2019.07.0: Monthly Preview release began deployment on July 11
* Features may not be available in all Okta Product SKUs.
Timeout warning added to the Sign-In Widget
A timeout warning has been added to the Sign-In Widget for SMS and Voice Factor enrollment and challenge flows. For more information, see Customize the Okta-hosted sign-in page.
Token expiration window increased to five years
The expiration window of Refresh Tokens can be configured up to five years in custom authorization servers. The minimum expiration is unchanged. For more information, see API Access Management.
Okta Verify factor available for all orgs
ADFS app support for OIDC authentication
The ADFS app now provides support for OIDC authentication. For more information, see Enable Open ID Connect with existing ADFS installations.
Custom Email Template enhancement
To curtail phishing, the custom email template in new free editions of Okta now contains a banner warning recipients of fraudulent free trial users and an email address to report suspicious content. For feature information, see Email and SMS Options.
Okta Browser Plugin for Firefox available from Firefox Add-ons
OPP agent, version 1.3.2
On Premises Provisioning Agent version 1.3.2 supports CSV Directory Integration. For version history, see On Premises Provisioning Agent and SDK Version History.
Generally Available Enhancements
New System Log event for sent emails
A new System Log event has been added to notify admins when an email is sent to a user for verification. When fired, this event contains information about the token lifetime in the
New System Log event for redeemed credentials in an email
A new System Log event has been added to identify when a credential sent in an email to a user has been redeemed, meaning the link was clicked or the code was entered.
When fired, this event contains information about the result and debugData with the action.
Validate service account credentials for Kerberos realm
When configuring the service account credentials for the Kerberos realm, you can now optionally choose to validate these credentials. For more information on Agentless DSSO, see Configure Agentless Desktop SSO.
UI enhancements for Sign-On Policies and Password Policies
When creating a new MFA sign-on policy, the Prompt for Factor option is now selected by default. When creating a new password policy, the option to enforce a password history is now set to the last four passwords by default. For more information about sign-on policies and password policies, see Security Policies.
System Log events for Behavior Settings
New System Log events now appear when creating, deleting, or updating behavior settings.
LDAP agent, version 5.6.1
This version of the agent contains internal improvements. For version history, see Okta Java LDAP agent version history.
Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices
Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices allows you to prevent unmanaged Android devices from accessing enterprise services through browsers and native applications.
Note: This feature requires Okta Mobile 3.14.1 for Android (or later). For details, see Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices.
Okta SSO IWA Web App agent, version 1.13.0
This release of the Okta SSO IWA Web App agent includes bug fixes. For version history, see Okta SSO IWA Web App agent Version History.
Admin report CSV changes
The Administrator report containing information about all admins, their roles, and permissions will now be generated asynchronously. Super admins can generate the report by clicking Request Report, and they will receive an email with a download link when the report is ready. You can enable this change using the Feature Manager. For details, see The Super admin role.
Okta user profile, enforce custom attribute uniqueness
You can enforce attribute uniqueness across your organization for custom attributes in the Okta user profile. You may mark up to 5 custom attributes as requiring uniqueness. For details, see Work with Okta user profiles and attributes.
Early Access Enhancements
Agentless Desktop SSO, feature dependency
If you are using Agentless Desktop Single Sign On, there is now a dependency on Identity Provider Routing Rules. If you do not have Identity Provider Routing Rules enabled, contact Support. For feature details, see Configure Agentless Desktop SSO and Identity Provider Discovery.
New System Log events for Inline Hooks
- Log all Inline Hook response events: All inline hook success and failure events are now logged. Logged events provide context around how the response was used.
- Inline Hook Type events also log the type of Inline Hook.
For more feature information, see Inline Hooks.
New System Log event for ThreatInsight
When ThreatInsight configuration is updated, the System Log now displays a new event to reflect these configuration changes. For more information about this feature, see ThreatInsight.
Sign-In Widget labeling
The Sign-In Widget has been updated to use labels for form fields instead of placeholder text.
Note: This update applies to the default login page. If you are using a custom login page you need to manually upgrade to the 3.0 version of the Widget to get this update.
For more feature information, see Configure a custom Okta-hosted Sign-In page.
The Downloads page incorrectly reported that some agents needed to be upgraded.
Group rules were not applied to reactivated users.
When MULTIPLE_FACTOR_ENROLLMENTS was enabled and MULTIPLE_OKTA_VERIFY_ENROLLMENTS disabled, changing the Okta Verify factor to REQUIRED returned a
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
Amgen FIRST STEP (OKTA-234000)
Bank of America CashPro (OKTA-234532)
Bullhorn Jobscience (OKTA-233305)
Credible Behavioral Health (OKTA-236584)
eFax Corporate Admin (OKTA-232145)
HRConnection by Zywave (OKTA-234054)
Mimecast Personal Portal v3 (OKTA-235247)
Thomson Reuters Legal Tracker (OKTA-228672)
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Twic: For configuration information, see the Twic SCIM Integration Guide.
New SCIM Integration Application
The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:
- Zapier: For Configuration information, see the Zapier User Provisioning with SCIM guide.
SAML for the following Okta Verified applications
SWA for the following Okta Verified applications
A.I.D.A. Virtual Cards (OKTA-229475)
Aquera apps (OKTA-232806):
- AD LDS by Aquera
- Adobe Cloud by Aquera
- ADP Workforce Now by Aquera
- Atlassian by Aquera
- Box by Aquera
- Ceridian Dayforce by Aquera
- Documentum by Aquera
- Fastly by Aquera
- InvisionApp by Aquera
- Jama Software by Aquera
- LaunchDarkly by Aquera
- MongoDB by Aquera
- Runscope by Aquera
- Smartsheet by Aquera
- VividCortex by Aquera
Cision Communications Cloud (OKTA-231151)
Correspondent Hub (OKTA-229741)
Grip On It (OKTA-224027)
Moneris Gateway (OKTA-228650)
Music Vine (OKTA-229245)
National Life Group Agents Login (OKTA-231088)
Nationwide Financial (OKTA-231408)
OneMobile Oath (OKTA-224130)
VPAS Life (OKTA-231407)
Zix Customer Support (OKTA-229476)
A deleted LDAP instance was still visible on the Profile Editor page.
A SCIM Patch request did not handle a 204 No content response as expected.
In some cases, email notification settings for Helpdesk admins were not honored.
Instructions in Okta Verify to upgrade to Push Notifications mistakenly instructed end users to click Edit instead of + (plus) on Android devices.
Using the System Log Advanced Filter feature generated errant rate limit events.
App Integration Fixes
The following SWA app was not working correctly and is now fixed
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Spoke (www.askspoke.com): For configuration information, see Configuring Provisioning for Spoke.
The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:
- FuseLogic: For Configuration information, see Configuring Provisioning for FuseLogic.
- AFAS by FuseLogic: For Configuration information, see Configuring Provisioning from Afas.
- Leapsome: For Configuration information, see User provisioning via Okta from Leapsome.
- HackerRank For Work: For Configuration information, see Setting up SCIM Provisioning with Okta from HackerRank.
- iObeya: For Configuration information, see Configuring user provisioning with Okta from iObeya.
- New Relic (Limited Release): For Configuration information, see Configure SCIM provisioning from New Relic.
- PlusPlus: For Configuration information, see Configuring User Provisioning with OKTA and SCIM from PlusPlus.
SAML for the following Okta Verified applications
InVision V7 (OKTA-227283)
Pathmatics Explorer (OKTA-236215)
Small Batch Learning (OKTA-237044)
Springer Link (OKTA-235129)
SWA for the following Okta Verified applications
Typography Hoefler and Co (OKTA-233903)
Mobile application for use with Okta Mobility Management (OMM) (iOS)
Citrix Netscaler Gateway (OKTA-227497)
Support for LDAP provisioning
With the addition of the following Provisioning Features, Okta's LDAP integrations now closely match the functionality already available to Okta Active Directory (AD) integrations.
Update and deactivate LDAP accounts
For more information, see Provisioning Features.
LDAP settings, user interface changes
The LDAP settings user interface is updated. It is now more consistent with how other application settings are configured. For details, see Configure the Okta Java LDAP Agent: new user interface.
Configure Okta Device Trust for Native Apps and Safari on MDM managed iOS devices
Okta Device Trust for MDM managed iOS devices allows you to prevent unmanaged iOS devices from accessing enterprise services through browsers and native applications:
Note: This feature requires Okta Mobile 5.12 for iOS (or later), available in the App Store beginning February 1st.
Scoping admin privileges, AD and LDAP-mastered groups now supported
Super admins can now scope Group and Help Desk admin privileges to AD and LDAP-mastered groups in addition to Okta-mastered groups. This EA Feature can be enabled in the Feature Manager. For details, see Assign Help Desk admin privileges.
Admin console search
Admins can now use a quick search for the names of end users or apps. However, you only see search results based on what you have admin permission to view. If the user or app you are seeking is listed in the search results, you can click the item to go to the corresponding user page or application page. For details, see Admin console search.
Remove Duo from end user settings
Duo may now be removed from end user settings so that end user enrollment takes place only at sign-in, based on the configured MFA enrollment policy. For more information, see Configuring Duo Security.
LinkedIn IdP Creation Re-Enabled
Creation of LinkedIn Identity Providers has been re-enabled in all Preview Orgs. For more information, see Set up a LinkedIn app.
AD Desktop Single-Sign On, interface changes
The user interface for the Security > Delegated Authentication page used to configure Desktop Single-Sign On has been streamlined. There are no functional changes. For details, see Install and configure the Okta IWA Web agent for Desktop SSO.
App condition for MFA enrollment policy
Admins can now use a new condition when setting a rule for an MFA enrollment policy. When this condition is configured, end users are prompted for factor enrollment when accessing all of their applications or only for those selected by their org admin. For more information, see App Condition for MFA Enrollment Policy.
Okta Browser Plugin reflects real-time app and profile changes in the end user dashboard
The Okta Browser Plugin now reflects the real-time state of the end user dashboard, eliminating the need to refresh the dashboard for the plugin to reflect the latest app and profile changes. This feature is available on Okta Browser Plugin version 5.29.0 or higher. For more information, see About the Okta Browser Plugin.
Incremental import support for LDAP users
LDAP users can now take advantage of incremental imports, eliminating the need for full imports every time. Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import. For details, see Install and Configure the Okta Java LDAP Agent.
Early Access features, auto-enroll
You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access features.
Connecting Apps to Okta using the LDAP Interface
The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. For details, see Using the LDAP Interface.
Identity Provider Discovery
Using Identity Provider Discovery and routing rules, Okta directs users to different identity providers based on certain criteria. These criteria include location, device, the app being accessed, the user's domain, and specific user attributes. For more information, see Identity Provider Discovery.
Apps supporting incremental imports
Workday joins Active Directory and LDAP in the ability to run immediate, incremental imports. Okta strives to add this functionality to more and more provisioning-enabled apps. This feature is currently only available for Preview orgs.
Note: To use this functionality, your org must also have the Workday Incremental Imports (ENG_PROV_WORKDAY_INCREMENTAL_IMPORTS) Early Access feature enabled.