Preview

May 2019

2019.05.0: Monthly Preview release began deployment on May 8

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

LDAP support for Auxiliary Object classes

You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. For more information, see Configuring Your LDAP Settings.

Active Directory agent, version 3.5.7

This version of the AD agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. includes fixes to close and recreate connection groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. and add a retry in response to 502 errors during import.

For agent version history, see Okta Active Directory agent version history.

Last factor remembered for authentication

End usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using chiclets to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. who attempt to sign in to their orgThe Okta container that represents a real-world organization. are prompted to authenticate with the last factor they used based on the device or clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. . For more information about authentication factors, see Multifactor Authentication .

Enhanced Group Push for Samanage

Group Push now supports the ability to link to existing groups in Samanage. For details about this feature, see Using Group Push

Support for converting contractors to full time employees in Workday

Added support for converting contractors to full time employees within Workday. For more information see Workday Provisioning Guide.

Location zones support blacklisting

You can blacklist an entire location zone to prevent clients in the zone from accessing any URL for your org. For more information on zones, see Networks.

System Log events for blacklisted countries

When a country is added or deleted from a blacklist, the System Log tracks the action, as shown below. For more information on blacklisting, see Networks.

Generally Available Enhancements

Accounts locked after ten successive lockouts without a successful sign-in attempt

If an account has ten successive account lockouts followed by auto-unlocks with no successful sign-in attempts, Okta ceases auto-unlocks for the account and logs an event. For more information on account locking, see Security Policies.  

LDAP incremental imports, new check box

For customers who have the incremental import Early Access (EA) feature enabled there is a new check box to allow LDAP users to enable or disable incremental import. For new and existing LDAP instances, the check box is enabled by default. For details, see Install and Configure the Okta Java LDAP Agent.

UI Improvements for Security Email Notifications

Settings for end user email notifications have been moved to their own section: Security Notification Emails. For more information, see General Security.

WebEx additional attributes

We have added more extensible attributes to the WebEx application. For details, see the WebEx Provisioning Guide.

DocuSign authentication mode change

We are switching the authentication mode of our DocuSign provisioning integration to OAuth. For more information, see the DocuSign Provisioning Guide.

Okta Browser Plug-in version 5.28.0 for all browsers except Internet Explorer

This version includes the following enhancements:

  • Accessibility improvements
    • ARIA attributes for UI elements
    • Alt text for logos and images
    • Access to controls and tooltips through keyboard
  • Real-time reflection of the end user dashboard (currently an Early Access feature). For more information, see Browser Plugin Version History.

Early Access Features

New Features

Okta Browser Plug-in reflects real-time app and profile changes in the end user dashboard

The Okta Browser Plug-in now reflects the real-time state of the end user dashboard, eliminating the need to refresh the dashboard for the plug-in to reflect the latest app and profile changes. This feature is available through EA Feature Manager in the Admin Console to all browsers except Internet Explorer on Okta Browser Plug-in version 5.28.0 or higher. For more information, see About the Okta Browser Plugin.

ThreatInsight Threat Detection

Admins can now configure ThreatInsight — a new feature that detects credential-based attacks from malicious IP addresses. ThreatInsight events can be displayed in the admin system log and also be blocked once this feature is configured. For more information, see ThreatInsight.

Web Authentication for MFA

Admins can enable Web Authentication as a factor as defined by WebAuthn standards. Web Authentication supports both security key authentication such as YubiKey devices and platform authenticators. For more information, see Web Authentication (FIDO2) .

New macOS Device Trust Registration Task, version 1.2.1

This release provides the following:

  • The enrollment process is halted if the default keychain is unavailable for some reason (for example, is corrupted or missing). This ensures that end users are not prompted to reset the keychain.
  • An improved Registration Task update process ensures that enrolled devices are not inadvertently unenrolled in the event the update itself fails.
  • Provides support for a query allowing admins to determine which version of the Registration Task is installed on the device.

For details, see Device Trust for macOS Registration Task Version History.

Early Access Enhancements

Microsoft Intune selection now available in Okta Device Trust for managed iOS devices

Along with other popular MDM options already available for enabling Device Trust, you can now select Microsoft Intune as your MDM provider when you configure the Device Trust solution for Native Apps and Safari on managed iOS devices. While it was possible to configure Intune prior to this change by selecting the Other option, the addition of an Intune option simplifies the implementation. For more about this Okta Device Trust solution, see Enforce Okta Device Trust for Native Apps and Safari on MDM-managed iOS devices.

Note: This notice was updated in 2019.05.1 to more accurately describe this enhancement.

Schema Discovery for Cornerstone On Demand

The Cornerstone On Demand provisioning app now supports Universal Directory and Schema DiscoveryAbility to import additional attributes to Okta. For more information, see the Cornerstone On Demand Provisioning Guide.

Fixes

General Fixes

OKTA-215983

Email templates translations for MFA Factor Enrolled and MFA Factor Reset did not work when the Thai language was selected.

OKTA-217878

For Self Service app registration for apps with provisioning enabled, when admins changed the Approval setting from Required to Not Required the resulting error message was misleading.

OKTA-218001

System Log entries for Device Trust displayed incorrect spacing for some entries.

OKTA-220849

The SuccessFactors app import API did not work.

OKTA-221717

Routing rules for Identity Provider discovery were ignored when both IWA Desktop SSO and Agentless SSO were enabled.

OKTA-221914

Identity Provider routing rules that set User Matches to User Attribute matches Regex were not evaluated correctly.

OKTA-222256

CSV Directory scheduled incremental imports failed.

OKTA-222632

Admins who manage two groups, one granted via individual assignment, and the other via group assignment, could not assign users from one group into the other.

OKTA-222660

When using the LDAP interface, pagination on groups containing more than 1000 users failed.

OKTA-224104

Users assigned admin roles by group did not get assigned the correct default admin email settings.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Adobe Fonts (OKTA-222877)

  • Air France (OKTA-223010)

  • The Australian (OKTA-221618)

  • FINRA IARD (OKTA-223775)

  • Keap (OKTA-222416)

  • LastPass (OKTA-206231)

  • Metropolitan Bank US (OKTA-222451)

  • Mimecast Personal Portal v2 (OKTA-221490)

  • Nationale Nederlanden: Pensioen Service Online for Business (OKTA-222412)

  • Nextdoor (OKTA-223774)

  • Nmbrs (OKTA-223801)

  • Oakland Public Library Catalog (OKTA-222415)

  • Onfido (OKTA-223804)

  • Optimal Blue (OKTA-223500)

  • Plooto (OKTA-223747)

  • Poll Everywhere (OKTA-223776)

  • The San Diego Union-Tribune (OKTA-223015)

  • WhiteHat Sentinel (OKTA-222784)

  • Wrike (OKTA-223803)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioningThe Provisioning features of some OIN apps are built by a third-party, typically the vendor of the app product or service. These features are Okta Verified through a rigorous Okta review process. Partners-Built EA: Partner-Built EA application features have been verified and tested by Okta but may not have been deployed or used by a customer in an Okta production environment. We recommend that you fully test these integrations for your own provisioning use-cases before deploying in production for your end users. Okta Verified: A Partner-built EA application becomes Okta Verified after a customer has verified the integration in production. integration apps are now available in the OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs. as partner-built Early Access:

SAML for the following Okta Verified applications

SWA for the following Okta Verified applications

  • Dynatrace (OKTA-221851)

  • Legislative Tracking System (OKTA-219355)

  • Park-line (OKTA-222807)

  • Tax Workflow (OKTA-222999)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • RescueAssist (OKTA-220114)

Weekly Updates

Closed2019.05.1: Update 1 started deployment on May 15

Fixes

General Fixes

OKTA-211631

Active Directory imports failed when federation broker mode was disabled for the app.

OKTA-212278

The Japanese translation of the end-user activation page needed improvement.

OKTA-213647

The System Log advanced search returned a 500 error when processing search terms containing the percent character (%).

OKTA-221535

Admins saw a loop when they enabled Multifactor Authentication for admins with no MFA factor set as Optional or Required in the corresponding MFA policy.

OKTA-221914

In cases where IdPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta. Discovery was enabled, when a routing rule was configured to use User Attribute matches Regex for User Matches, the regular expression would be evaluated improperly.

OKTA-222183

If an Event Hook name was changed after it had been verified, users were asked to verify the Event Hook again.

OKTA-224205

Local users not assigned the RDP app were able to sign in to the app without being prompted for MFA if their user account on the server had rights to connect to RDP sessions and InternetFailOpenOption was set to True. Okta Windows Credential Provider version 1.1.4.0 needs to be downloaded for this fix.

OKTA-225805

The Security > General > Security Email Notifications page briefly displayed incorrect values after the email fields were set to Enabled and then the page was refreshed.

OKTA-225584H

When using the LDAP interface if a soft token was specified as a part of a bind request’s credentials, a push notification may have been erroneously sent to the user’s phone while normal authentication using the soft token was taking place.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • RedLock (OKTA-213155)

The following SWA apps were not working correctly and are now fixed

  • Cisco (OKTA-218994)

  • Visual Website Optimizer (OKTA-224230)

Applications

New Integrations

SAML for the following Okta Verified applications

  • CloudAcademy (OKTA-220845)

  • Druva 2.0 (OKTA-224318)

  • PitchBook (OKTA-222083)

  • Squadcast (OKTA-223018)

SWA for the following Okta Verified applications

  • CodySoft (OKTA-223598)

  • iAuditor (OKTA-225943)

  • Medi-Cal (OKTA-225406)

  • Saia (OKTA-223491)

Closed2019.05.2: Update 2 started deployment on May 22

Fixes

General Fixes

OKTA-220205

Failed authentication using FIDO factors were counted towards account lockout limit.

OKTA-222410

Mobile admins could not edit native apps despite having necessary permissions.

OKTA-223821

An IWA Auth event was incorrectly triggered in the System Log when a user logged in via Agentless Desktop SSO. The Authenticate User via IWA event has been removed from this flow. No other events in the flow are impacted.

OKTA-224002

Changing the LDAP configuration did not convert the next LDAP incremental import to a full import as expected.

OKTA-226976H

Setting up JAMF failed when testing the API credentials for On-Premises JAMF server that uses SSL certificate signed by by USERTrust RSA Certification Authority.

OKTA-227307

A user identifier condition evaluation for IdP Discovery sometimes returned an HTTP 400 bad request error when either the user or the attribute being evaluated was not found.

OKTA-228350H

When the EA feature, OFFICE365_USE_GRAPH_API_FOR_PROVISIONING was enabled, in certain cases Office 365 groups were deleted during an import.

OKTA-2285347H

Imports from Office 365 failed if the EA feature, OFFICE365_USE_GRAPH_API_FOR_PROVISIONING was enabled.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Boxed (OKTA-226698)

  • CBT Nuggets (OKTA-226697)

  • Contract Express (OKTA-225826)

  • Copper (OKTA-223771)

  • Customer Service Portal (OKTA-225821)

  • Mimecast Personal Portal v2 (OKTA-226257)

  • Nextiva NextOS 3.0 (OKTA-225822)

  • Prosperworks (OKTA-225823)

  • Rackspace Admin Control Panel (OKTA-225820)

  • WP Engine (OKTA-225575)

Applications

Application Updates

The MaestroQA application integration now supports Just In Time (JIT) provisioningusers are created/updated on the fly using the SAML attributes sent as part of the SAML response coming from the Identity Provider. The A user is created during initial login to the Service Provider and updated during subsequent logins. Turning on JIT Provisioning is normally a configuration value in the Service Provider..

New Integrations

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Activaire Curator (OKTA-226658)

  • Aqua Cloud Security Platform (OKTA-220542)

  • CallPlease (OKTA-225465)

SWA for the following Okta Verified applications

  • Cisco Webex Teams (OKTA-221715)

  • Healthx (OKTA-226236)

  • Key Travel (OKTA-223497)

  • Technology Review (OKTA-225508)

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. For details, see Using the LDAP Interface.

Identity Provider Discovery

Using Identity Provider Discovery and routing rules, Okta directs users to different identity providers based on certain criteria. These criteria include location, device, the app being accessed, the user's domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https)., and specific user attributes. For more information see Identity Provider Discovery.

Apps supporting incremental imports

Workday joins Active Directory and LDAP in the ability to run immediate, incremental imports. Okta strives to add this functionality to more and more provisioning-enabled apps.  This feature is currently only available for Preview orgs.

Note: To use this functionality, your org must also have the Workday Incremental Imports (ENG_PROV_WORKDAY_INCREMENTAL_IMPORTS) Early Access feature enabled.

Multifactor Authentication for admins

MFA for Admins allows Super admins to enable mandatory multifactor authentication for all administrators accessing admin functionality. For details see Authentication. This feature is currently available for new orgs only.

Top

© 2019 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners.