|Production||2019.07.0||2019.07.1 Production release is scheduled to begin deployment on July 22|
2019.07.2 Preview release is scheduled to begin deployment on July 31
To enable Early AccessEarly Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. (EA) features, contact Okta Support.
Currently in Production
LDAP agent, version 5.6.1
This version of the agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. contains internal improvements. For version history, see Okta Java LDAP agent version history.
Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices
Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices allows you to prevent unmanaged Android devices from accessing enterprise services through browsers and native applications.
Note: This feature requires Okta Mobile 3.14.1 for Android (or later). For details, see Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices.
Okta SSO IWA Web App agent, version 1.13.0
This release of the Okta SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones. IWA Web AppAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. agent includes bug fixes. For version history, see Okta SSO IWA Web App agent Version History.
Admin report CSV changes
The Administrator report containing information about all admins, their roles, and permissions will now be generated asynchronously. Super admins can generate the report by clicking Request Report and they will receive an email with a download link when the report is ready. You can enable this change using the Feature Manager. For details, see The Super admin role .
Okta user profile, enforce custom attribute uniqueness
You can enforce attribute uniqueness across your organization for custom attributes in the Okta user profile. You may mark up to 5 custom attributes as requiring uniqueness. For details, see Work with Okta user profiles and attributes.
Early Access Enhancements
Agentless Desktop SSO, feature dependency
If you are using Agentless Desktop Single Sign On, there is now a dependency on Identity Provider Routing Rules. If you do not have Identity Provider Routing Rules enabled, contact Support. For feature details, see Configure Agentless Desktop SSO and Identity Provider Discovery.
New System Log events for Inline Hooks
- Log all Inline Hook response events: All inline hook success and failure events are now logged. Logged events provide context around how the response was used.
- Inline Hook Type events also log the type of Inline Hook.
For more feature information, see Inline Hooks.
New System Log event for ThreatInsight
When ThreatInsight configuration is updated, the System Log now displays a new event to reflect these configuration changes. For more information about this feature, see ThreatInsight.
Sign-In Widget labeling
The Sign-In Widget has been updated to use labels for form fields instead of placeholder text.
Note: This update applies to the default login page. If you are using a custom login page you need to manually upgrade to the 3.0 version of the Widget to get this update.
For more feature information, see Configure a custom Okta-hosted Sign-In page.
DocuSign Provisioning enhancement
Users created in DocuSign with a status of ActivationSent couldn't be provisioned in Okta until now. This feature adds support to link such users in Okta while provisioning. For more provisioning information, see the DocuSign Provisioning Guide.
Allow end users to quickly access everyday apps
End usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using chiclets to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. can find recently used apps in a separate Quick Access section on their dashboard as well as in the Quick Access tab from the Okta Browser Plugin. For more information, see Allow end-users to quickly access apps.
Incremental Imports for CSV
Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Configure the CSV Directory Integration.
LDAP agent, version 5.6.0
This version of the agent contains internal improvements. For version history, see Okta Java LDAP agent version history.
System Log event for Agentless Desktop SSO configuration updates
When changes are made to the Agentless DSSO configuration, the System Log tracks the action as shown below. For more information on Agentless Desktop SSO, see Configure Agentless Desktop SSO.
System Log event for Kerberos realm settings
When changes are made to the Kerberos realm settings, the System Log tracks the action as shown below. This event also indicates the initiator of the event and the current setting for Kerberos Realm. For more information on Agentless Desktop SSO, see Configure Agentless Desktop SSO.
System Log event for Agentless Desktop SSO redirects
When Agentless Desktop SSO redirects to the IWA SSO agent or the default Sign In page, the System Log tracks the action as shown below. For more information on Agentless Desktop SSO, see Configure Agentless Desktop SSO.
Early Access Enhancements
Updated labels in Device Trust enablement flow for Integration types
Some labels in the AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Console for Device Trust enablement are updated to align with changes in partner branding. Existing functionality is unaffected by this update. For details, see Desktop Device Trust.
Web Authentication security key enrollment
Admins may now enroll a WebAuthn security key on behalf of their end users through user profile settings. For more information about MFA and WebAuthn, see Web Authentication (FIDO2) .
Add Inline Hooks
Admins can now add Inline Hooks from the admin console. Inline Hooks enable admins to integrate custom functionality into Okta process flows. For more information, see Inline Hooks.
ThreatInsight Threat Detection
Admins can now configure ThreatInsight — a new feature that detects credential-based attacks from malicious IP addresses. ThreatInsight events can be displayed in the admin system log and also be blocked once this feature is configured. For more information, see ThreatInsight.
Web Authentication for MFA
Admins can enable Web Authentication as a factor as defined by WebAuthn standards. Web Authentication supports both security key authentication such as YubiKey devices and platform authenticators. For more information, see Web Authentication (FIDO2) .
Early Access Enhancements
Microsoft Intune selection now available in Okta Device Trust for managed iOS devices
Along with other popular MDM options already available for enabling Device Trust, you can now select Microsoft Intune as your MDM provider when you configure the Device Trust solution for Native Apps and Safari on managed iOS devices. While it was possible to configure Intune prior to this change by selecting the Other option, the addition of an Intune option simplifies the implementation. For more about this Okta Device Trust solution, see Enforce Okta Device Trust for Native Apps and Safari on MDM-managed iOS devices.
Note: This notice was updated in 2019.05.1 to more accurately describe this enhancement.
Schema Discovery for Cornerstone On Demand
The Cornerstone On Demand provisioning app now supports Universal DirectoryUniversal Directory enables you to store an unlimited amount of users and attributes from applications and sources like AD or HR systems. Any type of attributes are supported including linked-objects, sensitive attributes, and pre-defines lists. All of it accessible by all apps in our OIN catalog, over LDAP or via API. and Schema DiscoveryAbility to import additional attributes to Okta. For more information, see the Cornerstone On Demand Provisioning Guide.
SAML Inline Hook
The SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IDP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on a chiclet, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. Inline Hook enables you to customize the authentication flow by allowing you to add attributes or modify existing attributes in outbound SAML assertions. For details, see our SAML Inline Hook page.
Early Access Enhancements
Automation Policies enhancement
Run Once Automation policies can be optionally run without any conditions. For more information about Automations, see Add a new automation
Okta LDAP agent, version 5.5.5
This release contains:
- Support for a configurable number of agent polling threads
- Internal fixes
Review prompt on Okta Mobile for iOS
End-users using Okta Mobile on iOS are prompted to provide an App Store rating for the app. When they provide a rating in the app and click Submit, they are taken to the App Store page for the Okta Mobile app to provide more optional feedback about the app. They can click Not now to dismiss the option. For more information, see Review prompt on Okta Mobile (iOS only).
Schedule user imports
When you set up ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. to import users from an app or from a CSV directory to Okta, you can set up a schedule for imports at regular intervals on an hourly, daily, or weekly basis. If your app supports incremental imports, then you can set up both full and incremental import schedules. This integration applies to all non-AD and LDAP applications that support imports such as CSV directory, Workday, SuccessFactors, BambooHR, Salesforce, and so on. For more information, see Schedule imports.
Okta On-Prem MFA Agent, version 1.4.0
This release replaces the JRE with the Amazon Corretto 8.0 version of OpenJDK JRE. For the agent version history, see Okta On-Prem MFA Agent Version History.
OIN Manager supports multiple application submissions
When submitting a new application integration for review by Okta, the OIN Manager now supports multiple concurrent application submissions (for new orgs only).
Early Access Enhancements
Custom domain HTTP to HTTPS redirect
Custom domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https). can redirect from HTTP to HTTPS. For more information about custom domains, see Configure a custom URL domain.
Okta Active Directory agent, version 3.5.6
This release includes the following changes:
Back-end changes to improve how the agent refreshes its DNS entries and connects to servers during disaster recovery.
MaxRetryLimitSleepparameter default is now 8 minutes.
- A bug fix resolving group membership issues when a user is created by JIT.
For more information, see Okta Active Directory agent version history.
Okta LDAP agent, version 5.5.4
This release contains internal changes and bug fixes. For more information, see Okta Java LDAP agent version history.
Use Okta MFA for Azure AD Conditional Access and Windows Hello for Business Enrollment
- Satisfy Azure AD Conditional Access MFA requirements for your federated Office 365 (O365) app instance.
- Enroll end users into Windows Hello for Business.
For more information, see Use Okta MFA to satisfy Azure AD MFA requirements for Office 365.
MFA for ePCS
Okta provides multifactor authentication for the Electronic Prescribing for Controlled Substances (ePCS) system with its integration to Epic Hyperspace, which is the front-end software that launches ePCS. For more information, see Okta MFA for Electronic Prescribing for Controlled Substances (ePCS)
Automations enable you to quickly prepare and respond to situations that occur during the lifecycle of Okta-mastered end users. You can set up and schedule the following automations to perform actions upon the groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. you select:
- User inactivity
- User password expiration
For more information, see Automations .
Prevent web browsers from saving sign-in credentials
You can prevent browsers such as Chrome from saving an end user's sign-in credentials for Okta as well as for third-party apps accessed through the Okta Dashboard. For more information, see Prevent web browsers from saving sign-in credentials.
Mark Okta user profile attribute as sensitive
Okta now allows Super admins to mark an attribute in the Okta user profile as sensitive, which ensures that no one in Okta can view the information stored in that attribute field. You can also use sensitive attributes in SAML assertions to apps, allowing you to pass these sensitive attributes from the source app through Okta to an upstream app. For details, see Hide sensitive attributes.
Early Access Enhancements
Inline MFA Enrollment for RADIUS Apps
Admins can now either allow or prohibit end users to access resources protected by RADIUS to enroll in MFA while authenticating. For more information, see Configuring RADIUS applications in Okta.
Multi-forest support for Windows Device Trust enrollment
IWA web app version 1.12.2 supports cross-forest/cross-domain Windows device trust enrollment. Now an IWA web app running in one forest can detect and assess the trust posture of Windows desktop devices located in another trusted forest and then allow these devices to enroll in Windows Device Trust. For more about Windows Device Trust, see Enforce Okta Device Trust for managed Windows computers.
Okta collecting product feedback from end users
Admins can allow Okta to collect feedback from end users. If this feature is turned on, end users will see a prompt on their Okta dashboard requesting feedback about our products and services. You can opt out of Okta User Communication in Settings > Customization > General. For more information, see End User Communication.
Web Authentication for U2F as a Factor
Admins can enable the factor Web Authentication for U2F, where U2F keys are authenticated using the WebAuthn standard. For more information, see Web Authentication for U2F.
Okta SSO IWA Web App Agent, version 1.12.2
This EA release includes: Security fixes. Support for cross-forest/cross-domain Windows device trust enrollment. Now an IWA web app running in one forest can detect and assess the trust posture of Windows desktop devices located in another trusted forest and then allow these devices to enroll in Windows Device Trust. For details, see Okta SSO IWA Web App agent Version History.
Support for Salesforce Government Cloud
You can create instances of the Salesforce app that can integrate with Salesforce Government Cloud. For more details, see the Salesforce Provisioning Guide.
Okta Active Directory agent, version 3.5.5
This release includes:
- A bug fix for errors when importing a group with more than 1,500 users.
- Internal bug fixes
For version history details, see Okta Active Directory agent version history.
PIV Card authentication option added to identifier first Sign In page
A PIV Card authentication option is now provided on the identifier firstInstead of presenting both a Username and a Password field, "identifier first" sign in pages present only a Username field. As used in Okta IdP Routing Rule scenarios, "identifier first" sign in pages submit usernames to Okta for determining which IdP should be used to authenticate an end user. Sign In page when you configure a Smart Card Identity Provider and a corresponding IdPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta. Routing Rule in the Okta Admin console. For more about Okta's support for PIV card authentication, see Add a Smart Card/PIV Card.
View admin list by role
Super admins can now filter the list of admins by role and type for easier searching.
Early Access Enhancements
ASN Support for Dynamic Zones
Admins can now enter ASNs (Autonomous System Numbers) when creating or editing a dynamic zone. For more information about using ASNs, see Dynamic Zones.
FIPS-mode encryption enhancement
We have updated the Okta Verify configuration UI label for the FIPS-Mode encryption setting. For more information, see Enabling FIPS-mode encryption.
We have removed UI elements supporting account link and provisioning Callouts when configuring social authentication.
Note that Callouts are still supported via the APIs. See Identity Provider API reference documentation for more details.
This version contains a fix for log messages that displayed an incorrect response code for requests that were successful. For version history information, see Okta RADIUS Server Agent Version History.
This release of the On-Prem MFA agent uses an updated JRE (version 1.8.182). For version history, see Okta On-Prem MFA Agent Version History.
This release contains an updated JRE (version 1.8.182). For version history information, see Okta RADIUS Server Agent Version History.
Okta end users need to reverify their password if they want to update their personal information in Okta five minutes after a successful login. For more information about letting end users manage their personal information in Okta, see Configure whether user passwords and personal information are managed by Okta or externally.
This release includes a security fix and memory performance improvements when streaming data. For agent version history, see Okta Active Directory Agent Version History.
This release provides a security fix and internal fixes. For agent version history, see Okta SSO IWA Web App Agent Version History.
For Desktop Device Trust Authentication flows, the System Log now reports the CredentialType as CERTIFICATE. Screenshot:
MFA for Admins allows Super admins to enable mandatory multifactor authentication for all administrators accessing admin functionality. This feature is currently available for new orgs in Preview, for all others it remains EA. For details see Authentication.
This feature enables you to customize where Okta will redirect your users when they visit your orgThe Okta container that represents a real-world organization. URL directly and the specific app they are attempting to use is unknown. For more details, see Customize your Okta org.
The System Log now reports when Windows Device Trust certificates are revoked during certificate renewal (pki.cert.revoke).Screenshot
This release contains the following fixes:
- Changes to the debug logging levels were not captured
- Okta authentication with JIT failed when the user ID contained ASCII extended characters
- Agent did not recognize pwd expired error for ODSEE server
For version history, see Okta Java LDAP agent version history.
Admins can generate a report of proxy IP addresses that have been used by end users who have signed in to Okta. This feature is Generally Available for new orgs that have the Geolocation for Network Zones feature and is available with either of the following Early Access Features:
For more information on Proxy IP Usage Reports, see Reports.
Windows and macOS Device Trust certificate issuance and renewal failures are now reported in the System Log. Screenshot:
Windows Device Trust certificate renewals are now reported in the System Log by event type pki.cert.renew. This new event type allows you to distinguish certificate renewal events from certificate issue events (pki.cert.issue). Screenshot
In Okta Plug-in version 5.23.0 for IE, the popover now scales properly to correspond to the window's zoom level. For version history, see Okta Plugin Version History.
This release provides the following:
- Organizations that have complex proxy configuration rules defined in a proxy auto-config (PAC) file can now specify the PAC location instead of the server address. For details, see Enforce Okta Device Trust for managed Windows computers.
- Prevents the Device Trust certificate installation prompt from appearing to end users using 32-bit versions of Internet Explorer.
For version history, see Device Trust for Windows Desktop Registration Task Version History.
This EA version updates the embedded JRE to JRE 1.8 version 181. For history, see On Premises Provisioning Agent and SDK Version History.
When configuring RADIUS applications, the Single line MFA prompt is the default in the Advanced RADIUS Settings section for new RADIUS and VPN app instances. This option controls whether all MFA prompts are displayed on a single line. For more information, see Configuring RADIUS applications in Okta.
You can configure RADIUS applications to show prompts on a single line with no line breaks in MFA prompts. Screenshot
- The Okta plugin version 5.22.1 for the Chrome browser is GA. This version is functionally equivalent to version 5.19.0.
- The Okta plugin for Edge, Firefox, IE, and Safari browsers is updated to version 5.22.0. This version provides support for the End-User Plugin Settings (an Early Access feature; to enable it, contact Okta Support). Version 5.22.0 is GA for Edge browsers and EA for Firefox, IE, and Safari browsers. For history, see Browser Plugin Version History.
Okta has added an Update Now button that allows admins to update a username from the app’s Sign On tab. For more details, see Overriding the app username.
Admins can send themselves a test email to see how their custom email templates will look and function. This allows them to validate macro attributes and translations in the customized template and to see how the template will render in different email environments. This eliminates the need to create a real end-to-end workflow to test customization. The test email will be sent to the primary email address of the admin initiating the test email. For more information, see Email Options. Screenshot
Improved IdP lookup when Multiple PIV IdPs are enabled by using the clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. certificate Issuer to identify the signing certificate, if the Authority Key Identifier property cannot be used. For more details see Identity Providers.
This release provides functionality to restrict the network interface on which RADIUS request can be received.
For version history see Radius Agent version history.
Our Multiple Certificate Chain Support for PIV Auth feature allows you to leverage multiple Smart Card/PIV Card IdPs, each with different certificate chains, to allow access to a single Okta org. The correct IdP will be automatically selected based on matching the user's chosen certificate to a configured certificate chain.
For more details see Identity Providers.
A new security feature provides admins with an option to require user data storage in the Android hardware-backed keystore. Enabling this feature offers additional security based on the Federal Identity, Credential, and Access Management architecture. Screenshot:
For more information, see Using Okta Verify.
Okta has removed the delete user actions from the list of Early Access deprovisioning options. Administrators continue to have granularity when deactivating/unassigning users from Microsoft Office 365.
The Box integration is enabled for Universal Directory and is enhanced by the following additional properties in the User Profile:
- space_amount (RO)
- max_upload_size (RO)
- avatar_url (RO)
- space_used (RO)
See the Box Provisioning Guide for more information.
As a result of reports optimization efforts, our Applications Access Audit reports (Early Access) are now by default ordered by appUserId rather than lastName. For more information about these reports, see Applications Access Audit report.
Agentless desktop SSO eliminates the need to deploy IWA agents across Active Directory domains to enable DSSO. This reduces maintenance overhead and also removes the burden of worrying about High Availability as Okta handles the Kerberos validation. For details, see Configuring Agentless SSO.
Improved configuration of the applicable applications in the IdP policy routing rule in the Identity Provider Discovery EA feature. The application selection is enhanced to show app logos to differentiate between apps and app instances more clearly. For more information see Identity Provider Discovery. Screenshot:
This feature allows dynamic mapping of multiple accounts/roles within AWS by using group assignments from Okta. By using the App Filter and Group Filter, we can specify which account and role the user will use to login into AWS. For more information see the Okta AWS Multi-Account Configuration Guide. Screenshot:
The enrollment flow for 3rd-party iOS Device Trust is improved for end users who are not enrolled in an MDM solution and do not have Okta Mobile installed. In cases where Okta cannot automatically redirect these end users to the admin-provided enrollment link configured in Okta, end users can now copy the link to the clipboard and paste it into Safari. Screenshot:
For more about 3rd-party iOS Device Trust, see Configure Okta Device Trust for Native Apps and Safari on MDM-managed iOS devices.
Workday users can be deactivated based on the time zone of their location.
For more information about our Workday integration see our Workday Provisioning Guide.
We have enhanced OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs. app catalog search, extending search capabilities to include partial matches and more attributes of the application metadata.
End users can now toggle visibility of their password on the Okta Sign-In page, allowing end users to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. For more information about passwords in Okta, see Authentication. Screenshot:
The Okta ADFS (Active Directory Federaton Services) Plugin version 1.5.9 is available. This version contains two features:
- UI option and silent command line option to register the plugin during install. Screenshot:
- The client IP address is forwarded during a request from the ADFS plugin to Okta.
For version history, see Okta ADFS Plugin Version History.
Okta Self Service Registration allows end users to self-register into your custom app or the Okta Homepage. Once enabled, a Sign up link appears in the Okta Sign-In widget. This link takes users to a new Create Account registration form based on a customized registration policy. For details, see Self Service Registration. Screenshot:
The enrollment flow for 3rd-party iOS Device Trust is improved for unenrolled end users accessing certain native clients such as Outlook. End users can now copy a link to their organization's enrollment instructions and paste it into Safari. For details about this Device Trust solution, see Configure Okta Device Trust for Native Apps and Safari on MDM-managed iOS devices. Screenshot:
This feature expands on existing behavior detection feature for user logins. Close successive user login attempts that are far apart geographically are detected and flagged as suspicious behavior. For more information, see Security Behavior Detection.
Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 2016. Using Okta as an identity provider, this option enables silent activation of Office 2016 on shared workstation or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. For more details, see Office 365 Silent Activation.
This feature provides support for Okta-mastered users to move across Organizational Units (OUs) when the group that provisions the user to AD changes. As part of this update, the People tab within each AD instance has been renamed to Assignments. For more details, see Enable Okta-mastered user OU changes. Screenshot:
This release provides performance and security enhancements. To obtain them, contact Okta Support. For version history, see Browser Plugin Version History.
Are you tired of end users utilizing "Jaibroken" or "Rooted" devices to access sensitive apps? Admins will be pleased to hear that admins can now deny enrollment to compromised devices and/or any specific OS versions. Compliant users can enroll new devices or retain their current enrollments. See Restrictions based on Device Status and Operating System. Screenshot:
A popup that informs users when a policy allows access without MFA, is removed.
This release includes the following:
- The context menu is removed from the Okta sign-in widget for RDP connections to avoid opening an Explorer file dialog.
- There are two additional options: RDP only and filter credential provider. For more information, see Okta Windows Credential Provider.
The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems.
The Okta System Log API provides near real-time read-only access to your organization’s system log and is the programmatic counterpart of the System Log user interface.
Often the terms “event” and “log event” are used interchangeably. In the context of this API, an “event” is an occurrence of interest within the system and “log” or “log event” is the recorded fact.
The System Log API contains much more structured data than the Events API.
The System Log API supports additional SCIMSystem for Cross-domain Identity Management (SCIM) is an open standard that allows for the automation of user provisioning. It was created in 2011 as it became clear that the technology of the future would be cloud-based. SCIM communicates user identity data between identity providers (such as companies with multiple individual users) and service providers requiring user identity information (such as enterprise SaaS apps). In short, SCIM makes user data more secure and simplifies the user experience by automating the user identity lifecycle management process. filters and the q query parameter, because of the presence of more structured data than the Events API.
Okta supports salted SHA256 algorithms for password import.
A consent represents a user’s explicit permission to allow an application to access resources protected by scopes. As part of an OAuth 2.0 or OpenID Connect authentication flow, you can prompt the user with a popup or window to approve your app's access to specified resources.
Consent grants are different from tokens because a consent can outlast a token, and there can be multiple tokens with varying sets of scopes derived from a single consent. When an application comes back and needs to get a new access token, it may not need to prompt the user for consent if they have already consented to the specified scopes. Consent grants remain valid until the user manually revokes them, or until the user, application, authorization server or scopeA scope is an indication by the client that it wants to access some resource. is deactivated or deleted. Screenshot:
Okta Device Trust for Native Apps and Safari on OMMAn acronym for Okta Mobility Management. OMM enables you to manage your users' mobile devices, applications, and data. Your users enroll in the service and can then download and use managed apps from the Apps Store. Managed apps are typically work-related, such as Box or Expensify. As an administrator, you can remove managed apps and associated data from users' devices at any time. You can configure policies, such as data sharing controls, on any of your managed apps. See Configuring Okta Mobility Management for more information. managed iOS devices now supports use of the Not trusted option in Sign-On policy rules. This allows mobile admins to do the following:
- Configure a Not Trusted + MFA rule so that users with untrusted iOS devices must MFA in order to access protected resources.
- Configure a Not Trusted + Deny rule so that users with untrusted iOS devices are redirected to OMM enrollment in order to access protected resources.
This update requires Okta Mobile 5.14 for iOS, available in the App Store. For more information, see Configure Okta Device Trust for Native Apps and Safari on OMM managed iOS devices.
The Okta On-Prem MFA Agent Version 1.3.6 adds additional NAS-IP identifiers, including the NAS-IP-Address field, to find client configurations in server policies. For version information, see Okta On-Prem MFA Agent Version History.
The Okta Windows Credential Provider prompts users for MFA when signing in to supported Windows servers with an RDP client. It supports all Okta-supported MFA factors except Windows Hello and U2F tokens. For details and setup instructions, see Okta Windows Credential Provider.
To provide additional security without overburdening your end users, you can configure a Sign On policy for your organization to require additional authentication for behaviors defined as higher risk based on variance from individual users' prior sign ins. Admins can configure the system so that individual end users are only prompted for an additional MFA factor when there is a change in behavior that the admin defines. For more information, see Security Behavior Detection. Screenshot:
Okta now supports incremental imports for the Workday app.
Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import.
Admins can choose from a list of custom attributes to use for matching when using a personal identity verification (PIV) card. Note: This is an enhancement to our support for PIV smart card feature (EA), for more information, see Add a PIV Card.
Admins can configure a single personal identity verification (PIV) card as an identity provider that matches tje username or email. This allows users to authenticate using certificates or PIV hardware. For more information, see Identity Providers.
By default, when a user signs out of Office 365 they remain logged into Okta. With this feature enabled, when a user signs out of O365, they are simultaneously signed out of their Okta org.
Administrators can use granularity when deactivating/unassigning users from Office 365. Specifically administrators have the option to block sign-in, block sign-in and remove licenses immediately or block sign-in and remove licenses after grace period of time (up to 180 days). Screenshot
The Add Notes screen has design improvements to improve the workflow. For details, see Add Notes to an App (an Early Access feature).
The Okta Windows Credential Provider prompts users for MFA when signing in to supported Windows servers with an RDP client. It supports all Okta-supported MFA factors except Windows Hello and U2F tokens. For details and setup instructions, see Okta Windows Credential Provider.
You can now revoke an end user's certificate(s) for Okta Device Trust for managed Windows computers through their Applications tab. This is recommended if an end user's Windows computer is lost or stolen. For details, see Revoke Device Trust certificates from the Okta Certificate Authority. Screenshot
Okta Mobile user and device authentication events for OMM Device Trust for managed iOS devices are now written to the System Log.
The JIRA and Confluence apps now make use of a unique identifier during Atlassian API calls for profile updates instead of username. This allows users to be renamed.
Along with custom SAML Wizard apps, Federation Broker Mode now allows for OIDCOpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, an authorization framework. The standard is controlled by the OpenID apps. For details about this feature, see Federation Broker Mode.
Okta now supports Password Push for LDAP. This allows each user's LDAP password to be synced to their Okta password. Any subsequent password changes users make are pushed to their user profile in LDAP. In addition to simplifying password management for orgs using LDAP, organizations using both Active Directory (AD) and LDAP can now synchronize their user passwords from AD through Okta to LDAP. For details, see the Provisioning section in Install and Configure the Okta Java LDAP Agent.
We are transitioning the Profile Sync provisioning type for Microsoft Office 365 over to the Microsoft Graph API. While this is mostly a transparent change to Okta customers, it will enable a wealth of new attribute mappings for Office 365. You can now go beyond the base set of attributes to map a new set of custom attributes that are present in Microsoft’s Graph. For more information, see the Office 365 Deployment Guide. Screenshot
OMM Device Trust for managed iOS devices allows you to prevent unmanaged iOS devices from accessing enterprise services through browsers and native applications. For details, see Configure OMM Device Trust for managed iOS devices.
You can compare user assignments in Okta to user accounts in a specified app and list the discrepancies. Once corrected, you will only have to look in one place to see who has access and what type of access for all the applications that you manage. For details, see Rogue Accounts report.
The Okta plugin for the IE browser has been updated to version 5.13.0. This release provides performance and security enhancements. For version history, see Browser Plugin Version History.
The new Federation Broker Mode allows Okta SSO without the need to pre-assign apps to specific users. Access is managed only by sign-on policy and the authorization rules of each app. This mode can improve import performance and can be helpful for larger-scale orgs that manage many users and apps. For details, see Federation Broker Mode.
Email is now an accepted factor for multifactor authentication for convenience and to expedite migration from legacy identity platforms. After setup, your end users receive a code in an email message to use during Okta sign in. For details on setting up this factor, see Factor Types.
During inbound SAML authentication, you can configure the JIT settings for a SAML identity provider (IdP) to unsuspend Okta users. For more information, see the Identity Providers API.
Okta Device Trust for Microsoft Office 365 Exchange ActiveSync for iOS devices lets you:
Configure the iOS mail app to use certificates instead of passwords to allow OMM-enrolled users to authenticate to Microsoft Office 365 Exchange ActiveSync.
- Configure the Microsoft Office 365 client access policy to prevent unmanaged devices from accessing Microsoft Office 365 Exchange ActiveSync.
Okta's Office 365 Exchange ActiveSync certificate-based authentication (CBA) for iOS devices allows users enrolled in Okta Mobility Management (OMM) to authenticate to iOS native apps without entering their credentials. For details, see Configure Office 365 EAS certificate-based authentication for iOS devices. Screenshot
This feature automatically provisions a user in Okta upon successful login through a Office365 thick client if the user is AD-mastered and is a member of an AD-mastered group in Okta being assigned a valid Office 365 application instance.
We have updated the Jira authenticator to support the following events:
This enhancement adds support for Just In Time provisioning of default group memberships when users log in. For details, see the Okta Jira Authenticator 3.x Configuration Guide
We strongly recommend that you download and upgrade the latest SAML toolkit and the necessary Jira or Confluence authenticators. You can access all of these tools from the Okta Downloads page (Settings > Downloads).
We’ve enhanced our System Log to take advantage of our new Network Zones feature. Admins can now hover over an IP address that's part of an event and navigate through the series of menus to add that IP address to either the gateway or proxy list of IP addresses:
We have enhanced the landing URL for the Office 365 CRM chiclet; after the end user signs in and authenticates themselves into Dynamics 365, they are now able to see all of their CRM instances.
- We have enhanced user group synchronization for Microsoft Office 365 instances that are configured with Universal Sync to ensure that newly provisioned AD-mastered O365 users are synchronized as members of AD-mastered Groups in O365 correctly.
We now support reactivation of users in the following cases:
- During Just in Time provisioning (JIT), if a user is reactivated in a master app (for example, LDAP, AD), then the user is reactivated in Okta.
- During imports, if a user is reactivated in a master app (for example, LDAP, AD), then the user is reactivated in Okta.
The Access Request WorkflowThe Access Request Workflow feature is a complete, multi-step approval workflow through which end users can request access to apps. Admins can designate approvers to grant users access for self-service applications. This feature enhances Okta's provisioning solution, which typically is used by IT teams to automate account provisioning and SSO access for users on their first day of employment. Later, users need access to job-specific applications that are often beyond an IT team's purview. The Access Request Workflow feature allows business application owners — rather than IT — to grant users access to apps and assign entitlements in apps that require them. feature is a complete, multi-step approval workflow through which end users can request access to apps. Admins can select approvers that have the ability to grant access to self-service applications. Access Request Workflow allows you to appoint group and individual approvers, create customized notifications, and add comments, notes, and timeout rules. You perform all setup from the Okta Admin Dashboard and no programming or configuration files are required. For more information, see Access Request Workflow.Screenshot
Note: This Early Access (EA) feature requires either the Enterprise Plus or Provisioning Product editions. To enable it, contact Okta Support.