Preview

  Current Upcoming
Production 2020.06.3 2020.06.4 Production release is scheduled to begin deployment on July 6
Preview 2020.07.0

2020.06.4 Preview release is scheduled to begin deployment on July 9

June 2020

2020.06.0: Monthly Preview release began deployment on June 3

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Deprecated metrics removed from the Okta Admin Dashboard

The following aggregated metrics have been removed from the Okta Admin Dashboard:

  • Count users who have never signed in
  • Count users who have signed in
  • Count apps with unused assignments
  • Count unused app assignments

All reports are still available. See The Administrator Dashboard.

Okta Browser Plugin for Internet Explorer, version 5.38.1

This version includes the following:

  • With the Okta Browser Plugin, end users can prevent browsers from prompting to save their sign-in credentials for Okta or any third-party apps accessed through the Okta End User Dashboard. See Prevent web browsers from saving sign-in credentials. Note that this feature is only available in Preview orgs.
  • For the new Okta End-User Dashboard: Search in the Okta Browser Plugin is updated to have the same search accuracy as the Okta End-User Dashboard.
  • Font sizes in the Okta Browser Plugin popover are updated.

See Okta Browser Plugin: Version History.

Okta Browser Plugin: Password Suppression UI changes

The two plugin UI elements that configure blocking browsers from saving passwords are now managed by end users in the plugin popover, and have been removed from the Admin customization settings.

Old UI

New UI

Group push for Active Directory

You can now use group push on the Okta Admin Console to copy groups and their members to Active Directory. See Push groups from Okta to Active Directory.

Okta IWA Web agent Just-In-Time operation failures

When using the Okta IWA Web agent, Just-In-Time (JIT) operations fail when users are disconnected from Active Directory (AD) and the Profile and Lifecycle Mastering settings don’t allow user reactivation. This behavior is expected, and consistent with JIT operations in non-IWA AD environments. See Install and configure the Okta IWA Web agent for Desktop Single Sign-on.

Custom TOTP Factor for MFA

Admins can now enable a custom MFA factor based on the Time-based One-time Password (TOTP) algorithm. See Custom TOTP Factor.

New Group Membership Admin role

The new Group Membership Admin role grants permission to view all users in an org and manage the membership of groups. See Group membership admin role.

Dynamic authentication context for SAML apps

Admins can configure a custom attribute statement for SAML assertions to send user's authentication context to SAML apps during the app authentication process. The app uses this information to limit access to certain app-specific behaviors and calculate the risk profile for the signed-in user. See Pass Dynamic Authentication Context to SAML Apps.

ASN Support for Dynamic Zones

Admins can now enter ASNs (Autonomous System Numbers) when creating or editing a dynamic zone. See Dynamic Zones.

Improved auto-complete functionality

To improve the accuracy and speed of user searches, the auto-complete functionality on the Okta Admin Console administrator pages is updated.

Prevent web browsers from saving sign-in credentials

You can prevent browsers such as Chrome from saving  an end user's sign-in credentials for Okta as well as for third-party apps accessed through the Okta Dashboard. See Prevent web browsers from saving sign-in credentials.

Generally Available Enhancements

Improved Risk Scoring model

Risk scoring evaluation has been enhanced to improve the detection of high risk sign-on activity. See Risk Scoring.

Improvements to developer onboarding experience

The Okta developer site has enhanced the onboarding experience for new developers:

  • Added task for customizing developer goals
  • Updated text on the developer profile panel
  • Added numbering to tasks
  • Improved usability and process flow

File size and hash added to Downloads page

The Downloads page now displays the file size and SHA-512 hash for the RADIUS and OPP agents. Admins can use the file size and hash to verify the integrity of the files. See Install and configure the Okta RADIUS Server agent and On Premises Provisioning Agent and SDK Version History.

Box integration enhancement

When Box users are deactivated, and the option Transfer user’s files to account user is selected, the following warning is displayed: Caution: Files owned by the user will be inaccessible while they are being transferred. This also means that any shared content owned by the user may be inaccessible to all collaborators during the move. Depending on the volume of content, this operation may take a significant amount of time.

Early Access Features

New Features

Improved new device behavior detection

When this feature is enabled, stronger signals are used for the detection of new devices. Devices with web browsers that don't store cookies are treated as new and trusted applications must send a unique identifier for each device as a device token. See  Improved New Device Behavior Detection.

Smart Card Authentication

When initially accessing applications using a custom sign-in widget, users have the option to use a PIV/CAC card for authentication. See Identity Providers.

Enhancements

New Okta End-User Dashboard enhancements

  • App cards have been resized to create more spacing and shorten the cards.
  • When an app card is hovered over, a lock icon notifies users if an admin has denied access to that app.

Fixes

General Fixes

OKTA-280844

In some Group Rules, if the User Attribute was very long, the value field didn't display properly.

OKTA-282532

In the new Okta End-User Dashboard, after dragging and dropping an app, end users were scrolled to the top of the dashboard.

OKTA-284835

The new Applications page used the term WS-Fed instead of WS-Federation.

OKTA-292924

User import from Workday failed if a username exceeded 100 characters.

OKTA-299093/299098

The Email as an MFA Factor for Authentication feature was not made available for some orgs when it was released earlier. Some customers who were eligible to use the Email factor with the factor API could not use the Email factor with the authentication API.

OKTA-299102

The Importing People page had the wrong documentation link.

OKTA-300069

When creating an event hook, if Subscribe to events was set to any of the Application life cycle events options, it resulted in the error Invalid list of events provided.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Acorns (OKTA-299038)

  • Adobe.com (OKTA-299039)

  • Aetna Health Insurance (OKTA-301364)

  • AT& T (OKTA-299679)

  • Bitdefender (OKTA-301600)

  • Chase (OKTA-299437)

  • Delighted (OKTA-300045)

  • Expensify (OKTA-299222)

  • iHeartRadio (OKTA-301357)

  • iOvation (OKTA-300980)

  • Jetblue (OKTA-301355)

  • Kace (OKTA-299033)

  • LucidPress (OKTA-300843)

  • Mathworks (OKTA-299040)

  • myuhc - United Healthcare (OKTA-301360)

  • Sophos Partner Portal (OKTA-300844)

  • Staples Advantage (OKTA-297714)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified application

  • Otter.ai (OKTA-298298)

OIDC for the following Okta Verified applications

Weekly Updates

June 10

Fixes

General Fixes

OKTA-277693

When the Application Entitlement Policy feature was enabled and the admin was prompted to Reapply Mapping for some fields on the App Assignment page, the Username field appeared blank.

OKTA-282323

Editing the single sign-on URL for a custom SAML app sometimes resulted in an internal server error.

OKTA-286106

When the Application Entitlement Policy feature was enabled, some attribute types in the Provisioning tab of an app displayed incorrect values.

OKTA-287941

Group names and descriptions on the Assignments page were incorrectly auto-capitalized.

OKTA-287962

When using Okta Verify for MFA, users received duplicate error messages if they clicked the Verify button without entering a code.

OKTA-287972

Admins using Internet Explorer 11 didn't get user-reported suspicious activity notifications in the Okta Admin Dashboard.

OKTA-305356H

Default settings for the LDAP agent version 5.6.5 were incorrect. To obtain the new, correct default settings, please download LDAP agent version 5.6.6.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Markel Insurance (OKTA-302146)

  • Palo Alto Networks (OKTA-301935)

  • Replicon (OKTA-302143)

  • Sherweb (OKTA-302150)

  • Zscaler (OKTA-301359)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Ally.io (OKTA-300334)

  • Clue (OKTA-299668)

  • VictorOps (Beta) (OKTA-299182)

SWA for the following Okta Verified application

  • CitiDirect BE (OKTA-298279)

OIDC for the following Okta Verified application

June 17

Fixes

General Fixes

OKTA-258780

Admins were unable to properly scroll in the Edit Group Assignment and Edit App User Assignment pop-up windows.

OKTA-285380

When using the override with mapping feature, username was incorrectly editable on the Profile Editor > Edit Mappings > App to Okta page.

OKTA-291912

For end user password resets, the Password is managed by a different application customization option didn't work if a custom URL domain was also configured.

OKTA-299448

When the new provisioning settings UI for Active Directory was enabled on the Active Directory Settings > Assignments tab, the Assign button was incorrectly displayed.

OKTA-299708

Some deactivated end users weren't deprovisioned from their applications.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Bank of America (OKTA-294552)

  • Barracuda Networks (OKTA-303543)

  • General Motors GlobalConnect (OKTA-303400)

  • LastPass (OKTA-303982)

  • Polygon (OKTA-304216)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Greenhouse Recruiting (Subdomain) (OKTA-303238)

  • Kisi Physical Security (OKTA-303807)

  • Pymetrics (OKTA-299069)

  • TeamMood (OKTA-302178)

  • Valotalive (OKTA-298057)

OIDC for the following Okta Verified application

June 24

Fixes

General Fixes

OKTA-292734

The System Log didn't log an entry when a push notification for MFA was sent to a user.

OKTA-297792

When using email as an MFA factor, for some languages the text on the Sign-In page didn't display properly.

OKTA-298362

Workday imports sometimes failed when the Incremental Imports feature was enabled and used with Constrained Security Users (not recommended by Okta) instead of Unconstrained Security Users.

OKTA-301607

The Cancel and Request buttons on the Request Apps dialog in the new Okta End-User Dashboard were placed too closely together.

OKTA-301654

Some icons for MFA factor resets and enrollment policies were outdated.

OKTA-305633

When requests to the /auth/services/devicefingerprint failed, users trying to authenticate got stuck on the Sign-In page.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Nice inContact (OKTA-303178)

Applications

New Integrations

SAML for the following Okta Verified applications

  • aapi (OKTA-303606)

  • Github (OKTA-304435)

  • Go Moment (OKTA-302199)

  • Ironclad (OKTA-305082)

  • ProProfs Knowledgebase (OKTA-297807)

  • Rewatch (OKTA-303581)

  • S&P CapitalIQ (OKTA-300125)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • 1Password Business (OKTA-297855)

OIDC for the following Okta Verified applications

July 1

Fixes

General Fixes

OKTA-289516

When configuring the AWS application with AWS China Connected Accounts, and then trying to save the Provisioning tab settings, the following error was displayed: The security token included in the request is invalid.

OKTA-298403

Users that were assigned custom SAML apps through group assignment incorrectly retained custom attributes in their user profiles after the group was deleted.

OKTA-300720

The interstitial page during the Agentless Desktop SSO sign-in flow incorrectly displayed a server status banner when the server was in read-only.

OKTA-303164

The Using Groups Claim documentation link in the OIDC Application Settings page was outdated.

OKTA-303168

The Learn more documentation link for SAML settings on a SAML app page > General Settings tab was outdated.

OKTA-306103

The password icon for the Okta sign-in widget was inconsistent with the look and feel of other authentication factors.

OKTA-306978

The password icon in the Okta Admin Console was outdated.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • App Store Connect (OKTA-302169)

  • YM Careers Partner (OKTA-304814)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SWA for the following Okta Verified applications

  • Kamer van Koophandel (OKTA-304857)

  • Snap-on B2B (OKTA-285600)

SAML for the following Okta Verified applications

  • Adaptive Shield (OKTA-306991)

  • Charthop (OKTA-305581)

  • Clarizen One (OKTA-306617)

  • Lightstep (OKTA-305088)

  • Segment (OKTA-304217)

  • Spendesk (OKTA-303931)

OIDC for the following Okta Verified applications

MFA for reactivated accounts

End users are now prompted for MFA before landing on the Welcome page if their accounts were reactivated and already enrolled in one or more MFA factors. This feature is currently available to new orgs only.

DocuSign support update

DocuSign now supports workers who have an Activation Sent status in DocuSign.

Schema Discovery for Cornerstone On Demand

The Cornerstone On Demand provisioning app now supports Universal Directory and Schema Discovery. See the Cornerstone On Demand Provisioning Guide.

User Consent for OAuth 2.0 Flows in API Access Management

A consent represents a user’s explicit permission to allow an application to access resources protected by scopes. As part of an OAuth 2.0 or OpenID Connect authentication flow, you can prompt the user with a popup window to approve your app's access to specified resources.

Consent grants are different from tokens because a consent can outlast a token, and there can be multiple tokens with varying sets of scopes derived from a single consent. When an application comes back and needs to get a new access token, it may not need to prompt the user for consent if they have already consented to the specified scopes. Consent grants remain valid until the user manually revokes them, or until the user, application, authorization server or scope is deactivated or deleted.

See User Consent for OAuth 2.0 and OpenID Connect Flows.

Provision out of sync users

If you enable provisioning for an app that already has users assigned to it, Okta can sync these users so they now have provisioning capabilities. See Provisioning in applications.

People page improvements

The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.

Mobile tab available for mobile-capable apps

The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.

See Enable access to managed mobile apps

Risk Scoring sign-on policy rule

Admins can now set a risk level as part of a sign-on policy rule. Setting a risk level helps determine potential security risks that are associated with an end user when they attempt to sign in to their org.

see Risk Scoring.

Incremental Imports for CSV

Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Configure the CSV Directory Integration.

 

Provisioning page UI element change

Drop-down menus on the Provisioning page (General Settings) were standardized.

Group push mapping change

When admins create a group push mapping and link it to a group whose members were imported through another method, those users are now Okta mastered. See About Group Push.

UI element change

Drop-down menus on the Provisioning page (General Settings) are standardized. See Provisioning in applications.

Profile Mastering and Push can be enabled together

Admins can enable both Profile Master and Push for an app. This allows all Okta-to-App mappings to push, regardless of whether Active Directory is the Profile Master.

 

Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access and Beta features .

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. For details, see Using the LDAP Interface.

Identity Provider Discovery

Using Identity Provider Discovery and routing rules, Okta directs users to different identity providers based on certain criteria. These criteria include location, device, the app being accessed, the user's domain, and specific user attributes. For more information see Identity Provider Discovery.