March 2019

2019.03.0: Monthly Preview release began deployment on March 6

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. For details, see Using the LDAP Interface.

Enhanced Group Push for Litmos

Group Push now supports the ability to link to existing groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. in Litmos. While this option is currently only available for some apps, we’ll periodically add this functionality to more provisioning-enabled apps. For details about this feature, see Using Group Push.

System Log events for YubiKey Seed

New System Log events have been added when a user uploads or revokes a YubiKey Seed successfully.

System Log events for Active Directory imports

A new System Log event appears when an Active Directory import is converted from an incremental to a full import.

A new System Log event appears when a full Active Directory import is required.

Admin role behavior changes

Admin roles assigned by adding a user to an Admin group can no longer be edited or customized for individual usersIn Okta literature, we generally refer to "users" as the people who serve as Okta administrators. When we refer to "end users" we are generally referring to the people who the administrators serve. That is, those who use Okta chiclets to access their apps, but have no administrative control.. To edit or remove admin privileges from a user that were assigned by adding the user to an admin group, you must remove the user from the group. Additionally, if a user has individual admin privileges assigned to them as well as admin privileges they received due to being in an admin group, each admin privilege will be listed separately. The icons indicate whether the privilege was assigned individually or as a result of group membership. For details, see Admin assignment page overview and Assign admin privileges.

Use Expression Language (EL) to map AD attribute to Workplace by Facebook

Okta now uses EL to map manager from AD to the Workplace by Facebook app for all new apps. For more information about Workplace by Facebook provisioning, see the Workplace by Facebook Provisioning Guide.

CPC app operations throttling

To ensure execution of all customers’ provisioning operations in a timely manner, operations for CPC apps are now throttled on a per orgThe Okta container that represents a real-world organization. basis.

Enhanced Okta Mobile Security Settings for Android and iOS

Applies to:

  • Okta Mobile 3.8.1+ for Android
  • Okta Mobile 5.22.0+ for iOS

From the admin console, you can configure the following security settings for devices running specific versions of Okta Mobile:

  • Specify the PIN length.
  • Allow/disallow use of a simple PIN (repeating/ascending/descending numeric sequences).
  • (Android only) Allow/disallow users taking screenshots, recording videos, or sharing their screen.

For details, see Okta Mobile Settings.

Generic OIDC

Generic OpenID Connect (OIDC) allows users to sign in to an Okta org using their credentials from their existing account at an OIDC Identity Provider (IdPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta.). A generic OIDC IdP can be a third-party IdP that supports OIDC, such as Salesforce or Yahoo or your own custom IdP. You can also configure federation between Okta orgs using OIDC as a replacement for SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IDP, and the SP.. For more information, see Generic OpenID Connect.

Generally Available Enhancements

Enhanced search for Group membership rules

You can now search for group rules by name, target groups, and expression conditions. For more information about Group membership rules, see Using group membership rules.

Change to Reset Password page

When Administrators navigate to Directory > People > Reset Password, the default view is now Locked Out users instead of All. This has been changed for performance reasons. For details, see Reset end user passwords.

Documentation links for Security Checklist

The Security Checklist on the admin console is updated to include documentation links for each setting. For more information about this feature, see Security Checklist.

Region codes updated for network zones

Network zones region codes are updated to adhere to the specifications of the ISO-3166 standard. This update includes changes to region names within Mexico, the Democratic Republic of the Congo, and Czech Republic. For more information about using country and region codes, see Networks.

Early Access Features

New Features

App condition for MFA enrollment policy

Admins can now use a new condition when setting a rule for an MFA enrollment policy. When this condition is configured, end-users are prompted for factor enrollment when accessing all of their applications or only for those selected by their org admin. For more information, see App Condition for MFA Enrollment Policy.

Review prompt on Okta Mobile for iOS

End-users using Okta Mobile on iOS are prompted to provide an App Store rating for the app. When they provide a rating in the app and click Submit, they are taken to the App Store page for the Okta Mobile app to provide more optional feedback about the app. They can click Not now to dismiss the option. For more information, see Review prompt on Okta Mobile (iOS only).

Schedule user imports

When you set up Provisioning to import users from an app or from a CSV directory to Okta, you can set up a schedule for imports at regular intervals on an hourly, daily, or weekly basis. If your app supports incremental imports, then you can set up both full and incremental import schedules. This integration applies to all non-AD and LDAP applications that support imports such as CSV directory, Workday, SuccessFactors, BambooHR, Salesforce, and so on. For more information, see Scheduling imports.

Okta On-Prem MFA Agent, version 1.4.0

This release replaces the JRE with the Amazon Corretto 8.0 version of OpenJDK JRE. For the agent version history, see Okta On-Prem MFA Agent Version History.

OIN Manager supports multiple application submissions

When submitting a new application integration for review by Okta, the OIN Manager now supports multiple concurrent application submissions (for new orgs only).


Early Access Enhancements

Custom domain certificate update

Custom domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https). setup can support up to 4096-bit certificates in the certificate chain. For more information about custom domains, see Configure a custom URL domain.

Custom domain HTTP to HTTPS redirect

Custom domain can redirect from HTTP to HTTPS. For more information about custom domains, see Configure a custom URL domain.


General Fixes


Disabled users in the Roambi app were incorrectly imported into Okta.


The tooltip for username was missing on the Identifier-first login page when using IdP Discovery.


The Okta Interstitial page used an incorrect font on Windows OS.


The authentication process took more time than expected when the "Permit Automatic Push for Okta Verify Enrolled Users option for the RADIUS application was activated.


End-users could not see the Zip Code on the Personal Information page on the end-user dashboard despite having read-write permissions.


Customers were not properly redirected to the correct JIRA On-Prem instance after updating to JIRA On-Prem version 3.0.7.


Updates to the Okta Reporting Path were not saved on the first attempt and failed with errors when configuring API integration for the UltiPro app.


When configuring an OPP app with a SCIM connector, authentication headers were sometimes misconfigured.


For Desktop Device Trust flows, authentication failures reported in the System Log lacked sufficient detail.


When Single Line Prompt was enabled in the Radius app, login using a soft token generated duplicate events in the System Log.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed


Application Updates

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • Zscaler 2.0 (OKTA-210280)

SAML for the following Okta Verified applications

  • Idiomatic (OKTA-210213)

  • Stack Overflow Enterprise (OKTA-211271)

SWA for the following Okta Verified applications

  • 1st Global: Identity Server (OKTA-203266)

  • Amazon Incentives (OKTA-205373)

  • ClickToTweet (OKTA-206100)

  • Cumberland (OKTA-202677)

  • ForeScout (OKTA-203181)

  • Fremont Bank (OKTA-205715)

  • GoodHabitz (OKTA-206150)

  • HR Certification Institute (OKTA-204048)

  • Johnson & Johnson (OKTA-207334)

  • LinkedIn Sales Navigator (OKTA-202984)

  • LivePerson LiveEngage (OKTA-206681)

  • Lutron (OKTA-206149)

  • PNC Retirement Directions Participant Login (OKTA-206676)

  • SagicoreLife: Agent Login (OKTA-202262)

  • SecurePay (OKTA-210232)

  • Supermetrics (OKTA-205909)

  • Template Two Page Plugin App (OKTA-207162)

  • Texas Mutual (OKTA-207028)

  • Zscaler 2.0 (OKTA-210280)

Weekly Updates

Identity Provider Discovery

Using Identity Provider Discovery and routing rules, Okta directs users to different identity providers based on certain criteria. These criteria include location, device, the app being accessed, the user's domain, and specific user attributes. For more information see Identity Provider Discovery.

Apps supporting incremental imports

Workday joins Active Directory and LDAP in the ability to run immediate, incremental imports. Okta strives to add this functionality to more and more provisioning-enabled apps.  This feature is currently only available for Preview orgs.

Note: To use this functionality, your org must also have the Workday Incremental Imports (ENG_PROV_WORKDAY_INCREMENTAL_IMPORTS) Early Access feature enabled.

Multifactor Authentication for admins

MFA for Admins allows Super admins to enable mandatory multifactor authentication for all administrators accessing admin functionality. For details see Authentication. This feature is currently available for new orgs only.