| Production | 2021.07.1 | 2021.07.2 Production release is scheduled to begin deployment on August 2 |
2021.07.2 Preview release is scheduled to begin deployment on July 28
2021.07.0: Monthly Preview release began deployment on July 8
* Features may not be available in all Okta Product SKUs.
Dedicated help sites for Okta products
Three of Okta’s products — Access Gateway, Advanced Server Access, and Workflows — now have their own dedicated help sites:
This enhancement offers direct access to independent online help sites for these products from help.okta.com. The new sites provide several benefits:
- Compactly designed, product-centric content
- Streamlined navigation
- More efficient content updates and responsiveness to customer feedback
Okta Device Registration Task, version 1.3.2
This release includes internal code refactoring. You can download this version from the Settings > Downloads section of the Admin Console.
New Domains API response properties available
The Domains API includes the new response object properties certificateSourceType and expiration. The certificateSourceType property is required and indicates whether the certificate is provided by the user. The accepted value is Manual. The expiration property on the DNSRecord object is optional and defines the TXT record expiration. See Domains API.
Default end-user experience
New orgs, including those created through the org creator API or the developer.okta.com website, will have the new end-user experience enabled by default in preparation for the old end-user experience deprecation starting on October 13. Learn more about this migration and other frequently asked questions in our support article.
Disable Import Groups per SCIM integration
Admins can now choose whether or not to import groups with all SCIM integrations. This new option is available when you set up provisioning for a SCIM integration.
Note that you can't disable group imports for an app if:
- Import New Users and Profile Updates isn't enabled.
- App Assignments based on Group exist.
- Group policy rules exist.
- Group Push mappings exist.
In these cases, an error is displayed.
Okta Access Gateway customers can now download and deploy the Access Gateway virtual appliance on Nutanix Acropolis Hypervisor (or Nutanix AHV), a hyper-converged infrastructure platform popular among larger organizations. This provides customers with more options for infrastructure services supported by Access Gateway, including AWS, OCI, VMware, and now Nutanix.
Remove the ability to disable Admin Experience Redesign
You can no longer disable the Admin Experience Redesign feature for your orgs.
Note: This is not applicable for orgs that didn't have Admin Experience Redesign enabled and used the legacy experience until 2021.06.4.
Windows Hello as an MFA factor is not supported for new orgs
Windows Hello as an MFA factor is no longer supported for new orgs. Existing orgs already using this feature can continue using it.
SAML 2.0 Assertion grant flow
You can use the SAML 2.0 Assertion flow to request an access token when you want to use an existing trust relationship without a direct user approval step at the authorization server. The flow enables a client app to reuse an authorization by supplying a valid, signed SAML assertion to the authorization server in exchange for an access token. This flow is often used in migration scenarios from legacy Identity Providers that don't support OAuth. See Create Rules for Each Access Policy.
Root signed PIV certificate support
Certificates signed directly from a root CA certificate, with no intermediates, can now be used for Personal Identity Verification (PIV) authentication.
Schemas API unique attributes
The Schemas API now includes unique attributes for custom properties in Okta user profiles and the Okta Group profile. You can declare a maximum of five unique properties for each user type and five unique properties in the Okta group profile. This feature helps prevent the duplication of data and ensures data integrity.
Create and manage group profiles
You now have the flexibility to manage the default profile for Okta groups in the Profile Editor. This new functionality simplifies group management and lets you quickly add, edit, or remove custom profile attributes to groups. See Work with profiles and attributes. This feature will be gradually made available to all orgs.
Improved New Device Behavior Detection
Improved New Device Behavior Detection provides stronger signals that are now used for the detection of new devices. Devices using web browsers that don't store cookies are treated as new trusted applications and must send a unique identifier, such as a device token, for each device. See Improved New Device Behavior Detection. This feature will be gradually made available to all orgs.
Org Under Attack for ThreatInsight
Okta ThreatInsight now has enhanced attack detection capability. “Org under attack” establishes a baseline traffic pattern and adjusts based on legitimate changes in traffic patterns. When a threat is detected, the algorithms are optimized to block all malicious requests while creating a System Log event to alert on the attack. After the attack subsides, ThreatInsight returns to its normal mode of operation. This capability enables quick blocking action during an attack. See About Okta ThreatInsight. This feature will be gradually made available to all orgs.
Workplace by Facebook new custom attribute
Okta now supports the is_frontline custom attribute in Workplace from Facebook. Supporting user type designations enables access for frontline and deskless workers.
OIN App Catalog UI improvements
For each app integration in the OIN App Catalog, the details page has been updated to use tabs that display the overview and the specific capabilities of the app integration. The details page also shows the Capabilities in the side navigation. Clicking a specific capability returns the administrator to the main Add Application page with that capability pre-selected in the filter. When an admin searches for app integrations, the filter is now persistent through category changes or when they refresh the page.
OIN Manager category selections
For app submissions in the OIN Manager, the category designations have been updated to match the categories available in the OIN App Catalog.
Changes to group assignment options for OIDC apps
Admins can create new OIDC applications without assigning them to a group. See Create an OIDC app integration using AIW.
HTML sanitizer for email templates
Velocity-based email templates are now processed by an HTML sanitizer. Templates that don’t conform to the rules of the sanitizer are corrected before they are sent. See Customize an email template.
Email template events
The creation and deletion of email templates are now logged as events in the System Log.
Rate limit violation event logging
Session-user and User rate violation events are now logged as operation-level events instead of org-wide events. This allows you to distinguish between rate limit violations at an org level and individual level.
Updated branding for End-User Dashboard
Okta branding on the Okta End-User Dashboard has been updated.
FIPS compliance for iOS or Android devices
Federal Information Processing Standards (FIPS) compliance is now available for iOS or Android devices. FIPS can be enabled on the Okta Verify configuration page. When FIPS compliance is enabled, admins can be confident that only FIPS-compliant software is used. See Enable FIPS-mode encryption.
OAuth redirect URI wildcards
Admins can now use a wildcard for multiple redirect URI subdomains when configuring OIDC applications. See Create an OIDC app integration using AIW.
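The following is an added example, not Okta code and not a description of Okta's matching logic: a conservative check that a relying party or reviewer can use to reason about what a subdomain wildcard in a redirect URI should and should not accept. The pattern syntax (https://*.example.com/callback), the single-label wildcard rule, and all host names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}
# One DNS label: letters, digits, inner hyphens only (no dots, no backslashes).
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")


def redirect_uri_allowed(candidate: str, pattern: str) -> bool:
    """Return True if candidate matches a registered redirect URI pattern.

    Assumed rules: scheme, port, path and query must match exactly; a
    wildcard is honoured only as the leftmost host label and stands for
    exactly one label; userinfo and fragments are always rejected.
    """
    try:
        c, p = urlsplit(candidate), urlsplit(pattern)
        c_port = c.port or DEFAULT_PORTS.get(c.scheme)
        p_port = p.port or DEFAULT_PORTS.get(p.scheme)
    except ValueError:  # malformed or out-of-range port
        return False
    if c.scheme != p.scheme or c.scheme not in DEFAULT_PORTS:
        return False
    if c.username is not None or c.password is not None or c.fragment:
        return False
    if c_port != p_port or c.path != p.path or c.query != p.query:
        return False
    c_host, p_host = c.hostname or "", p.hostname or ""
    if not p_host.startswith("*."):
        return c_host == p_host  # no wildcard: exact host match
    suffix = p_host[1:]  # ".example.com"
    # Reject patterns such as "*.com" or ones with a second wildcard.
    if "*" in suffix or suffix.count(".") < 2:
        return False
    if not c_host.endswith(suffix):
        return False
    label = c_host[: -len(suffix)]
    return LABEL.fullmatch(label) is not None


if __name__ == "__main__":
    registered = "https://*.example.com/callback"  # constructed sample
    for uri in (
        "https://app.example.com/callback",
        "https://a.b.example.com/callback",
        "https://example.com.other.test/callback",
        "https://app.example.com@other.test/callback",
    ):
        print(uri, redirect_uri_allowed(uri, registered))
```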
When an admin attempted to add an app integration to their org for which the org was not entitled, the error message didn't display the org's edition name.
A user-created on-the-fly app incorrectly appeared on the Tasks page under Number of apps that can have provisioning enabled.
Sometimes the failed-sign-in counter didn’t reset to zero after an end user successfully signed in, which resulted in improper lockouts.
When OpenLDAP was used with delegated authentication, an error message containing unnecessary information appeared if users attempted to change their password and it didn't meet the LDAP complexity requirements.
LDAP import schedules weren't updated when Relative Distinguished Name (RDN) attribute mapping from Okta to LDAP was missing.
New device notifications weren't sent during passwordless sign-in flows.
Group Push for Slack caused group members to be reset and gradually re-added, during which time group members couldn't access the app.
Some deactivated SAML IdP users whose attributes were updated with Just-in-time Provisioning were activated even though the reactivation JIT setting wasn't selected.
Some users were deactivated instead of deleted in Automations.
Sometimes, during SAML app configuration, the metadata link improperly required a sign-in session.
App Integration Fixes
The following SWA app was not working correctly and is now fixed:
San Diego Gas and Electric (OKTA-407572)
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:
- PowerDMS: For configuration information, see Configuring Provisioning for PowerDMS.
- Redprint: For configuration information, see User Provisioning with Okta.
- SkillsHood: For configuration information, see How to Configure Provisioning for SkillsHood.
- Squarespace: For configuration information, see Logging in with single sign-on through Okta (Enterprise).
SWA for the following Okta Verified applications
OIDC for the following Okta Verified applications
- QFlow.ai: For configuration information, see How does your Okta Integration work (you need a QFlow.ai account to access this documentation).
- ReputationDefender: For configuration information, see OIDC Configuration Guide for Okta.
- smart technology group: For configuration information, see smart technology group and Okta OIDC Integration.
Long-running deactivation jobs didn't overwrite user status changes after a user was deleted.
Google Chrome users saw a session lifetime warning if they accessed an end-user dashboard embedded in an iFrame.
In the OpenID Connect (OIDC) app wizard, the default Assignments selection was Allow everyone in your organization to access.
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:
SAML for the following Okta Verified applications
Make Okta the source for Group Push groups
Admins can now make Okta the profile source for all members of a group that is used for Group Push. When this feature is enabled, integrated apps can't change app group memberships. This functionality allows admins to maintain the accuracy of app group membership and prevents changes to group membership after a push. See Manage Group Push.
Litmos supports Advanced Custom Attributes
We’ve enriched our Litmos integration to support Advanced Custom Attributes for the user profile. This allows you to add fields into the Okta user profile. See Litmos Provisioning Guide.
Multiple active user statuses for SuccessFactors integration
Support for multiple active user statuses: When importing users from SuccessFactors into Okta, admins can now select more than one active user status, such as Leave of Absence. See Learn about SAP SuccessFactors Employee Central data provisioning.
End-User Dashboard and Plugin redesign
The Okta End-User Dashboard and Okta Browser Plugin have been redesigned with a modern look and feel that includes new sidebar navigation, fuzzy search, and sections that replace tabs.
Admins can enable this new design all at once or by groups. The new experience is 50% faster, more intuitive to use, and more responsive to smaller screens. Design changes also improve accessibility and app discovery for end users.
This feature will gradually be made available to all Preview orgs.
Workflows Templates available
Workflows Templates is now available, providing users with access to a searchable catalog of installable Flows that address many common use cases.
© 2021 Okta, Inc. All Rights Reserved. Various trademarks held by their respective owners.
LDAP password reset option
LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Delegated authentication.
LDAP admin password reset
For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset an individual user password.
Windows Device Registration Task, version 1.4.1
This release fixed the following issues:
- If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
- An unknown publisher warning appeared after double-clicking the Okta Device Registration MSI file.
Affected customers should uninstall the registration task and install 1.4.1 or later.
Incremental Imports for CSV
Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously been released to Production in 2020.09.0.
Tor Anonymizer recommendation
Admins can see a new HealthInsight recommendation to view failed sign-in rates from IPs categorized as Tor Anonymizer Proxies. Okta recommends using Dynamic Zones to blacklist IPs that are categorized as Tor anonymizer proxies. See HealthInsight.
RADIUS agents now support vendor-specific attributes. With this feature, admins can use optional settings to configure vendor-specific attributes to include group membership. Note that no agent update is required for this feature. See Configure group response in the following topics:
Salesforce REST OAuth
Admins can now upgrade to the latest version of our Salesforce integration. OAuth authentication will now be used for Provisioning and Imports. See Configure OAuth and REST integration. This feature is currently available for new orgs only.
Password changed notification email
To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.
Generally Available Enhancements
Group Password Policy enhancement
By using Group Password Policies and associated rules, admins can configure and enforce password settings and set account recovery options for groups. This feature was already released to a subset of orgs; we are now releasing it to all new Preview orgs.
ThreatInsight security enhancements
ThreatInsight enhancements improve detection of credential-based attacks from malicious IPs. See About Okta ThreatInsight.
New features for HealthInsight
- Administrators can now enable end user email notifications when an end user changes or resets their password. See General Security and HealthInsight.
- HealthInsight now includes a recommendation for admins to enable Password Changed email notifications if the notification isn't yet enabled for the org. See Password changed notification for end users.
- HealthInsight now displays a suspicious sign-in count within the recommendation that users enable ThreatInsight in block mode. See Okta ThreatInsight.
OAuth Consent enabled as event hook
The event app.oauth2.as.consent.grant is now eligible for use as an event hook.
Email address change notifications
Users without admin permissions now receive email notifications to confirm an email address change. See Customize an email template.
Office 365 Silent Activation
Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain joined shared Workstations or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.
End-user Welcome emails localized
The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.
People page improvements
The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.
Mobile tab available for mobile-capable apps
The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.
Provisioning page UI element change
Drop-down menus on the Provisioning page (General Settings) were standardized.
UI element change
Drop-down menus on the Provisioning page (General Settings) are standardized. See Provisioning.
Early Access features, auto-enroll
You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access features.
Connecting Apps to Okta using the LDAP Interface
The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.