Preview release notes
Help us improve our release notes by filling out this short survey.
Current release status
Current | Upcoming | |
---|---|---|
Production | 2023.09.0 | 2023.09.1 Production release is scheduled to begin deployment on September 25 |
Preview | 2023.09.1 |
2023.09.2 Preview release is scheduled to begin deployment on September 27 |
September 2023
2023.09.0: Monthly Preview release began deployment on September 13
* Features may not be available in all Okta Product SKUs.
Content
Generally Available Features
Sign-In Widget, version 7.10.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta AD agent, version 1.16.0
This release includes:
- Migration of the Windows installer from Internet Explorer to Edge.
- Security enhancements.
- Internal updates.
Okta LDAP agent, version 5.18.0
This version of the agent contains security enhancements.
Note: In Windows, the LDAP Agent auto-update feature isn't capable of deploying all security enhancements that are introduced in version 5.18. To completely deploy all security enhancements from this release, all LDAP agents running version 5.17 or earlier must be uninstalled, and version 5.18 must be manually installed. See Install the Okta LDAP Agent.
Okta MFA Credential Provider for Windows, version 1.3.9
This release includes bug fixes, security enhancements, and support for an additional top-level domain. See Okta MFA Credential Provider for Windows Version History.
Lockout Prevention
This feature adds the ability to block suspicious sign-in attempts from unknown devices. Users who sign in to Okta with devices they’ve used before aren’t locked out when unknown devices cause lockouts.
Enhanced Okta LDAP integrations with Universal Directory
Okta LDAP integrations now feature custom mapping, schema discovery, and a fully extensible attribute schema that allows you to import or update any attribute stored in LDAP. With these enhancements, Okta LDAP matches the schema functionality already available to Active Directory integrations. See Profile Editor. This feature is being re-released.
Custom Identity Source app available
The Custom Identity Source app is now available in Okta Integration Network.
Count summary added to report
The User accounts report now displays the total number of records returned for the report.
Product Offers dashboard widget
A Product Offers widget now displays on the Admin Dashboard for super and org admins. The widget provides a cost- and commitment-free way for admins to explore and test the capabilities of various Okta products. When a new free trial is available, admins can click Get started to activate it, or Not interested to dismiss the widget.
Automatically assign the super admin role to an app
Admins can now automatically assign the super admin role to all of their newly created public client apps. See Work with the admin component.
Okta apps and plugin no longer available to certain users
Beta users of the PingFederate MFA plugin can no longer create Okta apps or download the plugin.
Early Access Features
This release doesn't have any Early Access features.
-
OKTA-570804
The RADIUS Server Agent installer for versions 1.3.7 and 1.3.8 didn't prompt users to install missing C++ runtime libraries on Microsoft Windows servers.
-
OKTA-574216
Reconciling group memberships sometimes failed for large groups.
-
OKTA-578184
The inbound delegated authentication endpoint didn't correctly handle errors when the authentication request wasn't associated with an org.
-
OKTA-592745
Full and incremental imports of Workday users took longer than expected.
-
OKTA-605996
A token inline hook secured by an OAuth 2.0 private key returned an error for all users except super admins.
-
OKTA-616604
The password requirements list on the Sign-In Widget contained a grammatical error.
-
OKTA-616905
Events weren't automatically triggered for Add assigned application to group, Remove assigned group from application, and Update Assign application group event hooks.
-
OKTA-619102
Invalid text sometimes appeared in attribute names.
-
OKTA-619179
A timeout error occurred when accessing a custom report for UKG Pro (formerly UltiPro).
-
OKTA-619419
Group admins could see their org’s app sign-in data.
-
OKTA-624387
Sometimes attempting to change an app's username failed due to a timeout.
-
OKTA-627559
Access policy evaluation for custom authorization servers was inconsistent when default scopes were used.
-
OKTA-628944
Email notifications from Okta Verify were sent from the default domain address instead of the email address configured for the brand.
-
OKTA-629774
Some user import jobs failed to restart after interruption.
-
OKTA-631621
Read-only admins couldn't review the details of IdP configurations.
-
OKTA-633431
When an Okta Org2Org integration encountered an API failure, the resulting error message was displayed in Japanese.
-
OKTA-634308
Group app assignment ordering for Office 365 apps couldn't be changed.
-
OKTA-637259
An error occurred when importing users from Solarwinds Service Desk.
-
OKTA-641062
The link to Slack configuration documentation was invalid.
-
OKTA-641447
Super admins couldn’t save new custom admin roles.
-
OKTA-648092
New admins didn't get the Support app in their End-User Dashboard.
Okta Integration Network
App updates
- The CoRise app integration has been rebranded as Cobalt.
New Okta Verified app integrations
- Armis (SCIM)
- Astrix Security (OIDC)
- CloudEagle (API service)
- Darwinbox (SAML)
- DataOne (OIDC)
- Edgility (OIDC)
- Elba SSO (OIDC)
- Experience.com (OIDC)
- GraphOS Studio (SAML)
- HealthKey (OIDC)
- Huntress Security Awareness Training (API service)
- Lifebalance Program (OIDC)
- Mapiq (OIDC)
- Mapiq (SAML)
- OpenComp (OIDC)
- OpsHelm (OIDC)
- OpsHelm (SCIM)
- PlanYear (SAML)
- Spyglass (OIDC)
- Tuvis (SAML)
App integration fixes
- American Express Online (OKTA-637925)
- hoovers_level3 (OKTA-637274)
- MSCI ESG Manager (OKTA-637624)
- PartnerXchange (OKTA-632251)
- Staples Advantage (OKTA-639141)
Weekly Updates

Generally Available
Sign-In Widget, version 7.10.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
-
OKTA-595549
IdP users were redirected to an unbranded sign-in page after SSO failure.
-
OKTA-614488
Admins could view only 50 applications in the Default application for the Sign-In Widget dropdown menu when configuring a custom sign-in page.
-
OKTA-619163
When the Universal Distribution List group was pushed to Active Directory, some users' group memberships didn't sync.
-
OKTA-627660
Users whose admin permissions were revoked continued to receive emails with an Admin only audience setting.
-
OKTA-628227
Some SAML-linked accounts in DocuSign couldn't use SWA.
-
OKTA-637801
Admins without permission to manage apps saw an Edit button for the app’s VPN Notification settings.
-
OKTA-638911
The RSA Authenticator used the old SamAccountName of AD-sourced users after it was changed.
-
OKTA-639465
The LDAP Agent Update service used an unquoted path, which could allow arbitrary code execution. For more information, see the Okta security advisory.
-
OKTA-647842
Okta displayed two different titles for the End-User Dashboard to users whose locale was set to Vietnamese.
Okta Integration Network
App updates
- The Amazon Business SAML app now has a configurable SAML issuer.
- The Amazon Business SCIM app now has a configurable SCIM base URL and Authorize endpoint.
- Application profile and mapping has been updated for the Jostle SCIM app.
- The mobile.dev SAML app has been rebranded as Maestro Cloud.
New Okta Verified app integrations
- Base-B (SAML)
- Base-B (SCIM)
- Comprehensive (OIDC)
- Palo Alto Networks Cloud Identity Engine (API service)
- Palo Alto Networks Cloud Identity Engine (Application-enabled) (API service)
- Rezonate Security (API service)
- supervisor.com (OIDC)
- WorkSchedule.Net (OIDC)
App integration fixes
- American Express Online by Concur (OKTA-642832)
New custom admin role permission
Super admins can now assign View delegated flow permission to their custom admin roles. See About role permissions.
Content security policy enforcement on end-user pages
Content Security Policy is now enforced for end-user pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for end-user pages will become stricter than this first release. This feature will be gradually made available to all orgs.
Okta ThreatInsight coverage on core Okta API endpoints
Okta ThreatInsight coverage is now available for core Okta API endpoints (OpenID Connect & OAuth 2.0, Okta Management, and MyAccount API). Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org.
Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints.
There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
Application Entitlement Policy
Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
Assign admin roles to an app
Orgs can now assign admin roles to their custom API Service Integrations. Apps with assigned admin roles are constrained to the permissions and resources that are included in the role assignment. This helps ensure that apps only have access to the resources that are needed to perform their tasks, and improves orgs' overall security. See Work with the admin component.
Descriptive System Log events
When Okta identifies a security threat, the resulting security.threat.detected entry now provides a descriptive reason for the event. See System Log.
New App Drawer
The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.
SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org’s apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.
Toggle password visibility on the Okta Sign-In page
End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Delegated authentication.
Email failure events in the System Log
Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.
Federation Broker Mode
The new Federation Broker Mode allows Okta SSO without the need to pre-assign apps to specific users. Access is managed only by the authentication policy and the authorization rules of each app. This mode can improve import performance and can be helpful for larger-scale orgs that manage many users and apps. See Manage Federation Broker Mode.
User Import Scheduling
When importing users from an app to Okta, you can now schedule imports to occur at hourly, daily, or weekly intervals. Scheduling imports at a time that is convenient for your org reduces the likelihood of service disruptions and eliminates the need to start imports manually. If an application allows incremental imports, you can create both full and incremental import schedules. This is a self-service feature. See Edit app provisioning settings.
Choose additional filters for Office 365 sign-on policy
Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.
Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.
Null values for SCIM provisioning
Null values for any attribute type can now be submitted to Okta when using SCIM provisioning. This change reduces the error messages customers receive and simplifies end user identity management. See Manage profiles.
Manage admin email notification subscriptions using API endpoints
Admins can manage email subscriptions using the Admin Email Subscription API endpoints.
-
Super admins can configure default subscription settings by admin type.
-
All admins can manage their own admin email notification subscriptions.
End-User Dashboard and Plugin redesign
The Okta End-User Dashboard and Okta Browser Plugin have been redesigned with a modern look and feel that includes new sidebar navigation, fuzzy search, and sections that replaces tabs.
Admins can enable this new design all at once or by groups. The new experience is 50% faster, more intuitive to use, and more responsive to smaller screens. Design changes also improve accessibility and app discovery for end users.
See Create sign-on policies with Okta Applications.
This feature will gradually be made available to all Preview orgs.
Workflows Templates available
Workflows Templates is now available, providing users with access to a searchable catalog of installable Flows that address many common use cases. See Get started with Workflows Templates.
LDAP password reset option
LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Delegated authentication.
LDAP admin password reset
For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.
Windows Device Registration Task, version 1.4.1
This release fixed the following issues:
- If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
- An unknown publisher warning appeared after double-clicking the Okta Device Registration MSI file.
Affected customers should uninstall the registration task and install 1.4.1 or later.
See Enforce Okta Device Trust for managed Windows computers and Device Trust for Windows Desktop Registration Task Version History.
Incremental Imports for CSV
Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously been released to Production in 2020.09.0.
Password changed notification email
To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.
Office 365 Silent Activation
Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain joined shared Workstations or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.
End-user Welcome emails localized
The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.
People page improvements
The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.
Mobile tab available for mobile-capable apps
The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.
Provisioning page UI element change
Drop-down menus on the Provisioning page (General Settings) were standardized.
UI element change
Drop-down menus on the Provisioning page (General Settings) are standardized. See Provision applications.
Early Access features, auto-enroll
You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access features.
Connecting Apps to Okta using the LDAP Interface
The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.