Preview

March
Additional Preview-only features

March 2019

2019.03.0: Monthly Preview release began deployment on March 6

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features
Early Access Features
Fixes
Applications
Weekly Updates

Generally Available Features

New Features

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. For details, see Using the LDAP Interface.

Enhanced Group Push for Litmos

Group Push now supports the ability to link to existing groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. in Litmos. While this option is currently only available for some apps, we’ll periodically add this functionality to more provisioning-enabled apps. For details about this feature, see Using Group Push.

Schema Discovery for Litmos

The Litmos provisioning appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. now supports UD and Schema DiscoveryAbility to import additional attributes to Okta. For more information, see the Litmos Provisioning Guide.

Assign admin privileges to an Okta group

Super admins can now assign Okta adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. privileges to Okta groups, making it easier to onboard large numbers of admins quickly. Everyone in the group receives the admin privileges assigned to the group. For details, see Assign admin privileges.

System Log events for YubiKey Seed

New System Log events have been added when a user uploads or revokes a YubiKey Seed successfully.

System Log events for Active Directory imports

A new System Log event appears when an Active Directory import is converted from an incremental to a full import.

A new System Log event appears when a full Active Directory import is required.

Admin role behavior changes

Admin roles assigned by adding a user to an Admin group can no longer be edited or customized for individual usersIn Okta literature, we generally refer to "users" as the people who serve as Okta administrators. When we refer to "end users" we are generally referring to the people who the administrators serve. That is, those who use Okta chiclets to access their apps, but have no administrative control.. To edit or remove admin privileges from a user that were assigned by adding the user to an admin group, you must remove the user from the group. Additionally, if a user has individual admin privileges assigned to them as well as admin privileges they received due to being in an admin group, each admin privilege will be listed separately. The icons indicate whether the privilege was assigned individually or as a result of group membership. For details, see Admin assignment page overview and Assign admin privileges.

Use Expression Language (EL) to map AD attribute to Workplace by Facebook

Okta now uses EL to map manager from AD to the Workplace by Facebook app for all new apps. For more information about Workplace by Facebook provisioning, see the Workplace by Facebook Provisioning Guide.

CPC app operations throttling

To ensure execution of all customers’ provisioning operations in a timely manner, operations for CPC apps are now throttled on a per orgThe Okta container that represents a real-world organization. basis.

Enhanced Okta Mobile Security Settings for Android and iOS

Applies to:

Okta Mobile 3.8.1+ for Android
Okta Mobile 5.22.0+ for iOS

From the admin console, you can configure the following security settings for devices running specific versions of Okta Mobile:

Specify the PIN length.
Allow/disallow use of a simple PIN (repeating/ascending/descending numeric sequences).
(Android only) Allow/disallow users taking screenshots, recording videos, or sharing their screen.

For details, see Okta Mobile Settings.

Generic OIDC

Generic OpenID Connect (OIDC) allows users to sign in to an Okta org using their credentials from their existing account at an OIDC Identity Provider (IdPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta.). A generic OIDC IdP can be a third-party IdP that supports OIDC, such as Salesforce or Yahoo or your own custom IdP. You can also configure federation between Okta orgs using OIDC as a replacement for SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IDP, and the SP.. For more information, see Generic OpenID Connect.

Generally Available Enhancements

Enhanced search for Group membership rules

You can now search for group rules by name, target groups, and expression conditions. For more information about Group membership rules, see Using group membership rules.

Change to Reset Password page

When Administrators navigate to Directory > People > Reset Password, the default view is now Locked Out users instead of All. This has been changed for performance reasons. For details, see Reset end user passwords.

Documentation links for Security Checklist

The Security Checklist on the admin console is updated to include documentation links for each setting. For more information about this feature, see Security Checklist.

Region codes updated for network zones

Network zones region codes are updated to adhere to the specifications of the ISO-3166 standard. This update includes changes to region names within Mexico, the Democratic Republic of the Congo, and Czech Republic. For more information about using country and region codes, see Networks.

Early Access Features

New Features

Okta LDAP agent, version 5.5.5

This release contains:

For details, see Okta Java LDAP agent version history and Change the number of Okta LDAP agent threads.

App condition for MFA enrollment policy

Admins can now use a new condition when setting a rule for an MFA enrollment policy. When this condition is configured, end-users are prompted for factor enrollment when accessing all of their applications or only for those selected by their org admin. For more information, see App Condition for MFA Enrollment Policy.

Review prompt on Okta Mobile for iOS

End-users using Okta Mobile on iOS are prompted to provide an App Store rating for the app. When they provide a rating in the app and click Submit, they are taken to the App Store page for the Okta Mobile app to provide more optional feedback about the app. They can click Not now to dismiss the option. For more information, see Review prompt on Okta Mobile (iOS only).

Schedule user imports

When you set up Provisioning to import users from an app or from a CSV directory to Okta, you can set up a schedule for imports at regular intervals on an hourly, daily, or weekly basis. If your app supports incremental imports, then you can set up both full and incremental import schedules. This integration applies to all non-AD and LDAP applications that support imports such as CSV directory, Workday, SuccessFactors, BambooHR, Salesforce, and so on. For more information, see Scheduling imports.

Okta On-Prem MFA Agent, version 1.4.0

This release replaces the JRE with the Amazon Corretto 8.0 version of OpenJDK JRE. For the agent version history, see Okta On-Prem MFA Agent Version History.

OIN Manager supports multiple application submissions

When submitting a new application integration for review by Okta, the OIN Manager now supports multiple concurrent application submissions (for new orgs only).

Early Access Enhancements

Custom domain certificate update

Custom domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https). setup can support up to 4096-bit certificates in the certificate chain. For more information about custom domains, see Configure a custom URL domain.

Custom domain HTTP to HTTPS redirect

Custom domain can redirect from HTTP to HTTPS. For more information about custom domains, see Configure a custom URL domain.

Fixes

General Fixes

OKTA-135037

Disabled users in the Roambi app were incorrectly imported into Okta.

OKTA-205616

The tooltip for username was missing on the Identifier-first login page when using IdP Discovery.

OKTA-205713

The Okta Interstitial page used an incorrect font on Windows OS.

OKTA-205734

The authentication process took more time than expected when the "Permit Automatic Push for Okta Verify Enrolled Users option for the RADIUS application was activated.

OKTA-207282

End-users could not see the Zip Code on the Personal Information page on the end-user dashboard despite having read-write permissions.

OKTA-207634

Customers were not properly redirected to the correct JIRA On-Prem instance after updating to JIRA On-Prem version 3.0.7.

OKTA-208446

Updates to the Okta Reporting Path were not saved on the first attempt and failed with errors when configuring API integration for the UltiPro app.

OKTA-209118

When configuring an OPP app with a SCIM connector, authentication headers were sometimes misconfigured.

OKTA-210624

For Desktop Device Trust flows, authentication failures reported in the System Log lacked sufficient detail.

OKTA-211769

When Single Line Prompt was enabled in the Radius app, login using a soft token generated duplicate events in the System Log.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Allegra False Creek (OKTA-211577)
Amazon Web Services (OKTA-200754)
Basecamp (OKTA-210785)
Bitbucket (OKTA-209277)
Citi Velocity (OKTA-211570)
CrazyEgg (OKTA-208795)
Expensify (SWAAn acronym for Secure Web Authentication. SWA is a SSO system developed by Okta to provide single sign-on for apps that don't support proprietary federated sign-on methods or SAML. Users can enter their credentials for these apps on their homepage. These credentials are stored such that users can access their apps without entering their credentials each time. When users first sign-in to a SWA app from their homepage, they see a pop-up message asking if they were able to sign-in successfully. Only) (OKTA-209343)
Glance (OKTA-211569)
Google AdSense (OKTA-208416)
Meetup (OKTA-208796)
MSCI ESG Manager (OKTA-210231)
SecureMail Cloud (OKTA-210230)
Stamps.com (OKTA-211576)
T. Rowe Price (OKTA-208929)

Applications

Application Updates

The following partner-builtPartner-Built Provisioning: The Provisioning features of some OIN apps are built by a third-party, typically the vendor of the app product or service. These features are Okta Verified through a rigorous Okta review process. Partners-Built EA: Partner-Built EA application features have been verified and tested by Okta but may not have been deployed or used by a customer in an Okta production environment. We recommend that you fully test these integrations for your own provisioning use-cases before deploying in production for your end users. Okta Verified: A Partner-built EA application becomes Okta Verified after a customer has verified the integration in production. provisioning integration app is now Generally Available in the OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs. as partner-built:
- WorkRamp: For configuration information, see Configuring SCIM Provisioning for WorkRamp.
- Expensify: For configuration information, see Expensify's Deactivating User's with Okta.
Namely now supports the following Provisioning features (in addition to the Profile MasterA profile master is an application (usually a directory service such as Active Directory, or human capital management system such as Workday) that acts as a source of truth for user profile attributes. A user can only be mastered by a single application or directory at any one time. For more details, see Using the Okta People Page. feature that it already supports):
- Create users
- Update user attributes
For users that have set-up the Namely integration and enabled Provisioning before July 23, 2018, they have to follow the migration steps detailed in the Namely Configuration Guide if they want to use the new feature.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

LogMeIn: For configuration Information, see Configuring Provisioning for LogMeIn Products.
SendSafely: For configuration Information, see Configuring SCIM Provisioning for SendSafely.

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

Zscaler 2.0 (OKTA-210280)

SAML for the following Okta Verified applications

Idiomatic (OKTA-210213)
Stack Overflow Enterprise (OKTA-211271)

SWA for the following Okta Verified applications

1st Global: Identity Server (OKTA-203266)
Amazon Incentives (OKTA-205373)
ClickToTweet (OKTA-206100)
Cumberland (OKTA-202677)
ForeScout (OKTA-203181)
Fremont Bank (OKTA-205715)
GoodHabitz (OKTA-206150)
HR Certification Institute (OKTA-204048)
Johnson & Johnson (OKTA-207334)
LinkedIn Sales Navigator (OKTA-202984)
LivePerson LiveEngage (OKTA-206681)
Lutron (OKTA-206149)
PNC Retirement Directions Participant Login (OKTA-206676)
SagicoreLife: Agent Login (OKTA-202262)
SecurePay (OKTA-210232)
Supermetrics (OKTA-205909)
Template Two Page Plugin App (OKTA-207162)
Texas Mutual (OKTA-207028)
Zscaler 2.0 (OKTA-210280)

Weekly Updates

2019.03.1: Update 1 started deployment on March 13

Fixes

General Fixes

OKTA-184126

Custom domains were incorrectly reserved before being verified.

OKTA-194918H

Password credentials for the Paychex Online app were not inserted into the Password field in Edge browsers.

OKTA-204814

Certain group membership rules to assign AD-mastered users to an Okta group did not remove the users from the group when they were deactivated in AD.

OKTA-207871

Editing certain existing custom SAML app configurations resulted in errors.

OKTA-209615

In some cases, the EA Feature Manager page on the Admin Console had mismatched or empty feature descriptions.

OKTA-211237H

The complex password generator was able to generate passwords in the format of an <html> tag.

OKTA-212828

Resetting Web Authentication from the end-user Settings page displayed errors even when the action was successful.

OKTA-212890

The Getting Started page on the Admin Console displayed errors for Internet Explorer 10 users.

OKTA-213551H

Push Group failed for the Zscaler 2.0 app and no Retry task was available in the admin console.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

NetSuite (OKTA-209499)

The following SWA apps were not working correctly and are now fixed

MileIq (OKTA-212466)
Ncontracts (OKTA-209463)
Ray Wenderlich (OKTA-212010)
Sequr (OKTA-212548)
Skillshare (OKTA-211690)
WorkFlowy (OKTA-212464)
WP Engine (OKTA-210832)

Applications

New Integrations

SAML for the following Okta Verified applications

Casetabs (OKTA-212169)
Projector PSA (OKTA-212170)
Sqreen (OKTA-211580)
UWV Employer Portal (OKTA-209228)

SWA for the following Okta Verified applications

Arrowhead Auto: Producer Login (OKTA-203718)
Citi Investor Reporting For Structured Finance (OKTA-194263)
ClinPhone (OKTA-211579)
IDShield Plus (OKTA-207842)
Salt Lake Tribune (OKTA-203950)
Taleo Enterprise User Login (OKTA-211578)
Wright National Flood Insurance Company (OKTA-207916)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

Microsoft Office 365 (OKTA-199395)

2019.03.2: Update 2 started deployment on March 20

Enhancements

System Log event for LDAP

New System Log events have been added for when an LDAP schema import succeeds or fails.

System Log event for user import

New System Log events have been added for when a user import fails due to email constraints and when users are unsuspended and suspended using real time sync.

Failed user import:

Suspended and unsuspended users:

Fixes

General Fixes

OKTA-130296

When configuring JIT settings for a social identity provider, the Everyone group could erroneously be selected as one of the Group Assignments.

OKTA-139818

Attempting to set user credentials for an AppUser to a string longer than the permitted maximum length displayed an Internal Server Error instead of a Forbidden message.

OKTA-204598

Some successful MFA events did not appear in the System Log for some Orgs.

OKTA-205976

In some cases, Web Authentication FIDO2 appeared as Windows Hello (Web Authentication) while resetting factors on the Admin Console.

OKTA-209194

First time import of Namely-mastered users into Active Directory failed.

OKTA-209332

An app's Current Assignments report did not autopopulate the app's name even when the report was accessed through the app page.

OKTA-213567

Sometimes Okta Verify took too long to respond back to the browser, resulting in time-outs.

OKTA-214003

Certain invalid state token values caused the AuthN API to return an internal server error.

OKTA-214175

Okta Verify push did not work when authenticating via the LDAP Interface.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Dell Premier (OKTA-213974)
Drift (OKTA-213975)
Fidelity & Guarantee Life (OKTA-213252)
Fitbit (OKTA-213976)
Flurry (OKTA-213977)
IBM Cloud (OKTA-214031)
NoMachine: Workbench (OKTA-210779)
Poll Everywhere (OKTA-213315)
RingCentral (OKTA-213133)
Safari Online Learning (OKTA-213099)
T. Rowe Price (OKTA-212189)

Applications

New Integrations

SAML for the following Okta Verified applications

Automox (OKTA-212528)
HealthKick (OKTA-212505)
Hive (OKTA-213326)
Sapling HR (OKTA-212512)
Workpath Platform (OKTA-213337)

SWA for the following Okta Verified applications

2020 Spaces (OKTA-210855)
Alabama Power (OKTA-211825)
Atlassian Service Desk (OKTA-206555)
BuildingConnected (OKTA-210302)
Cat SIS (OKTA-210839)
CoSchedule (OKTA-210164)
Fidelity Funds Network (OKTA-209733)
Interxion (OKTA-211723)
IOI Payroll V2 (OKTA-210854)
John Deere Service Advisor (OKTA-210838)
LexisNexis Bridger Insight XG (OKTA-195697)
LexisNexis Member Login (OKTA-209424)
Rabobank Internetbankieren (OKTA-209208)
Regus (OKTA-209724)
Rhino3d (OKTA-209991)
Salesforce (force.com) (OKTA-209752)
Steelcase Americas Village (OKTA-207490)
Steelcase Product Reference (OKTA-213961)
Thomson Reuters Practical Law (OKTA-209079)
Traackr (OKTA-210193)

Identity Provider Discovery

Using Identity Provider Discovery and routing rules, Okta directs users to different identity providers based on certain criteria. These criteria include location, device, the app being accessed, the user's domain, and specific user attributes. For more information see Identity Provider Discovery.

Apps supporting incremental imports

Workday joins Active Directory and LDAP in the ability to run immediate, incremental imports. Okta strives to add this functionality to more and more provisioning-enabled apps. This feature is currently only available for Preview orgs.

Note: To use this functionality, your org must also have the Workday Incremental Imports (ENG_PROV_WORKDAY_INCREMENTAL_IMPORTS) Early Access feature enabled.

Multifactor Authentication for admins

MFA for Admins allows Super admins to enable mandatory multifactor authentication for all administrators accessing admin functionality. For details see Authentication. This feature is currently available for new orgs only.

Top