January 2020

2020.01.0: Monthly Preview release began deployment on January 8

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Okta Browser Plugin version 5.36.1 for Chromium-based Microsoft Edge and Mozilla Firefox

This version includes the following:

For version history, see Okta Browser Plugin: Version History

New System Log events for OIDC scope grants

System Log events are now triggered when an administrator grants consent for OpenID Connect scopes.

Rogue Accounts Report End of Life (EOL)

The Rogue Accounts Report feature has been removed due to low usage, high cost of maintenance, and the availability of custom solutions. For example, admins can retrieve similar data by using the List Users Assigned to Application API to see users who were assigned to an appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. in Okta, and then using custom code to generate a list of users assigned in the app itself. For more information, see this Support Article.

Send Device Context using Limited Access

Limited Access allows you to configure Okta to pass device context to certain SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. apps through the SAML assertion during app authentication. The app uses this data to limit access to certain app-specific behaviors. For more information, see Pass Device Context to SAML apps using Limited Access.

Active Directory, new import and provisioning settings experience

The AD settings user interface had been updated. It is now more consistent with how other application settings are configured. All orgs will now use the Okta expression language for the Okta username format field.

If your orgThe Okta container that represents a real-world organization. was created before October 4th (Preview) or October 9th, 2017 (Production), a legacy expression language that is different than the Okta expression language was used for the Okta username format field. For more information, see Configure the Okta Active Directory (AD) agent: new user interface and Updated AD Profile Mapping options.

User Group Reassignments

When a user is moved to a different Okta group, that change is now reflected in Active Directory. For more information, see Enable Okta-mastered user Organizational Unit updates.

Incremental Imports for CSV

Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Configure the CSV Directory Integration.

Generally Available Enhancements

UI Enhancements for HealthInsight

The HealthInsight card on the Admin Console dashboard and HealthInsight actions have been updated for improved usability. For more information about HealthInsight, see HealthInsight.

Additional context in MFA authentication in some apps

We have added an additional target element containing application information to MFA events triggered by authentication to Epic Hyperspace EPCS (MFA) and Microsoft RDP (MFA) apps.

Improved text in single line challenge for RADIUS MFA

The text displayed during the a single line MFA challenge via RADIUS authentication has been improved to fixed grammatical errors.

Notification when adding a user to an Admin group

Admins now see a notification that admin privileges will be granted when adding a user to a group with Admin privileges.

Updated Privacy Policy

Okta has updated its Privacy Policy. See to review the latest version.

Condition update for MFA Enrollment policy rules

The name of the setting for the Any Application condition has been updated to specify app support for MFA Enrollment. For more information, see App Condition for MFA Enrollment Policy.

UI enhancements for profile and attribute selection

The appearance of profile and attribute selection elements is updated to be more consistent with other Okta select elements.

Toggle on/off the end user onboarding screen

In the Settings > Appearance settings in the Admin Console, admins can control whether or not new end usersEnd users are people in your org without administrative control. They can authenticate into apps from the icons on their My Applications home page, but they are provisioned, deprovisioned, assigned, and managed by admins. see the onboarding screen upon their first sign in to the Okta End User dashboard.

Early Access Features

New Feature

Deactivated admin users

When a user who has an admin role and privileges assigned to them is deactivated, their admin privileges are revoked. The deactivated user is removed from the Administrators page and CSV download list of administrators. For information about Admin roles, see Administrators. This feature is available from our Self Service Feature Manager, for more information, see Manage Early Access and Beta features .


General Fixes


The word Password was incorrectly translated in Dutch.


French translation for the Self-Service Unlock when Account is not Locked email template was not intuitive.


Microsoft RDP (MFA) prompts did not display the official Okta logo.


After an application was selected from the Okta Safari plugin toolbar menu, the selection window did not close as expected.


Searching for an app in App Administration Assignment did not display exact matches.


Fido 2.0 (Webauth) set as a secondary factor on Factor Sequencing failed on the user sign-in with the error We found some errors. Please review the form and make corrections.


In Okta Device Trust with VMware Workspace ONE implementations, app sign-on policy denied access on Android 10 even if the device was trusted.


App Admins who were configured to only see a subset of apps in the catalog were able to see all apps.


For orgs that had opted into the New Import and ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. Settings Experience for Active Directory EA feature, placeholder text was displayed instead of the correct text in the warning dialogue when the Profile and Lifecycle Mastering checkbox under Active Directory provisioning settings was checked and the Update Users checkbox was previously enabled.


The Settings tab for app provisioning failed to render in Internet Explorer 11.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Aha (OKTA-266200)

  • American Express Work Reconciliation (OKTA-266198)

  • Apple ID (OKTA-264195)

  • Aveda (OKTA-266196)

  • Blackbaudhost Citrix (OKTA-266199)

  • Bloomfire (OKTA-266193)

  • Brex (OKTA-266241)

  • Cisco WebEx Meeting Center (OKTA-262750)

  • Citrix RightSignature (OKTA-268537)

  • DoorDash (OKTA-268780)

  • Firefox (OKTA-266201)

  • FullContact Developer Portal (OKTA-268538)

  • Google Analytics (OKTA-266914)

  • Impraise (OKTA-268534)

  • MKB Brandstof (OKTA-267534)

  • Nest (OKTA-267942)

  • NewEgg Business (OKTA-268840)

  • OnePath Advisor (OKTA-266925)

  • Principal Financial Personal (OKTA-268782)

  • RescueTime (OKTA-266197)

  • Rhino3d (OKTA-268531)

  • Seek (AU) - Employer (OKTA-266703)

  • Shipwire (OKTA-266919)

  • Site24x7 (OKTA-268622)

  • Vindicia (OKTA-266192)

  • Wombat Security Awareness (OKTA-268532)

The following SAML app was not working correctly and is now fixed

  • Datadog (OKTA-267430)


Application Updates

  • Zoom provisioning application now supports updating user email addresses.
  • Citrix NetScaler Gateway has changed its name to Citrix Gateway.

New Integrations

New SCIM Integration Application

The following partner-built provisioningThis term is obsolete. See "Okta Verified". integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • AppOmni (OKTA-266642)

  • Appsian Security Platform for PeopleSoft (Encrypted) (OKTA-265400)

  • Clinical Maestro (OKTA-264130)

  • Cmd (OKTA-266400)

  • Freshworks (OKTA-262038)

  • Grammarly (OKTA-266950)

  • Kisi Physical Security (OKTA-265701)

  • LoanBuddy (OKTA-266952)

  • Mode Analytics (OKTA-260404)

  • Reducer (OKTA-265134)

  • TeamzSkill (OKTA-265665)

SWA for the following Okta Verified application

  • Miniter (OKTA-262048)

Weekly Updates


Profile Mastering and Push can be enabled together

Admins can enable both Profile MasterA profile master is an application (usually a directory service such as Active Directory, or human capital management system such as Workday) that acts as a source of truth for user profile attributes. A user can only be mastered by a single application or directory at any one time. For more details, see the Profile Master page. When users are mastered by attribute, we call this attribute-level mastery (ALM). ALM delivers finer grain control over how profiles are mastered by allowing admins to specify different profile masters for individual attributes. Profile mastering only applies to Okta user profiles, not app user profiles. For more details, see Attribute Level Mastering. and Push for an app. This allows all Okta-to-App mappings to push, regardless of whether Active Directory is the Profile Master.


Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access and Beta features .

Connecting Apps to Okta using the LDAP Interface

The LDAPLightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection oriented transfer services. Interface allows you to authenticate legacy LDAP apps to Universal DirectoryUniversal Directory enables you to store an unlimited amount of users and attributes from applications and sources like AD or HR systems. Any type of attributes are supported including linked-objects, sensitive attributes, and pre-defines lists. All of it accessible by all apps in our OIN catalog, over LDAP or via API. in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. For details, see Using the LDAP Interface.

Identity Provider Discovery

Using Identity Provider Discovery and routing rules, Okta directs users to different identity providers based on certain criteria. These criteria include location, device, the app being accessed, the user's domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https)., and specific user attributes. For more information see Identity Provider Discovery.