Check the version number at the bottom of your Okta Administrator page to see your current version. Version numbers indicate the year and week of the year that releases are pushed to orgs. For example, release 2017.02 was pushed the second week of 2017. The week numbers follow the ISO Week Date convention.
Changes to the platform are published in the Platform Release Notes.
Okta Production Release 2017.26 will begin deployment on July 10.
2017.25 Production Release began deployment on June 26.
You can now customize the placeholder text that appears in dialog boxes when end users click account recovery links on the Sign-In page. For details, see Customize the placeholder text in account recovery dialog boxes.
The Mobile Policies and Wifi config security options are now only available on the Devices menu, as shown below. Previously, they were also available on the Security menu. For details, see the Devices menu.
To allow Okta to grant authorization requests to apps that do not specify scopes on an authorization request, you can now configure scopes as defaults. If the client omits the scope parameter in an authorization request, Okta returns all default scopes in the Access Token that are permitted by the access policy rule. For details, see Create Scopes.
The wizard for creating an OpenID Connect app has been improved and consolidated onto a single screen.
The Settings Page for AD-mastered users matches the Settings Page for Okta-mastered users to show the security question whether or not password reset or self-service unlock is available.
Okta plugin version 5.12.0 is GA for the Chrome browser. This version updates how we describe the plugin in the Chrome web store, and provides several internal improvements. For version history, see Browser Plugin Version History.
Query string is now supported in the definition of an IdP (Identity Provider) Login URL:
- The IDP Login URL field in the Add/Edit Endpoint wizard.
- The IdP Single Sign-On URL for Inbound SAML. Reserved SAML parameters (SAMLRequest, RelayState, SigAlg, Signature) in the query strings are ignored.
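The rule above can be modelled as follows. This is an added example, not Okta's code: it assumes the SAML parameters travel in the query string of the redirect, and the function name, hostname, and `tenant` parameter are hypothetical.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Reserved names listed in the release note; exact-case matching is an assumption.
RESERVED = ("SAMLRequest", "RelayState", "SigAlg", "Signature")


def build_sso_redirect(idp_login_url, saml_params):
    """Return (redirect_url, ignored_names) for one sign-in request.

    idp_login_url: the configured URL, which may carry its own query string.
    saml_params:   parameters generated for this request (SAMLRequest, ...).
    """
    parts = urlsplit(idp_login_url)
    kept, ignored = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in RESERVED:
            ignored.append(name)      # configured value is dropped
        else:
            kept.append((name, value))
    # Custom parameters first, then the values generated for this request.
    query = urlencode(kept + list(saml_params.items()))
    return urlunsplit(parts._replace(query=query)), ignored


if __name__ == "__main__":
    # Constructed values: hostname, tenant parameter and payloads are invented.
    url, ignored = build_sso_redirect(
        "https://idp.example.com/sso/saml?tenant=acme&RelayState=stale",
        {"SAMLRequest": "ZmFrZQ==", "RelayState": "/home"},
    )
    print(url)
    print("ignored:", ignored)
```

Reporting the ignored names lets an administrator spot a configured URL that still carries a stale reserved parameter.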
The Okta Java LDAP agent version 5.3.10 is Generally Available. This version provides various improvements to the agent log, as well as fixes to the following issues:
- Imports from LDAP failed in some orgs due to the way the Okta LDAP agent handled Unicode characters.
- Imports from LDAP failed in some orgs due to randomly dropped connections between the LDAP agent and Okta.
- We have finished migrating all customers to our enhanced System Log as part of our on-going GA rollout. With this release, when navigating to the System Log in your Okta Administrator Dashboard, all orgs will now see the new System Log.
- We have enhanced our System Log by logging an event (security.session.detect_client_roaming) when a session roaming event is detected.
- The Okta Expression Language function getFilteredGroups events can be tracked with the /api/v1/events call, in addition to tracking in System Log v2.
- There is additional logging for an invalid OAuth 2.0 client. If we detect five or more consecutive authentication attempts with the wrong client secret, Okta logs the events as suspicious:
  - The requests may be to any OAuth 2.0 endpoint that accepts client credentials.
  - The counter resets after 14 days of no invalid authentication attempts, or after a successful authentication.
  - The message is "Multiple requests with invalid client secret for client id".
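The counting rule for invalid client secrets can be modelled as below, for example to reproduce the same logic over your own token-endpoint logs. This is an added example, not Okta's implementation: it assumes the counter is kept per client id, and the class, function, and sample client names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

THRESHOLD = 5                     # "five or more consecutive" attempts
RESET_AFTER = timedelta(days=14)  # quiet period that clears the counter
MESSAGE = "Multiple requests with invalid client secret for client id"


@dataclass
class ClientState:
    consecutive: int = 0
    last_invalid: Optional[datetime] = None


class InvalidSecretTracker:
    """Counts consecutive wrong-secret attempts per client_id (assumed scope)."""

    def __init__(self):
        self.clients = {}

    def observe(self, client_id, when, secret_ok):
        """Record one attempt; return an alert dict once the run is suspicious."""
        state = self.clients.setdefault(client_id, ClientState())
        if secret_ok:
            # A successful authentication resets the counter.
            state.consecutive, state.last_invalid = 0, None
            return None
        if state.last_invalid and when - state.last_invalid >= RESET_AFTER:
            # 14 days without an invalid attempt: start counting again.
            state.consecutive = 0
        state.consecutive += 1
        state.last_invalid = when
        if state.consecutive >= THRESHOLD:
            return {"client_id": client_id, "consecutive": state.consecutive,
                    "message": MESSAGE}
        return None


def replay(events):
    """Feed (client_id, iso_timestamp, secret_ok) tuples in time order."""
    tracker, alerts = InvalidSecretTracker(), []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[1]))
    for client_id, ts, ok in ordered:
        hit = tracker.observe(client_id, datetime.fromisoformat(ts), ok)
        if hit:
            alerts.append((ts, client_id, hit["consecutive"]))
    return alerts


# Constructed sample data; client ids and timestamps are invented.
SAMPLE_EVENTS = (
    [("client-a", f"2017-06-01T10:0{m}:00", False) for m in range(4)]
    + [("client-a", "2017-06-01T10:04:00", True)]      # success resets the run
    + [("client-a", f"2017-06-01T10:0{m}:00", False) for m in range(5, 10)]
    + [("client-b", f"2017-06-01T12:0{m}:00", False) for m in range(4)]
    + [("client-b", "2017-06-20T12:00:00", False)]     # after a 14-day gap
)

if __name__ == "__main__":
    for alert in replay(SAMPLE_EVENTS):
        print(alert)
```

In the sample, client-a is flagged only on the fifth failure after its successful authentication, and client-b is never flagged because its fifth failure arrives after more than 14 quiet days.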
The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. For more information, see Configure the display language.
When configuring an LDAP provisioning group, you must now enter a DN attribute in the Provisioning Destination DN field to specify the container in which new users are created in LDAP (Directory > Groups > LDAP > Manage Directories). Before this change, leaving this field unpopulated meant that Okta automatically created new users in the container specified in the User Search Base field (Directory > Directory Integrations > LDAP > Settings > LDAP Configuration). This fallback method may have produced unexpected results. For more information, see Groups.
When configuring an authorization server, you can now specify when ID token claims are included in ID tokens sent from an authorization server. For details, see Create Claims.
The Okta screens contain additional links. There is a link to the Okta Trust page from the bottom of the screen and the word Okta at the left of the menu bar is now a link to the Dashboard. Additionally, any links from an Admin banner page open in a new window by default.
The Group Password Policy feature is now GA. For details, see Security Policies.
The Group Administrator role, previously known as the User Administrator role, is Generally Available. This role provides granular people management features and has enhanced capabilities for managing users within groups to which they are scoped. Super Org Admins can assign this role to isolate control over certain groups and teams within their organization. For details, see The Group Admin Role.
We are switching from the SHA-1 signature algorithm to the SHA-256 algorithm for signing assertions used to sign in to Microsoft Office apps, both for browser-based and thick client use cases.
Note: This is a phased rollout to Production that is expected to be complete by 2017.26.
The enhanced Application Page Search is now GA. If your org has 50+ apps, you can now use a Search bar that accepts app names and instances. You can also complete more tasks directly on the page, such as assigning users and groups. Finally, you can copy embedded links straight to the clipboard from specific apps without the need to scroll through the app list to find them.
An enhanced app assignment screen is available for all preview orgs. You can toggle between people and groups on the same screen, view an error message if an assignment cannot be completed, and select Assign to people or Assign to groups from the Assign button, as shown below. For details, see Assign Applications in Using the Applications Page.
You can unlock your user accounts in bulk in the same way that you can reset passwords and MFA in bulk. For details, see Unlock User Accounts in Bulk.
Authentication whitelisting and blacklisting based on Network zones is now Generally Available (GA). Network zones are sets of IP address ranges. You can use this feature in policies, application sign-in rules, and VPN notifications. This expands the use of Gateway IP Addresses. For more information, see Network.
There are no Generally Available features in Production 2017.22.
The following message now displays in the end users' Display Language setting if they have not specified a language preference.
We have updated the Okta Confluence Authenticator to version 2.0.5. This version adds support for custom base URLs (for example, http://confluence.onprem.com/my-confluence). For version history, see the Okta Confluence Authenticator Version History.
As both the JIRA Authenticator and the Confluence Authenticator are built on the Okta SAML Toolkit for Java, all three components are incremented to version 2.0.5 to maintain version consistency. For more details on these integrations, see Using the Confluence On Premises SAML App and Using the JIRA On-Premises SAML App. We strongly recommend that customers download and upgrade the latest SAML toolkit and the relevant Jira or Confluence authenticators. You can access all of these tools from Settings > Downloads.
The requirement that the Universal Directory locale property can only contain ISO/SCIM locale values is enforced for all new app instances. For details of this requirement, see UD Enforcement of ISO-compliant Locale Values.
We have updated the following Okta authenticators:
- Okta JIRA Authenticator to version 1.0.15 for the JIRA On-Premises app version 6.x.x.
- Okta JIRA Authenticator to version 2.0.4 for the JIRA On-Premises app version 7.x.x
- Okta Confluence Authenticator to version 2.0.4 for the Confluence On-Premises SAML app
- Okta SAML Toolkit for Java to version 2.0.4
We strongly recommend that you download and upgrade to the latest SAML toolkit and the necessary Jira or Confluence authenticators. You can access all of these tools from the Okta Downloads page (Settings > Downloads). For version history, see Version History Tables.
We have enhanced our Workday integration to support Profile Updates. For more information about Workday provisioning, see the Workday Provisioning Guide.
You can now use an HTTP redirect for SAML single log-out requests.
The ServiceNow SAML application now supports Single Logout (SLO). This is an optional feature, and it is not enabled by default. To set up SLO for ServiceNow, follow the steps in the ServiceNow SAML guide.
We have updated our Jira and Confluence Cloud provisioning integrations to match with Atlassian's new identity structure using Atlassian Accounts. As part of this update, we have disabled/removed Sync Password and Update User Attributes functionality because Atlassian no longer supports them.
Atlassian is migrating all JIRA Cloud and Confluence Cloud customers by May 26th, 2017 to a new single identity called Atlassian Account. When you are ready, contact Atlassian to have your account migrated. If you do not contact Atlassian, your account will be migrated automatically starting May 29th, 2017.
For details, see Migration to Atlassian Account for Jira Cloud and Confluence Cloud Customers.
We are migrating a significant number of our customers to our enhanced System Log as a part of our on-going GA rollout. In the next release, you may see the new System Log when navigating to Security System Log in your Okta Administrator Dashboard.
We have an enhancement for admins using .csv templates for user app assignments in lieu of provisioning. Along with importing users with Base attributes using a .csv template, you can import users with Custom attributes defined in the Profile Editor. For details on using this robust feature, see Importing People from a CSV File.
If a task is created from a group app assignment, you can change it to an individual assignment. All group assignment tasks contain an option for this permanent conversion. For details, see the Tasks Page section in The Administrator Dashboard.
The User Administrator role is now GA, including the people management features. This role has enhanced capabilities for managing groups. Super Admins can assign this role to isolate control over certain groups and teams within their organization. For details, see The User Admin Role.
To support our Concur integration, we now support TLS v1.2.
We have updated Egnyte provisioning so that once a user is provisioned into Egnyte by Okta and assigned the SSO (single sign-on) authentication type, no further email validation is required. If you still want to receive a validation email from Egnyte for new SSO users, check the Send Egnyte Validation Email for SSO users box under the Provisioning tab.
We've updated the visual progress indicators that appear in the Okta platform (spinners, progress bars).
Okta is enabling two features, macOS MDM and Android for Work, for OMM (Okta Mobility Management) customers that have not switched to our SKU packaging. For OMM customers with SKU packaging, these features are already enabled.
The Welcome email that Okta sends to new end users is localized in the language in the users' default locale property (if specified) instead of the display language configured for your org (if different). For more information, see Configure the display language.
Group Password Policy is now Generally Available for all Preview orgs. It is still an Early Access feature for Production orgs.
Okta Admins can upload their own SAML certificates to sign the assertion for Outbound SAML apps and to sign the AuthNRequest and decrypt the assertion for Inbound SAML. For more information, see the Bring Your Own SAML App Certificate guide.
Version 1.11.0 of the Okta Sign-In Widget is available for Preview orgs. For more information, see Okta Sign-In Widget.
Okta now supports TLS v1.2 communication between Okta and the Jira On-Premises server. We recommend updating your server as soon as possible, in accordance with security best practice.
We have updated the On-Premises Provisioning (OPP) agent to version 1.01.00. This update adds an http option and makes UTF-8 encoding the default. Previously the default encoding was the one set on the OS/system on which the OPP agent was installed. After upgrading the agent, the default encoding becomes UTF-8, unless you override the default.
We have enhanced our System Log to now log the actual raw user agent string in the RawUserAgent string field.
We have updated the On-Premises Provisioning (OPP) agent to version 1.0.13. This allows the OPP agent to use the TLS v1.2 protocol, and deprecates TLSv1.0. We recommend updating your OPP agent as soon as possible, as TLSv1.0 is no longer considered secure.
Click Expand All to expand the left side event categories. This link then toggles to Collapse All.
More information about an event is now displayed when the category is collapsed. The following additional details are displayed (if available):
- Actor: user id
- Client: ip address
- Event: transaction id
- Target: target resource type and target resource id

In addition to displaying the Outcome of an event, when the Outcome is failure, we now also display the reason why.
We have introduced a new Atlassian Cloud app integration that supports SAML for both JIRA Cloud and Confluence Cloud. In order to use SAML you will need to:
- Switch your JIRA/Confluence Cloud tenants to Atlassian Account.
- Switch to the Atlassian Cloud app integration in Okta.

For details, see How to Configure SAML 2.0 for Atlassian Cloud.
As part of Okta's Section 508 Compliance, links and buttons in certain areas of the Okta service are now illuminated when they're in focus. For more information about focus changes, see Testing HTML for Section 508 Compliance.
Our Universal Directory-enabled provisioning integrations for British Telecom (BT) Cloud Phone Production and BT Cloud Phone User Acceptance Testing (UAT) environments are now Generally Available (GA) (note that the UAT app is available in Preview orgs only). The BT Cloud Phone applications support attribute-level mastering, which allows BT Cloud Phone to act as a master for users' direct and extension numbers while other attributes are mastered by a different source, such as Active Directory (AD). For details, see British Telecom Cloud Phone configuration guide.
Our Universal Directory-enabled provisioning integrations for RingCentral Office @ Hand for AT&T Production and RingCentral Office @ Hand for AT&T User Acceptance Testing (UAT) environments are now GA (note that the UAT app is available in Preview orgs only). The RingCentral Office @ Hand for AT&T applications support attribute-level mastering, which allows Office @ Hand for AT&T to act as a master for users' direct and extension numbers while other attributes are mastered by a different source, such as Active Directory. For details, see RingCentral Office @ Hand for AT&T configuration guide.
Essentially, an end user can sign into SAML apps without re-entering their Okta credentials on their mobile device. This feature can be disabled if you'd rather not allow seamless SAML access to Safari. For details, see Okta Mobile Safari Extension.
We have added a new option to our current list of VPN profiles via OMM. Admins can now provision Pulse Connect Secure as a VPN client. For details, see Configuring VPN Profiles. This feature is currently only available for iOS devices.
The cell in which your org is running now appears at the bottom of the page. A cell is an independent collection of multi-tiered, redundant hardware and software designed to effectively manage service traffic and requests for a subset of Okta tenants. Okta is comprised of multiple cells strategically deployed across several geographic regions. You may be asked to provide your cell number whenever you contact Okta Support.
This release combines features from Okta Preview Sandbox (oktapreview.com) 2017.03, 2017.04, and 2017.05.
As with Domain local and Global groups, you can now push Universal groups to Active Directory.
When creating a new OpenID Connect app and configuring an Implicit grant type, you can now specify whether to include ID Tokens, Access Tokens, or both.
Per SAML standards, we now send Universal Directory (UD) array attributes in SAML 1.1 assertions as multi attribute values.
We have enhanced our System Log to now include more granular Microsoft Office 365 events.
You can configure an end-user fingerprint request that appears after the initial MFA challenge. If the user's device is lost or stolen, no one else can gain access to it. This feature is currently available only for iOS devices. For details, see Okta Verify with Touch ID.
We have improved text in the end user Welcome screen and Settings page in the Japanese language.
In addition to the index, we now support requesting the SAML ACS Endpoint by URL. For information about allowing apps to request other URLs, see Using the App Integration Wizard.
You can set an authorization server to manually rotate keys. Keys are rotated automatically by default. For more information, see API Access Management.
Important: Automatic key rotation is more secure than manual. Use manual key rotation only if you can't use automatic.
You can now search on the exact name of an authorization server or resource URI from the Authorization Servers tab (Security > API).
We have enhanced the Amazon Web Services SAML SSO to allow setting of a configurable AWS ACS URL and AWS API URL. These fields are optional, and give you added control over the app configuration. Note that if you already have an Amazon Web Services app configured, it will continue to work as-is. (This feature was hotfixed in Preview Release 2017.02).
The Okta plugin version 5.9.3 is now Generally Available (GA) for Firefox and Internet Explorer (IE) browsers. This release provides performance and security enhancements and is available to all customers via Settings > Downloads. For version history, see Browser Plugin Version History.
The Okta IWA Web App version 1.10.1 is now GA. This release includes internal improvements as well as all the fixes and enhancements contained in EA versions 1.10.0 and 1.10.1. It is available to all customers via Settings > Downloads. For version history, see SSO IWA Web App Version History.
Unless otherwise noted, these features are available for all organizations with release 2017.02.
The Okta end user Dashboard now supports skip navigation to allow users and screen readers to bypass links at the top of the page and go directly to their desired content such as app chiclets, the Add App button, and end user Settings. For more information about skip navigation technology, see here.
To allow more granular control of outbound provisioning to Active Directory (AD), admins can now deactivate the accounts of unassigned AD users and update user attributes in AD during app assignment and profile updates. For details, see Configuring Import and Provisioning Settings.
You can permanently delete a deactivated user with the Delete button that appears in the directory screen for that user, as shown below. You cannot undo this deletion. After deletion you can reuse the username and other identifiers; however, log entries are retained. For more information, see Deactivating and Deleting People.