September 2021

2021.09.0: Monthly Production release began deployment on September 7

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Widget, version 5.10.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

MFA Credential Provider for Windows, version 1.3.3

This version includes hardening around certain security vulnerabilities. See Okta MFA Credential Provider for Windows Version History .

Improved new device behavior detection

Stronger signals are now used for the detection of new devices. Devices with web browsers that don't store cookies are treated as new and trusted applications must send a unique identifier for each device as a device token. See Behavior detection. This feature is made available to all orgs.


ThreatInsight default mode for new orgs

For new orgs, the default mode for ThreatInsight is now set to Audit mode. Previously, with no mode set by default, events weren't logged unless Audit mode or Block mode was enabled manually. Now with Audit mode set by default for new orgs, the security.threat.detected event is logged once a malicious request is detected. See Okta ThreatInsight.

OIN Manager enhancements

  • The UI text has been clarified for the group patch batching process in the OIN Manager for SCIM submissions. See the Submit an app integration guide.
  • Partners can now provide multiple support contacts, such as email addresses, support URLs, and phone numbers for customers who need assistance when installing or configuring their app integration. This information is shared with users through the app integration’s details page in the OIN catalog. See the Submit an app integration guide.

PagerDuty SSO Domain Support

Base URL is now used instead of Organization Subdomain for PagerDuty SSO configuration. This enables customers with EU domains to input their URL when they set up SSO.

Updated End-User Dashboard icon for mobile users

The End-User Dashboard icon has been updated for mobile users.

Updated Delete Person and Delete Group dialogs

The Delete Person and Delete Group dialogs now include statements to clarify what is removed when a person or group is deleted. This can include application assignments, sign-on policies, routing rules, and user profiles. This change helps admins better understand the ramifications of deleting people and groups. See Deactivate and delete user accounts and Manage groups.

Early Access Features

New Features

Custom Administrator Roles

The standard admin roles available today don’t always meet all the granular delegated administration requirements, which may result in admins having either more or less permissions than they need.

The Custom Administrator Roles feature allows super admins to:

  • Create admin assignments with granular roles, which include specific user, group, and application permissions.

  • Constrain these admin assignments to resource sets.

Use Custom Administrators Roles to:

  • Increase admin productivity.

  • Decentralize the span of access that any one admin has.

  • Grant autonomy to different business units for self-management.

See Custom Administrator Roles .

Branding now available in the Admin Console

The Okta Brands API was released as support-enabled EA in 2021.08.0. This UI release provides admins and developers with an Admin Console UI to upload brand assets to customize their Okta-hosted pages. The Customizations tab in the Admin Console is also now moved to a top-level menu item in the left-hand navigation, and Branding-related controls have all been moved under it. The Settings > Appearance tab has also been removed, and functionality moved under the Customizations tab for ease of use. See Branding.

OAuth Dynamic Issuer option

An authorization server’s issuer URL can be used to validate whether tokens are issued by the correct authorization server. You can configure the issuer URL to be either the Okta subdomain (such as or a custom domain (such as See Create the Authorization Server.

When there are applications that use Okta’s subdomain and other applications that use the custom domain, the issuer validation breaks because the value is hard-coded to one domain or the other.

With Dynamic Issuer Mode, the issuer value in minted tokens is dynamically updated based on the URL that is used to initiate the original authorize request.

For example, if the authorize request is, the issuer value is

Dynamic Issuer Mode helps with:

  • Split deployment use cases

  • Migration use cases when customers migrate from the Okta domain to a custom domain

  • Support with multiple custom domains

Sort applications on End-User Dashboard

End users can now sort applications alphabetically or by last added on the new Okta End-User Dashboard.

ShareFile REST OAuth

Admins can now upgrade to the latest version of our ShareFile integration. OAuth provides more secure authentication and will be now used for Provisioning and Imports. See Configure ShareFile OAuth and REST integration.


New grant type for native SSO

A new grant type, Token Exchange, is available for Authorization Server configuration. Admins can select the grant type to enable SSO for native apps. For more information see Configure SSO for Native apps.


General Fixes

OKTA-364848, OKTA-364849, OKTA-364921, OKTA-382725, OKTA-382848, OKTA-382907

Some accessibility issues occurred on the Okta End-User Dashboard.


Group Push tasks weren't displayed on the Admin Dashboard.


Custom admins with Manage group permissions could view the Add Rule button on the Groups > Rules tab.


The View IDP Metadata link incorrectly required an active session when application-specific certificates were enabled.


A gap between the deactivation of a contractor and the activation of that user to a full-time employee caused incremental imports for Workday to fail.


On the Directory > Groups page, an icon didn’t appear for the Zendesk application.


Translations weren't provided for some unsuccessful LDAP password update error messages.


Users weren't added to groups when the locale attribute filter was set to equals in the group rule.


If an admin added an app integration but didn't complete the process and subsequently assigned it to a group, then clicking the link for the app integration through the Groups directory opened the Add app integration process instead of the settings page for that app integration.


Sign-in redirect URI requests failed due to wrapping of the designated URI in the Admin Console.


Wildcard OAuth redirect URIs failed if subdomains included underscores.


During an OAuth client lifecycle event, the debug data section of the System Log logged incorrect client IDs.


While loading, the side navigation on the new Okta End-User Dashboard was misaligned.


Some users with a custom domain URL couldn't add or edit resource sets for custom admin roles.


Adding an expiration date macro to the Password Reset email template resulted in an Invalid Expression error.


End users were able to add bookmark apps after their admins configured the App Catalog Setting to allow org-managed apps only.


The number of groups displayed in the Admin Dashboard Overview differed from the correct number of groups reported on the Directory > Groups page.


Text didn't wrap properly in the Note for requester field for app approval requests.

OKTA-425921H, OKTA-425993H

Sometimes, when users signed in to Okta and Agentless Desktop Single Sign-on (ADSSO) was enabled, groups outside of the selected organizational units were retrieved.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Avalara (OKTA-415081)

  • Fisher Scientific (OKTA-422646)

  • Microsoft Volume Licensing (OKTA-420160)

  • Quadient Cloud (OKTA-422635)

  • RescueAssist (OKTA-422643)

  • WeWork (OKTA-423570)


New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Anomalo (OKTA-421527)

  • Paradime (OKTA-420444)

OIDC for the following Okta Verified application:

Weekly Updates

August 2021

2021.08.0: Monthly Production release began deployment on August 9

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Widget, version 5.9.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta solution visible in footer

To help admins identify their Okta solution, the version number in the footer of the Admin Console is now appended with C for Classic Engine orgs and E for Identity Engine orgs. See Identify your Okta solution.

On-Prem MFA agent, version 1.4.4

This version includes bug fixes, security enhancements, and a new version of the Log4J library. See Okta On-Prem MFA Agent Version History.

ADFS Plugin, version 1.7.8

This version includes bug fixes and security enhancements. See Okta ADFS Plugin Version History.

Root signed PIV certificate support

Certificates signed directly from a root CA certificate, with no intermediates, can now be used for Personal Identity Verification (PIV) authentication.

Multiple active user statuses for SuccessFactors integration

Support for multiple active user statuses: When importing users from SuccessFactors into Okta, admins can now select more than one active user status, such as Leave of Absence. See Learn about SAP SuccessFactors Employee Central data provisioning.

Deleted schema property scrubber

All existing data associated with a schema property is now removed when a schema property is deleted. To prevent data corruption, the property cannot be recreated until the existing data is fully removed. Previous data is no longer restored when recreating a deleted schema property with the same definition. This new functionality prevents the corruption of profile data and the associated Elastic search issues. See Add or remove custom directory schema attributes.

This feature will be gradually made available to all orgs.

LDAP agent, version 5.8.0

This version of the agent contains:

  • Password expiry warning support for Oracle Directory Server Enterprise Edition (ODSEE), Oracle Unified Directory (OUD), OpenDJ, and SunOne 5.2 LDAP directory services

See Okta LDAP Agent version history.


New warning for excessive IP addresses

A warning now appears if a gateway or proxy has an IP range with more than 5 million addresses. See Create an IP Zone.

Start time and end time of rate limit windows

The Rate Limit Dashboard now displays the start time and end time of the rate limit window for each data point. This helps you analyze each data point with more granularity. See Rate limit dashboard.

End-User Dashboard styling

On the new Okta End-User Dashboard, text color in the side navigation has been updated. See Enable the new Okta End-User Experience.

OIN Manager enhancements

The Apps for Good category has been added to the selectable categories list. Also, other category names have been adjusted to match those shown in the OIN App Catalog.

OIN App Catalog UI improvements

If available, support contact information now appears on the details page for app integrations.

Early Access Features

New Features

Third-Party Risk

Okta Risk Eco-System API / Third-Party Risk enables security teams to integrate IP-based risk signals to analyze and orchestrate risk-based access using the authentication layer. Practitioners can step up, reduce friction or block the user based on risk signals across the customer’s security stack. Apart from improving security efficacy, this feature also enhances the user experience by reducing friction for good users based on positive user signals. See Risk Scoring.

Custom domain SSL certificate expiration warnings

To prevent service disruptions, Okta now sends admins a warning email 30, 15, and 7 days before their custom domain’s SSL certificate expires. If no action is taken, an expiration notice is sent when the certificate expires. See Configure a custom URL domain.

Okta Brands API

The Okta Brands API allows customization of the look and feel of pages and templates. It allows you to upload your own brand assets (colors, background image, logo, and favicon) to replace Okta's default brand assets. You can then publish these assets directly to the Okta-hosted Sign-In Page, error pages, email templates, and the Okta End-User Dashboard. See Customize your Okta experience with the Brands API.

Token-based SSO between native apps

Single Sign-On (SSO) between browser-based web applications is achieved by leveraging shared cookies. Unlike web applications, native applications can’t use web cookies. With Native SSO, Okta offers a token-based approach to achieve SSO between native applications.

Native SSO allows you to protect native OpenID Connect applications, such as desktop apps and mobile apps, and achieve SSO and Single Logout (SLO) between these applications. See Configure SSO for native apps.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.

Asynchronous Application Reports

When enabled, this self-service feature turns the generation of the Application Usage and the Application Password Health reports into an asynchronous process. Okta generates a report with the results and sends an email to the admin containing a download link for the CSV file. This enhancement is ideal for orgs with large amounts of user activity, as the generated reports can cover a greater range without timing out. See Application Usage report and App Password Health report.


General Fixes


On the Agents page, admins couldn't remove deleted RADIUS agents or hide the ones that weren't in use.


Users were able to make too many attempts to enter an SMS one-time passcode when performing a self-service unlock.


Using an Office 365 thick client to open documents from the SharePoint Server didn't work consistently.


A link was broken on the OIDC Identity Provider profile mapping page.


When updating the provisioning settings for an app integration, some admins had to reload the page because the Admin Console showed a verification message and then stopped responding.


Workflow URLs with the okta-emea subdomain weren’t automatically verified when used as an Event Hook URL.


On the Admin Console Tasks page, the first 10 tasks were duplicated when Show more tasks was selected and 10 or more tasks were already listed.


If an app integration with provisioning enabled was upgraded to support the Push Groups feature, admins were repeatedly prompted to enable provisioning.


The Tasks view was missing from the new Okta End-User Dashboard.

App Integration Fixes

The following SWA apps weren't working correctly and are now fixed:

  • Azure Portal Login (OKTA-411455)

  • Cisco WebEx Meeting Center - Enterprise (OKTA-411543)

  • Matrix Teams (OKTA-415413)


New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified application:

  • Neptune (OKTA-393740)

Weekly Updates

July 2021

2021.07.0: Monthly Production release began deployment on July 12

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Dedicated help sites for Okta products

Three of Okta’s products — Access Gateway, Advanced Server Access, and Workflows — now have their own dedicated help sites:

This enhancement offers direct access to independent online help sites for these products from The new sites provide several benefits:

  • Compactly designed, product-centric content
  • Streamlined navigation
  • More efficient content updates and responsiveness to customer feedback

Okta Device Registration Task, version 1.3.2

This release includes internal code refactoring. You can download this version from the Settings > Downloads section of the Admin Console.

New Domains API response properties available

The Domains API includes the new response object properties of certificateSourcetype and expiration. The certificateSourcetype is a required property that indicates whether the Certificate is provided by the user. The accepted value is Manual. The expiration property on the DNSrecord object is an optional property that defines the TXT record expiration. See Domains API.

Default end-user experience

New orgs, including those created through the org creator API or the website, will have the new end-user experience enabled by default in preparation for the old end-user experience deprecation starting on October 13. Learn more about this migration and other frequently asked questions in our support article.

Disable Import Groups per SCIM integration

Admins can now choose whether or not to import groups with all SCIM integrations. This new option is available when you set up provisioning for a SCIM integration.

Note that you can't disable group imports for an app if:

  • Import New Users and Profile Updates isn't enabled.

  • App Assignments based on Group exist.

  • Group policy rules exist.

  • Group Push mappings exist.

In these cases, an error is displayed.

Nutanix support

Okta Access Gateway customers can now download and deploy the Access Gateway virtual appliance on Nutanix Acropolis Hypervisor (or Nutanix AHV), a hyper-converged infrastructure platform popular among larger organizations. This provides customers with more options for infrastructure services supported by Access Gateway, including AWS, OCI, VMWare, and now Nutanix.

Remove the ability to disable Admin Experience Redesign

You can no longer disable the Admin Experience Redesign feature for your orgs.

Note: This is not applicable for orgs that didn't have Admin Experience Redesign enabled and used the legacy experience until 2021.06.4.

Windows Hello as an MFA factor is not supported for new orgs

Windows Hello as an MFA factor is no longer supported for new orgs. Existing orgs already using this feature can continue using it.

Test custom email templates

Admins can send themselves a test email to see how their custom email templates will look and function. This allows them to validate macro attributes and translations in the customized template and to see how the template will render in different email environments. Sending the test email to their primary email address eliminates their need to create a real end-to-end workflow to test customization. For more information, see Test a customized email template .

Create LDAP group password policies

You can now create group password policies for LDAP sourced users. This gives you the flexibility to provide users with the same password policy requirements as your local LDAP directory, easing the user experience of an LDAP integration with Okta. See About group password policies and Sign-on policies.

Event Hook preview

Event Hook preview lets admins easily test and troubleshoot their Event Hooks, as well as send sample requests without manually triggering an actual event. This means admins can preview the payload of a specific Event Hook type and make sure that it's what they need to move forward before a full deployment to production. See Event Hook Preview.


Workplace by Facebook new custom attribute

Okta now supports the is_frontline custom attribute in Workplace from Facebook. Supporting user type designations enables access for frontline and deskless workers.

OIN App Catalog UI improvements

For each app integration in the OIN App Catalog, the details page has been updated to use tabs that display the overview and the specific capabilities of the app integration. The details page also shows the Capabilities in the side navigation. Clicking a specific capability returns the administrator to the main Add Application page with that capability pre-selected in the filter. When an admin searches for app integrations, the filter is now persistent through category changes or when they refresh the page.

OIN Manager category selections

For app submissions in the OIN Manager, the category designations have been updated to match the categories available in the OIN App Catalog.

Changes to group assignment options for OIDC apps

Admins can create new OIDC applications without assigning them to a group. See Create OIDC app integrations using AIW.

HTML sanitizer for email templates

Velocity-based email templates are now processed by an HTML sanitizer. Templates that don’t conform to the rules of the sanitizer are corrected before they are sent. See Customize an email template.

Email template events

The creation and deletion of email templates are now logged as events in the System Log.

Rate limit violation event logging

Session-user and User rate violation events are now logged as operation-level events instead of org-wide events. This allows you to distinguish between rate limit violations at an org level and individual level.

Updated branding for End-User Dashboard

Okta branding on the Okta End-User Dashboard has been updated.

Early Access Features

New Feature

FIPS compliance for iOS or Android devices

Federal Information Processing Standards (FIPS) compliance is now available for iOS or Android devices. FIPS can be enabled on the Okta Verify configuration page. When FIPS compliance is enabled, admins can be confident that only FIPS-compliant software is used. See Enable FIPS-mode encryption.


OAuth redirect URI wildcards

Admins can now use a wildcard for multiple redirect URI subdomains when configuring OIDC applications. See Create OIDC app integrations using AIW.


General Fixes


When an admin attempted to add an app integration to their org for which the org was not entitled, the error message didn't display the org's edition name.


A user-created on-the-fly app incorrectly appeared on the Tasks page under Number of apps that can have provisioning enabled.


Sometimes the failed-sign-in counter didn’t reset to zero after an end user successfully signed in, which resulted in improper lockouts.


When OpenLDAP was used with delegated authentication, an error message containing unnecessary information appeared if users attempted to change their password and it didn't meet the LDAP complexity requirements.


LDAP import schedules weren't updated when Relative Distinguished Name (RDN) attribute mapping from Okta to LDAP was missing.


New device notifications weren't sent during passwordless sign-in flows.


Group Push for Slack caused group members to be reset and gradually re-added, during which time group members couldn't access the app.


Some deactivated SAML IdP users whose attributes were updated with Just-in-time Provisioning were activated even though the reactivation JIT setting wasn't selected.


Some users were deactivated instead of deleted in Automations.


Sometimes, during SAML app configuration, the metadata link improperly required a sign-in session.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • San Diego Gas and Electric (OKTA-407572)


New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SWA for the following Okta Verified applications

  • Headspace (OKTA-403509)

  • Redprint (OKTA-394718)

  • SCOPE (OKTA-405791)

OIDC for the following Okta Verified applications

Weekly Updates