.

PagerDuty SSO Domain Support

Base URL is now used instead of Organization Subdomain for PagerDuty SSO configuration. This enables customers with EU domains to input their URL when they set up SSO.

Updated End-User Dashboard icon for mobile users

The End-User Dashboard icon has been updated for mobile users.

Updated Delete Person and Delete Group dialogs

The Delete Person and Delete Group dialogs now include statements to clarify what is removed when a person or group is deleted. This can include application assignments, sign-on policies, routing rules, and user profiles. This change helps admins better understand the ramifications of deleting people and groups. See Deactivate and delete user accounts and Manage groups.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-364848, OKTA-364849, OKTA-364921, OKTA-382725, OKTA-382848, OKTA-382907

Some accessibility issues occurred on the Okta End-User Dashboard.

OKTA-386820

Group Push tasks weren't displayed on the Admin Dashboard.

OKTA-391032

Custom admins with Manage group permissions could view the Add Rule button on the Groups > Rules tab.

OKTA-393077

The View IDP Metadata link incorrectly required an active session when application-specific certificates were enabled.

OKTA-408184

A gap between the deactivation of a contractor and the activation of that user to a full-time employee caused incremental imports for Workday to fail.

OKTA-408562

On the Directory > Groups page, an icon didn’t appear for the Zendesk application.

OKTA-409182

Translations weren't provided for some unsuccessful LDAP password update error messages.

OKTA-409388

Users weren't added to groups when the locale attribute filter was set to equals in the group rule.

OKTA-411252

If an admin added an app integration but didn't complete the process and subsequently assigned it to a group, then clicking the link for the app integration through the Groups directory opened the Add app integration process instead of the settings page for that app integration.

OKTA-416414

Sign-in redirect URI requests failed due to wrapping of the designated URI in the Admin Console.

OKTA-416671

Wildcard OAuth redirect URIs failed if subdomains included underscores.

OKTA-417982

During an OAuth client lifecycle event, the debug data section of the System Log logged incorrect client IDs.

OKTA-420534

While loading, the side navigation on the new Okta End-User Dashboard was misaligned.

OKTA-421801

Some users with a custom domain URL couldn't add or edit resource sets for custom admin roles.

OKTA-421951

Adding an expiration date macro to the Password Reset email template resulted in an Invalid Expression error.

OKTA-422282

End users were able to add bookmark apps after their admins configured the App Catalog Setting to allow org-managed apps only.

OKTA-422340

The number of groups displayed in the Admin Dashboard Overview differed from the correct number of groups reported on the Directory > Groups page.

OKTA-422782

Text didn't wrap properly in the Note for requester field for app approval requests.

OKTA-425921H, OKTA-425993H

Sometimes, when users signed in to Okta and Agentless Desktop Single Sign-on (ADSSO) was enabled, groups outside of the selected organizational units were retrieved.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Avalara (OKTA-415081)

  • Fisher Scientific (OKTA-422646)

  • Microsoft Volume Licensing (OKTA-420160)

  • Quadient Cloud (OKTA-422635)

  • RescueAssist (OKTA-422643)

  • WeWork (OKTA-423570)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Anomalo (OKTA-421527)

  • Paradime (OKTA-420444)

OIDC for the following Okta Verified application:

Weekly Updates

2021.09.1: Update 1 started deployment on September 13

Fixes

General Fixes

OKTA-407869

Some error messages in the Sign-In Widget were translated from English to other languages when the user's language was English.

OKTA-417450

LDAP-sourced users weren’t able to sign in to the Okta Admin Console when their passwords expired and a password policy allowed passwords to be updated.

OKTA-418723, OKTA-420397

New Okta branding didn’t appear on some default error page templates.

OKTA-421227

On the Administrator assignment by admin page, the Copy groups and Paste groups buttons didn’t appear for standard roles that were constrained to one or more groups.

OKTA-421767

The User Profile > Admin roles tab was visible for deactivated users. For active users with no assigned roles, the button to add privileges was mislabeled Edit individual admin privileges.

OKTA-422485

Searches in the LDAP Interface didn’t return results when the search terms were capitalized.

OKTA-423616

The Push Groups page became unresponsive when admins created new group push mappings.

OKTA-424357

ThreatInsight didn't always block IP addresses that were identified as the source of password spray attacks.

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Wiz (OKTA-422626)

2021.09.2: Update 2 started deployment on September 20

Fixes

General Fixes

OKTA-399959

Session timeout policy wasn't enforced during IdP-initiated login to the Admin Console.

OKTA-412102

If an admin added a rule to an app sign-on policy and named it Default sign on rule, they were unable to edit or delete the rule.

OKTA-414089

Admins with the Manage Applications custom admin permission couldn’t access the Profile Editor, Directory Integrations, or Profile Sources pages.

OKTA-414564

A Sign-In Widget message was translated into Russian incorrectly.

OKTA-420154

If client-based rate limiting was enabled, end users were sometimes presented with a 429 error instead of the sign-in page when their session expired or they signed out.

OKTA-421356

LDAP-sourced user profiles weren’t updated when an admin changed the user profile status from suspended to unsuspended.

OKTA-423419

When Enhanced Email Macros was enabled, using required variables without brackets resulted in a validation error.

OKTA-423470

Org logos on the new Okta End-User Dashboard were sometimes oversized.

OKTA-424330

Some Preview org customers received an error when accessing end-user pages after they changed their browser language to Chinese-Traditional.

OKTA-425588

Rate limit enforcement for Voice-based MFA was not mitigating certain toll fraud attacks.

OKTA-427137

DocuSign deprovisioning sometimes failed with the following error: “Adding entity to http method DELETE is not supported.”

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 3Rivers (OKTA-424892)

  • Adobe Enterprise (OKTA-424893)

  • CallTower (OKTA-424894)

  • Parse.ly (OKTA-422625)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

  • KnowBe4: For configuration information, see here (you need to sign in to KnowBe4 to access their documentation).

SAML for the following Okta Verified application

  • Code Climate Velocity (OKTA-424882)

OIDC for the following Okta Verified applications

2021.09.3: Update 3 started deployment on September 27

Generally Available

Sign-In Widget, version 5.11.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-393693

If an app sign-on policy required re-authentication every 0 minutes, some users were unable to reset their passwords.

OKTA-419837

When Branding was enabled, custom code editor pages displayed an incorrect warning.

OKTA-423586

Function names that include blank spaces didn’t work with Enhanced Email Macros.

OKTA-425232

When Branding was enabled, the Go to Homepage button on the Okta error page didn’t use the default Okta variant color.

OKTA-425425

When a super admin tried to generate a Current Assignment report, Okta Admin Console didn’t appear as an available application.

OKTA-426446

When a third-party admin role was assigned, the admin's status didn't change in Salesforce and the Exclude admin from receiving all admin-related communications rule wasn't enforced.

OKTA-430127

When Branding was enabled and later disabled, the sign-in and error pages that were customized with HTML code editors during the enabled period could be reset to their defaults.

OKTA-430524

The default password policy was sometimes being evaluated for users instead of the configured password policy.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Frame.io (OKTA-427018)

  • Google Play Developer Console (OKTA-425775)

  • PNC Borrower Insight (OKTA-426061)

  • Tech Data (OKTA-427022)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Blue Ocean Brain (OKTA-426050)

  • Kintone.com (OKTA-421223)

  • Skypher (OKTA-426992)

OIDC for the following Okta Verified applications

2021.09.4: Update 4 started deployment on October 4

Generally Available

Sign-In Widget, version 5.11.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-327544

An HTTP 500 Internal Server Error message appeared when users attempted to sign in to Okta and their username included an asterisk (*).

OKTA-417936

During an IdP Discovery flow, routing rules were no longer observed if users clicked Back to sign in from the MFA prompt.

OKTA-420946

When admins customized the MFA Factor Enrolled or MFA Factor Reset email templates, the default template was sent to users.

OKTA-423578

Admins could create ADSSO IdP routing rules when ADSSO functionality was enabled and then disabled.

OKTA-425321

When an admin had a custom role with the Manage users and Edit users' authenticator operations permissions, they couldn’t enroll users in the YubiKey factor.

OKTA-427145

When the Admin role assignments report was filtered by a group, it didn’t include group membership admins who were constrained to that group.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Autotask (OKTA-429728)
  • Contract Express (OKTA-429434)
  • DocsCorp Support (OKTA-425176)
  • Google Play Developer Console (OKTA-425775)
  • SAP Concur Solutions (OKTA-427469)
  • Shipwire (OKTA-426103)
  • Twitter (OKTA-430242)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications

  • Jooto (OKTA-429135)
  • Merge (OKTA-430337)

OIDC for the following Okta Verified applications

August 2021

2021.08.0: Monthly Production release began deployment on August 9

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Sign-In Widget, version 5.9.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta solution visible in footer

To help admins identify their Okta solution, the version number in the footer of the Admin Console is now appended with C for Classic Engine orgs and E for Identity Engine orgs. See Identify your Okta solution.

On-Prem MFA agent, version 1.4.4

This version includes bug fixes, security enhancements, and a new version of the Log4J library. See Okta On-Prem MFA agent version history.

ADFS Plugin, version 1.7.8

This version includes bug fixes and security enhancements. See Okta ADFS Plugin version history.

Root signed PIV certificate support

Certificates signed directly from a root CA certificate, with no intermediates, can now be used for Personal Identity Verification (PIV) authentication.

Multiple active user statuses for SuccessFactors integration

When importing users from SuccessFactors into Okta, admins can now select more than one active user status, such as Leave of Absence. See Learn about SAP SuccessFactors Employee Central data provisioning.

Deleted schema property scrubber

All existing data associated with a schema property is now removed when a schema property is deleted. To prevent data corruption, the property cannot be recreated until the existing data is fully removed. Previous data is no longer restored when recreating a deleted schema property with the same definition. This new functionality prevents the corruption of profile data and the associated Elasticsearch issues. See Add or remove custom directory schema attributes.

This feature will be gradually made available to all orgs.

LDAP agent, version 5.8.0

This version of the agent contains:

  • Password expiry warning support for Oracle Directory Server Enterprise Edition (ODSEE), Oracle Unified Directory (OUD), OpenDJ, and SunOne 5.2 LDAP directory services

See Okta LDAP Agent version history.

Enhancements

New warning for excessive IP addresses

A warning now appears if a gateway or proxy has an IP range with more than 5 million addresses. See Create zones for IP addresses.

Start time and end time of rate limit windows

The Rate Limit Dashboard now displays the start time and end time of the rate limit window for each data point. This helps you analyze each data point with more granularity. See Rate limit dashboard.

End-User Dashboard styling

On the new Okta End-User Dashboard, text color in the side navigation has been updated. See Control access to the Okta End-User Dashboard.

OIN Manager enhancements

The Apps for Good category has been added to the selectable categories list. Also, other category names have been adjusted to match those shown in the OIN App Catalog.

OIN App Catalog UI improvements

If available, support contact information now appears on the details page for app integrations.

Early Access Features

New Features

Third-Party Risk

Okta Risk Eco-System API / Third-Party Risk enables security teams to integrate IP-based risk signals to analyze and orchestrate risk-based access using the authentication layer. Practitioners can step up, reduce friction or block the user based on risk signals across the customer’s security stack. Apart from improving security efficacy, this feature also enhances the user experience by reducing friction for good users based on positive user signals. See Risk scoring.

Fixes

General Fixes

OKTA-381874

On the Agents page, admins couldn't remove deleted RADIUS agents or hide the ones that weren't in use.

OKTA-386797

Users were able to make too many attempts to enter an SMS one-time passcode when performing a self-service unlock.

OKTA-388903

Using an Office 365 thick client to open documents from the SharePoint Server didn't work consistently.

OKTA-399414

A link was broken on the OIDC Identity Provider profile mapping page.

OKTA-404612

When updating the provisioning settings for an app integration, some admins had to reload the page because the Admin Console showed a verification message and then stopped responding.

OKTA-404620

Workflow URLs with the okta-emea subdomain weren’t automatically verified when used as an Event Hook URL.

OKTA-406499

On the Admin Console Tasks page, the first 10 tasks were duplicated when Show more tasks was selected and 10 or more tasks were already listed.

OKTA-409514

If an app integration with provisioning enabled was upgraded to support the Push Groups feature, admins were repeatedly prompted to enable provisioning.

OKTA-415772

The Tasks view was missing from the new Okta End-User Dashboard.

App Integration Fixes

The following SWA apps weren't working correctly and are now fixed:

  • Azure Portal Login (OKTA-411455)

  • Cisco WebEx Meeting Center - Enterprise (OKTA-411543)

  • Matrix Teams (OKTA-415413)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified application:

  • Neptune (OKTA-393740)

Weekly Updates

2021.08.1: Update 1 started deployment on August 16

Generally Available

Sign-In Widget, version 5.9.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-386084

Error page templates were inconsistently formatted.

OKTA-409142

The Registration Inline Hook didn’t correctly display error messages to the user during user self-registration.

OKTA-411448

Users who enrolled in multifactor authentication using the Active Directory Federation Services integration were unable to download the Okta Verify app from the Apple App Store and the Google Play store during enrollment.

OKTA-415642

Theme colors weren’t applied to custom pages in Internet Explorer 11.

OKTA-416292

The password management modal was incorrectly minimized on the new Okta End-User Dashboard after an end user responded to the copy confirmation modal.

OKTA-417651

When admins attempted to delete or revoke a YubiKey from the Okta Admin Console, the Done button didn’t appear upon completion.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Fannie Mae Desktop Underwriter (OKTA-416904)

  • Frame.io (OKTA-416896)

  • i-Ready (OKTA-416899)

  • InternationalSOS (OKTA-415410)

  • LifeLock (OKTA-413854)

  • Milestone Xprotect Smart Client (OKTA-416893)

  • SDGE (OKTA-416903)

  • ShipStation (OKTA-416897)

  • Simple Sales Tracking (OKTA-416906)

  • Washington Post (OKTA-416908)

  • Yodeck (OKTA-415411)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified application

  • Hiretual (OKTA-413861)

OIDC for the following Okta Verified application

2021.08.2: Update 2 started deployment on August 23

Fixes

General Fixes

OKTA-309646

The scroll bar didn't function as expected while adding a new access policy to an authorization server.

OKTA-364838

Some accessibility issues occurred on the Okta End-User Dashboard.

OKTA-392409

Office 365 silent activation sometimes failed if the sign-on policy required re-authentication.

OKTA-407591

Prompts initiated by an admin to reset an end user’s password for an SWA app weren't displayed on the Okta End-User Dashboard.

OKTA-410027

When a user was deleted, the AlternateId field in the System Log displayed the user’s Okta identification number and not their email address.

OKTA-412526

The Note for requester field within the self-service app request approval settings didn't properly display messages.

OKTA-414136

The Office 365 integration in the Okta App Catalog showed a Group Linking option that wasn't available for Office 365.

OKTA-414387

End users who attempted to use a custom sign out URL were presented with a blank page on Internet Explorer 11.

OKTA-418656

Users weren’t prompted for additional authenticators after self-service password resets even though their sign-on policy required them.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Alerus (OKTA-418805)

  • BenXcel (OKTA-418794)

  • Inbox by Gmail (OKTA-412080)

  • IBM MaaS360 (OKTA-418799)

  • Redis Labs (OKTA-418789)

Applications

Application Updates

  • We have added the userType attribute to the Slab SCIM schema. For details see the Slab Okta SCIM Integration Guide.

  • The FIS Global Client integration is deprecated from the OIN Catalog.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Blingby Inline (OKTA-410691)

  • Panzura Data Services (OKTA-419287)

  • RudderStack (OKTA-413572)

OIDC for the following Okta Verified applications:

2021.08.3: Update 3 started deployment on August 30

Fixes

General Fixes

OKTA-295856

Buttons and text were misaligned on the API > Trusted Origins tab.

OKTA-382908

A confirmation message wasn’t displayed when an admin removed the last resource from a resource set or the last permission from a role.

OKTA-385343

Group attributes weren't pushed from Okta to Active Directory (AD) as expected.

OKTA-387007

When an admin clicked Custom roles from the Overview section on the Administrators page, the Roles tab opened with the incorrect filters applied.

OKTA-402814

Users didn't receive a verification email after updating a secondary email address.

OKTA-402856

In the redesigned Admin Console, import safeguard warning messages didn’t appear on the Dashboard.

OKTA-412025

Users didn't receive a verification email after they were activated on the People page.

OKTA-413954

Certain YubiKey device make and model names didn't appear correctly on the Okta End-User and Admin Dashboards.

OKTA-417326

Some tabs and buttons on the user and group profile pages of the Custom Administrator Roles user interface were labeled incorrectly. Also, the Admin role assignment report page was called Custom reporting.

OKTA-418039

Enhanced email macros didn’t work with Branding.

OKTA-418150

On the People page, the last user with super admin permissions could be deleted without generating an error.

OKTA-418922

When a user was deleted on the People page, the PostDeleteUserEvent event type was Initiated and not Completed.

OKTA-420122

In the redesigned Admin Console, the Actions drop-down menu for SAML app certifications didn’t expand correctly.

OKTA-420740

When a theme was applied to the Okta-hosted sign-in page, the Sign in button didn’t change to the selected primary color.

OKTA-421446

The Administrator assignment by admin page didn’t load properly when the delegated admin had a standard role that was constrained to specific apps or groups.

OKTA-421481

Some Expression Language email templates didn’t work with Branding.

App Integration Fixes

The following SWA app was not working correctly and is now fixed:

  • Vitality (OKTA-420790)

Applications

Application Update

The following integrations are deprecated from the OIN Catalog:

  • Hiveed

  • BenXcel

  • FIS Global

  • Nanigans

New Integrations

SAML for the following Okta Verified applications:

  • Blingby Programmatic (OKTA-421181)

  • Perimeter 81 (OKTA-415079)

  • Snackmagic (OKTA-419393)

  • Suveryapp (OKTA-420053)

SWA for the following Okta Verified application:

  • Integromat (OKTA-420293)

OIDC for the following Okta Verified application:

July 2021

2021.07.0: Monthly Production release began deployment on July 12

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Dedicated help sites for Okta products

Three of Okta’s products — Access Gateway, Advanced Server Access, and Workflows — now have their own dedicated help sites:

  • Okta Advanced Server Access
  • Okta Access Gateway
  • Okta Workflows

This enhancement offers direct access to independent online help sites for these products from help.okta.com. The new sites provide several benefits:

  • Compactly designed, product-centric content
  • Streamlined navigation
  • More efficient content updates and responsiveness to customer feedback

Okta Device Registration Task, version 1.3.2

This release includes internal code refactoring. You can download this version from the Settings > Downloads section of the Admin Console.

New Domains API response properties available

The Domains API includes the new response object properties of certificateSourcetype and expiration. The certificateSourcetype is a required property that indicates whether the Certificate is provided by the user. The accepted value is Manual. The expiration property on the DNSrecord object is an optional property that defines the TXT record expiration. See Domains API.

Default end-user experience

New orgs, including those created through the org creator API or the developer.okta.com website, will have the new end-user experience enabled by default in preparation for the old end-user experience deprecation starting on October 13. Learn more about this migration and other frequently asked questions in our support article.

Disable Import Groups per SCIM integration

Admins can now choose whether or not to import groups with all SCIM integrations. This new option is available when you set up provisioning for a SCIM integration.

Note that you can't disable group imports for an app if:

  • Import New Users and Profile Updates isn't enabled.

  • App Assignments based on Group exist.

  • Group policy rules exist.

  • Group Push mappings exist.

In these cases, an error is displayed.

Nutanix support

Okta Access Gateway customers can now download and deploy the Access Gateway virtual appliance on Nutanix Acropolis Hypervisor (or Nutanix AHV), a hyper-converged infrastructure platform popular among larger organizations. This provides customers with more options for infrastructure services supported by Access Gateway, including AWS, OCI, VMWare, and now Nutanix.

Remove the ability to disable Admin Experience Redesign

You can no longer disable the Admin Experience Redesign feature for your orgs.

Note: This is not applicable for orgs that didn't have Admin Experience Redesign enabled and used the legacy experience until 2021.06.4.

Windows Hello as an MFA factor is not supported for new orgs

Windows Hello as an MFA factor is no longer supported for new orgs. Existing orgs already using this feature can continue using it.

Test custom email templates

Admins can send themselves a test email to see how their custom email templates will look and function. This allows them to validate macro attributes and translations in the customized template and to see how the template will render in different email environments. Sending the test email to their primary email address eliminates their need to create a real end-to-end workflow to test customization. For more information, see Test a customized email template.

Create LDAP group password policies

You can now create group password policies for LDAP sourced users. This gives you the flexibility to provide users with the same password policy requirements as your local LDAP directory, easing the user experience of an LDAP integration with Okta. See Group password policies and Sign-on policies.

Event Hook preview

Event Hook preview lets admins easily test and troubleshoot their Event Hooks, as well as send sample requests without manually triggering an actual event. This means admins can preview the payload of a specific Event Hook type and make sure that it's what they need to move forward before a full deployment to production. See Preview an event hook.

Enhancements

Workplace by Facebook new custom attribute

Okta now supports the is_frontline custom attribute in Workplace from Facebook. Supporting user type designations enables access for frontline and deskless workers.

OIN App Catalog UI improvements

For each app integration in the OIN App Catalog, the details page has been updated to use tabs that display the overview and the specific capabilities of the app integration. The details page also shows the Capabilities in the side navigation. Clicking a specific capability returns the administrator to the main Add Application page with that capability pre-selected in the filter. When an admin searches for app integrations, the filter is now persistent through category changes or when they refresh the page.

OIN Manager category selections

For app submissions in the OIN Manager, the category designations have been updated to match the categories available in the OIN App Catalog.

Changes to group assignment options for OIDC apps

Admins can create new OIDC applications without assigning them to a group. See Create OIDC app integrations.

HTML sanitizer for email templates

Velocity-based email templates are now processed by an HTML sanitizer. Templates that don’t conform to the rules of the sanitizer are corrected before they are sent. See Customize an email template.

Email template events

The creation and deletion of email templates are now logged as events in the System Log.

Rate limit violation event logging

Session-user and User rate violation events are now logged as operation-level events instead of org-wide events. This allows you to distinguish between rate limit violations at an org level and individual level.

Updated branding for End-User Dashboard

Okta branding on the Okta End-User Dashboard has been updated.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-274754

When an admin attempted to add an app integration to their org for which the org was not entitled, the error message didn't display the org's edition name.

OKTA-380653

A user-created on-the-fly app incorrectly appeared on the Tasks page under Number of apps that can have provisioning enabled.

OKTA-397607

Sometimes the failed-sign-in counter didn’t reset to zero after an end user successfully signed in, which resulted in improper lockouts.

OKTA-400220

When OpenLDAP was used with delegated authentication, an error message containing unnecessary information appeared if users attempted to change their password and it didn't meet the LDAP complexity requirements.

OKTA-401490

LDAP import schedules weren't updated when Relative Distinguished Name (RDN) attribute mapping from Okta to LDAP was missing.

OKTA-402247

New device notifications weren't sent during passwordless sign-in flows.

OKTA-404865

Group Push for Slack caused group members to be reset and gradually re-added, during which time group members couldn't access the app.

OKTA-405351

Some deactivated SAML IdP users whose attributes were updated with Just-in-time Provisioning were activated even though the reactivation JIT setting wasn't selected.

OKTA-407292

Some users were deactivated instead of deleted in Automations.

OKTA-408802

Sometimes, during SAML app configuration, the metadata link improperly required a sign-in session.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • San Diego Gas and Electric (OKTA-407572)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SWA for the following Okta Verified applications

  • Headspace (OKTA-403509)

  • Redprint (OKTA-394718)

  • SCOPE (OKTA-405791)

OIDC for the following Okta Verified applications

Weekly Updates

2021.07.1: Update 1 started deployment on July 19

Generally Available

Sign-In Widget, version 5.8.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-405084

Long-running deactivation jobs didn't overwrite user status changes after a user was deleted.

OKTA-409081

Google Chrome users saw a session lifetime warning if they accessed an end-user dashboard embedded in an iFrame.

OKTA-409227

In the OpenID Connect (OIDC) app wizard, the default Assignments selection was Allow everyone in your organization to access.

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified applications

  • 4Degrees (OKTA-405438)

  • SkillsHood (OKTA-404888)

2021.07.2: Update 2 started deployment on August 02

Generally Available

Sign-In Widget, version 5.8.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-382511

Users saw the wrong error message if they attempted self-service registration with a unique attribute (such as Customer Account Number) that was already in use.

OKTA-383402

In Identity Provider routing rules, the User attributes input field for the AND User Matches condition was narrow and misaligned.

OKTA-394734

The Admin Console Search field was unavailable with Lightweight Directory Access Protocol integrations.

OKTA-398165

Admins who selected the Users Locked Out task on the Admin Dashboard were redirected to the Reset Password page instead of the Unlock People page.

OKTA-399643

Org groups didn't appear as expected on the Admin Console Groups page.

OKTA-401969

Active Directory Single Sign-On users who were prompted to upgrade to Okta Verify with Push Authentication received an error 403 Forbidden message.

OKTA-404295

When an app request email was sent to an admin, the encoded URL was listed instead of its punycode URL.

OKTA-404488

During searches for Lightweight Directory Access Protocol-sourced users, concurrency limit violations caused 429 Too Many Requests errors.

OKTA-405064

Deleted user profiles were permanently removed when they were reactivated.

OKTA-405259

Sometimes, an agent status email wasn’t sent when the Okta IWA Web agent was unavailable.

OKTA-406581

End users who were unable to sign in successfully with Just-in-Time provisioning were sometimes redirected back to the sign-in page without seeing an error message.

OKTA-410072

Sample app bundle downloads didn’t use the current SDK version.

OKTA-411109

The Russian translation for an expired token was inaccurate.

OKTA-413703

Some orgs experienced an issue where the More Integrations section of the Okta App Catalog appeared empty.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Addison Lee (OKTA-410400)

  • Business Insider Prime (OKTA-411534)

  • Calxa (OKTA-411523)

  • CB Insights (OKTA-410399)

  • Cloudapp (OKTA-411535)

  • Dashlane Business (OKTA-410403)

  • Dealer Daily Lexus (OKTA-411531)

  • eFlex Employee (OKTA-411513)

  • Fresh Direct (OKTA-410395)

  • Instacart (OKTA-411491)

  • Instacart Canada (OKTA-411510)

  • Ned Davis Research (OKTA-409608)

  • New York Times (OKTA-410985)

  • Office Tools Portal (OKTA-410397)

  • Passkey (OKTA-411526)

  • Samsara (OKTA-410392)

  • Skillsoft (OKTA-410402)

  • Soundcloud (OKTA-411532)

  • Trustwave (OKTA-410406)

  • United Tranzactions (OKTA-411519)

  • Untangle (OKTA-411520)

  • Wall Street Journal (OKTA-410396)

  • Zocdoc (OKTA-410398)

  • Zscalerbyz (OKTA-410405)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified applications

  • Bonsai (OKTA-409442)

  • Cafe (OKTA-405554)

  • Dashlane (OKTA-407393)

  • eSuite (OKTA-405607)

  • FileFlex (OKTA-410143)

  • ShopRun (OKTA-411470)

  • TeamPay (OKTA-393790)

  • Transcend Engagement (OKTA-409454)

SWA for the following Okta Verified application

  • Samsara (Driver Sign In) (OKTA-414275)

OIDC for the following Okta Verified applications

June 2021

2021.06.0: Monthly Production release began deployment on June 7

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Okta Sign-In Widget, version 5.7.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

MFA Credential Provider for Windows, version 1.3.1

The MFA Credential Provider for Windows version 1.3.1 includes hardening around certain security vulnerabilities, support for Windows 2019, and other general bug fixes and improvements. See Okta MFA Credential Provider for Windows Version History.

Okta Device Registration Task, version 1.3.1

This release is based on Python 3, to support macOS 10.15.xx (Catalina) and above. It addresses the known issue of device enrollment failures. You can download this version from the Settings > Downloads section of the Admin Console. See Enforce Okta Device Trust for Jamf Pro managed macOS devices and Okta Device Trust for macOS Registration Task Version History.

LDAP Interface sign on policy

When creating a sign on policy, you can now create rules that apply only to LDAP Interface user authentications. With this change, you can apply a sign on policy to LDAP Interface authentications and exclude other authentication methods. See Sign-on policies.

Import Safeguard Event Hook

The Import Safeguard event is available for use as an Event Hook. Admins can use the Import Safeguard event to generate a notification when an import safeguard occurs. See Import safeguards and Event Types.

App Integration Wizard improvements

The App Integration Wizard has been updated with several usability improvements. For quicker access, you can now launch the wizard from either the Applications page or the Browse App Integration Catalog page. The platform and sign-on method selection process has been streamlined to remove unnecessary inputs. Help hints in the wizard have been improved to eliminate the need to look up definitions and guidance from the documentation. To save time, trusted origins and group assignment tasks can now be completed as part of the process rather than after the wizard creates the app integration. See Create custom app integrations.

Polling support for Agentless Desktop Single Sign-on and Integrated Windows Authentication authentication sessions

Agentless Desktop Single Sign-on (ADSSO) and Integrated Windows Authentication (IWA) authentication sessions now include polling to reduce the likelihood of service disruptions during periods of high bandwidth use. For users authenticating with ADSSO or IWA during peak periods, this change increases the likelihood that a server will be available to process their authentication request. See Active Directory Desktop Single Sign-on.

Okta Verify support for risk-based authentication

Okta Verify with Push now supports risk-based authentication. With this feature, admins can assess the level of risk when an end user signs in to their org and attempts to authenticate with Okta Verify. See . This feature will be gradually made available to all orgs.

RADIUS support for EAP-TTLS

The RADIUS agents now support the EAP-TTLS network authentication protocol. See the supported factors section in any RADIUS integrations. This feature is now enabled by default for all orgs.

Recently Used Apps

A Recently Used apps section has been added to the top of the Okta End-User Dashboard and the Okta Browser Plugin to make it easier for end users to access their applications. End users can enable and disable the Recently Used setting in their Preferences panel or Account Settings on the Okta End-User Dashboard.

When enabled, the Recently Used apps section is visible at the top of the Okta End-User Dashboard regardless of the number of apps assigned to the end user or whether any apps have been launched. If an end user re-enables the Recently Used apps section, apps that were used when the feature was previously enabled are not preserved. See Recently used apps. This feature will be gradually made available to all orgs.

Enhancements

OIN Manager category selection changes

The choices in the OIN Manager App category selection list have been updated to match the categories available in the public OIN catalog. For existing submissions, the category choice isn't changed until the ISV updates the app submission in the OIN Manager. ISVs can also now select up to three categories for their app integration. See Submit an app integration.

OIN Manager OIDC enhancements

ISVs can now select which OpenID Connect modes their application supports: Single-Page Application (SPA) or Web. See OIDC settings.

Rate limit System Log Event Hook enhancements

The system.operation.rate_limit.warning event has been updated and now notifies administrators when their org is approaching an Event Hook rate limit.

The system.operation.rate_limit.violation event has been updated and now notifies administrators when their org has exceeded an Event Hook rate limit.

See Event Types.

OAuth scope flexible consent

When user consent is required for an OAuth scope, a new check box is available to enable Flexible consent, which blocks services from requesting the scope. See API access management.

Combined OAuth claim evaluation events

To reduce system load and operational cost, a single app.oauth2.as.evaluate.claim event is now recorded per request, instead of separate events for access tokens and ID tokens.

Updated UI for provisioned username options

If an app integration doesn't support the Create only option in the Application username format drop-down menu, the option is now disabled rather than hidden.

Session synchronization

All browser tabs that access the Okta End-User Dashboard now maintain the same session lifetime.

Hidden fields in Sign-In Widget

Hidden username and password fields in the Sign-In Widget are no longer identifiable by screen readers.

File upload tool tips

Tool tip text formatting has been standardized on the App Instance page.

Active SAML certificate warning

A warning now appears when currently active SAML certificates are set as inactive in the Okta Admin Console.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-371017

Assigning attributes when provisioning to Webex sometimes resulted in errors.

OKTA-374204

When a custom sign-out page was configured, users who reset their password with SMS and then clicked Back to sign in were redirected to the custom page.

OKTA-386816

Some app tasks that weren't mapped to Okta users didn't appear on the Admin Dashboard.

OKTA-387918

Admins were unable to view the Import Monitoring dashboard for applications when the application admin role was assigned to specific applications.

OKTA-388914

Okta erroneously pushed profile updates to Rally upon user reactivation when updates to user attributes were disabled.

OKTA-389233

The Sign-In Widget appeared blank for users who attempted to sign in while using multiple WebAuthn authenticator enrollments.

OKTA-393663

Some Firefox 88.0 users on Mac devices were presented with a blank page after signing in to Okta.

OKTA-395953

An incorrect error message was displayed when a user was created with a duplicate unique property.

OKTA-396812

If a user tried to re-enroll via RADIUS after their SMS factor was reset, they weren't prompted to verify their phone number.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Addepar (OKTA-396929)

  • Ustream (OKTA-396921)

Applications

Application Updates

Adobe Sign now supports OAuth and REST API mode for provisioning for new app instances. Existing app instances should be migrated to the new app. See the Adobe Sign Migration Guide for details.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • AlphaSense (OKTA-394744)

  • cloudtamer.io (OKTA-399136)

Weekly Updates

2021.06.1: Update 1 started deployment on June 14

Generally Available

Sign-In Widget, version 5.7.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-386890

Automation rules that were created to delete inactive users sometimes failed due to deprovisioning errors.

OKTA-388300

When the new Admin redesign experience was enabled, the Agents Dashboard displayed incorrect version information about upgraded RADIUS agents.

OKTA-388727

The Clear Unconfirmed Users button didn't work consistently on the Active Directory (AD) Import page.

OKTA-389975

The Sign On page was unresponsive after the Credentials Details section of Bookmark apps was updated.

OKTA-391272

Provisioning errors occurred when email addresses were pushed from Okta to UltiPro after being updated in Active Directory.

OKTA-398218

Syncplicity couldn't be provisioned for EU-based domains.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 1Password Business (OKTA-398705)

  • Eden Workplace (OKTA-398670)

  • Gong (OKTA-394257)

  • Instagram (OKTA-398090)

  • Schwab Advisors (OKTA-401549)

Applications

Application Update

The existing Cacoo integration is deprecated and renamed Cacoo (deprecated). Customers should now use the Nulab Pass (Backlog Cacoo Typetalk) (SAML) integration in our OIN catalog.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

OIDC for the following Okta Verified applications

2021.06.2: Update 2 started deployment on June 21

Generally Available

Sign-In Widget, version 5.7.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-381119

Silent Activation was blocked for certain orgs if the app sign-on policy required MFA reauthentication.

OKTA-383213

Admins could create an app using the App Integration Wizard even when their trusted origin configuration was incorrect.

OKTA-384020

The Active Directory Self-Service Unlock Account email template didn't recognize ${samAccountName} as a valid input.

OKTA-391097

Admins couldn't clear the Auxiliary Object Class attribute for an LDAP integration after setting the attribute's value.

OKTA-392165

Pushing a group from Okta to Slack failed if the group contained more than 15,000 users.

OKTA-393207

End users with custom user types couldn't modify their personal information from End-User Dashboard > Settings.

OKTA-393223

Admins weren't able to use the tab key to navigate in the Upload Logo section of the App Integration Wizard.

OKTA-395044

Factor enrollment with Device Trust failed for some users when they attempted to sign in to Airwatch Workspace One for the first time.

OKTA-398676

Admin permissions were sometimes revoked unexpectedly when new permissions were assigned to the admin.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 8x8 Account Manager (OKTA-402020)

  • Airbnb (OKTA-400493)

  • Certify (OKTA-401731)

  • Dodge Company Shop (OKTA-402526)

  • Enterprise (OKTA-402529)

  • LiveWell (OKTA-402511)

  • Recorded Future SSO (OKTA-402503)

  • Shopify (OKTA-401733)

  • Techsmith (OKTA-400221)

Applications

Application Updates

  • The Boardvantage Meetx/Director app integration is renamed to Nasdaq Boardvantage.

  • The Udemy for Business SCIM app is updated as follows:

    • The Separate Group and Membership Creation setting is enabled.

    • Batch size is updated to 500.

  • The Zoom SCIM app integration schema is updated. For details, see Okta user management with Zoom.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified applications

  • Muck Rack (OKTA-399126)

  • Pave Commute (OKTA-399131)

SWA for the following Okta Verified application

  • HomeTagz (OKTA-402746)

OIDC for the following Okta Verified applications

2021.06.3: Update 3 started deployment on June 28

Generally Available

Sign-In Widget, version 5.7.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-372803

When set to custom, Okta Username format was autofilled with an invalid SpEL expression in the AD General Settings.

OKTA-386004

Some text strings in the End-User Dashboard weren't translated.

OKTA-386545

Exchange ActiveSync Settings in the Office 365 app > Mobile tab couldn't be saved.

OKTA-386841

When admins clicked the Application requests waiting task in the new Admin Dashboard, nothing happened.

OKTA-388959

The app import status showed as In Progress even when the import job had failed.

OKTA-395489

The Create new app integration and CAPTCHA integration forms used the term sign-on instead of sign-in.

OKTA-398094

The new End-User Dashboard displayed options to download Okta Mobile.

OKTA-399667

Some new Zendesk users weren't correctly provisioned in Okta.

OKTA-402379

Some admins could add apps to their orgs after the app limit was reached.

OKTA-402547

Users were prompted for MFA after they reset their passwords using Okta Windows Credential Provider.

OKTA-404379

The OIDC default scopes link sometimes added non-default scopes to access policy rules for authorization servers.

OKTA-407122H

Routing rules were ignored when using the user matches expression.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • CarGurus (OKTA-404542)

  • Delivery Slip (OKTA-402517)

  • SAP Concur Solutions (OKTA-404533)

  • Small Improvements (OKTA-402942)

  • Spectrum Business: Time Warner Cable (OKTA-402523)

  • SquareSpace Template (GT) (OKTA-404538)

  • Staples Advantage (OKTA-402525)

  • Workday Community (OKTA-404532)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified application

  • Vimeo (OKTA-403474)

OIDC for the following Okta Verified applications

2021.06.4: Update 4 started deployment on July 6

Fixes

General Fixes

OKTA-294735

Some text strings in the default email template editor weren’t translated.

OKTA-378363

When a user signed in over the Cisco Meraki network, using the RADIUS agent and Cisco Meraki app, and then changed their password, their account became locked.

OKTA-383559

Profile updates failed to push to the G Suite app and no error information was logged.

OKTA-386081

Error page templates for default and custom domains had inconsistent styling.

OKTA-387154

After the Content Delivery Network (CDN) was disabled for an org, the Sign-In Widget was still served from their custom domain.

OKTA-397685

On the Applications page, the cursor changed to show an extended hand cursor for non-clickable items.

OKTA-400622

The Browse App Catalog button on the Applications page was disabled for app admins.

OKTA-404562

The password policy requirements for LDAP-sourced user passwords were shown in a sentence format instead of a list.

OKTA-408809H

The MS Dynamic application icon didn't work as expected.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Akamai EdgeControl (OKTA-406128)

  • AutoEntry (OKTA-406126)

  • AxurePortal (OKTA-405442)

  • Lincoln Financial Group (OKTA-404686)

  • Recorded Future (OKTA-405697)

  • SharePoint (OKTA-405464)

  • WealthEngine (OKTA-405780)

Applications

Application Update

  • The Bluecross Member Central - Massachusetts integration is deprecated and has been removed from the OIN catalog.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified application

  • TrueCare (OKTA-405039)

OIDC for the following Okta Verified application

May 2021

2021.05.0: Monthly Production release began deployment on May 10

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Okta Sign-In Widget, version 5.6.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta Browser Plugin, version 5.45.0 for all browsers

  • The Recently Used apps section is now visible and accessible from the plugin popover.

  • The Recently Used apps section can be configured by end users on the Okta End-User Dashboard.

  • Plugin popover loading times have been decreased.

  • The plugin’s design and images have been updated.

See Okta Browser Plugin version history.

Agentless Desktop Single Sign-on authentication progress screen updates

Agentless Desktop Single Sign-on (ADSSO) authentication progress screens have been updated to make authorization and verification progress more visible and improve the user experience. See Configure agentless Desktop Single Sign-on.

Group push mapping change

When admins create a group push mapping and link it to a group whose members were imported through another method, those users are now Okta-sourced. See Group Push.

New Select assignments to convert screen

The addition of a Select assignments to convert screen to the Okta Admin Console makes the conversion of app assignments from individually-managed to group-managed easier. With the click of a button you can now quickly locate, select, and then convert individual users, or convert all eligible assignments. See Convert an individual assignment to a group assignment.

Generally Available Enhancements

System Log enhancements

OAuth refresh token event details

System Log events now display information that indicates whether an OAuth refresh token is rotating or persistent.

System Log debug field changes

System Log Advanced Filters no longer support the Contains operator for the following fields:

  • debugContext.debugData.url

  • debugContext.debugData.requestUri

This is to ensure that service stability and operations aren't impacted.

actionId value now available in the System Log

To identify the Okta Active Directory agent used to process a delegated authentication request, the actionId value has been added to the user.authentication.auth_via_AD_agent event in the System Log. For orgs that use multiple agents, this value makes it easier to identify the specific location of log data used to resolve authentication issues. See System Log.

OIN Manager - SCIM submission enhancement

When submitting a SCIM app in the OIN Manager, ISVs can now specify the maximum number of group membership changes that can be included in a single PATCH request. See Configure protocol-specific settings.

Open On-Prem MFA and RSA SecurID page on select

When admins select either On-Prem MFA or RSA SecurID token names from Security > API, the associated MFA factor page now opens.

New help text for Initiate Login URI field

The Initiate login URI field, available in an application’s General Settings tab, now includes additional inline help text to clarify the correct URI to add to this field.

TLS certificate update for okta.com

The TLS certificate for okta.com will be updated beginning on May 6th, 2021, US Pacific Time. The updated certificate will be signed with a new trust chain and Root Certificate Authority (CA) trust anchor. The Root CA will change from the DigiCert High Assurance EV Root CA to the DigiCert Global Root CA. To avoid negative impact and service outages, customers who have a limited or non-standard set of certificates in their trust stores must take action prior to May 6th, 2021. See FAQs.

Password Health Report enhancement

Date columns in the Password Health Report are now in ISO 8601 format to improve readability.

Increased authorization code lifetime

The OAuth authorization code lifetime is increased from 1 to 5 minutes.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-379813

In some cases, end users who verified with IdP as a factor and selected the option to Remember this device were unable to save their configuration.

OKTA-379879

When signing in to a third-party identity provider (IdP), the sign-in hint wasn’t provided as a request parameter to the IdP.

OKTA-380784

In some cases, the security.threat.detected event type in the System Log was missing geographic information when ThreatInsight was enabled.

OKTA-387800

Vanity URLs for deleted users incorrectly included stack trace information with the 404 error.

OKTA-390301

RADIUS authentication with Duo sometimes failed if Single-line MFA prompts were disabled.

OKTA-391166

The link from the OIN Manager to the OIDC concepts document was broken.

Applications

Application Updates

The catalog descriptions for many OIN app integrations have been updated to improve accuracy and show available capabilities.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

OIDC for the following Okta Verified applications

Weekly Updates

2021.05.1: Update 1 started deployment on May 17

Generally Available

Okta Sign-In Widget, version 5.6.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-215049

When an OpenID Connect application was created using a deactivated application's name, a Duplicate Client Name error appeared.

OKTA-374204

End users were incorrectly redirected to the sign-out page if they reset their password through SMS and clicked the Back to Sign In link on the Code Verification page.

OKTA-380326

When an application was edited, the Initiate login URI field was erroneously auto-populated with a default value.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • ADP Vantage HCM (OKTA-390470)

  • ISACA (OKTA-391074)

  • ServiceNow (OKTA-390773)

  • Ticketmaster Account Manager (OKTA-390224)

  • United Health Care Member Login (OKTA-390993)

  • Xandr (AppNexus) (OKTA-390469)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Assembly (OKTA-387208)

  • Calendly (OKTA-390432)

  • Crosschq (OKTA-392449)

  • Ground Truth Intelligence (OKTA-385029)

  • ICI App (OKTA-391167)

  • Kaonavi (OKTA-389262)

  • Listrak (OKTA-386611)

  • MaestroQA-Enterprise (OKTA-393110)

  • Malt (OKTA-389581)

  • Officebooking (OKTA-389582)

  • QueryPie (OKTA-388315)

  • Webcasts.com Admin (OKTA-391005)

OIDC for the following Okta Verified applications

2021.05.2: Update 2 started deployment on May 25

Generally Available

Okta Sign-In Widget, version 5.6.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-362581

End users who attempted to sign in to the new Okta End-User Dashboard while access was prevented were not redirected to the proper error page.

OKTA-369101

Admins couldn't save login mappings for some OIDC Identity Providers.

OKTA-376269

When some users updated their recovery question, the password import inline hook was erroneously triggered.

OKTA-379913

Admins couldn't use the Tab key to advance to the next text field in the Test Delegated Authentication modal.

OKTA-383803

Creating new users in Coupa through Okta provisioning failed with a password length error even though the Sync password option was not selected.

OKTA-386927

The Light Agent role was not available to the users assigned to the Zendesk app.

OKTA-387820

The Current Assignment report in Application Access Audit sometimes failed to load and returned a 500 error.

OKTA-389874

The Client Credentials Flow could not implement a custom claim named scope.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • 1Password Business (OKTA-392758)

  • Concur - ProTrav (OKTA-394860)

  • Cradlepoint NetCloud (OKTA-392389)

  • Lifeworks (OKTA-395025)

  • SAP Concur Solutions (OKTA-395184)

  • The Washington Post (OKTA-393397)

Applications

Application Updates

The following SWA integrations are deprecated from the OIN:

  • Mindtickle - Admin

  • Lead Apparel

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Acronis Cyber Cloud (OKTA-393653)

  • Emerge (OKTA-393802)

OIDC for the following Okta Verified applications

2021.05.3: Update 3 started deployment on June 1

Generally Available

Sign-In Widget, version 5.6.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Content security policy enforcement on end-user pages

Content security policy is now enforced for end-user pages. Content Security Policy headers provide an additional layer of security that helps to detect attacks such as cross-site scripting and data injection by telling browsers what kinds of actions the webpage can execute. A policy has been enforced on admin pages since last year and has been running in report-only mode on end-user pages. We plan to make future iterations of Content Security Policy enforcement for end-user pages stricter than this first release.

This feature will be gradually made available to all orgs.

Fixes

General Fixes

OKTA-330390

On the Onboarding tasks page, the Create an app integration task wasn’t marked Complete after an OIDC or OIN app was added.

OKTA-363972

The RelayState value sent from Jira on-prem to Okta was invalid.

OKTA-378981

SAML requests and responses weren't logged in the System Log as distinct event fields and lacked detail about the SAML assertion.

OKTA-385091

Attempts to push blank values from Okta to any custom app attributes in Google Workspace failed.

OKTA-386112

Imports of more than 2,000 users from Adobe Experience Manager sometimes failed.

OKTA-390477

Suspended users were automatically unlocked but appeared as suspended in the Admin Console.

OKTA-393682

Automatic provisioning of users to Google Workspace sometimes failed with a java.io.IOException error.

OKTA-396391

Some Internet Explorer users received a ScriptError alert when signing in to apps.

OKTA-398081

If the users and groups in an app-level policy were deleted, the Admin Console incorrectly showed the policy as applied to all users and groups.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Airbnb (OKTA-395954)

  • Boxed (OKTA-396919)

  • CultureIQ (OKTA-396932)

  • Eden (OKTA-395029)

  • Fortune (OKTA-395031)

  • Gong (OKTA-394257)

  • Granite Rock Reports (OKTA-393958)

  • LivePerson Expert (OKTA-390448)

  • Moffi (OKTA-395032)

  • MURAL (OKTA-395023)

  • Notion (OKTA-395035)

  • Odoo (OKTA-394706)

  • Traackr (OKTA-396931)

Applications

Application Updates

The following SWA integrations are deprecated from the OIN:

  • EverFi NEXT

  • AppNexus (replaced by Xandr)

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

  • Sisense for Cloud Data Teams: For configuration information, see Sisense SCIM documentation.

SAML for the following Okta Verified applications

  • iHASCO Training Suite (OKTA-396044)

  • Mursion (OKTA-394726)

  • PoliteMail (OKTA-393990)

  • Soveren (OKTA-389257)

  • Writer.com (OKTA-393658)

SWA for the following Okta Verified applications

  • IDEE MFA (OKTA-393819)

  • Xandr (OKTA-394701)

OIDC for the following Okta Verified applications

April 2021

2021.04.0: Monthly Production release began deployment on April 12

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta Active Directory agent, version 3.6.1

This version of the agent contains:

  • Improved query performance for customers with a large number of organizational units.

  • Security enhancements.

  • Improved logging functionality to assist with issue resolution.

  • Managed service account support for the Okta Active Directory agent.

  • Bug fixes.

See Okta Active Directory agent version history.

New operators available in Advanced Filters for System Log

Admins can now filter using new Advanced Filters operators:

  • ends with

  • not equal

  • is present (value exists)

  • greater than

  • greater than or equal to

  • less than

  • less than or equal to

Additionally, admins can now use the not equal, ends with, and is present operators in the System Log search bar. These operators provide greater flexibility when filtering System Log events. See System Log filters and search.

Admin Experience Redesign

With the Admin Experience Redesign feature, the Okta Admin Console now has:

  • A modern look and feel with improved responsiveness for the new navigation side bar.

  • A redesigned Okta Admin Dashboard that displays more practical insights for admins.

  • An Agents page in the Okta Admin Dashboard that shows the status and version of every Okta agent that is connected to customers' on-premises servers.

This improves the accessibility of the product, improves admin productivity, and helps admins to be more proactive with security issues.

Okta Applications

Okta admins can now create app-based sign-on policies for the Okta Dashboard, Okta Admin Console, and Okta Browser Plugin.

Previously, sign-on policies couldn't be configured for these first-party applications. With this release, policies based on context such as user location, device, behavior, risk level, group membership, and more are included. This gives admins more flexibility and granular control over sign-on requirements for these first-party apps. For example, different MFA requirements might apply to the Okta Admin Console for different groups of people.

See Control access to the Okta End-User Dashboard.

Generally Available Enhancements

TLS certificate update for okta.com

The TLS certificate for okta.com will be updated beginning on May 6th, 2021, US Pacific Time. The updated certificate will be signed with a new trust chain and Root Certificate Authority (CA) trust anchor. The Root CA will change from the DigiCert High Assurance EV Root CA to the DigiCert Global Root CA. To avoid negative impact and service outages, customers who have a limited or non-standard set of certificates in their trust stores must take action prior to May 6th, 2021. See FAQs.

Email notification settings

Email notification settings for New sign-on, MFA enrolled, and MFA reset are no longer enabled by default for new orgs. This change prevents new orgs from unintentionally sending email notifications to end users. See General Security.

NetSuite integration enhancement

Okta can now import the supervisor/manager ID for an employee from NetSuite, removing the dependency on Active Directory.

OIN Manager supports variable SAML ACS URLs

SAML app integrations that support multiple ACS URLs can now use app instance property variables to create non-static single sign-on URLs in their submissions.

Okta ThreatInsight free trial

Orgs that use free trial editions now see a limited functionality notification in the Okta ThreatInsight Settings section of the Security > General page. See General Security.

End users on new dashboard can request apps

End users can now request an app through the link in the footer of the new Okta End-User Dashboard. To turn this setting on, go to the Okta Admin Console > Applications > Self Service and enable Allow users to email "Technical Contact" to request an app.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-336939

For some orgs, the user activation page didn't display logos correctly if it was accessed through the redirect link in the User Activation email.

OKTA-337030, OKTA-375978, OKTA-378809, OKTA-379613, OKTA-380069, OKTA-380636, OKTA-381076, OKTA-381639

Some orgs that have the Admin Experience Redesign feature enabled had the following issues:

  • Scrolling functionality didn’t work as expected on some pages.

  • The Okta Admin Dashboard reached the rate limit threshold rapidly, causing a failure to load data in the Admin Dashboard widgets.

  • The spotlight search input field had extra padding.

  • Some pages had layout issues.

  • Some dialog boxes had unwanted scrollbars.

  • Some conditions in group rules were unreadable.

  • Group icons weren't displayed properly on the Group Assignment page.

OKTA-362647

Self-Service Registration incorrectly appeared in the Directory menu for group admins. This feature is available to super admins only.

OKTA-363849

The 12-hour timestamp on the Import Monitoring Dashboard didn’t display AM or PM.

OKTA-369992

The Report Suspicious Activity page didn’t display the geolocation and the IP address of the suspicious request.

OKTA-373689H

Sometimes the public OAuth metadata API responses did not include a Vary: Origin header, resulting in some browsers incorrectly caching the response across Origins.
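
The caching failure described in OKTA-373689H, shown as an added example that is not from Okta's release notes or code: a small simulation of a Vary-aware HTTP cache in front of a CORS-enabled metadata endpoint. The origins, the handler, and the metadata path are assumptions made for illustration.

```javascript
// Constructed example: origins, issuer and handler are illustrative, not Okta's.
// The path is the RFC 8414 metadata location, used here only as a sample URL.
const METADATA_URL = '/.well-known/oauth-authorization-server';
const TRUSTED_ORIGINS = new Set(['https://app-a.example', 'https://app-b.example']);

// Server side: reflect a trusted Origin into Access-Control-Allow-Origin.
// `sendVary` toggles the header whose absence caused the bug.
function metadataHandler(request, { sendVary }) {
  const origin = request.headers.origin;
  const headers = {
    'content-type': 'application/json',
    'cache-control': 'max-age=3600',
  };
  if (origin && TRUSTED_ORIGINS.has(origin)) {
    headers['access-control-allow-origin'] = origin;
  }
  if (sendVary) headers.vary = 'Origin';
  return { status: 200, headers, body: '{"issuer":"https://idp.example"}' };
}

// Cache that honours Vary: a stored response is reused only when every request
// header named in its Vary field matches the request that stored it.
class HttpCache {
  constructor() {
    this.entries = new Map(); // url -> [{ varyOn, varyValues, response }]
  }

  lookup(request) {
    for (const entry of this.entries.get(request.url) || []) {
      const matches = entry.varyOn.every(
        (name) => (request.headers[name] ?? null) === entry.varyValues[name]
      );
      if (matches) return entry.response;
    }
    return null;
  }

  store(request, response) {
    const varyOn = (response.headers.vary || '')
      .split(',')
      .map((name) => name.trim().toLowerCase())
      .filter(Boolean);
    if (varyOn.includes('*')) return; // "Vary: *" can never match a later request
    const varyValues = Object.fromEntries(
      varyOn.map((name) => [name, request.headers[name] ?? null])
    );
    const list = this.entries.get(request.url) || [];
    list.push({ varyOn, varyValues, response });
    this.entries.set(request.url, list);
  }
}

// Browser side: the CORS check applied to whatever response comes back,
// whether it came from the network or from the cache.
function corsAllows(response, origin) {
  const allowed = response.headers['access-control-allow-origin'];
  return allowed === '*' || allowed === origin;
}

function fetchThroughCache(cache, origin, serverOptions) {
  const request = { url: METADATA_URL, headers: { origin } };
  let response = cache.lookup(request);
  const fromCache = response !== null;
  if (!fromCache) {
    response = metadataHandler(request, serverOptions);
    cache.store(request, response);
  }
  return {
    fromCache,
    allowOrigin: response.headers['access-control-allow-origin'],
    readable: corsAllows(response, origin),
  };
}

// Two single-page apps on different origins request the same metadata URL.
function simulate(sendVary) {
  const cache = new HttpCache();
  const first = fetchThroughCache(cache, 'https://app-a.example', { sendVary });
  const second = fetchThroughCache(cache, 'https://app-b.example', { sendVary });
  return { first, second };
}

console.log('without Vary: Origin', simulate(false));
console.log('with Vary: Origin   ', simulate(true));
```

Without the header, the second origin receives the first origin's cached `Access-Control-Allow-Origin` value and its CORS check fails; with it, the cache keeps one entry per origin.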

OKTA-373957

Some iPhone and iPad users using Okta Mobile couldn’t sign in to Microsoft Teams.

OKTA-375702

The Okta Workflows app erroneously counted towards an org's app limit.

OKTA-375878

The Import Safeguard help documentation link on the Directories page was broken.

OKTA-376041

Some pop-up messages during the OAuth validation process incorrectly had scrollbars.

OKTA-376281

During creation of a new SPA app integration, the App Integration Wizard incorrectly enabled the Allow Access Token option under the Implicit grant type by default.

OKTA-376795

Registration Inline Hook sometimes failed during the self-service registration process.

OKTA-378045H

The Applications page in Developer orgs didn't have clear instructions about how to create more custom apps by upgrading to an Enterprise plan.

OKTA-378989

For some orgs, SAML inline hooks didn’t work as expected.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • AlertLogic (OKTA-380563)

  • Blacklane Car Service (OKTA-380186)

  • Bookmark App (OKTA-377640)

  • DHL Express (OKTA-380565)

  • Fortune (OKTA-380576)

  • ImpactOffice (OKTA-380575)

  • Music Vine (OKTA-380580)

  • mySE: My Schneider Electric (OKTA-375671)

  • Tumblr (OKTA-380562)

  • WordFly (OKTA-380953)

The following SAML app was not working correctly and is now fixed:

  • Mimecast Personal Portal v3 (OKTA-381518)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Altitude Networks (OKTA-369534)

  • Cerby (OKTA-381104)

  • LogMeOnce (OKTA-376650)

  • Millie (OKTA-378822)

  • Sketchboard (OKTA-377849)

  • Starred (OKTA-379901)

  • Vulcan Cyber (OKTA-366907)

Weekly Updates

2021.04.1: Update 1 started deployment on April 19

Generally Available Features

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Generally Available Enhancements

Password Health Report enhancement

Date columns in the Password Health Report are now in ISO 8601 format to improve readability.

Increased authorization code lifetime

The OAuth authorization code lifetime is increased from 1 to 5 minutes.

Fixes

General Fixes

OKTA-360669

Errors on the App Sign On Policy page were displayed at the top of the page rather than near the respective fields.

OKTA-360937

In some cases, Okta didn't import all users from ServiceNow.

OKTA-362325

Attributes with the number data type were reported to have been updated after CSV Directory imports even if nothing had changed.

OKTA-362647

Self-Service Registration, a super admin feature, incorrectly appeared in the Directory menu for group admins.

OKTA-375536

Developer org admins were incorrectly redirected to the user app page instead of the Admin Dashboard.

OKTA-375698

In some cases, the OAuth access token for Salesforce expired daily, which caused issues with provisioning.

OKTA-377265

In some cases, admins received a 500 error while creating a new user with JIT provisioning.

OKTA-380356

The Trusted Origin field in the new App Integration Wizard appeared even if the user didn't have the permission to manage the field.

OKTA-380892

Some help documentation links in the Agentless Desktop SSO and Silent Activation section didn't work.

OKTA-382214

In some cases, Group Administrators were incorrectly displayed as User Administrators in the Email Notification dropdown on the Account Settings page.

OKTA-382433

The text in the App Embed Link section of the Custom SAML App page was misaligned.

OKTA-385342

The new App Integration Wizard showed an error when creating an API Services app due to incorrect response type validation.

OKTA-388027

The Email Change Confirmed Notification configuration (part of Email & SMS Customization) didn’t have an option to specify whether admins only, or admins and end users received the notification.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Carta (OKTA-380324)

Applications

Updates

  • The Nature.com SWA integration is deprecated from the OIN.

    Use the Nature Research SAML app instead.

New Integrations

SAML for the following Okta Verified applications

  • Productive.io (OKTA-377469)

  • TigerConnect (OKTA-382369)

OIDC for the following Okta Verified application

2021.04.2: Update 2 started deployment on May 03

Generally Available

Okta Sign-In Widget, version 5.5.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-355894

The Recently Used tab on the Okta End-User Dashboard wasn't translated for all languages.

OKTA-361861

During a full import, profile updates occurred in Workday even if no attributes were changed for the user in Okta.

OKTA-369527

AD-sourced users received misleading error messages when they attempted to reset their passwords while the AD agent was down.

OKTA-371158

Some LDAP-sourced users' temporary passwords became their main passwords after they used them to sign in.

OKTA-373409

Some AD-sourced users were redirected to the default Okta org when they clicked the activation link in their welcome email.

OKTA-373578

Some Dynamic Network zones didn't block traffic as configured.

OKTA-375317

Some users received errors when they authenticated to Okta from ADFS with a custom domain.

OKTA-376991

After reactivation, some users weren't properly reassigned their applications.

OKTA-377853, OKTA-379764

International phone numbers were incorrectly parsed during profile updates in Workday.

OKTA-378405

Pushing AD-imported groups from one Okta instance to another failed.

OKTA-379707

The ThreatSuspected field in the System Log wasn’t consistently updated.

OKTA-380165

Previously scheduled Workday imports were still shown on the Import Monitoring dashboard after provisioning was disabled.

OKTA-381764

Some admins couldn't save settings for Incremental Import Schedule when they integrated a new CSV Directory.

OKTA-382686

The Upload CSV button wasn't clearly visible on the Application Import page of the new Okta Admin Console.

OKTA-382711

Syntax highlights were not correct in the Okta Admin Console code editors for the Custom Sign-In Widget and the Custom Error pages.

OKTA-383630

Preview and test emails in the Okta Admin Console didn’t render customization variables in the email subject field.

OKTA-383632

After a custom domain was configured, the test email dialog in the Okta Admin Console displayed the default email sender details as Okta <noreply@okta.com>.

OKTA-383647

Admins received timeout errors when they deactivated AD-sourced users through imports from Active Directory.

OKTA-384306

Icons in the Okta API Scopes tab were misaligned for OAuth apps.

OKTA-385297

Text on the Sign On tab was misaligned for some apps.

OKTA-389502H

In some cases when the new Okta End-User Dashboard was enabled, Okta incorrectly made hourly token renewal requests that caused user sessions to be active longer than configured.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Accertify (OKTA-388719)

  • Adobe (OKTA-385008)

  • ADP IPayStatements (OKTA-389106)

  • Apollo (OKTA-382989)

  • Beeline TMS (OKTA-383007)

  • Calendly (OKTA-382474)

  • Citi Credit Cards (OKTA-385007)

  • Cradlepoint NetCloud (OKTA-388566)

  • Delta Dental (OKTA-379327)

  • Dow Jones Private Equity and Venture (OKTA-388720)

  • Federal Procurement Data System (OKTA-382991)

  • Grammarly (OKTA-388717)

  • Jitterbit (OKTA-385006)

  • KeyBank (OKTA-385011)

  • LastPass Sync (OKTA-386955)

  • Milestone XProtect Smart Client (OKTA-386601)

  • MongoDB Cloud (OKTA-385010)

  • Portal Nutanix (OKTA-386598)

  • Shatswell MacLeod (OKTA-386604)

  • WEX Health Cloud (OKTA-385013)

  • WorkFlowy (OKTA-386597)

  • XpertHR (OKTA-382990)

  • ZeeMaps (OKTA-388718)

Applications

Application Updates

  • Our Dynamic Signal integration has been updated as follows:

    • The existing Dynamic Signal integration is deprecated and renamed Dynamic Signal (Deprecated).

    • A new Dynamic Signal integration is now available, without provisioning functionality.

  • The following SWA integrations are deprecated from the OIN:

    • Crazy Egg

    • Dow Jones Private Equity and Venture

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

  • Cato Networks Provisioning: For configuration information, see Cato Networking documentation here. Note that this documentation is only available for Cato authenticated users.

SAML for the following Okta Verified applications

  • brandworkz (OKTA-380978)

  • Dooly (OKTA-384467)

  • Feroot (OKTA-387002)

  • Folia (OKTA-369123)

  • Jobcan (OKTA-383754)

  • JoVE (OKTA-386197)

  • LINE WORKS (OKTA-387869)

  • MPulse 9 (OKTA-379463)

  • Open Practice Solutions (OKTA-379650)

  • Planisware Enterprise (OKTA-382573)

  • Propel PRM (OKTA-385027)

  • QReserve (OKTA-383759)

  • Thrive LXP (OKTA-385858)

  • Webcasts Admin (OKTA-382549)

SWA for the following Okta Verified applications

  • Atlanta Fine Homes (OKTA-383598)

  • Walkthechat (OKTA-385436)

  • WSRB (OKTA-385426)

OIDC for the following Okta Verified applications

  • Mantra: For configuration information, see Okta SSO.

March 2021

2021.03.0: Monthly Production release began deployment on March 8

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

LDAP agent, version 5.7.2

This version of the agent contains:

  • Support for Lightweight Directory Access Protocol (LDAP) group password policies

  • Internal improvements and security fixes

  • Bug fixes

To view the agent version history, see Okta LDAP Agent version history.

RADIUS Agent, version 2.15.1

RADIUS agent version 2.15.1 GA contains all updates released since version 2.7.4 EA, including:

  • Support for EAP-GTC and EAP-TTLS to improve security and extend support to network access vendors, such as Netmotion Mobility.

  • Support for TLS 1.2, which is required for all connections to Okta.

  • Support for internet proxies.

  • A simplified installer, which no longer requires shared secrets and ports.

The agent has also been tested on new Linux operating systems:

  • CentOS 7.6.

  • Ubuntu 20.04.1 LTS.

  • Red Hat Enterprise Linux release 8.3.

  • Windows Server 2016.

  • Windows Server 2019.

In summary, the new agent provides admins with an easier installation, configuration, and run-time experience, and we recommend it for all Okta RADIUS customers.

See Okta RADIUS Server Agent Version History.

Okta Sign-In Widget, version 5.4.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

New number challenge options in Okta Verify admin settings

New Okta Verify settings in the Admin Console now allow admins to control when users receive a number challenge. Number challenge is an existing Okta Verify feature in eligible orgs that helps Android and iOS users enrolled in Okta Verify with Push avoid accepting fraudulent push notifications when they try to access a protected app. Completing the challenge ensures that the sign-in attempt came from the user and not from an unauthorized person. Admins can now choose to never challenge users, challenge with all push notifications, or challenge only for high-risk sign-in attempts. See Push Notification and Number Challenge.

Option to switch between Admin Experience Redesign and the old experience

Super admins can now switch between Admin Experience Redesign and the old experience by using the option provided on the Okta Admin Dashboard. This gives admins time to adapt to the new user experience, which is on by default, and the option to revert to the old experience if required.

OIN Catalog enhancements

The OIN catalog adds several customer identity categories, highlights key app integrations, and now shows relevant Okta Workflow connectors and templates. Administrators can click Add integration to add a specific app integration directly to their org. These improvements make it easier for administrators and application developers to learn about Okta’s customer identity integrations. They can browse for relevant integrations like social identity providers and identity proofing solutions and add these integrations to their Okta org.

This feature will be gradually made available to all orgs.

Deleted schema property scrubber

All existing data associated with a schema property is now removed when a schema property is deleted. To prevent data corruption, the property cannot be recreated until the existing data is fully removed. Previous data is no longer restored when recreating a deleted schema property with the same definition. This new functionality prevents the corruption of profile data and the associated Elastic search issues. See Add or remove custom directory schema attributes.

This feature will be gradually made available to all orgs.

OIDC App tab improvements

The following improvements have been made to the OIDC App tab:

  • The default tab is now General instead of Assignments.

  • Client Credentials moved to the top of the page.

  • Downloaded sample apps now have pre-populated environment variables.

See Create OIDC app integrations.

This feature is available for all new Production orgs.

LDAP self-service password reset

End users can now perform a self-service reset of their LDAP password using SMS (Short Message Service). Without compromising security, this functionality simplifies the password reset process and removes the need to involve IT Help Desk for credential management. Using SMS for password resets reduces the Help Desk workload and support costs. See Manage self-service password reset.

Improved auto-complete functionality

To improve the accuracy and speed of user searches, the auto-complete functionality on the Okta Admin Console administrator pages is updated.

Generally Available Enhancements

Improvements to the OIN Manager submission QA process

The Okta Operations team now conducts a final internal QA test for app integration submissions in the OIN Manager Portal and sends an email when the final review is complete. If the review is successful, your submission is automatically published in the OIN. These changes streamline the QA and approval process for OIN app integrations.

OIN Manager additional fields

The OIN Manager portal now accepts encrypted SAML assertion certificates. Also, fields are added to clarify OIDC configuration requirements and to confirm that SCIM app integrations are prepared properly for submission. See Configure protocol-specific settings. These changes simplify the ISV submission process, reducing unnecessary communications with the Okta Operations team.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-209671

Updating a user address field with a string that was too long returned a 500 error response instead of a 400 error with appropriate details.

OKTA-335776

In rare cases when an admin re-typed their password in the Office 365 Admin Password field and then clicked Fetch and Select on the Sign On tab, the Fetch and Select command failed with an error.

OKTA-336326

Sometimes, when the Office 365 Provisioning option was set to Licenses/Roles Management Only, roles and licenses assigned to Office 365 users in Okta didn't sync in Microsoft.

OKTA-346766

Text on some AD Import pages in the new Okta Admin Console was misaligned.

OKTA-352294

Workday incremental imports sometimes failed with a NullPointerException error.

OKTA-359091

Expanding Admin Tasks on the Admin Dashboard changed the index value of the tasks.

OKTA-367327

When IDP as Factor was enabled, some users received the Invalid Token error on stale sign-in pages.

OKTA-367834

The QR code image in the Setup Okta Verify flow didn't include alt text, which caused screen readers to not recognize the image.

OKTA-367844

The SCIM provisioning feature was not enabled for the Lifecycle Management SKUs included with API products.

OKTA-367999

Some end users were stuck in an authentication loop when trying to sign in to Okta.

OKTA-370037

Text on some pages in the new Okta Admin Console was misaligned.

OKTA-371599

Text on the LDAP tab of the Delegated Authentication page was not rendered properly.

OKTA-372049

Text on the Sign On tab of the App Settings page was misaligned.

OKTA-372436

An issue with ThreatInsight was resolved for some organizations who upgraded a free trial edition to Production.

OKTA-372678

Sometimes the sign-in page didn't refresh if the token was expired.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Aflac (OKTA-372087)

  • Alarm (OKTA-372091)

  • CBRE (Employee Login - The Navigator) (OKTA-370216)

  • Frontier Communications (OKTA-370218)

  • GoCompare (OKTA-370219)

  • MX Merchant (OKTA-370217)

  • MxToolbox (OKTA-370503)

  • Premium Audit Advisory Service (PAAS) (OKTA-368399)

  • Rippe and Kingston LMS (OKTA-372081)

  • ShopAtHome (OKTA-372067)

  • The Economist (OKTA-372207)

  • Visage MobilityCentral (OKTA-372095)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Banyan Command Center (OKTA-370640)

  • Five9 Plus Adapter for Microsoft Dynamics CRM (OKTA-367992)

  • Noticeable (OKTA-370631)

SWA for the following Okta Verified application

  • Clarizen One (OKTA-371928)

OIDC for the following Okta Verified application

Weekly Updates

2021.03.1: Update 1 started deployment on March 15

Fixes

General Fixes

OKTA-337155

Sometimes, if a refresh token flow contained an invalid refresh token, the hash was not logged in the System Log.

OKTA-340754

In some cases, users couldn't be assigned to or removed from a group from their Okta Profile.

OKTA-347379

The Okta Browser Plugin incorrectly suggested a new password for the ServiceNow app.

OKTA-362310

The Dutch translation for password requirements on the password reset screen was incorrect.

OKTA-369737

Search boxes on some pages under Security had a CSS issue.

OKTA-370192

Some admins couldn't create users for Box if the default input value for the parent folder path was left empty in Okta.

OKTA-370944

In some cases, after a user deletion legitimately failed, admins were unable to delete other users.

OKTA-378843H

Invalid token requests resulted in a 500 error.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Benchmarking (OKTA-375324)

  • Forbes (OKTA-372724)

  • Fusion MortgagebotLOS (OKTA-373862)

  • Google Workspace (OKTA-374871)

  • Hawaiian Airlines (OKTA-375320)

  • Papertrail (OKTA-375327)

  • Pingdom (OKTA-375323)

  • Schwab Advisors (OKTA-358544)

  • Taboola (OKTA-371937)

  • WorkdayCommunity (OKTA-374314)

  • Zapier (OKTA-374811)

  • Zoom (OKTA-372449)

Applications

Application Updates

Our OrgWiki integration has been updated as follows:

  • The existing OrgWiki integration is renamed OrgWiki (Deprecated).

  • Customers should now use the OrgWiki (SCIM) integration in our catalog.

New Integrations

SAML for the following Okta Verified applications

  • Admin By Request (OKTA-372458)

  • Fortanix Self Defending Key Management Service (OKTA-373374)

  • Taskize Connect (OKTA-369898)

2021.03.2: Update 2 started deployment on March 22

Generally Available Features

Okta Sign-In Widget, version 5.4.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-297743

Apps weren't highlighted automatically if they matched a user’s search terms in the App Catalog.

OKTA-319109

In orgs with the Admin Experience Redesign feature enabled, the Imports Paused task was missing from the Dashboard page in the Okta Admin Console.

OKTA-345217

Some user interface elements on sign-on policy pages for apps were formatted incorrectly.

OKTA-355148

LDAP-sourced users received a 500 error while attempting a self-service password reset that violated common password patterns.

OKTA-362677

In orgs with the Admin Experience Redesign feature enabled, when admins clicked Workflow > Workflow console, the page didn't open in a new browser tab.

OKTA-368354H

Some Adobe Experience Manager imports failed.

OKTA-370306

The side navigation in the Okta Admin Console didn't scroll automatically to a selected item.

OKTA-371058

In some cases, users experienced performance issues on the Okta End-User Dashboard and had to refresh the page manually.

OKTA-372440

The Add Section button was missing from the new Okta End-User Dashboard app list when embedded in an iframe.

OKTA-373004

The Upload button for Encryption Certificates was missing from the Sign-On settings tab in the Okta Admin Console.

OKTA-373729

In some cases, importing users from Active Directory to Okta failed and app assignment didn't complete if a single user failed to import.

OKTA-373944

In orgs with the Admin Experience Redesign feature enabled, admins who didn't have search permissions could see the search box in a deactivated state.

OKTA-375432

In some cases, the onboarding checklist for new developer orgs wasn't populated correctly upon registration.

OKTA-375541

Some app sign-on policy pages had display issues.

OKTA-375953

Smart Card authentication failed if an org had multiple Smart Card Identity Providers (IdPs) configured.

OKTA-375998

The Help documentation link on the Active Directory introductory page redirected users to the wrong documentation page.

OKTA-376620

The error message shown to end users when the login page had an expired token was unclear.

OKTA-379196

End users that belonged to environments without the new Okta End-User Dashboard self-service feature enabled were presented with a blank page after signing onto a custom domain.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Domo (OKTA-373343)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • JustCall (OKTA-375104)

  • Rent Dynamics (OKTA-373350)

  • Roadster (OKTA-359604)

  • Vonage (OKTA-373104)

2021.03.3: Update 3 started deployment on March 29

EA Enhancement

Dashboard and Browser Plugin apps available in Admin Console

Admins of the orgs that have enabled the new Okta End User Dashboard and First Party Applications can now see the Okta Dashboard and Okta Browser Plugin apps in Okta Admin Console > Applications. They can also set up sign-on policies for these apps. See Control access to the Okta End-User Dashboard. This feature will be gradually made available to all orgs.

Fixes

General Fixes

OKTA-333391, OKTA-362811, OKTA-372138, OKTA-372662, OKTA-372959, OKTA-375504, OKTA-375682, OKTA-375977, OKTA-376890, OKTA-376908, OKTA-376985, OKTA-376988, OKTA-377189

Orgs with the Admin Experience Redesign feature enabled had the following issues on some pages:

  • Text or UI elements were misaligned or didn’t wrap correctly.
  • Drop-downs didn’t work properly.
  • Old UI elements replaced the new ones.
  • Font or font color was inconsistent.
  • The scroll functionality didn’t work properly.

OKTA-354628

The RADIUS app didn't have a configuration option to permit MFA-only configuration to allow access-challenge responses.

OKTA-372692

If multiple users matching a UPN or SAM Account Name existed, the authentication process failed even if only one of those users was assigned the RADIUS app.

OKTA-373288

In rare cases, during multifactor authentication (MFA) enrollment with SMS as a factor, users could have multiple unverified phone numbers and weren't able to verify any of them.

OKTA-373963

Group memberships were still being synced to an app even when API integration for the app was disabled.

OKTA-377201

After the local numbers were changed to 10 digits, users in Ivory Coast enrolling in SMS and Voice Call authentication received a warning about the phone numbers not being valid, and they had to retry the same number to complete the enrollment.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Azure Manage (OKTA-377470)

  • Baystate Benefits - Employee (OKTA-377235)

  • Brainerd Dispatch (OKTA-377232)

  • Chase Bank - Personal (OKTA-377215)

  • Domo (OKTA-377226)

  • GuideStar (OKTA-377224)

  • IBM Blueworks Live (OKTA-377219)

  • IntraLinks (OKTA-377496)

  • Iola (OKTA-377217)

  • Jack Henry & Associates Client Portal (OKTA-377212)

  • Lucidchart (OKTA-376367)

  • SAP Concur Solutions (OKTA-375460)

  • Skykick (OKTA-377845)

  • Staples (OKTA-377474)

  • Texas Mutual (OKTA-355698)

  • The Information (OKTA-372438)

  • TSheets QuickBooks (OKTA-372937)

Applications

Application Updates

  • The Fastly application is now private and is renamed Fastly (Deprecated)

  • The Signal Sciences application is now private and is renamed Signal Sciences (Deprecated)

  • The Fastly SAML is renamed Fastly and is updated with SWA Sign On mode.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • EVA Voice Biometrics (OKTA-379067)

  • FortiSASE SIA (OKTA-379066)

  • GitHub Enterprise Managed User (OKTA-379065)

  • IDrive360 (OKTA-378511)

  • Lucid (OKTA-377238)

  • SecureFlag (OKTA-377229)

February 2021

2021.02.0: Monthly Production release began deployment on February 8

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Option to activate and deactivate rate limit warning and violation notifications for all orgs

All admins now receive the warning and violation notifications for rate limits. Additionally, you have the option to activate and deactivate the notification from the Admin Console.

Additional events available for use as Event Hooks

The following event types are now available for use as an Event Hook:

  • The user.account.lock event makes admins aware of accounts that are locked because of suspicious activity or due to multiple incorrect sign-in attempts. Admins can also use this Event Hook to take action against affected accounts.
  • The user.account.unlock event makes admins aware of accounts that are no longer locked. Admins can also notify users of appropriate next steps to prevent future account locking.
  • The group.lifecycle.create event notifies admins when new Okta groups are created. The group.lifecycle.delete event notifies admins when new Okta groups are deleted. Admins can use Event Hooks based on these events to initiate automated custom flows.
  • The system.org.rate.limit.warning event notifies admins when their org is approaching an org-wide rate limit. The system.org.rate.limit.violation event notifies admins when their org has exceeded an org-wide rate limit. Admins can use Event Hooks based on these events to trigger a real-time alert to a downstream system, such as PagerDuty.
  • The system.import.group.create event helps admins to automate IT processes, such as providing members of the imported group with access to applications.
  • The system.import.group.delete event helps admins trigger actions in downstream systems, such as an Okta Workflows Flow that creates a Slack notification.
  • The user.mfa.factor.suspend and user.mfa.factor.unsuspend events notify your service when enrolled MFA factors are suspended or unsuspended. This typically occurs when a registered device associated with the factor is suspended or unsuspended either through the Okta Admin Console or the Okta API.

New System Log events for MFA factor activity and for importing users through CSV

The following System Log event types are now available:

  • The system.mfa.factor.activate event indicates that the MFA factor is activated.

  • The system.mfa.factor.deactivate event indicates that the MFA factor is deactivated.

These events help admins collect metrics for MFA factor activity and track user action for activating and deactivating an MFA factor. These events are triggered when an MFA factor is activated and when it is deactivated.

  • The system.import.user_csv.start event indicates that the process to import users from CSV is started.

  • The system.import.user_csv.complete event indicates that the process to import users from CSV is completed.

These events help admins track user activity of batch importing users through CSV. These events are triggered when the process to import users from CSV is started and when it is completed.

Support for Safari user interaction requirement for WebAuthn flows

Okta now supports Safari's user interaction security requirement for WebAuthn flows. When accessing resources protected by an Okta WebAuthn MFA policy, end users now must tap Verify before they're challenged to provide biometrics or a security key.

General Availability of Workflows

Okta Workflows is now Generally Available for additional customers in the APAC cell.

Okta Workflows is an interface-driven, no-code platform for business process automation that provides integration with some of the most widely used third-party APIs in the industry, including Box, Slack, Salesforce, and Google Workspace. See Okta Workflows.

Deployment is taking place over the course of several days to entitled orgs with the following SKUs:

  • IT Products - Advanced Lifecycle Management

  • Legacy SKU: IT Products - Lifecycle Management, Unlimited

  • Legacy SKU: IT Products - Lifecycle Management, Unlimited OIN Apps

  • Legacy SKU: IT Products - Lifecycle Management, 10 OIN Apps

To access Workflows, select the Workflow > Workflows console menu option from the Okta Admin Console.

Limit group stats when searching for user groups during admin assignment

In search results, groups with more than 10,000 users or apps now appear with a count of 10,000. This speeds up results when super admins search for groups to assign admin privileges. The actual totals are not impacted and can be viewed on the group's page.

New System Log delAuthTimeout and LDAP delAuth values

The following values now appear in the System Log:

  • The delAuthTimeout value identifies the authentication timeout value. The delegated authentication timeout value is the time in milliseconds that Okta waits for delegated authentication responses. Knowing this value can help identify when timeout values are too high and consuming system resources unnecessarily. See System Log.

  • The Ldap delAuth value identifies the delegated authentication type. The values returned are LDAP or AD. Knowing this value can help you identify and resolve delegated authentication issues. See Enable delegated authentication for LDAP.

Generally Available Enhancements

Admins only receive rate limit warning and violation notifications for org events

All admins are notified of rate limit warnings and violations for their orgs in the Admin Console and by email. These notifications are for org-wide events and not for client and operations-based events. This reduces unnecessary email notifications.

Updates to the text in rate limit warning and violation notifications

The text in the rate limit warning and violation notifications in the Admin Console and email has been updated to make it more user-friendly. The email notification now also contains a link to the Rate limit overview document to boost your understanding of rate limits. See Rate limits.

Link to Okta agent support policies

The Downloads page in the Admin Console now has a direct link to the latest Okta agent support policies. See Okta agent support policies.

Enhancement to the OIDC app creation message

After an OIDC application is created, the Application created successfully notification is frequently missed because it only appears briefly after an app is saved. The message now appears after the UI redirects to the new application's main page.

Okta Workflows URL verification in Event Hooks

Admins can now enter a Workflow API Endpoint URL as an Event Hook URL without the need for verification. This helps admins easily configure a Workflow to be triggered from an Event Hook for multiple events or for events not yet available in Workflows.

See Event hooks.

Enhancements to policy scheduled execution System Log events

The policy.scheduled.execute event has been updated. When triggered by Okta Automations, this event now displays the number of user lifecycle state changes for deactivations, deletions, and suspensions in the SuccessfulDeactivations, SuccessfulDeletions, and SuccessfulSuspensions fields under the DebugContext object. This event is useful for admins to measure the number of user accounts that have been affected by Okta Automations.

New color scheme for the map view in System Log

The map view in the System Log now has a new color scheme that increases visibility and clarity.

Early Access Features

New Features

Enhanced Admin Console search

Admins can now search for end user email addresses in the Spotlight Search field in the Admin Console. You can also view the user's status in the search results when you search by username and email address. This robust global search helps you find what you need in the Admin Console quickly, thereby saving time and increasing productivity. See Admin Console search.

Fixes

General Fixes

OKTA-336933

Some Office 365 users were deprovisioned with an incorrect localization error.

OKTA-347240

During account creation, if a user's input violated the length constraints, the error message didn't include the value of the length constraint.

OKTA-348024

SuccessFactors users weren't deactivated by timezone.

OKTA-351180

SAML Preview returned the 400 Bad Request error if the SAML sign-on mode for an app was configured with Single Logout.

OKTA-353734

Some users who had successfully authenticated received a sign-in failed error when they attempted to sign in to an app that wasn't assigned to them.

OKTA-355854

The Okta Admin Dashboard wasn't properly aligned in Internet Explorer 11.

OKTA-358580

Admins couldn't approve or deny app access requests in the new Okta End-User Dashboard.

OKTA-358736

Resend SMS factor sometimes resulted in a 400 error upon app sign-in.

OKTA-359104

Some base attributes were missing from the User Profile.

OKTA-359189

The Preview banner in Preview orgs wasn't properly displayed.

OKTA-361024

The new Okta End-User Dashboard didn't show all company-managed apps or the Show More button.

OKTA-361741

In an IdP-initiated flow, end users were prompted to verify the IdP factor when they accessed an app even if they'd verified a factor when they signed in to the Okta End-User Dashboard.

OKTA-362034

In some browsers, extra scroll bars appeared on the Okta Admin Dashboard.

OKTA-362764

The Tasks card on the Okta Admin Dashboard didn't load properly in Internet Explorer 11.

OKTA-363398

The Help documentation link under Customization > New End User Experience was broken.

OKTA-364583

In the SmartSheet provisioning profile, when admins tried to change the Group Priority setting to Combine values across groups for the variable smartsheet.userPermissions, the error message: Not allowed to modify property userPermissions from the base schema was returned.

OKTA-366948H

Some imports from AD were delayed, especially when a large number of import jobs were being run.

OKTA-367152H

In some cases, MS Office authentication did not prompt for MFA and failed.

Applications

  • The Okta SAML Toolkit is deprecated and removed from the Okta Downloads page.

  • Google Apps is rebranded as Google Workspace. We have updated the OIN Application and associated documentation.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • TravelPerk (OKTA-362457)

Weekly Updates

2021.02.1: Update 1 started deployment on February 16

Fixes

General Fixes

OKTA-348508

During Okta to Box provisioning, if the Create personal Box folder when new user account is provisioned option was selected, the admin was sometimes added to the folder with the user.

OKTA-350375

Some profiles were not updated when Active Directory (AD) attributes were pushed to custom attributes in Okta.

OKTA-358884

During CSV import, attempts to add and update User Profile attributes failed.

OKTA-359569

During password reset, an incorrect error message was reported if security requirements were not met.

OKTA-360989

Admins couldn't enable the Okta Browser Plugin toolbar for specific groups.

OKTA-361726

In the new Okta Admin Console, the Overview section of the Admin Dashboard didn't reflect the correct last-updated date for reports.

OKTA-362107

A non-functioning Learn More link was displayed under Status in the Agents panel.

OKTA-363845

In the new Okta Admin Console, the number of apps displayed on the dashboard was different from the number of actual apps.

OKTA-365531

The Russian translation for the Show More button in the App Catalog was inaccurate.

OKTA-366755

In Internet Explorer 11, the left navigation menu was missing from the new Okta Admin Dashboard.

OKTA-367191

The word Authenticator was not translated on the new Okta End-User Dashboard or in the security enrollment flow.

OKTA-367776

When using a browser other than Safari to access resources protected by an Okta WebAuthn MFA policy, end users were required to tap Verify before they were challenged to provide biometrics or a security key.

OKTA-370361H

Admins sometimes encountered errors when attempting to update O365 app settings or with provisioning-related operations to AAD.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 123RF (OKTA-365452)

  • Avery (OKTA-361758)

  • Chrome River (OKTA-364083)

  • CSI - WatchDOG Elite (OKTA-362468)

  • Exclusive Resorts (OKTA-364063)

  • mySE: My Schneider Electric (OKTA-364080)

  • Nationwide Evictions (OKTA-367116)

  • Notion (OKTA-366913)

  • Skrill (OKTA-366912)

  • SmartyStreets (OKTA-361757)

  • vAuto (OKTA-361755)

  • Visionplanner (OKTA-360707)

  • Wayfair (OKTA-366424)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • A Cloud Guru (OKTA-361798)

  • Genesys Cloud (OKTA-362719)

  • Onfido (OKTA-365910)

  • Strings (OKTA-364012)

  • zkipster (OKTA-364003)

2021.02.2: Update 2 started deployment on February 22

Fixes

General Fixes

OKTA-344871

Although the Add Rule button on the Groups page appeared inactive, in some cases users accessed the Add Rule dialog box after clicking the button.

OKTA-345647

3-byte characters weren't readable in the Okta Password Health report.

OKTA-347025

Group admins could view all Okta tenant users and not just the ones in their group.

OKTA-354798

Sometimes, sign-in attempts with Just-In-Time provisioning using LDAP failed with an UNKNOWN_USER error when delegated authentication was enabled.

OKTA-356023

Importing users from SAP Litmos to Okta failed in some cases.

OKTA-358253

The Okta End-User Dashboard didn't display localized content when the web browser's default language was set to Indonesian.

OKTA-360983

Password requirement error messages shown during self-service registration weren't consistent.

OKTA-361189

In the new Okta Admin Console, the My Settings link erroneously redirected to the organization's Settings page instead of the end-user Settings page.

OKTA-364406

When creating a new app integration as part of the developer onboarding experience, users were redirected to the deprecated Okta Developer Console App Integration Wizard, instead of the App Integration Wizard in the Okta Admin Console.

OKTA-365037

Sometimes, Just-In-Time provisioning or Real Time Sync wasn't triggered during Active Directory delegated authentication.

OKTA-365205/OKTA-366761

Some pages in the new Okta Admin Console didn't display properly in Internet Explorer 11.

OKTA-365925

Sometimes, admins received a 500 Internal Server Error when they deleted a user.

OKTA-367666

When creating a new SAML 2.0 app integration, the Attribute Statement heading in the wizard wasn't grouped with the corresponding input fields.

OKTA-367941

On the Create OpenID Connect App Integration page in the Okta Admin Console, the yellow bar was missing from the side note.

OKTA-368138

In the new Okta Admin Console, removed app instances were identified as agent down on the Dashboard > Agents page.

OKTA-368828

In the new Okta Admin Console, selected child pages were sometimes not highlighted in the left navigation menu.

OKTA-370995

The Admin Console search didn't deliver expected search results when customers searched by the full name of the user. As part of this fix, the ability to search by email address and to view the user's status has been rolled back and is now only available as Early Access.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Arena Solutions (OKTA-366918)

  • CoderPad (OKTA-368916)

  • IBM Blueworks Live (OKTA-366917)

  • NewEgg (OKTA-366340)

  • UserVoice (OKTA-366920)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Cybereason (OKTA-364009)

  • EmployerD Payroll and HR Solutions (OKTA-356069)

  • Exium (OKTA-367104)

  • HyperStore (OKTA-365050)

  • Samdesk (OKTA-367358)

SWA for the following Okta Verified applications

  • Beyond Identity (OKTA-354040)

  • Secret Double Octopus (OKTA-353300)

  • Silverfort (OKTA-352875)

  • Trusona (OKTA-352871)

  • Truu (OKTA-352866)

2021.02.3: Update 3 started deployment on March 1

Fixes

General Fixes

OKTA-332375

Sometimes, admins received a generic 500 error for agentless Desktop Single Sign-On failures caused by request timeout.

OKTA-341050

Some banners in the new Okta Admin Console had inconsistent style.

OKTA-344854

The Sign-In Widget pages were missing language attributes required by screen readers.

OKTA-358773

For deactivated users, apps were still displayed in the Assigned Applications list although they had been unassigned.

OKTA-358826

In the new Okta Admin Console, after opening and closing the spotlight search window with the keyboard shortcut Control + Space, the window no longer opened when admins clicked the Search field or icon.

OKTA-363680/OKTA-371218

Sometimes, a user that was removed from a group wasn't unassigned from the apps assigned to that group, and was instead left with individual assignment.

OKTA-365542

In the new Okta End-User Dashboard, the check box for Lightweight Directory Access Protocol (LDAP) delegated authentication settings was misaligned.

OKTA-365604

Although the See Password and Update Credential settings shouldn't be available for bookmark apps, these settings were still displayed in the Okta End-User Dashboard.

OKTA-370942

Sometimes, a deactivated Office 365 app instance in Okta couldn't be deleted if the username and password for the app instance failed authentication in Microsoft.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Google Workspace (OKTA-368883)

  • Onfido (OKTA-368220)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Claim Leader (OKTA-369552)

  • FAX.PLUS (OKTA-370972)

  • Gamesight (OKTA-360548)

  • IBMid (OKTA-367991)

  • MyCarSpot (OKTA-355697)

  • Osano (OKTA-368805)

  • Sigma on AWS (OKTA-369098)

  • SmartHR (OKTA-368788)

  • Tanda (OKTA-352713)

  • Very Good Security (OKTA-369127)

  • Whil (OKTA-370655)

January 2021

2021.01.0: Monthly Production release began deployment on January 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

New phone rate limits

Users who attempt Voice and SMS enrollment can now be rate limited. Voice and SMS enrollment rate-limit events are now logged in the System Log. See Rate Limits.

WebAuthn feature validation updates with Trusted Origins API

The WebAuthn feature now supports trusted cross-origin and cross-Relying Party Identifier (RP ID) validation when using the Trusted Origins API. Trusted Origins are configured in the Okta Trusted Origins framework either through the Admin UI or the API. These Trusted Origins, configured with the CORS scope, now support orgs using WebAuthn for sign-in pages hosted at Trusted Origins distinct from the org's Okta URL (that is, different from the org's Okta or custom domain URL).

User authentication with MFA can be used as an Event Hook

The user.authentication.auth_via_mfa event type is now available for use as an event hook. See Event Types for a list of events that can be used with event hooks.

Browser Plugin notification expiration

Notifications for new features in the Okta Browser Plugin now expire after three months. See Okta Browser Plugin version history.

Okta Workflows is Generally Available

Okta Workflows is an interface-driven, no-code platform for business process automation that provides integration with some of the most widely used third-party APIs in the industry, including Box, Slack, Salesforce, and G Suite Admin. See Okta Workflows.

Deployment is taking place over the course of several days to entitled orgs with the following SKUs:

  • IT Products - Advanced Lifecycle Management

  • Legacy SKU: IT Products - Lifecycle Management, Unlimited

  • Legacy SKU: IT Products - Lifecycle Management, Unlimited OIN Apps

  • Legacy SKU: IT Products - Lifecycle Management, 10 OIN Apps

APAC and HIPAA cells are excluded.

To access Workflows, select the Workflow > Workflows Console menu option from the Okta Admin Console.

Reports delivered by email

Admins can now receive the following reports by email:

  • Okta Usage Report

  • Okta Password Health Report

  • Current Assignments Report

  • MFA Usage Reports

See Monitoring and reports.

Workday Field Overrides support

The Workday integration now uses Field Overrides reports to fetch custom profile data information instead of custom reports. Field Overrides is a faster report type than custom reports, so using this method is much more efficient. Existing custom report configurations will work, but new app instances will not have these configuration options. See Workday Provisioning.

Import Monitoring dashboard

The Import Monitoring dashboard is now available and displays user attribute imports for a seven-day period. You can use the dashboard to view import progress, status, details, and logs. See View the Import Monitoring dashboard.

Technical admin configuration

Admins can now disable UI prompts that allow end users to contact technical admins and report issues. This is enabled by default for existing orgs, and disabled for new orgs.

Email address change notifications

Email change confirmation notification emails can now be sent to admins only, or to both admins and users. By default, email change confirmation notification emails are sent to admin users only. These notifications not only make admins and users aware of email address changes, they can also act as an early warning of suspicious activity. See Customize an email template. This feature will be gradually made available to all orgs.

Generally Available Enhancements

Group Membership System Log enhancement

The Add user to group membership and Remove user from group membership events have been updated. When triggered by group rules, these events now display the group rule ID in the TriggeredByGroupRuleId field under the Debug Context object.

Extra Verification UI enhancement for end users

The Extra Verification section under End-User Dashboard Settings is now displayed in the right column.

Inclusive language updates

As part of the Okta inclusive language initiative, the following changes have been made:

  • Application provisioning documentation and UI elements have been updated with inclusive language.

  • Allow list has replaced whitelist, block list has replaced blacklist, and source has replaced master.

  • Instances of profile masters, profile master, and profile mastering on the Okta Admin Console Profile Masters page have been updated to profile source and profile sourcing. The administrator documentation has been updated to reflect this change.

Risk Scoring settings

When enabled, Risk Scoring settings now appear in the Okta sign-on policy rule. See Sign-on policies.

Early Access Features

New Features

Workplace by Facebook Push AD Manager functionality

Admins can choose to disable Push AD Manager functionality using this self-service Early Access feature. This enables admins to control the manager attribute using Okta Expression Language syntax to avoid being dependent on AD for the field. See Workplace by Facebook.

Enhancements

Skip to Content improvements

End users can now click Skip to Content on the new Okta End-User Dashboard to navigate directly to the Add Apps page.

Options relocation

The Recent Activity tab, End-User preferences, Admin View, and Sign Out options are now displayed in the user drop-down menu on the Okta End-User Dashboard.

Fixes

General Fixes

OKTA-329862

Indonesian translations and templates were displayed in English.

OKTA-330432

The Okta Browser Plugin continued to recommend strong passwords for apps after the setting was disabled.

OKTA-345311

The sign-in page auto refresh sometimes didn't work when factor sequencing was used.

OKTA-347526

Information text in Settings > Update Credentials was incorrect for bookmarked apps.

OKTA-352737

Self-Service Registration with inline hooks failed for some orgs.

OKTA-354151

Some users were unable to enroll in Okta Verify through TOTP and PUSH methods in some orgs.

OKTA-354967

When defined for an MFA Enrollment policy, the App Condition was not enforced when a user signed in to an application.

OKTA-355035

Security methods for Safari web authentication did not allow for biometric authentication.

OKTA-355482

When super admins edited a group admin role in Security > Administrators, only the first 10 groups were displayed.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Adobe Sign Provisioning (OKTA-352597)

  • FIS E-ACCESS (OKTA-346510)

  • Google Analytics (OKTA-348673)

  • Nationwide Financial (OKTA-355417)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Culture Connect (OKTA-354618)

  • hCaptcha (OKTA-352403)

  • LinkedIn Talent Solutions (OKTA-343875)

  • Process Bolt (OKTA-353096)

SWA for the following Okta Verified applications

  • Adweek (OKTA-350720)

  • Amazon Payee Central (OKTA-347803)

  • CenturyLink (OKTA-350562)

  • TechCrunch (OKTA-343939)

  • Vue Mastery (OKTA-342948)

OIDC for the following Okta Verified applications

Weekly Updates

2021.01.1: Update 1 started deployment on January 19

Fixes

General Fixes

OKTA-336092

The import of user accounts from Adobe Experience Manager to Okta failed if there were duplicate entries in the database.

OKTA-336966

The password requirements presented to LDAP-sourced users during password reset didn’t match the password policy definition.

OKTA-337515

In some cases, the link to activate an account through self-service registration led to an empty page.

OKTA-340836

When admins enabled password change notification, end users going through self-service registration erroneously received a password change notification in addition to the account activation email.

OKTA-341729

In some cases, when a role was deleted from the Amazon Web Services (AWS) console, refreshing the app data in Okta removed group assignments, causing users to lose access to AWS.

OKTA-343739

Some users received notifications for new app assignments although no new apps had been assigned to them.

OKTA-346826

In the SmartSheet provisioning profile, when admins tried to change the Group Priority setting to Combine values across groups for the variable smartsheet.userPermissions, the error message "Not allowed to modify property userPermissions from the base schema" was returned.

OKTA-354279

In some orgs, after account activation, Active Directory users were redirected to a blank page instead of the Okta End-User Dashboard.

OKTA-355574

Some generic or anonymized WebAuthn factors were inaccurately labeled YubiKey.

OKTA-358425

When evaluating risk using device token as a signal, some new users signing in to Okta were incorrectly marked as high risk.

OKTA-359363

Reactivated users from AD did not maintain their group memberships after import.

App Integration Fixes

The following SWA app was not working correctly and is now fixed:

  • Cisco Webex Meetings (OKTA-356220)

Applications

Integration Updates

The Tableau Online SAML app has been updated to add support for Single Logout (SLO). Customers who previously added the integration should refer to the SAML Setup Instructions to enable this new feature.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Communifire (OKTA-353568)

  • LabLog (OKTA-356012)

  • Ybug (OKTA-356075)

SWA for the following Okta Verified applications

  • eClinical Works (OKTA-349360)

  • SiteLink myHub (OKTA-354952)

2021.01.2: Update 2 started deployment on February 1

Fixes

General Fixes

OKTA-303059

API calls to Workday sometimes removed the secondary email of a user when attempting to update the user information.

OKTA-324780

Failed Lightweight Directory Access Protocol (LDAP) sign-in attempts were logged as failed Active Directory (AD) sign-in events in the System Log.

OKTA-333518

Using SAML-based Device Trust with VMware for Identity Provider (IdP) initiated flows threw a 404 error for some users.

OKTA-334383

After entering an invalid username in the Okta Sign-In Widget, users sometimes received a 404 error after refreshing the browser.

OKTA-351888

When editing a user profile, the value of a custom attribute defaulted to the first value, rather than blank (null).

OKTA-353590

If end users accessed Okta by using a Sign-In Widget in Internet Explorer, their origin header wasn't logged in the System Log.

OKTA-354271

Removing a permission set in Salesforce sometimes caused provisioning failures in Okta even though that permission set was no longer selected for the Salesforce app assignment.

OKTA-354309

The EmailEncodingKey attribute in Okta orgs was sometimes incorrectly reported to Salesforce.

OKTA-355368

Profile sourcing and attribute-level sourcing functionality was erroneously not available for Universal Directory SKUs.

OKTA-356087

Send SMS button text was not displayed correctly if the text was too long for certain languages.

OKTA-357656

When using Agentless Desktop Single Sign-on (ADSSO), admins sometimes received scripting errors.

OKTA-358469

The client IP was sometimes missing from user.authentication and policy.evaluate_sign_on events.

OKTA-358970

The logo on the user activation page didn't display correctly if it included a redirect to an application.

OKTA-359173

Inactive users were sometimes erroneously displayed in the Current Assignments report.

OKTA-362398

If the username was different from the email address, Okta Password Health reports were sent erroneously to the username instead of the user's primary email.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • ADP Workforce Now (Employee) (OKTA-361462)

  • Angus (OKTA-360602)

  • Cisco Partner (OKTA-359699)

  • MessageBird (NL) (OKTA-361828)

  • Parallels (OKTA-360298)

  • RIMS (OKTA-360587)

  • Sylvania (OKTA-360624)

  • The Economist (OKTA-360588)

  • Xero (OKTA-361732)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Airbase (OKTA-356338)

  • Kandji (OKTA-360958)

  • Pactflow (OKTA-355531)

  • Partnerize (OKTA-345643)

  • Pave Total Comp (OKTA-359579)

  • Pilgrim SmartSolve (OKTA-359054)

  • Sapling (OKTA-358186)

  • Sociabble (OKTA-355695)

  • Tax1099 (OKTA-355507)

  • ThankYouKindly (OKTA-354613)

  • WhosOffice (OKTA-355012)

  • Yonyx Interactive Guides (OKTA-355527)