Preview

Current | Upcoming | |
---|---|---|
Production | 2021.04.0 | 2021.04.1 Production release is scheduled to begin deployment on April 19 |
Preview | 2021.04.1 |
2021.04.2 Preview release is scheduled to begin deployment on April 28 |
April 2021
2021.04.0: Monthly Preview release began deployment on April 1
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Okta Sign-In Widget, version 5.5.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta Active Directory agent, version 3.6.1
This version of the agent contains:
-
Improved query performance for customers with a large number of organizational units.
-
Security enhancements.
-
Improved logging functionality to assist with issue resolution.
-
Managed service account support for the Okta Active Directory agent.
-
Bug fixes.
New operators available in Advanced Filters for System Log
Admins can now filter using new Advanced Filters operators:
-
ends with
-
not equal
-
is present (value exists)
-
greater than
-
greater than or equal to
-
less than
-
less than or equal to
Additionally, admins can now use the not equal, ends with, and is present operators in the System Log search bar. These operators provide greater flexibility when filtering System Log events. See System Log filters and search.
Agentless Desktop Single Sign-on authentication progress screen updates
Agentless Desktop Single Sign-on (ADSSO) authentication progress screens have been updated to make authorization and verification progress more visible and improve the user experience. See Configure agentless Desktop Single Sign-on.
RADIUS support for EAP-TTLS
The RADIUS agents now support the EAP-TTLS network authentication protocol. See the supported factors section in any RADIUS Integrations. This feature is made available to all orgs.
New Select assignments to convert screen
The addition of a Select assignments to convert screen to the Okta Admin Console makes the conversion of app assignments from individually-managed to group-managed easier. With the click of a button you can now quickly locate, select, and then convert individual users, or convert all eligible assignments. See Convert an individual assignment to a group assignment.
Generally Available Enhancements
TLS certificate update for okta.com
The TLS certificate for okta.com will be updated beginning on May 6th, 2021, US Pacific Time. The updated certificate will be signed with a new trust chain and Root Certificate Authority (CA) trust anchor. The Root CA will change from the DigiCert High Assurance EV Root CA to the DigiCert Global Root CA. To avoid negative impact and service outages, customers who have a limited or non-standard set of certificates in their trust stores must take action prior to May 6th, 2021. See FAQs.
Email notification settings
Email notification settings for New sign-on, MFA enrolled, and MFA reset are no longer enabled by default for new orgs. This change prevents new orgs from unintentionally sending email notifications to end users. See General Security.
NetSuite integration enhancement
Okta can now import the supervisor/manager ID for an employee from NetSuite, removing the dependency on Active Directory.
OIN Manager supports variable SAML ACS URLs
SAML app integrations that support multiple ACS URLs can now use app instance property variables to create non-static single sign-on URLs in their submissions.
Okta ThreatInsight free trial
Orgs that use free trial editions now see a limited functionality notification in the Okta ThreatInsight Settings section of the Security > General page. See General Security.
End users on new dashboard can request apps
End users can now request an app through the link in the footer of the new Okta End-User Dashboard. To turn this setting on, go to the Okta Admin Console > Applications > Self Service and enable Allow users to email "Technical Contact" to request an app.
Early Access Features
New Features
Customize Okta domains
The ability to customize your Okta domain has now been rolled out to all orgs. With this feature, you can customize your Okta organization by replacing the Okta domain name with your own domain name. This allows you to create a seamless branded experience for your users so that all URLs look like your application. See Custom Domain API.
Enhancements
App Integration Wizard
The App Integration Wizard has been updated with several usability improvements. For quicker access, the wizard is now launched from the Applications page rather than the OIN Catalog (Add Application) page. The platform and sign-on method selection process has been streamlined to remove unnecessary inputs. Help hints in the wizard have been improved to eliminate the need to look up definitions and guidance from the documentation. To save time, trusted origins and group assignment tasks can now be completed as part of the process rather than after the wizard creates the app integration. See Create a new Okta app integration.
Group Push enhancements
Group Push now supports the ability to link to existing groups in NetSuite. You can centrally manage these apps in Okta. This is important because it allows you to set up and push Okta groups into NetSuite instead of recreating them in NetSuite. See About Group Push.
Fixes
General Fixes
OKTA-336939
For some orgs, the user activation page didn't display logos correctly if it was accessed through the redirect link in the User Activation email.
OKTA-337030, OKTA-375978, OKTA-378809, OKTA-379613, OKTA-380069, OKTA-380636, OKTA-381076, OKTA-381639
Some orgs that have the Admin Redesign Experience feature enabled had the following issues:
-
Scrolling functionality didn’t work as expected on some pages.
-
The Okta Admin Dashboard reached the rate limit threshold rapidly, causing a failure to load data in the Admin Dashboard widgets.
-
The spotlight search input field had extra padding.
-
Some pages had layout issues.
-
Some dialog boxes had unwanted scrollbars.
-
Some conditions in group rules were unreadable.
-
Group icons weren't display properly on the Group Assignment page.
OKTA-362647
Self-Service Registration incorrectly appeared in the Directory menu for group admins. This feature is available to super admins only.
OKTA-363849
The 12-hour timestamp on the Import Monitoring Dashboard didn’t display AM or PM.
OKTA-369992
The Report Suspicious Activity page didn’t display the geolocation and the IP address of the suspicious request.
OKTA-373689H
Sometimes the public OAuth metadata API responses did not include a Vary: Origin
header, resulting in some browsers incorrectly caching the response across Origins.
OKTA-373957
Some iPhone and iPad users using Okta Mobile couldn’t sign in to Microsoft Teams.
OKTA-375702
The Okta Workflows app erroneously counted towards an org's app limit.
OKTA-375878
The Import Safeguard help documentation link on the Directories page was broken.
OKTA-376041
Some pop-up messages during the OAuth validation process incorrectly had scrollbars.
OKTA-376281
During creation of a new SPA app integration, the App Integration Wizard incorrectly enabled the Allow Access Token option under the Implicit grant type by default.
OKTA-376795
Registration Inline Hook sometimes failed during the self-service registration process.
OKTA-378045H
The Applications page in Developer orgs didn't have clear instructions about how to create more custom apps by upgrading to an Enterprise plan.
OKTA-378989
For some orgs, SAML inline hooks didn’t work as expected.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
AlertLogic (OKTA-380563)
-
Blacklane Car Service (OKTA-380186)
-
Bookmark App (OKTA-377640)
-
DHL Express (OKTA-380565)
-
Fortune (OKTA-380576)
-
ImpactOffice (OKTA-380575)
-
Music Vine (OKTA-380580)
-
mySE: My Schneider Electric (OKTA-375671)
-
Tumblr (OKTA-380562)
-
WordFly (OKTA-380953)
The following SAML app was not working correctly and is now fixed
-
Mimecast Personal Portal v3 (OKTA-381518)
Weekly Updates

Generally Available Features
Okta Sign-In Widget, version 5.5.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Generally Available Enhancements
Password Health Report enhancement
Date columns in the Password Health Report are now in ISO 8601 format to improve readability.
Increased authorization code lifetime
The OAuth authorization code lifetime is increased from 1 to 5 minutes.
Fixes
General Fixes
OKTA-360669
Errors on the App Sign On Policy page were displayed at the top of the page rather than near the respective fields.
OKTA-360937
In some cases, Okta didn't import all users from ServiceNow.
OKTA-362325
Attributes with the number data type were reported to have been updated after CSV Directory imports even if nothing had changed.
OKTA-362647
Self-Service Registration, a super admin feature, incorrectly appeared in the Directory menu for group admins.
OKTA-372730
Org admins were unable to add IdPs.
OKTA-375536
Developer org admins were incorrectly redirected to the user app page instead of the Admin Dashboard.
OKTA-375698
In some cases, the OAuth access token for Salesforce expired daily, which caused issues with provisioning.
OKTA-377265
In some cases, admins received a 500 error while creating a new user with JIT provisioning.
OKTA-379879
When signing in to a third-party identity provider (IdP), the sign in hint wasn’t provided as a request parameter to the IdP.
OKTA-380356
The Trusted Origin field in the new App Integration Wizard appeared even if the user didn't have the permission to manage the field.
OKTA-380892
Some help documentation links in the Agentless Desktop SSO and Silent Activation section didn't work.
OKTA-382214
In some cases, Group Administrators were incorrectly displayed as User Administrators in the Email Notification dropdown on the Account Settings page.
OKTA-382433
The text in the App Embed Link section of the Custom SAML App page was misaligned.
OKTA-385342
The new App Integration Wizard showed an error when creating an API Services app due to incorrect response type validation.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
Carta (OKTA-380324)
Applications
Updates
-
The Nature.com SWA integration is deprecated from the OIN.
Use the Nature Research SAML app instead.
New Integrations
SAML for the following Okta Verified applications
-
Productive.io (OKTA-377469)
-
TigerConnect (OKTA-382369)
OIDC for the following Okta Verified application
- Tera: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
Workflows Templates available
Workflows Templates is now available, providing users with access to a searchable catalog of installable Flows that address many common use cases. See Get started with Workflows Templates.
LDAP password reset option
LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Delegated authentication.
LDAP admin password reset
For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset an individual user password.
Windows Device Registration Task, version 1.4.1
This release fixed the following issues:
- If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
- An unknown publisher warning appeared after double-clicking the Okta Device Registration MSI file.
Affected customers should uninstall the registration task and install 1.4.1 or later.
See 2.2 — Obtain and install the Device Registration Task and Device Trust for Windows Desktop Registration Task Version History.
Incremental Imports for CSV
Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously been released to Production in 2020.09.0.
Tor Anonymizer recommendation
Admins can see a new HealthInsight recommendation to view failed sign-in rates from IPs categorized as Tor Anonymizer Proxies. Okta recommends using Dynamic Zones to blacklist IPs that are categorized as Tor anonymizer proxies. See and HealthInsight.
Vendor-specific attributes
RADIUS agents now support vendor specific attributes. With this feature, admins can use optional settings to configure vendor specific attributes to include group membership. Note that no agent update is required for this feature. See Configure group response in the following topics:
Salesforce REST OAuth
Admins can now upgrade to the latest version of our Salesforce integration. OAuth authentication will be now used for Provisioning and Imports. See Configure OAuth and REST integration.This feature is currently available for new orgs only.
Password changed notification email
To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.
Generally Available Enhancements
Group Password Policy enhancement
By using Group Password Policies and associated rules, admins can configure and enforce password settings and set account recovery options for groups. See © 2021 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners.. This feature was already released to a subset of orgs, we are now releasing it to all new Preview orgs.
ThreatInsight security enhancements
ThreatInsight enhancements improve detection of credential-based attacks from malicious IPs. See About Okta ThreatInsight.
New features for HealthInsight
- Administrators can now enable end user email notifications when an end user changes or resets their password. See General Security and HealthInsight.
- HealthInsight now includes a recommendation for admins to enable Password Changed email notifications if the notification isn't yet enabled for the org. See Password changed notification for end users.
- HealthInsight now displays a suspicious sign-in count within the recommendation that users enable ThreatInsight in block mode. See Okta ThreatInsight
OAuth Consent enabled as event hook
The event app.oauth2.as.consent.grant is now eligible for use as an event hook.
Email address change notifications
Users without admin permissions now receive email notifications to confirm an email address change. See Customize an email template.
Office 365 Silent Activation
Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain joined shared Workstations or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.
End-user Welcome emails localized
The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.
People page improvements
The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.
Mobile tab available for mobile-capable apps
The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.
See Enable access to managed mobile apps
Provisioning page UI element change
Drop-down menus on the Provisioning page (General Settings) were standardized.
Group push mapping change
When admins create a group push mapping and link it to a group whose members were imported through another method, those users are now Okta mastered. See About Group Push.
UI element change
Drop-down menus on the Provisioning page (General Settings) are standardized. See Provisioning.
Early Access features, auto-enroll
You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access features.
Connecting Apps to Okta using the LDAP Interface
The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.