Preview

  Current Upcoming
Production 2021.01.1 2021.01.2 Production release is scheduled to begin deployment on February 1
Preview 2021.01.1

2021.01.2 Preview release is scheduled to begin deployment on January 27

January 2021

2021.01.0: Monthly Preview release began deployment on January 7

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

New phone rate limits

Users who attempt Voice and SMS enrollment can now be rate limited. Voice and SMS enrollment rate-limit events are now logged in the System Log. See Rate Limits.

WebAuthn feature validation updates with Trusted Origins API

The WebAuthn feature now supports trusted cross-origin and cross-Relying Party Identifier (RP ID) validation when using the Trusted Origins API. Trusted Origins are configured in the Okta Trusted Origins framework either through the Admin UI or the API. These Trusted Origins, configured with the CORS scope, now support orgs using WebAuthn for sign-in pages hosted at Trusted Origins distinct from the org's Okta URL (that is, different from the org's Okta or custom domain URL).

User authentication with MFA can be used as an Event Hook

The user.authentication.auth_via_mfa event type is now available for use as an event hook. See Event Types for a list of events that can be used with event hooks.

Browser Plugin notification expiration

Notifications for new features in the Okta Browser Plugin now expire after three months. See Okta Browser Plugin: Version history.

Okta Provisioning agent, version 2.0.2

This release of the Okta Provisioning agent includes vulnerability and security fixes. See Okta Provisioning agent and SDK version history.

Workflows Templates available

Workflows Templates is now available, providing users with access to a searchable catalog of installable Flows that address many common use cases. See Get started with Workflows Templates.

LDAP password reset option

LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Delegated authentication.

LDAP admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset an individual user password.

Generally Available Enhancements

Group Membership System Log enhancement

The Add user to group membership and Remove user from group membership events have been updated. When triggered by group rules, these events now display the group rule ID in the TriggeredByGroupRuleId field under the Debug Context object.

Extra Verification UI enhancement for end users

The Extra Verification section under End-User Dashboard Settings is now displayed in the right column.

Inclusive language updates

As part of the Okta inclusive language initiative, the following is changed:

  • Application provisioning documentation and UI elements have been updated with inclusive language.

  • Allow list has replaced whitelist, block list has replaced blacklist, and source has replaced master.

  • Instances of profile masters, profile master, and profile mastering on the Okta Admin Console Profile Masters page have been updated to profile source and profile sourcing. The administrator documentation has been updated to reflect this change.

Risk Scoring settings

When enabled, Risk Scoring settings now appear in the Okta sign-on policy rule. See © 2021 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners..

Early Access Features

New Features

Workplace by Facebook Push AD Manager functionality

Admins can choose to disable Push AD Manager functionality using this self-service Early Access feature. This enables admins to control the manager attribute using Okta Expression Language syntax to avoid being dependent on AD for the field. See Workplace by Facebook.

LDAP agent, new version 5.7.1

This version of the agent contains:

  • Internal improvements

  • Security fixes

To view the agent version history, see Okta LDAP Agent version history.

Manage admin email notification subscriptions using API endpoints

Admins can manage email subscriptions using the Admin Email Subscription API endpoints.

  • Super admins can configure default subscription settings by admin type.

  • All admins can manage their own admin email notification subscriptions.

Enhancements

Skip to Content improvements

End users can now click Skip to Content on the new Okta End-User Dashboard to navigate directly to the Add Apps page.

Options relocation

The Recent Activity tab, End-User preferences, Admin View, and Sign Out options are now displayed in the user drop down menu on the Okta End-User Dashboard.

Fixes

General Fixes

OKTA-329862

Indonesian translations and templates were displayed in English.

OKTA-330432

The Okta Browser Plugin continued to recommend strong passwords for apps after the setting was disabled.

OKTA-345311

The sign-in page auto refresh sometimes didn't work when factor sequencing was used.

OKTA-347526

Information text in Settings > Update Credentials was incorrect for bookmarked apps.

OKTA-352737

Self-Service Registration with inline hooks failed for some orgs.

OKTA-354151

Some users were unable to enroll in Okta Verify through TOTP and PUSH methods in some orgs.

OKTA-354967

When defined for an MFA Enrollment policy, the App Condition was not enforced when a user signed in to an application.

OKTA-355035

Security methods for Safari web authentication did not allow for biometric authentication.

OKTA-355482

When super admins edited a group admin role in Security > Administrators, only the first 10 groups were displayed.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Adobe Sign Provisioning (OKTA-352597)

  • FIS E-ACCESS (OKTA-346510)

  • Google Analytics (OKTA-348673)

  • Nationwide Financial (OKTA-355417)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Culture Connect (OKTA-354618)

  • hCaptcha (OKTA-352403)

  • LinkedIn Talent Solutions (OKTA-343875)

  • Process Bolt (OKTA-353096)

SWA for the following Okta Verified applications

  • Adweek (OKTA-350720)

  • Amazon Payee Central (OKTA-347803)

  • CenturyLink (OKTA-350562)

  • TechCrunch (OKTA-343939)

  • Vue Mastery (OKTA-342948)

OIDC for the following Okta Verified applications

Weekly Updates

January 13

Generally Available Features

delAuthTimeout value now available in the System Log

The delAuthTimeout value now appears in the System Log to identify the authentication timeout value. The delegated authentication timeout value is the time in milliseconds that Okta waits for delegated authentication responses. Knowing this value can help identify when timeout values are too high and consuming system resources unnecessarily. See System Log.

End-User Dashboard and Plugin redesign

The Okta End-User Dashboard and Okta Browser Plugin have been redesigned with a modern look and feel that includes new sidebar navigation, fuzzy search, and sections that replaces tabs.

Okta End-User Dashboard redesign

Okta End-User Dashboard redesign

Admins can enable this new design all at once or by groups. The new experience is 50% faster, more intuitive to use, and more responsive to smaller screens. Design changes also improve accessibility and app discovery for end users.

See Create sign-on policies with Okta Applications.

Okta Applications

Okta admins can now create app-based sign-on policies for the Okta Dashboard, Okta Admin Console, and Okta Browser Plugin.

Previously, sign-on policies couldn't be configured for these first party applications. With this release, policy based on context such as user location, device, behavior, risk level, group membership, and more is included. This gives admins more flexibility and granular control over sign-on requirements for these first party apps. For example, different MFA requirements might apply to the Okta Admin Console for different groups of people.

See Enable the new Okta End-User Experience.

Okta End-User Dashboard redesign

Fixes

General Fixes

OKTA-336092

The import of user accounts from Adobe Experience Manager to Okta failed if there were duplicate entries in the database.

OKTA-336966

The password requirements presented to LDAP-sourced users during password reset didn’t match the password policy definition.

OKTA-337515

In some cases, the link to activate an account through self-service registration led to an empty page.

OKTA-340836

When admins enabled password change notification, end users going through self-service registration erroneously received a password change notification in addition to the account activation email.

OKTA-341729

In some cases, when a role was deleted from the Amazon Web Services (AWS) console, refreshing the app data in Okta removed group assignments causing users to lose access to AWS.

OKTA-343739

Some users received notifications for new app assignments although no new apps had been assigned to them.

OKTA-346826

In the SmartSheet provisioning profile, when admins tried to change the Group Priority setting to Combine values across groups for the variable smartsheet.userPermissions, the error message: Not allowed to modify property userPermissions from the base schema was returned.

OKTA-354279

In some orgs, after account activation, Active Directory users were redirected to a blank page instead of the Okta End-User Dashboard.

OKTA-355574

Some generic or anonymized WebAuthn factors were inaccurately labeled YubiKey.

OKTA-358425

When evaluating risk using device token as a signal, some new users signing in to Okta were incorrectly marked as high risk.

OKTA-359363

Reactivated users from AD did not maintain their group memberships after import.

OKTA-361020H

Updating licenses to Google app users sometimes failed if the app was already assigned to them.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Cisco Webex Meetings (OKTA-356220)

Applications

Integration Updates

The Tableau Online SAML app has been updated to add support for Single Logout (SLO). Customers who previously added the integration should refer to the SAML Setup Instructions to enable this new feature.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Communifire (OKTA-353568)

  • LabLog (OKTA-356012)

  • Ybug (OKTA-356075)

SWA for the following Okta Verified applications

  • eClinical Works (OKTA-349360)

  • SiteLink myHub (OKTA-354952)

 

Incremental Imports for CSV

Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously been released to Production in 2020.09.0.

Tor Anonymizer recommendation

Admins can see a new HealthInsight recommendation to view failed sign-in rates from IPs categorized as Tor Anonymizer Proxies. Okta recommends using Dynamic Zones to blacklist IPs that are categorized as Tor anonymizer proxies. See Blacklist proxies with high sign-in failure rates and HealthInsight.

Vendor-specific attributes

RADIUS agents now support vendor specific attributes. With this feature, admins can use optional settings to configure vendor specific attributes to include group membership. Note that no agent update is required for this feature. See Configure group response in the following topics:

Salesforce REST OAuth

Admins can now upgrade to the latest version of our Salesforce integration. OAuth authentication will be now used for Provisioning and Imports. See Configure OAuth and REST integration.This feature is currently available for new orgs only.

Password changed notification email

To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.

Generally Available Enhancements

Group Password Policy enhancement

By using Group Password Policies and associated rules, admins can configure and enforce password settings and set account recovery options for groups. See © 2021 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners.. This feature was already released to a subset of orgs, we are now releasing it to all new Preview orgs.

ThreatInsight security enhancements

ThreatInsight enhancements improve detection of credential-based attacks from malicious IPs. See About Okta ThreatInsight.

New features for HealthInsight

  • Administrators can now enable end user email notifications when an end user changes or resets their password. See General Security and HealthInsight.
  • HealthInsight now includes a recommendation for admins to enable Password Changed email notifications if the notification isn't yet enabled for the org. See Password changed notification for end users.
  • HealthInsight now displays a suspicious sign-in count within the recommendation that users enable ThreatInsight in block mode. See Okta ThreatInsight

OAuth Consent enabled as event hook

The event app.oauth2.as.consent.grant is now eligible for use as an event hook.

Email address change notifications

Users without admin permissions now receive email notifications to confirm an email address change. See Customize an email template.

Office 365 Silent Activation

Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain joined shared Workstations or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.

Enhanced Admin Console search

Admins can now search for user email addresses in the spotlight search field. See Admin Console search.

End-user Welcome emails localized

The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.

Improved auto-complete functionality

To improve the accuracy and speed of user searches, the auto-complete functionality on the Okta Admin Console administrator pages is updated.

 

 

People page improvements

The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.

Mobile tab available for mobile-capable apps

The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.

See Enable access to managed mobile apps

 

 

Provisioning page UI element change

Drop-down menus on the Provisioning page (General Settings) were standardized.

Group push mapping change

When admins create a group push mapping and link it to a group whose members were imported through another method, those users are now Okta mastered. See About Group Push.

UI element change

Drop-down menus on the Provisioning page (General Settings) are standardized. See Provisioning.

 

 

Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access features.

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.