Preview
November 2019
2019.11.0: Monthly Preview release began deployment on November 6
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Agentless Desktop SSO migration
Customers who enabled Agentless Desktop SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones. using the registry key configuration method must migrate to the KerberosKerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. alias supported configuration. Contact Support to enable ENG_ADSSO_MIGRATION_READINESS_CHECK which allows you to check your readiness prior to migrating.
For a list of complete migration steps refer to Migrate your Agentless Desktop SSO configuration.
Admin Getting Started tasks
The new AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Getting Started page helps super admins begin configuring their new Okta orgThe Okta container that represents a real-world organization..
For more information, see Get Started with Okta.
New System Log events for Okta user groups
System Log events have been added to indicate when Okta user groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. are successfully created or deleted.
Multifactor Authentication for admins
MFA for Admins allows Super admins to enable mandatory multifactor authentication for all administrators accessing admin functionality. For details see Authentication.
Beta features available in Feature Manager
You can now enroll your Preview org in Open Betas in the Feature Manager. When you enroll in a Beta feature, you receive an email with further details. For details, see Manage Early Access and Beta features .
Suspicious Activity Reporting
End usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using apps to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. can now report unrecognized activity to their org admins when they receive an account activity email notification. This feature is now available through the EA feature manager. See Suspicious Activity Reporting.
HealthInsight
HealthInsight audits an organization’s security settings and suggests recommended tasks to improve an org's security posture. Security tasks and recommendations are intended for admins who manage employee security within their organization.
HealthInsight may now be accessed directly from the Admin Console dashboard.
Fore more information, see HealthInsight.
Group rules triggered by user reactivations
Group rules are now triggered when a user is reactivated. See Group rules for more information.
Token Inline Hook
The Token Inline Hook enables you to integrate your own custom functionality into the process of minting OAuth 2.0 and OpenID Connect tokens. For details, see our Token Inline Hook page.
SAML Inline Hook
The SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. Inline Hook enables you to customize the authentication flow by allowing you to add attributes or modify existing attributes in outbound SAML assertions. For details, see our SAML Inline Hook page.
Schedule user imports
When you set up ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. to import users from an appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. or from a CSV directory to Okta, you can set up a schedule for imports at regular intervals on an hourly, daily, or weekly basis. If your app supports incremental imports, then you can set up both full and incremental import schedules. This integration applies to all non-AD and LDAPLightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection oriented transfer services. applications that support imports such as CSV directory, Workday, SuccessFactors, BambooHR, Salesforce, and so on. For more information, see Schedule imports.
Resumable Import
Resumable Import is a performance enhancement that prevents imports from starting over in the event of a deployment or infrastructure issue. Instead, the import automatically pauses and continues from the most recently completed step. For information on importing users, see Import users from an app.
Generally Available Enhancements
Admin roles for groups
Admin roles can now only be granted to groups with less than 5000 members.
For more information, see Assign admin privileges.
Admin settings for end-user suspicious activity reporting
In account settings, admins now have the option to exclude themselves or other admins from receiving user-reported notifications about suspicious account activity.
For more information, see Suspicious Activity Reporting.
WebAuthn UI enhancement
The description and icon for the WebAuthn factor have been updated both in the Admin Console and Sign-in Widget.
For more information, see Web Authentication (FIDO2) .
Early Access Features
New Features
Workday Field Overrides
As part of our new Workday connector, Field Overrides are an alternate way to pull custom attribute information from Workday that replaces the existing custom report facility.
For more information, see Workday Field Overrides.
OAuth for Okta
With OAuth for Okta, you are able to interact with Okta APIs using scoped OAuth 2.0 access tokens. Each access token enables the bearer to perform specific actions on specific Okta endpoints, with that ability controlled by scopes that the access token contains.
For more information, see OAuth for Okta guide.
Okta RADIUS Service Agent Update, version 2.9.5
The Okta RADIUS Server AgentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. version 2.9.5 is updated to run under the LocalService account, which has lower privileges than LocalSystem. The service has also been configured with a write-restricted token to further restrict access.
For more information, see Okta RADIUS Server Agent Version History.
Okta MFA Credential Provider for Windows, version 1.2.2
The Okta MFA Credential Provider version 1.2.2 includes bug fixes and adds self-service password reset.
For more information, see Okta MFA Credential Provider for Windows Version History .
Admin settings for selecting identity providers
Admins now have the option to configure a sign-on policy based on a specific identity provider.
For more information, see Adding Rules in Security Policies.
Disable Import Groups per app
Admins have the option to choose whether groups are included in imports from apps. This new option is available when setting up provisioning for an app.
This feature should be used with care as disabling group imports will have the result of deleting all groups from the app you are configuring. As such, we provide a warning prior to disabling group imports:
Note that you will be unable to disable group imports for an app if the following conditions exist:
- App Assignments based on Group exist
- Group policy rules exist
- Group Push mappings exist
In these cases, an error is displayed.
Fixes
General Fixes
OKTA-212852
Group rules were not applied to reactivated users.
OKTA-221328
With Routing Rules enabled, users saw the message This is the first time you are connecting to [an application] from this browser even though they had logged in before.
OKTA-240039
With Routing Rules enabled, users saw the message This is the first time you are connecting to [an application] from this browser even though they had logged in before.
OKTA-241929
Custom TOTP factors were not supported as part of the authentication flow in Factor Sequencing.
OKTA-254641
Changes to Max Import Unassignment settings were not logged in the System Log.
OKTA-254723
WebAuthn factor types were incorrectly named as Windows Hello in the MFA Usage Report.
OKTA-255688
The Reset via Email button on a custom sign-in page was visible and active even when that option was disabled for custom URL domains.
OKTA-257032
The Agentless Desktop SSO flow failed to authenticate users accessing custom-domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https). URLs.
OKTA-257269
In some cases, end users registering for Okta Verify were enrolled in One-Time Password but not in Push.
OKTA-257277
Some admins with MFA for Admin configured entered an infinite page-loading loop when signing into the Admin Console.
OKTA-257315
The HealthInsight page did not load properly for certain Okta orgs.
OKTA-56159
Re-authentication defined in sign-on policies only supported SAML-based apps and did not support SWAAn acronym for Secure Web Authentication. SWA is a SSO system developed by Okta to provide single sign-on for apps that don't support proprietary federated sign-on methods or SAML. Users can enter their credentials for these apps on their homepage. These credentials are stored such that users can access their apps without entering their credentials each time. When users first sign-in to a SWA app from their homepage, they see a pop-up message asking if they were able to sign-in successfully..
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Adobe Stock (OKTA-257769)
-
GoToWebinar (OKTA-255869)
-
Grammarly (OKTA-258776)
-
Instacart (OKTA-258045)
-
Sainsburys Groceries (OKTA-258041)
-
Twenty20 Stock (OKTA-257496)
-
Twilio (OKTA-258047)
Applications
Application Updates
Provisioning support has been removed from the following apps due to low customer usage, lack of standards based integration, and high supportability cost:
- OutSystems
- ExactTarget
- RightnowCX
- SugarCRM
New Integrations
SAML for the following Okta Verified application
-
GainsightPX (OKTA-253926)
SWA for the following Okta Verified applications
-
Ontario MC EDT (OKTA-244471)
-
ParcelQuest (OKTA-249541)
-
WatchGuard Evidence Library (OKTA-244478)
Profile Mastering and Push can be enabled together
Admins can enable both Profile MasterA profile master is an application (usually a directory service such as Active Directory, or human capital management system such as Workday) that acts as a source of truth for user profile attributes. A user can only be mastered by a single application or directory at any one time. For more details, see the Profile Master page. When users are mastered by attribute, we call this attribute-level mastery (ALM). ALM delivers finer grain control over how profiles are mastered by allowing admins to specify different profile masters for individual attributes. Profile mastering only applies to Okta user profiles, not app user profiles. For more details, see Attribute Level Mastering. and Push for an app. This allows all Okta-to-App mappings to push, regardless of whether Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. is the Profile Master.
Early Access features, auto-enroll
You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access and Beta features .
Connecting Apps to Okta using the LDAP Interface
The LDAP Interface allows you to authenticate legacy LDAP apps to Universal DirectoryUniversal Directory enables you to store an unlimited amount of users and attributes from applications and sources like AD or HR systems. Any type of attributes are supported including linked-objects, sensitive attributes, and pre-defines lists. All of it accessible by all apps in our OIN catalog, over LDAP or via API. in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. For details, see Using the LDAP Interface.
Identity Provider Discovery
Using Identity Provider Discovery and routing rules, Okta directs users to different identity providers based on certain criteria. These criteria include location, device, the app being accessed, the user's domain, and specific user attributes. For more information see Identity Provider Discovery.
