September 2019

2019.09.0: Monthly Preview release began deployment on September 4

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Customizable email template for LDAP users

The LDAP Forgot Password Denied email template can now be customized for LDAP users who have requested a password reset but must have their password reset by an admin. See Email and SMS Options.

New System Log event for event hooks

Event hook eligible System Log events now display the event hook ID in the Debug Context object under the TargetEventHookId field.

For a list of event hook eligible System Log events, filter our Event Types Catalog by the event-hook tag.

Add event hooks from the Admin Console

Admins can now add event hooks from the Admin Console. Event hooks send outbound calls from Okta that trigger asynchronous process flows in admins' own software. For more details, see Event Hooks.

Okta Browser Plugin, version 5.32.0 for all browsers

This version includes the following:

See Browser Plugin Version History.

End of support for Okta Mobile Connect on iOS 13 and iPad OS 13

Okta Mobile Connect will not function on iPhones and iPads that upgrade to iOS 13 and iPad OS 13, respectively, because version 13 introduces changes that affect the way an Apple API handles external requests to open Okta Mobile. See Okta Mobile Connect.

Agentless Desktop SSO

Agentless desktop SSO and Silent Activation now support Kerberos alias authentication for customers implementing these features for the first time. See Configure Agentless Desktop SSO - new implementations and Office 365 Silent Activation.

Group push mapping change

When admins create a group push mapping and link it to a group whose members were imported through another method, those users are now Okta mastered. See Using Group Push.

Required update for Microsoft Dynamics CRM, admin consent needed

We have updated the landing URL for the Microsoft Dynamics 365 app to use OAuth and to be accessible globally. The updated app resolves the issue where end-users outside the USA could not access Dynamics 365 and were redirected to an error page.

You need to provide or renew Admin consent within the Okta Office 365 app instance to continue using the Dynamics 365 app in your Okta org.

See Provide Microsoft admin consent for Okta.

Early Access Features

New Features

Suspicious Activity Reporting

End users can now report unrecognized activity to their org admins when they receive an account activity email notification. This feature is now available through the EA feature manager. See Suspicious Activity Reporting.

Custom URL domain support for the Okta Browser Plugin

This support enables the Okta Browser Plugin to work on the configured custom URL domain. See Configure a custom URL domain.

Quick Access tab on the Okta Browser Plugin available through EA feature manager

Quick Access tab on the Okta Browser Plugin is now available through the EA feature manager. See Allow end-users to quickly access apps.

Resumable Import

Resumable Import is a performance enhancement that prevents imports from starting over in the event of a deployment or infrastructure issue. Instead, the import automatically pauses and continues from the most recently completed step. For information on importing users, see Import users from an app.

MFA for Oracle Access Manager

With Okta MFA for Oracle Access Manager (OAM), customers can use OAM as their Identity Provider (IdP) to applications and also use Okta for MFA to provide a strong method of authentication for applications. For more information, see MFA for Oracle Access Manager.

New Windows Device Registration Task, version 1.4.0

This release includes the following:

Factor Sequencing

Admins can now provide end users with the option to sign in to their org using various MFA factors as the primary method of authentication in place of using a standard password. See Factor Sequencing.


General Fixes


The translations were missing for the API AM User Consent buttons.


The Self-Service Create Account Registration form did not clear a failed password validation status even after the password was updated to meet complexity requirements.


The last MFA factor used was not remembered for some orgs that use app-level MFA rules and a custom URL domain for sign-in attempts initiated by a Service Provider.


The Active Directory Settings page was slow or unresponsive for directories with more than 10,000 Organizational Units (OUs). To obtain the fix for this bug, contact Support.


When Factor Sequencing was enabled and a user clicked Sign Out from the sign-in widget, the browser page had to be refreshed manually for the user to sign in again.


Some authentication error messages for the custom IdP factor were not displayed by the sign-in widget.


Some sign-on policies and rules for IWA were not applied when a user signed in.


An extra character > appeared in the Admin navigation header.


The temporary password was not displayed in developer account activation emails.


Web Authentication factor names were not displayed correctly under Extra Verification in end user settings.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Active Campaign (OKTA-245468)

  • Aegify (OKTA-245093)

  • BSPlink (OKTA-239934)

  • Check Point (OKTA-244812)

  • CultureIQ (OKTA-245092)

  • DesignCrowd (OKTA-245635)

  • Google Play Developer Console (OKTA-241992)

  • Hippo CMMS (OKTA-246930)

  • Key Bank (OKTA-245091)

  • MyFax (OKTA-244628)

  • OnePath Advisor (OKTA-243552)

  • (OKTA-244279)

  • Shutterfly (OKTA-245801)

  • Wells Fargo Funding (OKTA-244825)


Application Updates

To reflect Webex name changes we have updated our documentation as follows:

  • Webex (Cisco) is renamed to Cisco Webex Meetings

New Integrations

SAML for the following Okta Verified applications

  • 15five (OKTA-245730)

  • Centrify Privilege Access Service (OKTA-244805)

  • COMPASS by Bespoke Metrics (OKTA-246403)

  • Gateway Software Solutions (OKTA-231714)

  • Good2Give (OKTA-244842)

  • Legal Diary (OKTA-231714)

  • Wellness360 (OKTA-242402)

SWA for the following Okta Verified application

  • United Capital (OKTA-240147)

Weekly Updates


Security Behavior Detection

To provide additional security without overburdening your end users, you can configure a Sign On policy for your organization to require additional authentication for behaviors defined as higher risk based on variance from individual users' prior sign ins. Admins can configure the system so that individual end users are only prompted for an additional MFA factor when there is a change in behavior that the admin defines. For more information, see Security Behavior Detection.

Profile Mastering and Push can be enabled together

Admins can enable both Profile Master and Push for an app. This allows all Okta-to-App mappings to push, regardless of whether Active Directory is the Profile Master.


App condition for MFA enrollment policy

Admins can now use a new condition when setting a rule for an MFA enrollment policy. When this condition is configured, end users are prompted for factor enrollment when accessing all of their applications or only for those selected by their org admin. For more information, see App Condition for MFA Enrollment Policy.

Okta Browser Plugin reflects real-time app and profile changes in the end user dashboard

The Okta Browser Plugin now reflects the real-time state of the end user dashboard, eliminating the need to refresh the dashboard for the plugin to reflect the latest app and profile changes. This feature is available on Okta Browser Plugin version 5.29.0 or higher. For more information, see About the Okta Browser Plugin.

Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access and Beta features.

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. For details, see Using the LDAP Interface.

Identity Provider Discovery

Using Identity Provider Discovery and routing rules, Okta directs users to different identity providers based on certain criteria. These criteria include location, device, the app being accessed, the user's domain, and specific user attributes. For more information, see Identity Provider Discovery.