June 2020

2020.06.0: Monthly Preview release began deployment on June 3

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Deprecated metrics removed from the Okta Admin Dashboard

The following aggregated metrics have been removed from the Okta Admin Dashboard:

  • Count users who have never signed in
  • Count users who have signed in
  • Count apps with unused assignments
  • Count unused app assignments

All reports are still available. See The Administrator Dashboard.

Okta Browser Plugin for Internet Explorer, version 5.38.1

This version includes the following:

  • With the Okta Browser Plugin, end users can prevent browsers from prompting to save their sign-in credentials for Okta or any third-party apps accessed through the Okta End User Dashboard. See Prevent web browsers from saving sign-in credentials. Note that this feature is only available in Preview orgs.
  • For the new Okta End-User Dashboard: Search in the Okta Browser Plugin is updated to have the same search accuracy as the Okta End-User Dashboard.
  • Font sizes in the Okta Browser Plugin popover are updated.

See Okta Browser Plugin: Version History.

Okta Browser Plugin: Password Suppression UI changes

The two plugin UI elements that configure blocking browsers from saving passwords are now managed by end users in the plugin popover, and have been removed from the Admin customization settings.

Old UI

New UI

Group push for Active Directory

You can now use group push on the Okta Admin Console to copy groups and their members to Active Directory. See Push groups from Okta to Active Directory.

Okta IWA Web agent Just-In-Time operation failures

When using the Okta IWA Web agent, Just-In-Time (JIT) operations fail when users are disconnected from Active Directory (AD) and the Profile and Lifecycle Mastering settings don’t allow user reactivation. This behavior is expected, and consistent with JIT operations in non-IWA AD environments. See Install and configure the Okta IWA Web agent for Desktop Single Sign-on.

Custom TOTP Factor for MFA

Admins can now enable a custom MFA factor based on the Time-based One-time Password (TOTP) algorithm. See Custom TOTP Factor.

New Group Membership Admin role

The new Group Membership Admin role grants permission to view all users in an org and manage the membership of groups. See Group membership admin role.

Dynamic authentication context for SAML apps

Admins can configure a custom attribute statement for SAML assertions to send user's authentication context to SAML apps during the app authentication process. The app uses this information to limit access to certain app-specific behaviors and calculate the risk profile for the signed-in user. See Pass Dynamic Authentication Context to SAML Apps.

ASN Support for Dynamic Zones

Admins can now enter ASNs (Autonomous System Numbers) when creating or editing a dynamic zone. See Dynamic Zones.

Improved auto-complete functionality

To improve the accuracy and speed of user searches, the auto-complete functionality on the Okta Admin Console administrator pages is updated.

Prevent web browsers from saving sign-in credentials

You can prevent browsers such as Chrome from saving  an end user's sign-in credentials for Okta as well as for third-party apps accessed through the Okta Dashboard. See Prevent web browsers from saving sign-in credentials.

Generally Available Enhancements

Improved Risk Scoring model

Risk scoring evaluation has been enhanced to improve the detection of high risk sign-on activity. See Risk Scoring.

Improvements to developer onboarding experience

The Okta developer site has enhanced the onboarding experience for new developers:

  • Added task for customizing developer goals
  • Updated text on the developer profile panel
  • Added numbering to tasks
  • Improved usability and process flow

File size and hash added to Downloads page

The Downloads page now displays the file size and SHA-512 hash for the RADIUS and OPP agents. Admins can use the file size and hash to verify the integrity of the files. See Install and configure the Okta RADIUS Server agent and On Premises Provisioning Agent and SDK Version History.

Box integration enhancement

When Box users are deactivated, and the option Transfer user’s files to account user is selected, the following warning is displayed: Caution: Files owned by the user will be inaccessible while they are being transferred. This also means that any shared content owned by the user may be inaccessible to all collaborators during the move. Depending on the volume of content, this operation may take a significant amount of time.

Early Access Features

New Features

Improved new device behavior detection

When this feature is enabled, stronger signals are used for the detection of new devices. Devices with web browsers that don't store cookies are treated as new and trusted applications must send a unique identifier for each device as a device token. See  Improved New Device Behavior Detection.

Smart Card Authentication

When initially accessing applications using a custom sign-in widget, users have the option to use a PIV/CAC card for authentication. See Identity Providers.


New Okta End-User Dashboard enhancements

  • App cards have been resized to create more spacing and shorten the cards.
  • When an app card is hovered over, a lock icon notifies users if an admin has denied access to that app.


General Fixes


In some Group Rules, if the User Attribute was very long, the value field didn't display properly.


In the new Okta End-User Dashboard, after dragging and dropping an app, end users were scrolled to the top of the dashboard.


The new Applications page used the term WS-Fed instead of WS-Federation.


User import from Workday failed if a username exceeded 100 characters.


The Email as an MFA Factor for Authentication feature was not made available for some orgs when it was released earlier. Some customers who were eligible to use the Email factor with the factor API could not use the Email factor with the authentication API.


The Importing People page had the wrong documentation link.


When creating an event hook, if Subscribe to events was set to any of the Application life cycle events options, it resulted in the error Invalid list of events provided.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Acorns (OKTA-299038)

  • (OKTA-299039)

  • Aetna Health Insurance (OKTA-301364)

  • AT& T (OKTA-299679)

  • Bitdefender (OKTA-301600)

  • Chase (OKTA-299437)

  • Delighted (OKTA-300045)

  • Expensify (OKTA-299222)

  • iHeartRadio (OKTA-301357)

  • iOvation (OKTA-300980)

  • Jetblue (OKTA-301355)

  • Kace (OKTA-299033)

  • LucidPress (OKTA-300843)

  • Mathworks (OKTA-299040)

  • myuhc - United Healthcare (OKTA-301360)

  • Sophos Partner Portal (OKTA-300844)

  • Staples Advantage (OKTA-297714)


New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified application

  • (OKTA-298298)

OIDC for the following Okta Verified applications

Weekly Updates

MFA for reactivated accounts

End users are now prompted for MFA before landing on the Welcome page if their accounts were reactivated and already enrolled in one or more MFA factors. This feature is currently available to new orgs only.

DocuSign support update

DocuSign now supports workers who have an Activation Sent status in DocuSign.

Schema Discovery for Cornerstone On Demand

The Cornerstone On Demand provisioning app now supports Universal Directory and Schema Discovery. See the Cornerstone On Demand Provisioning Guide.

User Consent for OAuth 2.0 Flows in API Access Management

A consent represents a user’s explicit permission to allow an application to access resources protected by scopes. As part of an OAuth 2.0 or OpenID Connect authentication flow, you can prompt the user with a popup window to approve your app's access to specified resources.

Consent grants are different from tokens because a consent can outlast a token, and there can be multiple tokens with varying sets of scopes derived from a single consent. When an application comes back and needs to get a new access token, it may not need to prompt the user for consent if they have already consented to the specified scopes. Consent grants remain valid until the user manually revokes them, or until the user, application, authorization server or scope is deactivated or deleted.

See User Consent for OAuth 2.0 and OpenID Connect Flows.

Provision out of sync users

If you enable provisioning for an app that already has users assigned to it, Okta can sync these users so they now have provisioning capabilities. See Provisioning in applications.

People page improvements

The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.

Mobile tab available for mobile-capable apps

The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.

See Enable access to managed mobile apps

Risk Scoring sign-on policy rule

Admins can now set a risk level as part of a sign-on policy rule. Setting a risk level helps determine potential security risks that are associated with an end user when they attempt to sign in to their org.

see Risk Scoring.

Incremental Imports for CSV

Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Configure the CSV Directory Integration.


Provisioning page UI element change

Drop-down menus on the Provisioning page (General Settings) were standardized.

Group push mapping change

When admins create a group push mapping and link it to a group whose members were imported through another method, those users are now Okta mastered. See About Group Push.

UI element change

Drop-down menus on the Provisioning page (General Settings) are standardized. See Provisioning in applications.

Profile Mastering and Push can be enabled together

Admins can enable both Profile Master and Push for an app. This allows all Okta-to-App mappings to push, regardless of whether Active Directory is the Profile Master.


Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access and Beta features .

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. For details, see Using the LDAP Interface.

Identity Provider Discovery

Using Identity Provider Discovery and routing rules, Okta directs users to different identity providers based on certain criteria. These criteria include location, device, the app being accessed, the user's domain, and specific user attributes. For more information see Identity Provider Discovery.