July 2021

2021.07.0: Monthly Preview release began deployment on July 8

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Dedicated help sites for Okta products

Three of Okta’s products — Access Gateway, Advanced Server Access, and Workflows — now have their own dedicated help sites:

This enhancement offers direct access to independent online help sites for these products from The new sites provide several benefits:

  • Compactly designed, product-centric content
  • Streamlined navigation
  • More efficient content updates and responsiveness to customer feedback

Okta Device Registration Task, version 1.3.2

This release includes internal code refactoring. You can download this version from the Settings > Downloads section of the Admin Console.

New Domains API response properties available

The Domains API includes the new response object properties of certificateSourcetype and expiration. The certificateSourcetype is a required property that indicates whether the Certificate is provided by the user. The accepted value is Manual. The expiration property on the DNSrecord object is an optional property that defines the TXT record expiration. See Domains API.

Default end-user experience

New orgs, including those created through the org creator API or the website, will have the new end-user experience enabled by default in preparation for the old end-user experience deprecation starting on October 13. Learn more about this migration and other frequently asked questions in our support article.

Disable Import Groups per SCIM integration

Admins can now choose whether or not to import groups with all SCIM integrations. This new option is available when you set up provisioning for a SCIM integration.

Note that you can't disable group imports for an app if:

  • Import New Users and Profile Updates isn't enabled.

  • App Assignments based on Group exist.

  • Group policy rules exist.

  • Group Push mappings exist.

In these cases, an error is displayed.

Nutanix support

Okta Access Gateway customers can now download and deploy the Access Gateway virtual appliance on Nutanix Acropolis Hypervisor (or Nutanix AHV), a hyper-converged infrastructure platform popular among larger organizations. This provides customers with more options for infrastructure services supported by Access Gateway, including AWS, OCI, VMWare, and now Nutanix.

Remove the ability to disable Admin Experience Redesign

You can no longer disable the Admin Experience Redesign feature for your orgs.

Note: This is not applicable for orgs that didn't have Admin Experience Redesign enabled and used the legacy experience until 2021.06.4.

Windows Hello as an MFA factor is not supported for new orgs

Windows Hello as an MFA factor is no longer supported for new orgs. Existing orgs already using this feature can continue using it.

SAML 2.0 Assertion grant flow

You can use the SAML 2.0 Assertion flow to request an access token when you want to use an existing trust relationship without a direct user approval step at the authorization server. The flow enables a client app to reuse an authorization by supplying a valid, signed SAML assertion to the authorization server in exchange for an access token. This flow is often used in migration scenarios from legacy Identity Providers that don't support OAuth. See Create Rules for Each Access Policy.

Root signed PIV certificate support

Certificates signed directly from a root CA certificate, with no intermediates, can now be used for Personal Identity Verification (PIV) authentication.

Schemas API unique attributes

The Schemas API now includes unique attributes for custom properties in Okta user profiles and the Okta Group profile. You can declare a maximum of five unique properties for each user type and five unique properties in the Okta group profile. This feature helps prevent the duplication of data and ensures data integrity.

Create and manage group profiles

You now have the flexibility to manage the default profile for Okta groups in the Profile Editor. This new functionality simplifies group management and lets you quickly add, edit, or remove custom profile attributes to groups. See Work with profiles and attributes. This feature will be gradually made available to all orgs.

Improved New Device Behavior Detection

Improved New Device Behavior Detection provides stronger signals that are now used for the detection of new devices. Devices using web browsers that don't store cookies are treated as new trusted applications and must send a unique identifier, such as a device token, for each device. See Improved New Device Behavior Detection. This feature will be gradually made available to all orgs.

Org Under Attack for ThreatInsight

Okta ThreatInsight now has enhanced attack detection capability. “Org under attack” establishes a base line traffic pattern and adjusts based on legitimate changes in traffic patterns. When a threat is detected, the algorithms are optimized to block all malicious requests while creating a System Log event to alert on the attack. After the attack subsides, threatInsight returns into its normal mode of operation. This capability enables quick blocking action during an attack. See About Okta ThreatInsight. This feature will be gradually made available to all orgs.


Workplace by Facebook new custom attribute

Okta now supports the is_frontline custom attribute in Workplace from Facebook. Supporting user type designations enables access for frontline and deskless workers.

OIN App Catalog UI improvements

For each app integration in the OIN App Catalog, the details page has been updated to use tabs that display the overview and the specific capabilities of the app integration. The details page also shows the Capabilities in the side navigation. Clicking a specific capability returns the administrator to the main Add Application page with that capability pre-selected in the filter. When an admin searches for app integrations, the filter is now persistent through category changes or when they refresh the page.

OIN Manager category selections

For app submissions in the OIN Manager, the category designations have been updated to match the categories available in the OIN App Catalog.

Changes to group assignment options for OIDC apps

Admins can create new OIDC applications without assigning them to a group. See Create an OIDC app integration using AIW.

HTML sanitizer for email templates

Velocity-based email templates are now processed by an HTML sanitizer. Templates that don’t conform to the rules of the sanitizer are corrected before they are sent. See Customize an email template.

Email template events

The creation and deletion of email templates are now logged as events in the System Log.

Rate limit violation event logging

Session-user and User rate violation events are now logged as operation-level events instead of org-wide events. This allows you to distinguish between rate limit violations at an org level and individual level.

Updated branding for End-User Dashboard

Okta branding on the Okta End-User Dashboard has been updated.

Early Access Features

New Feature

FIPS compliance for iOS or Android devices

Federal Information Processing Standards (FIPS) compliance is now available for iOS or Android devices. FIPS can be enabled on the Okta Verify configuration page. When FIPS compliance is enabled, admins can be confident that only FIPS-compliant software is used. See Enable FIPS-mode encryption.


OAuth redirect URI wildcards

Admins can now use a wildcard for multiple redirect URI subdomains when configuring OIDC applications. See Create an OIDC app integration using AIW.


General Fixes


When an admin attempted to add an app integration to their org for which the org was not entitled, the error message didn't display the org's edition name.


A user-created on-the-fly app incorrectly appeared on the Tasks page under Number of apps that can have provisioning enabled.


Sometimes the failed-sign-in counter didn’t reset to zero after an end user successfully signed in, which resulted in improper lockouts.


When OpenLDAP was used with delegated authentication, an error message containing unnecessary information appeared if users attempted to change their password and it didn't meet the LDAP complexity requirements.


LDAP import schedules weren't updated when Relative Distinguished Name (RDN) attribute mapping from Okta to LDAP was missing.


New device notifications weren't sent during passwordless sign-in flows.


Group Push for Slack caused group members to be reset and gradually re-added, during which time group members couldn't access the app.


Some deactivated SAML IdP users whose attributes were updated with Just-in-time Provisioning were activated even though the reactivation JIT setting wasn't selected.


Some users were deactivated instead of deleted in Automations.


Sometimes, during SAML app configuration, the metadata link improperly required a sign-in session.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • San Diego Gas and Electric (OKTA-407572)


New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SWA for the following Okta Verified applications

  • Headspace (OKTA-403509)

  • Redprint (OKTA-394718)

  • SCOPE (OKTA-405791)

OIDC for the following Okta Verified applications

Weekly Updates

Make Okta the source for Group Push groups

Admins can now make Okta the profile source for all members of a group that is used for Group Push. When this feature is enabled, integrated apps can't change app group memberships. This functionality allows admins to maintain the accuracy of app group membership and prevents changes to group membership after a push. See Manage Group Push.

Litmos supports Advanced Custom Attributes

We’ve enriched our Litmos integration to support Advanced Custom Attributes for the user profile. This allows you to add fields into the Okta user profile. See Litmos Provisioning Guide.


Multiple active user statuses for SuccessFactors integration

Support for multiple active user statuses: When importing users from SuccessFactors into Okta, admins can now select more than one active user status, such as Leave of Absence. See Learn about SAP SuccessFactors Employee Central data provisioning.

End-User Dashboard and Plugin redesign

The Okta End-User Dashboard and Okta Browser Plugin have been redesigned with a modern look and feel that includes new sidebar navigation, fuzzy search, and sections that replaces tabs.

Okta End-User Dashboard redesign

Okta End-User Dashboard redesign

Admins can enable this new design all at once or by groups. The new experience is 50% faster, more intuitive to use, and more responsive to smaller screens. Design changes also improve accessibility and app discovery for end users.

See Create sign-on policies with Okta Applications.

This feature will gradually be made available to all Preview orgs.


Workflows Templates available

Workflows Templates is now available, providing users with access to a searchable catalog of installable Flows that address many common use cases. See © 2021 Okta, Inc. All Rights Reserved. Various trademarks held by their respective owners. .

LDAP password reset option

LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Delegated authentication.

LDAP admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset an individual user password.

Windows Device Registration Task, version 1.4.1

This release fixed the following issues:

  • If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
  • An unknown publisher warning appeared after double-clicking the Okta Device Registration MSI file.

Affected customers should uninstall the registration task and install 1.4.1 or later.

See 2.2 — Obtain and install the Device Registration Task and Device Trust for Windows Desktop Registration Task Version History.


Incremental Imports for CSV

Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously been released to Production in 2020.09.0.

Tor Anonymizer recommendation

Admins can see a new HealthInsight recommendation to view failed sign-in rates from IPs categorized as Tor Anonymizer Proxies. Okta recommends using Dynamic Zones to blacklist IPs that are categorized as Tor anonymizer proxies. See and HealthInsight.

Vendor-specific attributes

RADIUS agents now support vendor specific attributes. With this feature, admins can use optional settings to configure vendor specific attributes to include group membership. Note that no agent update is required for this feature. See Configure group response in the following topics:

Salesforce REST OAuth

Admins can now upgrade to the latest version of our Salesforce integration. OAuth authentication will be now used for Provisioning and Imports. See Configure OAuth and REST integration.This feature is currently available for new orgs only.

Password changed notification email

To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.

Generally Available Enhancements

Group Password Policy enhancement

By using Group Password Policies and associated rules, admins can configure and enforce password settings and set account recovery options for groups. See © 2021 Okta, Inc. All Rights Reserved. Various trademarks held by their respective owners. . This feature was already released to a subset of orgs, we are now releasing it to all new Preview orgs.

ThreatInsight security enhancements

ThreatInsight enhancements improve detection of credential-based attacks from malicious IPs. See About Okta ThreatInsight.

New features for HealthInsight

  • Administrators can now enable end user email notifications when an end user changes or resets their password. See General Security and HealthInsight.
  • HealthInsight now includes a recommendation for admins to enable Password Changed email notifications if the notification isn't yet enabled for the org. See Password changed notification for end users.
  • HealthInsight now displays a suspicious sign-in count within the recommendation that users enable ThreatInsight in block mode. See Okta ThreatInsight

OAuth Consent enabled as event hook

The event is now eligible for use as an event hook.

Email address change notifications

Users without admin permissions now receive email notifications to confirm an email address change. See Customize an email template.

Office 365 Silent Activation

Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain joined shared Workstations or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.

End-user Welcome emails localized

The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.




People page improvements

The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.

Mobile tab available for mobile-capable apps

The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.

See Enable access to managed mobile apps



Provisioning page UI element change

Drop-down menus on the Provisioning page (General Settings) were standardized.

UI element change

Drop-down menus on the Provisioning page (General Settings) are standardized. See Provisioning.



Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access features.

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.