April 2021

2021.04.0: Monthly Preview release began deployment on April 1

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Okta Sign-In Widget, version 5.5.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta Active Directory agent, version 3.6.1

This version of the agent contains:

  • Improved query performance for customers with a large number of organizational units.

  • Security enhancements.

  • Improved logging functionality to assist with issue resolution.

  • Managed service account support for the Okta Active Directory agent.

  • Bug fixes.

See Okta Active Directory agent version history.

New operators available in Advanced Filters for System Log

Admins can now filter using new Advanced Filters operators:

  • ends with

  • not equal

  • is present (value exists)

  • greater than

  • greater than or equal to

  • less than

  • less than or equal to

Additionally, admins can now use the not equal, ends with, and is present operators in the System Log search bar. These operators provide greater flexibility when filtering System Log events. See System Log filters and search.

Agentless Desktop Single Sign-on authentication progress screen updates

Agentless Desktop Single Sign-on (ADSSO) authentication progress screens have been updated to make authorization and verification progress more visible and improve the user experience. See Configure agentless Desktop Single Sign-on.

RADIUS support for EAP-TTLS

The RADIUS agents now support the EAP-TTLS network authentication protocol. See the supported factors section in any RADIUS Integrations. This feature is made available to all orgs.

New Select assignments to convert screen

The addition of a Select assignments to convert screen to the Okta Admin Console makes the conversion of app assignments from individually-managed to group-managed easier. With the click of a button you can now quickly locate, select, and then convert individual users, or convert all eligible assignments. See Convert an individual assignment to a group assignment.

Generally Available Enhancements

TLS certificate update for

The TLS certificate for will be updated beginning on May 6th, 2021, US Pacific Time. The updated certificate will be signed with a new trust chain and Root Certificate Authority (CA) trust anchor. The Root CA will change from the DigiCert High Assurance EV Root CA to the DigiCert Global Root CA. To avoid negative impact and service outages, customers who have a limited or non-standard set of certificates in their trust stores must take action prior to May 6th, 2021. See FAQs.

Email notification settings

Email notification settings for New sign-on, MFA enrolled, and MFA reset are no longer enabled by default for new orgs. This change prevents new orgs from unintentionally sending email notifications to end users. See General Security.

NetSuite integration enhancement

Okta can now import the supervisor/manager ID for an employee from NetSuite, removing the dependency on Active Directory.

OIN Manager supports variable SAML ACS URLs

SAML app integrations that support multiple ACS URLs can now use app instance property variables to create non-static single sign-on URLs in their submissions.

Okta ThreatInsight free trial

Orgs that use free trial editions now see a limited functionality notification in the Okta ThreatInsight Settings section of the Security > General page. See General Security.

End users on new dashboard can request apps

End users can now request an app through the link in the footer of the new Okta End-User Dashboard. To turn this setting on, go to the Okta Admin Console > Applications > Self Service and enable Allow users to email "Technical Contact" to request an app.

Early Access Features

New Features

Customize Okta domains

The ability to customize your Okta domain has now been rolled out to all orgs. With this feature, you can customize your Okta organization by replacing the Okta domain name with your own domain name. This allows you to create a seamless branded experience for your users so that all URLs look like your application. See Custom Domain API.


App Integration Wizard

The App Integration Wizard has been updated with several usability improvements. For quicker access, the wizard is now launched from the Applications page rather than the OIN Catalog (Add Application) page. The platform and sign-on method selection process has been streamlined to remove unnecessary inputs. Help hints in the wizard have been improved to eliminate the need to look up definitions and guidance from the documentation. To save time, trusted origins and group assignment tasks can now be completed as part of the process rather than after the wizard creates the app integration. See Create a new Okta app integration.

Group Push enhancements

Group Push now supports the ability to link to existing groups in NetSuite. You can centrally manage these apps in Okta. This is important because it allows you to set up and push Okta groups into NetSuite instead of recreating them in NetSuite. See About Group Push.


General Fixes


For some orgs, the user activation page didn't display logos correctly if it was accessed through the redirect link in the User Activation email.

OKTA-337030, OKTA-375978, OKTA-378809, OKTA-379613, OKTA-380069, OKTA-380636, OKTA-381076, OKTA-381639

Some orgs that have the Admin Redesign Experience feature enabled had the following issues:

  • Scrolling functionality didn’t work as expected on some pages.

  • The Okta Admin Dashboard reached the rate limit threshold rapidly, causing a failure to load data in the Admin Dashboard widgets.

  • The spotlight search input field had extra padding.

  • Some pages had layout issues.

  • Some dialog boxes had unwanted scrollbars.

  • Some conditions in group rules were unreadable.

  • Group icons weren't display properly on the Group Assignment page.


Self-Service Registration incorrectly appeared in the Directory menu for group admins. This feature is available to super admins only.


The 12-hour timestamp on the Import Monitoring Dashboard didn’t display AM or PM.


The Report Suspicious Activity page didn’t display the geolocation and the IP address of the suspicious request.


Sometimes the public OAuth metadata API responses did not include a Vary: Origin header, resulting in some browsers incorrectly caching the response across Origins.


Some iPhone and iPad users using Okta Mobile couldn’t sign in to Microsoft Teams.


The Okta Workflows app erroneously counted towards an org's app limit.


The Import Safeguard help documentation link on the Directories page was broken.


Some pop-up messages during the OAuth validation process incorrectly had scrollbars.


During creation of a new SPA app integration, the App Integration Wizard incorrectly enabled the Allow Access Token option under the Implicit grant type by default.


Registration Inline Hook sometimes failed during the self-service registration process.


The Applications page in Developer orgs didn't have clear instructions about how to create more custom apps by upgrading to an Enterprise plan.


For some orgs, SAML inline hooks didn’t work as expected.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • AlertLogic (OKTA-380563)

  • Blacklane Car Service (OKTA-380186)

  • Bookmark App (OKTA-377640)

  • DHL Express (OKTA-380565)

  • Fortune (OKTA-380576)

  • ImpactOffice (OKTA-380575)

  • Music Vine (OKTA-380580)

  • mySE: My Schneider Electric (OKTA-375671)

  • Tumblr (OKTA-380562)

  • WordFly (OKTA-380953)

The following SAML app was not working correctly and is now fixed

  • Mimecast Personal Portal v3 (OKTA-381518)


New Integrations

SAML for the following Okta Verified applications

  • Altitude Networks (OKTA-369534)

  • Cerby (OKTA-381104)

  • LogMeOnce (OKTA-376650)

  • Millie (OKTA-378822)

  • Sketchboard (OKTA-377849)

  • Starred (OKTA-379901)

  • Vulcan Cyber (OKTA-366907)

Weekly Updates


Workflows Templates available

Workflows Templates is now available, providing users with access to a searchable catalog of installable Flows that address many common use cases. See Get started with Workflows Templates.

LDAP password reset option

LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Delegated authentication.

LDAP admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset an individual user password.

Windows Device Registration Task, version 1.4.1

This release fixed the following issues:

  • If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
  • An unknown publisher warning appeared after double-clicking the Okta Device Registration MSI file.

Affected customers should uninstall the registration task and install 1.4.1 or later.

See 2.2 — Obtain and install the Device Registration Task and Device Trust for Windows Desktop Registration Task Version History.


Incremental Imports for CSV

Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously been released to Production in 2020.09.0.

Tor Anonymizer recommendation

Admins can see a new HealthInsight recommendation to view failed sign-in rates from IPs categorized as Tor Anonymizer Proxies. Okta recommends using Dynamic Zones to blacklist IPs that are categorized as Tor anonymizer proxies. See and HealthInsight.

Vendor-specific attributes

RADIUS agents now support vendor specific attributes. With this feature, admins can use optional settings to configure vendor specific attributes to include group membership. Note that no agent update is required for this feature. See Configure group response in the following topics:

Salesforce REST OAuth

Admins can now upgrade to the latest version of our Salesforce integration. OAuth authentication will be now used for Provisioning and Imports. See Configure OAuth and REST integration.This feature is currently available for new orgs only.

Password changed notification email

To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.

Generally Available Enhancements

Group Password Policy enhancement

By using Group Password Policies and associated rules, admins can configure and enforce password settings and set account recovery options for groups. See © 2021 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners.. This feature was already released to a subset of orgs, we are now releasing it to all new Preview orgs.

ThreatInsight security enhancements

ThreatInsight enhancements improve detection of credential-based attacks from malicious IPs. See About Okta ThreatInsight.

New features for HealthInsight

  • Administrators can now enable end user email notifications when an end user changes or resets their password. See General Security and HealthInsight.
  • HealthInsight now includes a recommendation for admins to enable Password Changed email notifications if the notification isn't yet enabled for the org. See Password changed notification for end users.
  • HealthInsight now displays a suspicious sign-in count within the recommendation that users enable ThreatInsight in block mode. See Okta ThreatInsight

OAuth Consent enabled as event hook

The event is now eligible for use as an event hook.

Email address change notifications

Users without admin permissions now receive email notifications to confirm an email address change. See Customize an email template.

Office 365 Silent Activation

Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain joined shared Workstations or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.

End-user Welcome emails localized

The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.




People page improvements

The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.

Mobile tab available for mobile-capable apps

The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.

See Enable access to managed mobile apps



Provisioning page UI element change

Drop-down menus on the Provisioning page (General Settings) were standardized.

Group push mapping change

When admins create a group push mapping and link it to a group whose members were imported through another method, those users are now Okta mastered. See About Group Push.

UI element change

Drop-down menus on the Provisioning page (General Settings) are standardized. See Provisioning.



Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access features.

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.