September 2020

2020.09.0: Monthly Preview release began deployment on September 2

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

New features for SuccessFactors integration

The following new features have been added to the SuccessFactors integration:

  • Time zone based pre-hires and deactivations: Admins can deactivate SuccessFactors users and import pre-hires into Okta based on the time zone of their location.
  • Incremental imports: Incremental imports improve performance by importing only users who were created, updated, or deleted since the last import.

See Learn about SAP SuccessFactors Employee Central data provisioning.

Default sign on rule set to Deny in Client Access Policies for new Office 365 app instances

In Client Access Policies for new Office 365 app instances, the Default sign on rule is now set to Deny access (formerly set to Allow). Additionally, we've provided a rule above the Default sign on rule that allows access to only web browsers and apps that support Modern Authentication. This change is designed to help customers implement more secure policies by default. Note: Existing O365 app instances are unaffected by this change. For more information, see Get started with Office 365 sign on policies.

New features for HealthInsight

  • Administrators can now enable end user email notifications when an end user changes or resets their password. See General Security and HealthInsight.
  • HealthInsight now includes a recommendation for admins to enable Password Changed email notifications if the notification isn't yet enabled for the org. See Password changed notification for end users.
  • HealthInsight now displays a suspicious sign-in count within the recommendation that users enable ThreatInsight in block mode. See Okta ThreatInsight

Password requirements formatting

When setting a password, requirements are now shown in a list format rather than a sentence format.

Self-Service improved plugin onboarding experience

The improved Okta Browser Plugin onboarding experience for new end users is now available on all web browsers except Safari. After installing the plugin, new end users will be automatically directed to the sign in page or will have their dashboard refreshed, and will be shown an introduction banner on their dashboard. See Install the Okta Browser Plugin.

OAuth Consent enabled as event hook

The event is now eligible for use as an event hook.

Early Access Features

New Features

New Recent Activity page on the new Okta end-user dashboard

The Recent Activity page provides end users with a summary of recent sign-in and security events for their Okta account. End users can also report suspicious activity to their Okta admin by clicking I don’t recognize this. See Recent Activity.

Multiple active user statuses for SuccessFactors integration

Support for multiple active user statuses: When importing users from SuccessFactors into Okta, admins can now select more than one active user status, such as Leave of Absence.

See Learn about SAP SuccessFactors Employee Central data provisioning.

Vendor-specific attributes

RADIUS agents now support vendor specific attributes. With this feature, admins can use optional settings to configure vendor specific attributes to include group membership. See Configure group response in the following topics:

Salesforce REST OAuth

Admins can now upgrade to the latest version of Salesforce. OAuth authentication will be now used for Provisioning and Imports.


General Fixes


Filtering groups that were pushed by group also displayed groups that were pushed by name.


On the Activate User page, Search by Group didn't work if the search term included the vertical bar sign |.


In some cases, creating a custom SAML or SWA app using a bearer token failed.


Okta Workflows didn’t restrict application assignment to super admins.


When defined for an MFA Enrollment policy, the App Condition was not enforced when a user signed in to an application.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Autotask (OKTA-318506)

  • ccLink Provider Portal (OKTA-324140)

  • Chubb Personal Insurance (OKTA-323264)

  • Earth Class Mail (OKTA-322840)

  • Jobvite (OKTA-318586)


Application Updates

  • The Zoom SCIM app schema is updated. See Configuring Zoom with Okta for more information.
  • Provisioning support has been removed from the BigMachines and GoToMeeting apps due to their low customer usage, lack of standards based integration, and high supportability cost.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Australian Access Federation (OKTA-317867)

  • Estateably (OKTA-324912)

  • Hopin (OKTA-324248)

  • Signal AI (OKTA-322928)

  • SocialHP (OKTA-322572)

  • Thematic (OKTA-322576)

OIDC for the following Okta Verified applications

Weekly Updates

Email address change notification templates

Email address change notification templates are now available. These templates notify users of an email address change and let them confirm the change. See Customize an email template.

Email address change notifications

Users without admin permissions now receive email notifications to confirm an email address change. See Customize an email template.

Office 365 Silent Activation

Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain joined shared Workstations or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.

Enhanced Admin Console search

Admins can now search for user email addresses in the spotlight search field. See Admin Console search.

End-user Welcome emails localized

The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See General customization options.

Improved auto-complete functionality

To improve the accuracy and speed of user searches, the auto-complete functionality on the Okta Admin Console administrator pages is updated.


User Consent for OAuth 2.0 Flows in API Access Management

A consent represents a user’s explicit permission to allow an application to access resources protected by scopes. As part of an OAuth 2.0 or OpenID Connect authentication flow, you can prompt the user with a popup window to approve your app's access to specified resources.

Consent grants are different from tokens because a consent can outlast a token, and there can be multiple tokens with varying sets of scopes derived from a single consent. When an application comes back and needs to get a new access token, it may not need to prompt the user for consent if they have already consented to the specified scopes. Consent grants remain valid until the user manually revokes them, or until the user, application, authorization server or scope is deactivated or deleted.

See User Consent for OAuth 2.0 and OpenID Connect Flows.

Provision out of sync users

If you enable provisioning for an app that already has users assigned to it, Okta can sync these users so they now have provisioning capabilities. See Provisioning in applications.

People page improvements

The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.

Mobile tab available for mobile-capable apps

The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.

See Enable access to managed mobile apps



Provisioning page UI element change

Drop-down menus on the Provisioning page (General Settings) were standardized.

Group push mapping change

When admins create a group push mapping and link it to a group whose members were imported through another method, those users are now Okta mastered. See About Group Push.

UI element change

Drop-down menus on the Provisioning page (General Settings) are standardized. See Provisioning in applications.



Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access features.

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.