Early Access
Current Release Status
| Current | Upcoming | |
|---|---|---|
| Production | 2021.01.1 | 2021.01.2 Production release is scheduled to begin deployment on February 1 |
| Preview | 2021.01.1 |
2021.01.2 Preview release is scheduled to begin deployment on January 27 |
To enable Early Access (EA) features, contact Okta Support.
Generally Available items are listed under the Preview and Production tabs as appropriate.
Currently in Production
January 2021
Early Access Features
New Features
Workplace by Facebook Push AD Manager functionality
Admins can choose to disable Push AD Manager functionality using this self-service Early Access feature. This enables admins to control the manager attribute using Okta Expression Language syntax to avoid being dependent on AD for the field. See Workplace by Facebook.
LDAP agent, new version 5.7.1
This version of the agent contains:
-
Internal improvements
-
Security fixes
To view the agent version history, see Okta LDAP Agent version history.
Manage admin email notification subscriptions using API endpoints
Admins can manage email subscriptions using the Admin Email Subscription API endpoints.
-
Super admins can configure default subscription settings by admin type.
-
All admins can manage their own admin email notification subscriptions.
Enhancements
Skip to Content improvements
End users can now click Skip to Content on the new Okta End-User Dashboard to navigate directly to the Add Apps page.
Options relocation
The Recent Activity tab, End-User preferences, Admin View, and Sign Out options are now displayed in the user drop down menu on the Okta End-User Dashboard.
December 2020
Early Access Features
New Features
Agentless Desktop Single Sign-on authentication progress screen updates
Agentless Desktop Single Sign-on (ADSSO) authentication progress screens have been updated to make authorization and verification progress more visible and improve the user experience. See Configure agentless Desktop Single Sign-on.
Service Principal Name functionality improvement
New Service Principal Name (SPN) functionality allows Agentless Desktop Single Sign-on (ADSSO) authentication to continue without interruption when an SPN is updated. A service account and an SPN are required for ADSSO Kerberos authentication. With this change, you can now update the SPN frequently as an additional security precaution. See Create a service account and configure a Service Principal Name.
One Time Use Refresh Token
One Time Use Refresh Token, also called Refresh Token Rotation, helps a public client to securely rotate refresh tokens after each use. A new refresh token is returned each time the client makes a request to exchange a refresh token for a new access token. See Refresh Token Rotation.
First Party Apps
First Party Apps are now available through EA Self-Service in the Okta Admin Console, allowing admins to create sign-on policies for the Okta Admin Console. See Create sign-on policies with Okta Applications.
Okta Provisioning agent, version 2.0.1
This release of the Okta Provisioning agent includes vulnerability fixes and incremental import support for adding and updating user attributes. See Okta Provisioning agent and SDK version history.
Okta Provisioning agent incremental imports
The option to incrementally import user data is now available for the Okta Provisioning agent. Incremental imports reduce the time required for synchronization by only downloading user information that has changed since the last successful import. See Okta Provisioning Agent incremental import.
Enhancements
End-User Display Preferences
End users can now modify Display Preferences to change the layout of the new Okta End-User Dashboard.
November 2020
Early Access Features
New Features
Okta SSO IWA Web App agent, version 1.13.1
This release of the Okta SSO IWA Web App agent includes security enhancements and internal fixes. See Okta SSO IWA Web App version history.
October 2020
Early Access Features
New Features
Okta Active Directory agent, version 3.6.0
This release includes performance improvements, security enhancements, and bug fixes. See Okta Active Directory agent version history.
On-Prem MFA agent, version 1.4.4
This version includes hardening around certain security vulnerabilities and includes a new version of the Log4J library.
Note: The new Log4J library stores properties in log4j2.xml. Before upgrading, save a copy of C:\Program Files (x86)\Okta\Okta On-Prem MFA Agent\current\user\config\rsa-securid\log4j.properties and enter any changes into the new configuration file. See On-Prem MFA Agent Version History.
RADIUS agent, version 2.14
This version includes hardening around certain security vulnerabilities and includes support for the PEAP-EAP-GTC protocol. See Okta RADIUS Server Agent Version History.
ADFS plugin, version 1.7.8
This version includes bug fixes and hardening around certain security vulnerabilities. See Okta ADFS Plugin Version History.
MFA Credential Provider for Windows, version 1.3.1
This version includes hardening around certain security vulnerabilities. See Okta MFA Credential Provider for Windows Version History .
Custom IdP factor authentication with OIDC support
Custom IdP factor authentication now supports OpenID Connect. See Custom IdP Factor Authentication.
Optional Display Preferences for new Okta End-User Dashboard
Users can now set Display Preferences on the new Okta End-User Dashboard. They can enable or disable the Recently Used section and organize their dashboard as a grid or a list. See New Okta end-user experience.
September 2020
Early Access Features
New Features
New Recent Activity page on the new Okta end-user dashboard
The Recent Activity page provides end users with a summary of recent sign-in and security events for their Okta account. End users can also report suspicious activity to their Okta admin by clicking I don’t recognize this. See Recent Activity.
Multiple active user statuses for SuccessFactors integration
Support for multiple active user statuses: When importing users from SuccessFactors into Okta, admins can now select more than one active user status, such as Leave of Absence.
See Learn about SAP SuccessFactors Employee Central data provisioning.
August 2020
Early Access Features
New Features
LDAP agent, version 5.7.0
This version of the agent contains:
- Support for LDAP group password policies
- Bug fixes
Create LDAP group password policies
You can now create group password policies for LDAP mastered users. Group password policies and associated rules help you enforce password settings at the group level. See About group password policies and © 2021 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners..
MFA for Windows Credential Provider, version 1.3.0
MFA for Windows Credential Provider version 1.3.0 is now available, adding support for Windows Server 2019. See Okta MFA Credential Provider for Windows Version History .
Allow or deny custom clients in Office 365 sign on policy
Admins can filter specific clients in an Office 365 app sign-on rule to allow or deny them access to Office 365 resources. This filter can be used to deny access to untrusted clients or to only allow trusted clients. See Allow or deny custom clients in Office 365 sign on policy.
Enhancements
New Okta End-User Dashboard enhancements
The following improvements have been added to the new Okta End-User Dashboard:
- Improved bookmark creation experience: End users can now create bookmarks for apps that aren’t in their catalog by searching for the app.
- Optional banner prompts: Admins can now choose whether to prompt users to download the Okta Browser Plugin.
- Aesthetic enhancements: The new Okta End-User Dashboard has had its colors and font updated.
July 2020
Early Access Features
New Features
New RADIUS agent, version 2.13
This version includes security enhancements, a buffer overrun fix, and a dialog title change to the RADIUS Agent installer. See Okta RADIUS Server Agent Version History.
Litmos supports Advanced Custom Attributes
The Litmos provisioning app now supports Advanced Custom Attributes. See Litmos Provisioning Guide.
Enhancements
New Okta End-User Dashboard enhancements
The following improvements have been added to the new Okta End-User Dashboard:
- A new onboarding flow is available to users who visit the dashboard for the first time. Admins may disable onboarding guides for the new dashboard in the Okta Admin Console > Settings > Customization > Okta User Communication by enabling Opt out of Okta User Communication for this Org.
- The Quick Access section of the new Okta End-User Dashboard has been renamed as Recently Used. Admins can disable this section for their end users.
- App names now have a maximum length of two lines.
- Apps added by admins are now indicated as New on the dashboard before being used for the first time.
- End users now receive a notification on the dashboard when a new app is assigned to them by an admin.
June 2020
Early Access Features
New Features
Smart Card Authentication
When initially accessing applications using a custom sign-in widget, users have the option to use a PIV/CAC card for authentication. See Identity Providers.
Enhancements
New Okta End-User Dashboard enhancements
- App cards have been resized to create more spacing and shorten the cards.
- When an app card is hovered over, a lock icon notifies users if an admin has denied access to that app.
May 2020
Early Access Features
New Features
Okta RADIUS Server agent, version 2.11.0
This version includes support for EAP-TTLS. See Okta RADIUS Server Agent Version History.
Enhancements
Enhancements to the new Okta End-User Dashboard
The new Okta End-User Dashboard now includes the following enhancements:
- The Add Apps button has been removed.
- Apps can be configured to launch automatically after users sign in to Okta.
- Searches place more relevant options at the top of the search results.
- Sections can be collapsed or expanded.
April 2020
Early Access Features
New Features
Okta RADIUS Server agent, version 2.10.1
This version includes support for Linux, including .rpm and .deb installers. See Okta RADIUS Server Agent Version History.
LDAP agent, version 5.6.4
This version of the agent contains internal improvements. See Okta LDAP Agent version history.
March 2020
Early Access features from this release are now Generally Available.
February 2020
Early Access Features
New Features
New Okta End-User Dashboard and Okta Browser Plugin
The newly redesigned Okta End-User Dashboard and Okta Browser Plugin boost the user productivity and provide faster, more intuitive, and more responsive user experience. For more information, see New Okta end-user experience.
Okta ADFS Plugin version 1.7.5
This version includes:
- A fix that removed an extra scroll bar when integrated on an ADFS page with two or more factors.
- Security enhancements and bug fixes
Okta RADIUS Server Agent for Windows, version 2.9.6
This version includes:
- An update that no longer requires entering a port or shared secret in the installer.
- Various bug fixes
Okta Windows Credential Provider, version 1.2.4
This version includes security enhancements. See Okta MFA Credential Provider for Windows Version History
LDAP agent, version 5.6.3
Support for Oracle Directory Server Enterprise Edition (ODSEE). See Okta LDAP Agent version history
January 2020
This release does not have any Early Access features.
December 2019
This release does not have any Early Access features.
November 2019
Early Access Features
New Features
Okta RADIUS Service Agent Update, version 2.9.5
The Okta RADIUS Server Agent version 2.9.5 is updated to run under the LocalService account, which has lower privileges than LocalSystem. The service has also been configured with a write-restricted token to further restrict access.
For more information, see Okta RADIUS Server Agent Version History.
Okta MFA Credential Provider for Windows, version 1.2.2
The Okta MFA Credential Provider version 1.2.2 includes bug fixes and adds self-service password reset.
For more information, see Okta MFA Credential Provider for Windows Version History .
Admin settings for selecting identity providers
Admins now have the option to configure a sign-on policy based on a specific identity provider.
For more information, see Adding Rules in © 2021 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners..
October 2019
Early Access features from this release are now Generally Available.
September 2019
Early Access Features
New Features
Quick Access tab on the Okta Browser Plugin available through EA feature manager
Quick Access tab on the Okta Browser Plugin is now available through the EA feature manager. See .
MFA for Oracle Access Manager
With Okta MFA for Oracle Access Manager (OAM), customers can use OAM as their Identity Provider (IdP) to applications and also use Okta for MFA to provide a strong method of authentication for applications. For more information, see MFA for Oracle Access Manager.
New Windows Device Registration Task, version 1.4.0
This release includes the following:
- Support for Trusted Platform Module (TPM 1.2 or 2.0) on Windows 10 devices with TPM. Admin action is required. For installation instructions and other details, see Enhance Windows Device Trust security with Trusted Platform Module (TPM).
- Various fixes. See Device Trust for Windows Desktop Registration Task Version History.
Okta On-Prem MFA agent, version 1.4.1
This release of the agent contains security enhancements. See On-Prem MFA Agent Version History.
Factor Sequencing
Admins can now provide end users with the option to sign in to their org using various MFA factors as the primary method of authentication in place of using a standard password. See Factor Sequencing.
August 2019
Early Access Features
New Features
Custom Factor Authentication
Custom Factor Authentication allows admins to enable an Identity Provider factor using SAML authentication. For more information, see Custom IdP Factor Authentication.
Integrate Okta Device Trust with VMware Workspace ONE for iOS and Android devices
The Okta + VMware integration is a SAML-based solution that combines the power of Okta Contextual Access Management with device signals from VMware Workspace ONE to deliver a secure and seamless end-user experience. For details, see Integrate Okta Device Trust with VMware Workspace ONE for iOS and Android devices.
On Premises Provisioning agent, version 1.3.3
This release changes from Oracle JRE to Amazon Corretto JRE 8.202.08.2. The OPP Agent now supports CSV Directory imports from a CSV file with a byte order mark. Additionally, imports will now fail if the OPP Agent attempts to send a message that is too large for Okta. For agent version history, see Okta Provisioning agent and SDK version history.
July 2019
Early Access Features
New Features
LDAP agent, version 5.6.1
This version of the agent contains internal improvements. For version history, see Okta LDAP Agent version history.
Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices
Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices allows you to prevent unmanaged Android devices from accessing enterprise services through browsers and native applications.
Note: This feature requires Okta Mobile 3.14.1 for Android (or later). For details, see Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices.
Okta SSO IWA Web App agent, version 1.13.0
This release of the Okta SSO IWA Web App agent includes bug fixes. For version history, see Okta SSO IWA Web App version history.
Okta user profile, enforce custom attribute uniqueness
You can enforce attribute uniqueness across your organization for custom attributes in the Okta user profile. You may mark up to 5 custom attributes as requiring uniqueness. For details, see Work with profiles and attributes.
Early Access Enhancements
Agentless Desktop SSO, feature dependency
If you are using Agentless Desktop Single Sign On, there is now a dependency on Identity Provider Routing Rules. If you do not have Identity Provider Routing Rules enabled, contact Support. For feature details, see Configure agentless Desktop Single Sign-on and Identity Provider Routing Rules.
New System Log events for Inline Hooks
- Log all Inline Hook response events: All inline hook success and failure events are now logged. Logged events provide context around how the response was used.
- Inline Hook Type events also log the type of Inline Hook.
For more feature information, see Inline Hooks.
New System Log event for ThreatInsight
When ThreatInsight configuration is updated, the System Log now displays a new event to reflect these configuration changes. For more information about this feature, see Okta ThreatInsight.
Sign-In Widget labeling
The Sign-In Widget has been updated to use labels for form fields instead of placeholder text.
Note: This update applies to the default login page. If you are using a custom login page you need to manually upgrade to the 3.0 version of the Widget to get this update.
For more feature information, see Configure a custom Okta-hosted sign-in page.
Before:
After:
June 2019
Early Access Features
New Features
Allow end users to quickly access everyday apps
End users can find recently used apps in a separate Quick Access section on their dashboard as well as in the Quick Access tab from the Okta Browser Plugin. For more information, see .
LDAP agent, version 5.6.0
This version of the agent contains internal improvements. For version history, see Okta LDAP Agent version history.
System Log event for Agentless Desktop SSO configuration updates
When changes are made to the Agentless DSSO configuration, the System Log tracks the action as shown below. For more information on Agentless Desktop SSO, see Configure Agentless Desktop SSO.
System Log event for Kerberos realm settings
When changes are made to the Kerberos realm settings, the System Log tracks the action as shown below. This event also indicates the initiator of the event and the current setting for Kerberos Realm. For more information on Agentless Desktop SSO, see Configure agentless Desktop Single Sign-on.
System Log event for Agentless Desktop SSO redirects
When Agentless Desktop SSO redirects to the IWA SSO agent or the default Sign In page, the System Log tracks the action as shown below. For more information on Agentless Desktop SSO, see Configure agentless Desktop Single Sign-on.
Early Access Enhancements
Updated labels in Device Trust enablement flow for Integration types
Some labels in the Admin Console for Device Trust enablement are updated to align with changes in partner branding. Existing functionality is unaffected by this update. For details, see .
Web Authentication security key enrollment
Admins may now enroll a WebAuthn security key on behalf of their end users through user profile settings. For more information about MFA and WebAuthn, see Web Authentication (FIDO2) .
May 2019
Early Access features from this release are now Generally Available.
April 2019
Early Access Features
Early Access Enhancements
Automation Policies enhancement
Run Once Automation policies can be optionally run without any conditions. For more information about Automations, see Automations
March 2019
Early Access Features
New Features
Okta LDAP agent, version 5.5.5
This release contains:
- Support for a configurable number of agent polling threads
- Internal fixes
For details, see Okta LDAP Agent version history and Change the number of Okta LDAP agent threads.
Review prompt on Okta Mobile for iOS
End-users using Okta Mobile on iOS are prompted to provide an App Store rating for the app. When they provide a rating in the app and click Submit, they are taken to the App Store page for the Okta Mobile app to provide more optional feedback about the app. They can click Not now to dismiss the option. For more information, see About Okta Mobile.
Okta On-Prem MFA Agent, version 1.4.0
This release replaces the JRE with the Amazon Corretto 8.0 version of OpenJDK JRE. For the agent version history, see On-Prem MFA Agent Version History.
OIN Manager supports multiple application submissions
When submitting a new application integration for review by Okta, the OIN Manager now supports multiple concurrent application submissions (for new orgs only).
Early Access Enhancements
Custom domain HTTP to HTTPS redirect
Custom domain can redirect from HTTP to HTTPS. For more information about custom domains, see Configure a custom URL domain.
February 2019
Early Access Features
New Features
Okta Active Directory agent, version 3.5.6
This release includes the following changes:
-
Back-end changes to improve how the agent refreshes its DNS entries and connects to servers during disaster recovery.
- The
MaxRetryLimitSleepparameter default is now 8 minutes. - A bug fix resolving group membership issues when a user is created by JIT.
For more information, see Okta Active Directory agent version history.
Okta LDAP agent, version 5.5.4
This release contains internal changes and bug fixes. For more information, see Okta LDAP Agent version history.
Use Okta MFA for Azure AD Conditional Access and Windows Hello for Business Enrollment
- Satisfy Azure AD Conditional Access MFA requirements for your federated Office 365 (O365) app instance.
- Enroll end users into Windows Hello for Business.
For more information, see Use Okta MFA to satisfy Azure AD MFA requirements for Office 365.
MFA for ePCS
Okta provides multifactor authentication for the Electronic Prescribing for Controlled Substances (ePCS) system with its integration to Epic Hyperspace, which is the front-end software that launches ePCS. For more information, see MFA for Electronic Prescribing for Controlled Substances (ePCS)
Mark Okta user profile attribute as sensitive
Okta now allows Super admins to mark an attribute in the Okta user profile as sensitive, which ensures that no one in Okta can view the information stored in that attribute field. You can also use sensitive attributes in SAML assertions to apps, allowing you to pass these sensitive attributes from the source app through Okta to an upstream app. For details, see Hide sensitive attributes.
Early Access Enhancements
Inline MFA Enrollment for RADIUS Apps
Admins can now either allow or prohibit end users to access resources protected by RADIUS to enroll in MFA while authenticating. For more information, see RADIUS applications in Okta.
January 2019
Early Access Features
New Features
Multi-forest support for Windows Device Trust enrollment
IWA web app version 1.12.2 supports cross-forest/cross-domain Windows device trust enrollment. Now an IWA web app running in one forest can detect and assess the trust posture of Windows desktop devices located in another trusted forest and then allow these devices to enroll in Windows Device Trust. For more about Windows Device Trust, see Enforce Okta Device Trust for managed Windows computers.
Okta collecting product feedback from end users
Admins can allow Okta to collect feedback from end users. If this feature is turned on, end users will see a prompt on their Okta dashboard requesting feedback about our products and services. You can opt out of Okta User Communication in Settings > Customization > General. For more information, see End User Communication.
Web Authentication for U2F as a Factor
Admins can enable the factor Web Authentication for U2F, where U2F keys are authenticated using the WebAuthn standard. For more information, see Web Authentication for U2F.
Okta SSO IWA Web App Agent, version 1.12.2
This EA release includes: Security fixes. Support for cross-forest/cross-domain Windows device trust enrollment. Now an IWA web app running in one forest can detect and assess the trust posture of Windows desktop devices located in another trusted forest and then allow these devices to enroll in Windows Device Trust. For details, see Okta SSO IWA Web App version history.
December 2018 (2018.12.0)
New Features
Okta Active Directory agent, version 3.5.5
This release includes:
- A bug fix for errors when importing a group with more than 1,500 users.
- Internal bug fixes
For version history details, see Okta Active Directory agent version history.
View admin list by role
Super admins can now filter the list of admins by role and type for easier searching.
Early Access Enhancements
FIPS-mode encryption enhancement
We have updated the Okta Verify configuration UI label for the FIPS-Mode encryption setting. For more information, see Enabling FIPS-mode encryption.
Social Authentication configuration UI update
We have removed UI elements supporting account link and provisioning Callouts when configuring social authentication.
Note that Callouts are still supported via the APIs. See Identity Provider API reference documentation for more details.
FIPS-mode encryption for Okta Verify
Okta has added a new setting to enable FIPS-mode encryption for all security operations using the FIPS 140-2 standards. For more information about this feature, refer to Using Okta Verify. Screenshot:
Password reverification time interval to update personal information is changed
Okta end users need to reverify their password if they want to update their personal information in Okta five minutes after a successful login. For more information about letting end users manage their personal information in Okta, see Configure whether user passwords and personal information are managed by Okta or externally.
Desktop Device Trust System Log enhancement
For Desktop Device Trust Authentication flows, the System Log now reports the CredentialType as CERTIFICATE. Screenshot:
Global default redirect
This feature enables you to customize where Okta will redirect your users when they visit your org URL directly and the specific app they are attempting to use is unknown. For more details, see Customize your Okta org.
Desktop Device Trust System Log enhancement
The System Log now reports when Windows Device Trust certificates are revoked during certificate renewal (pki.cert.revoke).Screenshot
Proxy IP Usage Reports
Admins can generate a report of proxy IP addresses that have been used by end users who have signed in to Okta. This feature is Generally Available for new orgs that have the Geolocation for Network Zones feature and is available with either of the following Early Access Features:
For more information on Proxy IP Usage Reports, see Reports.
Desktop Device Trust System Log enhancement
Windows and macOS Device Trust certificate issuance and renewal failures are now reported in the System Log. Screenshot:
Desktop Device Trust System Log enhancement
Windows Device Trust certificate renewals are now reported in the System Log by event type pki.cert.renew. This new event type allows you to distinguish certificate renewal events from certificate issue events (pki.cert.issue). Screenshot
Inline MFA enrollment for RADIUS apps
Update to Okta Plug-in for IE
In Okta Plug-in version 5.23.0 for IE, the popover now scales properly to correspond to the window's zoom level. For version history, see Okta Plugin Version History.
Single line MFA prompt is the default for RADIUS apps
When configuring RADIUS applications, the Single line MFA prompt is the default in the Advanced RADIUS Settings section for new RADIUS and VPN app instances. This option controls whether all MFA prompts are displayed on a single line. For more information, see Configuring RADIUS applications in Okta.
Display all RADIUS application prompts on a single line
You can configure RADIUS applications to show prompts on a single line with no line breaks in MFA prompts. Screenshot
Update a username from the Sign On tab
Okta has added an Update Now button that allows admins to update a username from the app’s Sign On tab. For more details, see Overriding the app username.
Test Custom Email Templates
Admins can send themselves a test email to see how their custom email templates will look and function. This allows them to validate macro attributes and translations in the customized template and to see how the template will render in different email environments. This eliminates the need to create a real end-to-end workflow to test customization. The test email will be sent to the primary email address of the admin initiating the test email. For more information, see Email Options. Screenshot
Update to Multiple Smart Card/PIV Identity Providers
Improved IdP lookup when Multiple PIV IdPs are enabled by using the client certificate Issuer to identify the signing certificate, if the Authority Key Identifier property cannot be used. For more details see Identity Providers.
Android Keystore for Okta Verify
A new security feature provides admins with an option to require user data storage in the Android hardware-backed keystore. Enabling this feature offers additional security based on the Federal Identity, Credential, and Access Management architecture. Screenshot:
For more information, see Using Okta Verify.
Applications Access Audit reports update
As a result of reports optimization efforts, our Applications Access Audit reports (Early Access) are now by default ordered by appUserId rather than lastName. For more information about these reports, see Applications Access Audit report.
Sign Up link option in Self Service Registration feature
In Self Service Registration settings you can now select an option to add a Sign Up link in your Okta hosted Sign-In page. This eliminates the need to configure the link via JavaScript in the Custom Sign In page editor. For more information, see Okta Self-Service Registration. Screenshot
IdP Discovery Application selection improvement
Improved configuration of the applicable applications in the IdP policy routing rule in the Identity Provider Discovery EA feature. The application selection is enhanced to show app logos to differentiate between apps and app instances more clearly. For more information see Identity Provider Discovery. Screenshot:
Dynamic mapping of multiple accounts/roles within AWS
This feature allows dynamic mapping of multiple accounts/roles within AWS by using group assignments from Okta. By using the App Filter and Group Filter, we can specify which account and role the user will use to login into AWS. For more information see the Okta AWS Multi-Account Configuration Guide. Screenshot:
Improved enrollment flow for 3rd-party iOS Device Trust
The enrollment flow for 3rd-party iOS Device Trust is improved for end users who are not enrolled in an MDM solution and do not have Okta Mobile installed. In cases where Okta cannot automatically redirect these end users to the admin-provided enrollment link configured in Okta, end users can now copy the link to the clipboard and paste it into Safari. Screenshot:
For more about 3rd-party iOS Device Trust, see Configure Okta Device Trust for Native Apps and Safari on MDM-managed iOS devices.
Time zone-based user deactivation support for Workday
Workday users can be deactivated based on the time zone of their location.
For more information about our Workday integration see our Workday Provisioning Guide.
Enhanced App Catalog Search
We have enhanced OIN app catalog search, extending search capabilities to include partial matches and more attributes of the application metadata.
Example without enhanced search:
Toggle password visibility on the Okta Sign-In page
End users can now toggle visibility of their password on the Okta Sign-In page, allowing end users to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. For more information about passwords in Okta, see Authentication. Screenshot:
Self Service Registration
Okta Self Service Registration allows end users to self-register into your custom app or the Okta Homepage. Once enabled, a Sign up link appears in the Okta Sign-In widget. This link takes users to a new Create Account registration form based on a customized registration policy. For details, see Self Service Registration. Screenshot:
Enhanced Device Trust enrollment flow for 3rd-party iOS devices
The enrollment flow for 3rd-party iOS Device Trust is improved for unenrolled end users accessing certain native clients such as Outlook. End users can now copy a link to their organization's enrollment instructions and paste it into Safari. For details about this Device Trust solution, see Configure Okta Device Trust for Native Apps and Safari on MDM-managed iOS devices. Screenshot:
Login detection based on geography and login time
This feature expands on existing behavior detection feature for user logins. Close successive user login attempts that are far apart geographically are detected and flagged as suspicious behavior. For more information, see Security Behavior Detection.
OMM enrollment restrictions
Are you tired of end users utilizing "Jaibroken" or "Rooted" devices to access sensitive apps? Admins will be pleased to hear that admins can now deny enrollment to compromised devices and/or any specific OS versions. Compliant users can enroll new devices or retain their current enrollments. See Restrictions based on Device Status and Operating System. Screenshot:
MFA bypass popup removed
A popup that informs users when a policy allows access without MFA, is removed.
System Log API (/logs)
The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems.
The Okta System Log API provides near real-time read-only access to your organization’s system log and is the programmatic counterpart of the System Log user interface.
Often the terms “event” and “log event” are used interchangeably. In the context of this API, an “event” is an occurrence of interest within the system and “log” or “log event” is the recorded fact.
Notes:
The System Log API contains much more structured data than the Events API.
The System Log API supports additional SCIM filters and the q query parameter, because of the presence of more structured data than the Events API.
Salted SHA256 algorithm support
Okta supports salted SHA256 algorithms for password import.
Not
Trusted option for Okta Device Trust
Okta Device Trust for Native Apps and Safari on OMM managed iOS devices now supports use of the Not trusted option in Sign-On policy rules. This allows mobile admins to do the following:
- Configure a Not Trusted + MFA rule so that users with untrusted iOS devices must MFA in order to access protected resources.
- Configure a Not Trusted + Deny rule so that users with untrusted iOS devices are redirected to OMM enrollment in order to access protected resources.
This update requires Okta Mobile 5.14 for iOS, available in the App Store. For more information, see Configure Okta Device Trust for Native Apps and Safari on OMM managed iOS devices.
Support for MFA on Windows servers with an RDP client
The Okta Windows Credential Provider prompts users for MFA when signing in to supported Windows servers with an RDP client. It supports all Okta-supported MFA factors except Windows Hello and U2F tokens. For details and setup instructions, see Okta Windows Credential Provider.
Incremental Imports for the Workday app
Okta now supports incremental imports for the Workday app.
Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import.
PIV attribute matching enhanced
Admins can choose from a list of custom attributes to use for matching when using a personal identity verification (PIV) card. Note: This is an enhancement to our support for PIV smart card feature (EA), for more information, see Add a PIV Card.
Add App Notes improvements
The Add Notes screen has design improvements to improve the workflow. For details, see Add Notes to an App (an Early Access feature).
Support for MFA on Windows servers with an RDP client
The Okta Windows Credential Provider prompts users for MFA when signing in to supported Windows servers with an RDP client. It supports all Okta-supported MFA factors except Windows Hello and U2F tokens. For details and setup instructions, see Okta Windows Credential Provider.
Revoke end user Device Trust certificates from the Okta Certificate Authority
You can now revoke an end user's certificate(s) for Okta Device Trust for managed Windows computers through their Applications tab. This is recommended if an end user's Windows computer is lost or stolen. For details, see Revoke Device Trust certificates from the Okta Certificate Authority. Screenshot
System Log tracking for OMM Device Trust for iOS devices
Okta Mobile user and device authentication events for OMM Device Trust for managed iOS devices are now written to the System Log.
JIRA and Confluence apps enhanced
The JIRA and Confluence apps now make use of a unique identifier during Atlassian API calls for profile updates instead of username. This allows users to be renamed.
Federation Broker Mode support for OIDC apps
Along with custom SAML Wizard apps, Federation Broker Mode now allows for OIDC apps. For details about this feature, see Federation Broker Mode.
Configure OMM Device Trust for managed iOS devices
OMM Device Trust for managed iOS devices allows you to prevent unmanaged iOS devices from accessing enterprise services through browsers and native applications. For details, see Configure OMM Device Trust for managed iOS devices.
The security question is an optional factor in the password recovery flow
The security question in the password recovery flow is now an optional factor. This feature requires the use of a group password policy. For more information, see Account Recovery. Screenshot
Federation Broker Mode
The new Federation Broker Mode allows Okta SSO without the need to pre-assign apps to specific users. Access is managed only by sign-on policy and the authorization rules of each app. This mode can improve import performance and can be helpful for larger-scale orgs that manage many users and apps. For details, see Federation Broker Mode.
Unsuspend users during Inbound SAML authentication
During inbound SAML authentication, you can configure the JIT settings for a SAML identity provider (IdP) to unsuspend Okta users. For more information, see the Identity Providers API.
Okta Device Trust for Microsoft Office 365 Exchange ActiveSync for iOS devices
Okta Device Trust for Microsoft Office 365 Exchange ActiveSync for iOS devices lets you:
-
Configure the iOS mail app to use certificates instead of passwords to allow OMM-enrolled users to authenticate to Microsoft Office 365 Exchange ActiveSync.
- Configure the Microsoft Office 365 client access policy to prevent unmanaged devices from accessing Microsoft Office 365 Exchange ActiveSync.
For details, see Configure Okta Device Trust for Microsoft Office 365 Exchange ActiveSync for iOS devices. Screenshot
Certificate-based authentication for iOS devices
Okta's Office 365 Exchange ActiveSync certificate-based authentication (CBA) for iOS devices allows users enrolled in Okta Mobility Management (OMM) to authenticate to iOS native apps without entering their credentials. For details, see Configure Office 365 EAS certificate-based authentication for iOS devices. Screenshot
JIRA Authenticator Toolkit v3.0.1
We have updated the Jira authenticator to support the following events:
- fireLoginEvent
- fireUserAuthenticatedEvent
- userAuthenticatedEvent
This enhancement adds support for Just In Time provisioning of default group memberships when users log in. For details, see the Okta Jira Authenticator 3.x Configuration Guide
We strongly recommend that you download and upgrade the latest SAML toolkit and the necessary Jira or Confluence authenticators. You can access all of these tools from the Okta Downloads page (Settings > Downloads).
System Log enhancement
We’ve enhanced our System Log to take advantage of our new Network Zones feature. Admins can now hover over an IP address that's part of an event and navigate through the series of menus to add that IP address to either the gateway or proxy list of IP addresses:
User reactivation
We now support reactivation of users in the following cases:
- During Just in Time provisioning (JIT), if a user is reactivated in a master app (for example, LDAP, AD), then the user is reactivated in Okta.
- During imports, if a user is reactivated in a master app (for example, LDAP, AD), then the user is reactivated in Okta.
Application Access Request workflow
The Access Request Workflow feature is a complete, multi-step approval workflow through which end users can request access to apps. Admins can select approvers that have the ability to grant access to self-service applications. Access Request Workflow allows you to appoint group and individual approvers, create customized notifications, and add comments, notes, and timeout rules. You perform all setup from the Okta Admin Dashboard and no programming or configuration files are required. For more information, see Access Request Workflow.Screenshot
Note: This Early Access (EA) feature requires either the Enterprise Plus or Provisioning Product editions. To enable it, contact Okta Support.