May 2019

2019.05.0: Monthly Preview release began deployment on May 8

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

LDAP support for Auxiliary Object classes

You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. For more information, see Configuring Your LDAP Settings.

Active Directory agent, version 3.5.7

This version of the AD agent includes fixes to close and recreate connection groups and add a retry in response to 502 errors during import.

For agent version history, see Okta Active Directory agent version history.

Last factor remembered for authentication

End users who attempt to sign in to their org are prompted to authenticate with the last factor they used based on the device or client. For more information about authentication factors, see Multifactor Authentication.

Enhanced Group Push for Samanage

Group Push now supports the ability to link to existing groups in Samanage. For details about this feature, see Using Group Push.

Support for converting contractors to full time employees in Workday

Added support for converting contractors to full time employees within Workday. For more information, see Workday Provisioning Guide.

Location zones support blacklisting

You can blacklist an entire location zone to prevent clients in the zone from accessing any URL for your org. For more information on zones, see Networks.

System Log events for blacklisted countries

When a country is added to or deleted from a blacklist, the System Log tracks the action. For more information on blacklisting, see Networks.

Generally Available Enhancements

Accounts locked after ten successive lockouts without a successful sign-in attempt

If an account has ten successive account lockouts followed by auto-unlocks with no successful sign-in attempts, Okta ceases auto-unlocks for the account and logs an event. For more information on account locking, see Security Policies.  

LDAP incremental imports, new check box

For customers who have the incremental import Early Access (EA) feature enabled, there is a new check box to allow LDAP users to enable or disable incremental import. For new and existing LDAP instances, the check box is enabled by default. For details, see Install and Configure the Okta Java LDAP Agent.

UI Improvements for Security Email Notifications

Settings for end user email notifications have been moved to their own section: Security Notification Emails. For more information, see General Security.

WebEx additional attributes

We have added more extensible attributes to the WebEx application. For details, see the WebEx Provisioning Guide.

DocuSign authentication mode change

We are switching the authentication mode of our DocuSign provisioning integration to OAuth. For more information, see the DocuSign Provisioning Guide.

Okta Browser Plug-in version 5.28.0 for all browsers except Internet Explorer

This version includes the following enhancements:

  • Accessibility improvements
    • ARIA attributes for UI elements
    • Alt text for logos and images
    • Access to controls and tooltips through keyboard
  • Real-time reflection of the end user dashboard (currently an Early Access feature). For more information, see Browser Plugin Version History.

Early Access Features

New Features

Okta Browser Plug-in reflects real-time app and profile changes in the end user dashboard

The Okta Browser Plug-in now reflects the real-time state of the end user dashboard, eliminating the need to refresh the dashboard for the plug-in to reflect the latest app and profile changes. This feature is available through EA Feature Manager in the Admin Console to all browsers except Internet Explorer on Okta Browser Plug-in version 5.28.0 or higher. For more information, see About the Okta Browser Plugin.

ThreatInsight Threat Detection

Admins can now configure ThreatInsight — a new feature that detects credential-based attacks from malicious IP addresses. ThreatInsight events can be displayed in the admin system log and also be blocked once this feature is configured. For more information, see ThreatInsight.

Web Authentication for MFA

Admins can enable Web Authentication as a factor as defined by WebAuthn standards. Web Authentication supports both security key authentication such as YubiKey devices and platform authenticators. For more information, see Web Authentication (FIDO2).

New macOS Device Trust Registration Task, version 1.2.1

This release provides the following:

  • The enrollment process is halted if the default keychain is unavailable for some reason (for example, is corrupted or missing). This ensures that end users are not prompted to reset the keychain.
  • An improved Registration Task update process ensures that enrolled devices are not inadvertently unenrolled in the event the update itself fails.
  • Provides support for a query allowing admins to determine which version of the Registration Task is installed on the device.

For details, see Device Trust for macOS Registration Task Version History.

Early Access Enhancements

Microsoft Intune selection now available in Okta Device Trust for managed iOS devices

Along with other popular MDM options already available for enabling Device Trust, you can now select Microsoft Intune as your MDM provider when you configure the Device Trust solution for Native Apps and Safari on managed iOS devices. While it was possible to configure Intune prior to this change by selecting the Other option, the addition of an Intune option simplifies the implementation. For more about this Okta Device Trust solution, see Enforce Okta Device Trust for Native Apps and Safari on MDM-managed iOS devices.

Note: This notice was updated in 2019.05.1 to more accurately describe this enhancement.

Schema Discovery for Cornerstone On Demand

The Cornerstone On Demand provisioning app now supports Universal Directory and Schema Discovery. For more information, see the Cornerstone On Demand Provisioning Guide.


General Fixes


Email templates translations for MFA Factor Enrolled and MFA Factor Reset did not work when the Thai language was selected.


For Self Service app registration for apps with provisioning enabled, when admins changed the Approval setting from Required to Not Required the resulting error message was misleading.


System Log entries for Device Trust displayed incorrect spacing for some entries.


The SuccessFactors app import API did not work.


Routing rules for Identity Provider discovery were ignored when both IWA Desktop SSO and Agentless SSO were enabled.


Identity Provider routing rules that set User Matches to User Attribute matches Regex were not evaluated correctly.


CSV Directory scheduled incremental imports failed.


Admins who manage two groups, one granted via individual assignment, and the other via group assignment, could not assign users from one group into the other.


When using the LDAP interface, pagination on groups containing more than 1000 users failed.


Users assigned admin roles by group did not get assigned the correct default admin email settings.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Adobe Fonts (OKTA-222877)

  • Air France (OKTA-223010)

  • The Australian (OKTA-221618)

  • FINRA IARD (OKTA-223775)

  • Keap (OKTA-222416)

  • LastPass (OKTA-206231)

  • Metropolitan Bank US (OKTA-222451)

  • Mimecast Personal Portal v2 (OKTA-221490)

  • Nationale Nederlanden: Pensioen Service Online for Business (OKTA-222412)

  • Nextdoor (OKTA-223774)

  • Nmbrs (OKTA-223801)

  • Oakland Public Library Catalog (OKTA-222415)

  • Onfido (OKTA-223804)

  • Optimal Blue (OKTA-223500)

  • Plooto (OKTA-223747)

  • Poll Everywhere (OKTA-223776)

  • The San Diego Union-Tribune (OKTA-223015)

  • WhiteHat Sentinel (OKTA-222784)

  • Wrike (OKTA-223803)


New Integrations

New SCIM Integration Application

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

SWA for the following Okta Verified applications

  • Dynatrace (OKTA-221851)

  • Legislative Tracking System (OKTA-219355)

  • Park-line (OKTA-222807)

  • Tax Workflow (OKTA-222999)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • RescueAssist (OKTA-220114)

Weekly Updates

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. For details, see Using the LDAP Interface.

Identity Provider Discovery

Using Identity Provider Discovery and routing rules, Okta directs users to different identity providers based on certain criteria. These criteria include location, device, the app being accessed, the user's domain, and specific user attributes. For more information, see Identity Provider Discovery.

Apps supporting incremental imports

Workday joins Active Directory and LDAP in the ability to run immediate, incremental imports. Okta strives to add this functionality to more and more provisioning-enabled apps.  This feature is currently only available for Preview orgs.

Note: To use this functionality, your org must also have the Workday Incremental Imports (ENG_PROV_WORKDAY_INCREMENTAL_IMPORTS) Early Access feature enabled.

Multifactor Authentication for admins

MFA for Admins allows Super admins to enable mandatory multifactor authentication for all administrators accessing admin functionality. For details, see Authentication. This feature is currently available for new orgs only.