Production release notes
Help us improve our release notes by filling out this short survey.
Current release status
Current | Upcoming | |
---|---|---|
Production | 2023.09.0 | 2023.09.1 Production release is scheduled to begin deployment on September 25 |
Preview | 2023.09.1 |
2023.09.2 Preview release is scheduled to begin deployment on September 27 |
September 2023
2023.09.0: Monthly Production release began deployment on September 18
* Features may not be available in all Okta Product SKUs.
Generally Available Features
Sign-In Widget, version 7.10.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta AD agent, version 1.16.0
This release includes:
- Migration of the Windows installer from Internet Explorer to Edge.
- Security enhancements.
- Internal updates.
Okta LDAP agent, version 5.18.0
This version of the agent contains security enhancements.
Note: In Windows, the LDAP Agent auto-update feature isn't capable of deploying all security enhancements that are introduced in version 5.18. To completely deploy all security enhancements from this release, all LDAP agents running version 5.17 or earlier must be uninstalled, and version 5.18 must be manually installed. See Install the Okta LDAP Agent.
Okta MFA Credential Provider for Windows, version 1.3.9
This release includes bug fixes, security enhancements, and support for an additional top-level domain. See Okta MFA Credential Provider for Windows Version History.
Authentication challenge for redirects
Users now receive an authentication challenge for each redirect sent to an Identity Provider with Factor only configured, even if the IdP session is active.
Custom Identity Source app available
The Custom Identity Source app is now available in Okta Integration Network.
Count summary added to report
The User accounts report now displays the total number of records returned for the report.
Product Offers dashboard widget
A Product Offers widget now displays on the Admin Dashboard for super and org admins. The widget provides a cost- and commitment-free way for admins to explore and test the capabilities of various Okta products. When a new free trial is available, admins can click Get started to activate it, or Not interested to dismiss the widget.
Automatically assign the super admin role to an app
Admins can now automatically assign the super admin role to all of their newly created public client apps. See Work with the admin component.
Okta apps and plugin no longer available to certain users
Beta users of the PingFederate MFA plugin can no longer create Okta apps or download the plugin.
Early Access Features
This release doesn't have any Early Access features.
-
OKTA-570804
The RADIUS Server Agent installer for versions 1.3.7 and 1.3.8 didn't prompt users to install missing C++ runtime libraries on Microsoft Windows servers.
-
OKTA-574216
Reconciling group memberships sometimes failed for large groups.
-
OKTA-578184
The inbound delegated authentication endpoint didn't correctly handle errors when the authentication request wasn't associated with an org.
-
OKTA-592745
Full and incremental imports of Workday users took longer than expected.
-
OKTA-605996
A token inline hook secured by an OAuth 2.0 private key returned an error for all users except super admins.
-
OKTA-616604
The password requirements list on the Sign-In Widget contained a grammatical error.
-
OKTA-616905
Events weren't automatically triggered for Add assigned application to group, Remove assigned group from application, and Update Assign application group event hooks.
-
OKTA-619102
Invalid text sometimes appeared in attribute names.
-
OKTA-619179
A timeout error occurred when accessing a custom report for UKG Pro (formerly UltiPro).
-
OKTA-619419
Group admins could see their org’s app sign-in data.
-
OKTA-624387
Sometimes attempting to change an app's username failed due to a timeout.
-
OKTA-627559
Access policy evaluation for custom authorization servers was inconsistent when default scopes were used.
-
OKTA-628944
Email notifications from Okta Verify were sent from the default domain address instead of the email address configured for the brand.
-
OKTA-629774
Some user import jobs failed to restart after interruption.
-
OKTA-631621
Read-only admins couldn't review the details of IdP configurations.
-
OKTA-633431
When an Okta Org2Org integration encountered an API failure, the resulting error message was displayed in Japanese.
-
OKTA-634308
Group app assignment ordering for Office 365 apps couldn't be changed.
-
OKTA-637259
An error occurred when importing users from Solarwinds Service Desk.
-
OKTA-641062
The link to Slack configuration documentation was invalid.
-
OKTA-641447
Super admins couldn’t save new custom admin roles.
-
OKTA-648092
New admins didn't get the Support app in their End-User Dashboard.
Okta Integration Network
App updates
- The CoRise app integration has been rebranded as Cobalt.
New Okta Verified app integrations
- Armis (SCIM)
- Astrix Security (OIDC)
- CloudEagle (API service)
- Darwinbox (SAML)
- DataOne (OIDC)
- Edgility (OIDC)
- Elba SSO (OIDC)
- Experience.com (OIDC)
- GraphOS Studio (SAML)
- HealthKey (OIDC)
- Huntress Security Awareness Training (API service)
- Lifebalance Program (OIDC)
- Mapiq (OIDC)
- Mapiq (SAML)
- OpenComp (OIDC)
- OpsHelm (OIDC)
- OpsHelm (SCIM)
- PlanYear (SAML)
- Spyglass (OIDC)
- Tuvis (SAML)
App integration fixes
- American Express Online (OKTA-637925)
- hoovers_level3 (OKTA-637274)
- MSCI ESG Manager (OKTA-637624)
- PartnerXchange (OKTA-632251)
- Staples Advantage (OKTA-639141)
August 2023
2023.08.0: Monthly Production release began deployment on August 14
* Features may not be available in all Okta Product SKUs.
Generally Available Features
Okta AD agent, version 3.16.0
When the executor.log and coordinator.log files exceed 5 MB in size, the contents roll over into executor.log.old and coordinator.log.old files.
Okta Active Directory Federation Services Plugin, version 1.7.13
Version 1.7.13 of the Okta Active Directory Federation Services (ADFS) Plugin is now available for download. It includes support for Microsoft Windows Server 2022 and includes bug fixes and security hardening. See Okta ADFS Plugin version history.
Redesigned resource set pages
The Create new resource set and Edit resource set pages that are displayed when an admin creates or edit a resource set now provide a simpler, more intuitive user experience. See Create a resource set.
Integrate with any identity source
To get Okta's full HR-driven provisioning and LCM functionality for an HR integration, customers previously had to use one of five pre-integrated HR systems or build complex custom code with the Okta Users API to replicate some of Okta’s LCM functionality for other identity sources.
With Anything-as-a-Source (XaaS), customers now have the flexibility to connect any identity source to Okta and realize the full benefits of HR-driven provisioning with a simpler solution. See Anything-as-a-Source.
Self-service upgrades to Identity Engine
Admins can now reschedule their self-service upgrades for as soon as two hours or up to 30 days in the future. See Upgrade to Okta Identity Engine.
Getting Started video for new orgs
The Getting Started page now displays an introductory video. The video provides a quick overview of the common tasks and functions for new orgs, and helps admins familiarize themselves with the Admin Console. See Get started with Okta.
API service integration client secret rotation in the Admin Console
New in this release is the ability to rotate client secrets for an API service integration through the Admin Console. Previously, if a customer wanted to update the client secret for an API service integration, they had to reinstall the integration to obtain a new client ID and secret. There was no option to revoke the client secret while maintaining the client ID and API service integration instance in Okta. With this new feature, customers can generate a new secret, deactivate an old secret, and remove a deactivated secret from the API service integration instance. These functionalities help customers implement security best practices without service downtime. See API Service Integrations.
New event types for User Auth Events
Two additional event types are now available under User Auth Events:
- User's session was cleared
- User's MFA factor was updated
New application lifecycle event hook
An event hook to deny user access due to a condition in an app sign-on policy is now available to admins. See Create an event hook .
Polling enhancements for Agentless DSSO
When the server is in SAFE_MODE, Agentless DSSO polling signs in a user if they are in ACTIVE state in Okta.
Early Access features from this release are now Generally Available.
-
OKTA-575884
The Okta Active Directory Federation Services (ADFS) Plugin wrote errors to the plugin log when users attempted to sign in.
-
OKTA-595086
The display of the authorization server Access Policies page froze with large numbers of policies.
-
OKTA-610347
Some orgs couldn't add more than 50 global session policies.
-
OKTA-617816
After orgs upgraded to Identity Engine, the application name in OV Push disappeared.
-
OKTA-626699
On the Administrator assignment by admin page, the Role dropdown list sometimes displayed duplicate admin roles.
-
OKTA-631752
Adding some IdPs as Factor only caused errors.
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN:
-
LeaseHawk: For configuration information, see Okta User Provisioning Integration with SCIM.
SAML for the following Okta Verified applications
-
Apache Kafta: For configuration information, see Configure SAML SSO for Confluent Cloud with Okta Identity Provider.
-
CloudSaver - Tag Manager: For configuration information, see How to Configure SAML 2.0 for CloudSaver Tag Manager for Admins.
-
Current: For configuration information, see Current’s Okta Integration.
-
Jasper AI: For configuration information, see Configuring Jasper Single Sign-On (SSO).
-
Kolide: For configuration information, see How to configure SAML for Kolide.
-
Reasons for Access: For configuration information, see Configuring Reasons for Access with Okta.
-
Teamspective: For configuration information, see Okta SAML Single Sign-On (SSO) for Teamspective.
OIDC for the following Okta Verified applications
-
AlphaSOC Console: For configuration information, see Okta SSO Integration.
-
Everlaw: For configuration information, see Organization Admin: Single Sign-On.
-
Flike: For configuration information, see Okta SSO Configuration Guide.
-
LeaseHawk: For configuration information, see How to Configure OIDC for LeaseHawk with Okta.
-
Valos: For configuration information, see Logging in with Okta Single Sign-On (SSO).
-
Yooz: For configuration information, see How to configure OIDC for Yooz.
-
Zello: For configuration information, see Okta SSO Configuration Guidelines.
Weekly Updates

Fixes
-
OKTA-619028
Read-only admins received user reports of suspicious activity email notifications in error.
-
OKTA-632131
OpenID Connect /token requests using the SAML 2.0 Assertion grant type flow failed if the SAML assertion expiry was greater than 30 days.
-
OKTA-632850
Slack provisioning didn't automatically retry after exceeding rate limits.
-
OKTA-633585
The on-demand auto-update banners for the Active Directory agent displayed updates in a random order.
-
OKTA-634923
Users weren't present in the import queue after being unassigned from an app.
-
OKTA-635579
When a super admin went to the Edit group assignments button was mislabeled.
tab, the -
OKTA-636652
The Administrators page wasn’t translated to Japanese.
Applications
Application Update
-
Group push and group import is now available for the Smartsheet SCIM integration.
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
-
Skippr for Organizations: For configuration information, see Skippr for Organizations with SCIM 2.0.
SAML for the following Okta Verified applications:
-
9Line: For configuration information, see Okta SAML SSO Configuration.
-
Blameless: For configuration information, see How to Configure SAML 2.0 for Blameless for admins.
-
Fathom: For configuration information, see SAML 2.0 Configuration Guide.
-
Y42: For configuration information, see Okta.
OIDC for the following Okta Verified applications:
-
rule5: For configuration information, see rule5 Okta Configuration Guide.
-
QuotaPath: For configuration information, see Okta SSO.
-
Rupert: For configuration information, see Rupert Okta SSO Configuration.

Fixes
-
OKTA-601623
When configuring an API Service Integration (either through the Admin Console or using APIs), admins could set a JWKS URL using HTTP instead of HTTPS.
-
OKTA-621253
Email Change Confirmed Notification messages weren't sent if the audience was set to Admin only.
-
OKTA-627175
Some tasks displayed a greater-than sign (>) instead of the date.
-
OKTA-630368
RADIUS logs showed multiple, repetitious Invalid cookie header warning messages.
-
OKTA-634010
Users who were locked out of Okta but not Active Directory could receive Okta Verify push prompts and sign in to Okta.
-
OKTA-639427
When admins added a new user in Preview orgs, the Realm attribute appeared on the dialog.
Applications
New API Service Integration applications:
-
Sysdig: For configuration information, see Okta Integration.
OIDC for the following Okta Verified applications:
-
AskFora: For configuration information, see AskFora Okta Configuration Guide.

Fixes
-
OKTA-620655
When an error occurred during Identity Engine upgrades, a Customer Config Required message appeared instead of an Okta Assistance Required message.
-
OKTA-641043
Admins could select values from disabled dropdown menus.
Applications
Okta Verified applications:
- Accend: For configuration information, see How do I enable OpenID Connect (OIDC) SSO with Accend?.
- WASP: For configuration information, see SSO Login to WASP via Okta.
July 2023
2023.07.0: Monthly Production release began deployment on July 17
* Features may not be available in all Okta Product SKUs.
Generally Available Features
Sign-In Widget, version 7.8.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta LDAP agent, version 5.17.0
This version of the agent contains:
- Migration of the Windows installer from Internet Explorer to Edge
- The service OktaLDAPAgent stop command now correctly terminates agents installed on Red Hat and CentOS platforms
- Security enhancements
Self-Service Okta Identity Engine Upgrades eligibility extended
Okta is enabling self-service Okta Identity Engine upgrade functionality to orgs that require configuration changes. When your org becomes eligible for the upgrade, you receive an email confirming your eligibility, and the self-service upgrade widget is displayed on the Admin Dashboard. The upgrade is free, automatic, and has zero downtime. See Upgrade to Okta Identity Engine. This feature will be gradually made available to all orgs. Note that only Super Admins can view and manage the self-service upgrade widget.
System Log time zone formats updated
In the System Log, the time zone dropdown menu now provides additional information about each available time zone. See System Log.
App Password Health report uses browser time zone
On the App Password Health report, last-reset request dates and times are now based on the browser’s time zone settings. See App Password Health report.
Okta-generated client secret length increase
The length of Okta-generated client secrets is increased from 40 to 64 characters.
Updated Okta logo
A branding update to the Okta groups logo is now available in the Admin Console.
Early Access Features
Redesigned admin role pages
The Create a role and Edit role pages for custom admin-role configuration now provide a simpler, more intuitive user experience. See Create a role.
Admin Console Japanese translation
When you set your display language to Japanese, the Admin Console is now translated. See Supported display languages.
IME support for international characters
Admins can now use an Input Method Editor (IME) to type international characters into the Admin Console.
-
OKTA-414975
Application sign-on policies for deleted apps prevented admins from disabling the last MFA factor in their org.
-
OKTA-602939
The Admin role assignments report email wasn’t translated.
-
OKTA-615453
Some text strings were incorrect on the End-User Dashboard layout page.
Applications
Application Updates
-
The Rybbon app integration has been rebranded as BHN Rewards.
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN:
-
Apono: For configuration information, see Okta SCIM.
SAML for the following Okta Verified applications
-
CodeREADr: For configuration information, see Supported Features.
-
Datto File Protection: For configuration information, see Single sign-on integration for Okta.
-
Emeritus: For configuration information, see Supported Features.
-
HackNotice: For configuration information, see Okta SAML Integration (Coming Soon).
-
Whosoff: For configuration information, see How to setup Okta SSO.
App Integration Fixes
The following SWA app was not working correctly and is now fixed:
-
BlueHost (OKTA-620224)
Weekly Updates

Fixes
-
OKTA-599540
HTTP replies to SP-initated SAML requests contained two session IDs, which sometimes caused user sessions to expire unexpectedly.
-
OKTA-605041
An unclear error message appeared when an admin created a role or resource set with a long name.
-
OKTA-611304
In a Device Authorization flow, some text strings on the verification page weren't translated.
-
OKTA-612727
The Admin Dashboard Tasks table displayed an incorrect amount of provisioning capable apps.
-
OKTA-612875
After managerId was removed from the Salesforce schema in Okta, it couldn't be added again.
-
OKTA-613076
In the Sign On tab of Office 365, the Okta MFA from Azure AD option appeared disabled. When the option was switched to edit mode, it was enabled.
-
OKTA-613394
Users couldn't sign in with a PIV in an Org2Org flow.
-
OKTA-615441
Some users couldn't sign in with Agentless Desktop Single Sign-on because routing rules were re-evaluated during the sign-on process.
-
OKTA-615457
The Edit resources to a standard role page didn’t display apps that had the same name.
-
OKTA-615728
Some admins couldn't access the OIE Upgrade Hub.
-
OKTA-617528
The auto-update schedules for the Active Directory and LDAP agents were incorrectly shown as up-to-date, even when a new version was released.
-
OKTA-617817
Admins were sometimes unable to access the Admin Console from a custom domain.
-
OKTA-620153
ACS URL validation failed for orgs that used SAML SSO with Okta-to-Okta IdP configurations and had subdomain names that weren't all lowercase characters.
-
OKTA-621284
Admins with the Manage users permission couldn’t create users with WS-Federation IdPs.
-
OKTA-622541
In the Self-Service Unlock when Account is not Locked email template, the base URL variable wasn’t replaced with the Okta tenant URL.
-
OKTA-626022
Some Active Directory agents that had previously failed to auto-update were incorrectly marked as Queued for update, despite being updated to the latest version.
-
OKTA-627415
On the Features page, the link to access the LDAP Agent Auto-update documentation was broken.
-
OKTA-628522
RADIUS agent libraries contained internal security issues. Fixes require upgrading to agent version 2.19.0 and using Microsoft Edge as the browser.
Applications
Application Update
-
The OpenPath app integration has been rebranded as Avigilon Alta.
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:
-
Axiad Cloud: For configuration information, see Enable SCIM Provisioning in Okta.
-
Blameless: For configuration information, see Configuring Provisioning for Blameless.
- Diffchecker: For configuration information, see Integrating Diffchecker with Okta.
-
Navan: For configuration information, see How do I set up Okta SCIM.
SAML for the following Okta Verified applications
-
Axiad Cloud: For configuration information, see Add Axiad Cloud Integration and Configure SAML.
-
Diffchecker: For configuration information, see Integrating Diffchecker with Okta.
-
FactSet: For configuration information, see Okta: Adding FactSet Integration.
-
flex: For configuration information, see Okta SAML.
-
redirect.pizza: For configuration information, see SSO via Okta.
-
RubiconMD: For configuration information, see How to Configure SAML 2.0 for RubiconMD.
-
Skippr for Organizations: For configuration information, see Skippr for Organizations with SAML 2.0.
-
Tamnoon: For configuration information, see Tamnoon SAML 2.0.
-
The People Experience Hub: For configuration information, see Single Sign-on for Okta.
OIDC for the following Okta Verified applications
-
Agendalink: For configuration information, see How to configure Okta SSO.
-
Anywell: For configuration information, see Configuration Guide.
-
Batis: For configuration information, see Okta integration Howto.
-
CareerArc: For configuration information, see SSO Login via Okta.
-
Convrs: For configuration information, see Okta OIDC.
-
CultureScience: For configuration information, see Logging in with SSO through Okta.
- Dovetail: For configuration information, see Configure Okta.
-
Gatsby: For configuration information, see Okta Customer Configuration Instructions.
-
Intelo.AI: For configuration information, see Okta Integration with Intelo.

Generally Available
Sign-In Widget, version 7.8.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
-
OKTA-604448
Some text on the Groups page wasn't translated.
-
OKTA-620583
On the Add Resource dialog, the list of search results was misaligned.
-
OKTA-620873
Admins couldn't upload PEM-formatted certificates containing encrypted private keys for RADIUS apps.
-
OKTA-622783
The initial expiresIn date for the Salesforce authentication token wasn't set from the API.
-
OKTA-626593
Admins couldn’t access the Create new resource set page directly from a URL.
-
OKTA-631303
Admins couldn't access the Administrator assignment by role page. This occurred when a public client app with a custom client ID was assigned a standard admin role.
Applications
New Integrations
SAML for the following Okta Verified applications:
-
Descope: For configuration information, see Setup Okta Integration Application.
-
Valence: For configuration information, see SSO With Okta.
OIDC for the following Okta Verified applications:
- iyarn: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Syndeca: For configuration information, see Okta Single Sign On (SSO) Instructions.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
-
E-OSCAR (OKTA-624390)
-
UPS (OKTA-625886)
-
UPS CampusShip (OKTA-624286)