July 2019

2019.07.0: Monthly Preview release began deployment on July 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Timeout warning added to the Sign-In Widget

A timeout warning has been added to the Sign-In Widget for SMS and Voice Factor enrollment and challenge flows. For more information, see Customize the Okta-hosted sign-in page.

Token expiration window increased to five years

The expiration window of Refresh Tokens can be configured up to five years in custom authorization servers. The minimum expiration is unchanged. For more information, see API Access Management.

Okta Verify factor available for all orgs

All orgs now have the option to configure and enable Okta Verify as a factor. For more information, see Multifactor Authentication or Okta Verify.

Custom Email Template enhancement

To curtail phishing, the custom email template in new free editions of Okta now contains a banner warning recipients of fraudulent free trial users and an email address to report suspicious content. For feature information, see Email and SMS Options.

Okta Browser Plugin for Firefox available from Firefox Add-ons

Okta Browser Plugin version 5.31.0 for Firefox is now available from the Firefox Add-ons. For version history, see Browser Plugin Version History.

OPP agent, version 1.3.2

On Premises ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. AgentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. version 1.3.2 supports CSV Directory Integration. For version history, see On Premises Provisioning Agent and SDK Version History.

Generally Available Enhancements

New System Log event for sent emails

A new System Log event has been added to notify admins when an email is sent to a user for verification. When fired, this event contains information about the token lifetime in the debugData.

New System Log event for redeemed credentials in an email

A new System Log event has been added to identify when a credential sent in an email to a user has been redeemed, meaning the link was clicked or the code was entered. When fired, this event contains information about the result and debugData with the action.

Validate service account credentials for Kerberos realm

When configuring the service account credentials for the Kerberos realm, you can now optionally choose to validate these credentials. For more information on Agentless DSSO, see Configure Agentless Desktop SSO.

UI enhancements for Sign-On Policies and Password Policies

When creating a new MFA sign-on policy, the Prompt for Factor option is now selected by default. When creating a new password policy, the option to enforce a password history is now set to the last four passwords by default. For more information about sign-on policies and password policies, see to Security Policies.

System Log events for Behavior Settings

New System Log events now appear when creating, deleting, or updating behavior settings.


Early Access Features

New Features

LDAP agent, version 5.6.1

This version of the agent contains internal improvements. For version history, see Okta Java LDAP agent version history.

Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices

Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices allows you to prevent unmanaged Android devices from accessing enterprise services through browsers and native applications.

Note: This feature requires Okta Mobile 3.14.1 for Android (or later). For details, see Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices.

Okta SSO IWA Web App agent, version 1.13.0

This release of the Okta SSO IWA Web App agent includes bug fixes. For version history, see Okta SSO IWA Web App agent Version History.

Admin report CSV changes

The Administrator report containing information about all admins, their roles, and permissions will now be generated asynchronously. Super admins can generate the report by clicking Request Report and they will receive an email with a download link when the report is ready. You can enable this change using the Feature Manager. For details, see The Super admin role .

Okta user profile, enforce custom attribute uniqueness

You can enforce attribute uniqueness across your organization for custom attributes in the Okta user profile. You may mark up to 5 custom attributes as requiring uniqueness. For details, see Work with Okta user profiles and attributes.

Early Access Enhancements

Agentless Desktop SSO, feature dependency

If you are using Agentless Desktop Single Sign On, there is now a dependency on Identity Provider Routing Rules. If you do not have Identity Provider Routing Rules enabled, contact Support. For feature details, see Configure Agentless Desktop SSO and Identity Provider Discovery.

New System Log events for Inline Hooks

  • Log all Inline Hook response events: All inline hook success and failure events are now logged. Logged events provide context around how the response was used.
  • Inline Hook Type events also log the type of Inline Hook.

For more feature information, see Inline Hooks.

New System Log event for ThreatInsight

When ThreatInsight configuration is updated, the System Log now displays a new event to reflect these configuration changes. For more information about this feature, see ThreatInsight.

Widget labeling

The Sign-In Widget has been updated to use labels for form fields instead of placeholder text.

Note: This update applies to the default login page. If you are using a custom login page you need to manually upgrade to the 3.0 version of the Widget to get this update.

For more feature information, see Configure a custom Okta-hosted Sign-In page.





The Downloads page incorrectly reported that some agents needed to be upgraded.


Group rules were not applied to reactivated users.


When MULTIPLE_FACTOR_ENROLLMENTS was enabled and MULTIPLE_OKTA_VERIFY_ENROLLMENTS disabled, changing the Okta Verify factor to REQUIRED returned a 400 error.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed


Application Updates

The following partner-built provisioningThe Provisioning features of some OIN apps are built by a third-party, typically the vendor of the app product or service. These features are Okta Verified through a rigorous Okta review process. Partners-Built EA: Partner-Built EA application features have been verified and tested by Okta but may not have been deployed or used by a customer in an Okta production environment. We recommend that you fully test these integrations for your own provisioning use-cases before deploying in production for your end users. Okta Verified: A Partner-built EA application becomes Okta Verified after a customer has verified the integration in production. integration app is now Generally Available in the OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs. as partner-built:

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Panorays (OKTA-233837)

  • Teamie (OKTA-233564)

SWA for the following Okta Verified applications

  • A.I.D.A. Virtual Cards (OKTA-229475)

  • Aquera apps (OKTA-232806):

    • AD LDS by Aquera
    • Adobe Cloud by Aquera
    • ADP Workforce Now by Aquera
    • Atlassian by Aquera
    • Box by Aquera
    • Ceridian Dayforce by Aquera
    • Documentum by Aquera
    • Fastly by Aquera
    • InvisionApp by Aquera
    • Jama Software by Aquera
    • LaunchDarkly by Aquera
    • MongoDB by Aquera
    • Runscope by Aquera
    • Smartsheet by Aquera
    • VividCortex by Aquera
  • Avery (OKTA-228198)

  • Cision Communications Cloud (OKTA-231151)

  • Coalfire (OKTA-228801)

  • Correspondent Hub (OKTA-229741)

  • Grip On It (OKTA-224027)

  • Jackson (OKTA-231411)

  • Moneris Gateway (OKTA-228650)

  • Music Vine (OKTA-229245)

  • National Life Group Agents Login (OKTA-231088)

  • Nationwide Financial (OKTA-231408)

  • OneMobile Oath (OKTA-224130)

  • PerfectServe (OKTA-230812)

  • Structural (OKTA-229603)

  • TIAA (OKTA-231409)

  • VPAS Life (OKTA-231407)

  • Zix Customer Support (OKTA-229476)

Weekly Updates

Support for LDAP provisioning

With the addition of the following Provisioning Features, Okta's LDAP integrations now closely match the functionality already available to Okta Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. (AD) integrations.

  • Create Users

  • Update and deactivate LDAP accounts

  • DN customization

  • Profile Masters

For more information, see Provisioning Features.

LDAP settings, user interface changes

The LDAP settings user interface is updated. It is now more consistent with how other application settings are configured. For details, see Configure the Okta Java LDAP Agent: new user interface.

Configure Okta Device Trust for Native Apps and Safari on MDM managed iOS devices

Okta Device Trust for MDM managed iOS devices allows you to prevent unmanaged iOS devices from accessing enterprise services through browsers and native applications:

Note: This feature requires Okta Mobile 5.12 for iOS (or later), available in the App Store beginning February 1st.

For details, see Configure Okta Device Trust for Native Apps and Safari on MDM managed devices.

Scoping admin privileges, AD and LDAP-mastered groups now supported

Super admins can now scopeA scope is an indication by the client that it wants to access some resource. Group and Help Desk admin privileges to AD and LDAP-mastered groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. in addition to Okta-mastered groups. This EA Feature can be enabled in the Feature Manager. For details, see Assign Help Desk admin privileges.

Admin console search

Admins can now use a quick search for the names of end users or apps. However you only see search results based on what you have admin permission to view. When the search results are presented, if the name or app you are seeking is listed, you can click on the item and be taken to the corresponding user page or application page. For details, see Admin console search.

Remove Duo from end user settings

Duo may now be removed from end user settings so that end user enrollment takes place only at sign-in, based on the configured MFA enrollment policy. For more information, see Configuring Duo Security.

LinkedIn IdP Creation Re-Enabled

Creation of LinkedIn Identity Providers has been re-enabled in all Preview Orgs. For more information, see Set up a LinkedIn app.

AD Desktop Single-Sign On, interface changes

The user interface for the Security > Delegated Authentication page used to configure Desktop Single-Sign On has been streamlined. There are no functional changes. For details, see Install and configure the Okta IWA Web agent for Desktop SSO.

App condition for MFA enrollment policy

Admins can now use a new condition when setting a rule for an MFA enrollment policy. When this condition is configured, end users are prompted for factor enrollment when accessing all of their applications or only for those selected by their orgThe Okta container that represents a real-world organization. admin. For more information, see App Condition for MFA Enrollment Policy.

Okta Browser Plugin reflects real-time app and profile changes in the end user dashboard

The Okta Browser Plugin now reflects the real-time state of the end user dashboard, eliminating the need to refresh the dashboard for the plugin to reflect the latest app and profile changes. This feature is available on Okta Browser Plugin version 5.29.0 or higher. For more information, see About the Okta Browser Plugin.

Incremental import support for LDAP users

LDAP users can now take advantage of incremental imports, eliminating the need for full imports every time. Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import. For details, see Install and Configure the Okta Java LDAP Agent.

Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access features .

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal DirectoryUniversal Directory enables you to store an unlimited amount of users and attributes from applications and sources like AD or HR systems. Any type of attributes are supported including linked-objects, sensitive attributes, and pre-defines lists. All of it accessible by all apps in our OIN catalog, over LDAP or via API. in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. For details, see Using the LDAP Interface.

Identity Provider Discovery

Using Identity Provider Discovery and routing rules, Okta directs users to different identity providers based on certain criteria. These criteria include location, device, the app being accessed, the user's domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https)., and specific user attributes. For more information see Identity Provider Discovery.

Apps supporting incremental imports

Workday joins Active Directory and LDAP in the ability to run immediate, incremental imports. Okta strives to add this functionality to more and more provisioning-enabled apps.  This feature is currently only available for Preview orgs.

Note: To use this functionality, your org must also have the Workday Incremental Imports (ENG_PROV_WORKDAY_INCREMENTAL_IMPORTS) Early Access feature enabled.