Production

July 2020

2020.07.0: Monthly Production release began deployment on July 13

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

LDAP agent, version 5.6.6

This release provides the same functionality as release 5.6.5. Some default settings have been updated. See Okta LDAP agent version history.

Reduced LDAP Interface inactive connection time out

The time out for inactive LDAP Interface connections that don't receive LDAP operations has been reduced from 120 seconds to 30 seconds, and they are now disconnected after 30 seconds of inactivity. Connections that receive an LDAP bind operation time out after 120 seconds.

Warning message added to the Import Settings page

A warning message now appears on the Active Directory Import Settings page to warn users that changing the user and group organizational unit settings can result in the deprovisioning of users.

App integration logos

The maximum size for an app integration logo has been increased from 100 KB to 1 MB. For best results, use a PNG file with a minimum resolution of 420 x 120 pixels, with landscape orientation, and with a transparent background.

Terms of Service acceptance required

Terms of Service acceptance is required from the first super admin to initiate access to OCC (Okta Cloud Connect), Developer, and Free Trial editions of Okta.

New Group Membership Admin role

The new Group Membership Admin role grants permission to view all users in an org and manage the membership of groups. See The Group Membership Admin role.

Dynamic authentication context for SAML apps

Admins can configure a custom attribute statement for SAML assertions to send user's authentication context to SAML apps during the app authentication process. The app uses this information to limit access to certain app-specific behaviors and calculate the risk profile for the signed-in user. See Pass Dynamic Authentication Context to SAML Apps.

Prevent web browsers from saving sign-in credentials

You can prevent browsers such as Chrome from saving  an end user's sign-in credentials for Okta as well as for third-party apps accessed through the Okta Dashboard. See Prevent web browsers from saving sign-in credentials.

ASN Support for Dynamic Zones

Admins can now enter ASNs (Autonomous System Numbers) when creating or editing a dynamic zone. See Dynamic Zones.

DocuSign support update

DocuSign now supports workers who have an Activation Sent status in DocuSign.

Schema Discovery for Cornerstone On Demand

The Cornerstone On Demand provisioning app now supports Universal Directory and Schema Discovery. See the Cornerstone On Demand Provisioning Guide.

Profile Mastering and Push can be enabled together

Admins can enable both Profile Master and Push for an app. This allows all Okta-to-App mappings to push, regardless of whether Active Directory is the Profile Master.

OIN Manager supports multiple application submissions

When submitting a new application integration for review by Okta, the OIN Manager now supports multiple concurrent application submissions:

 

Risk Scoring sign-on policy rule

Admins can now set a risk level as part of a sign-on policy rule. Setting a risk level helps determine potential security risks that are associated with an end user when they attempt to sign in to their org. This feature will be gradually made available to all orgs.

see Risk Scoring.

Generally Available Enhancements

Okta Browser Plugin enhancements

The following improvements have been added to the Okta Browser Plugin:

  • The plugin icon displays a green exclamation point (!) to alert users of new plugin features that have been added.
  • The plugin settings highlights new opt-in features when they are made available.
  • In Firefox, the Close tab button, shown to users after granting privacy-related permissions for the Okta Browser Plugin, is removed due to browser limitations.
  • In Chrome, when the Offer to Save Passwords setting is controlled by a group policy, the popover setting to prevent the browser from prompting to save passwords is hidden from end-users.

Inline Hook links to Overview page

In the Okta Admin Console > Inline Hooks page, clicking an Inline Hook now directly opens the Overview page. See Inline Hooks.

File size and file hash information for Okta Active Directory and LDAP agents

File size and file hash information is now provided for the Okta Active Directory and Okta LDAP agents on the Okta Admin Console > Downloads page.

Early Access Features

New Features

Tor Anonymizer recommendation

Admins can see a new HealthInsight recommendation to view failed sign-in rates from IPs categorized as Tor Anonymizer Proxies. Okta recommends using Dynamic Zones to blacklist IPs that are categorized as Tor anonymizer proxies. See Blacklist proxies with high sign-in failure rates.

New RADIUS agent, version 2.13

This version includes security enhancements, a buffer overrun fix, and a dialog title change to the RADIUS Agent installer. See Okta RADIUS Server Agent Version History.

Litmos supports Advanced Custom Attributes

The Litmos provisioning app now supports Advanced Custom Attributes. See Litmos Provisioning Guide.

Enhancements

New Okta End-User Dashboard enhancements

The following improvements have been added to the new Okta End-User Dashboard:

  • A new onboarding flow is available to users who visit the dashboard for the first time. Admins may disable onboarding guides for the new dashboard in the Okta Admin Console > Settings > Customization > Okta User Communication by enabling Opt out of Okta User Communication for this Org.
  • The Quick Access section of the new Okta End-User Dashboard has been renamed as Recently Used. Admins can disable this section for their end users.
  • App names now have a maximum length of two lines.
  • Apps added by admins are now indicated as New on the dashboard before being used for the first time.
  • End users now receive a notification on the dashboard when a new app is assigned to them by an admin.

Fixes

General Fixes

OKTA-290791

Users who switched to a new app section in the Okta Browser Plugin weren't redirected to the top of that section.

OKTA-292056

The percentage listed in messages on the Okta Admin Dashboard occasionally contained an extra percentage symbol.

OKTA-292816

Group membership roles on the Assignments tab didn't reflect the actual membership roles of users in the Confluence app.

OKTA-296301

Users configuring voice call as an MFA factor were redirected to a wrong page if they refreshed the page during the setup.

OKTA-302908

Admins received a 404 error when opening the Rules tab on the Groups page in a new tab.

OKTA-304503

Users repeatedly received prompts to reinstall or update the Okta Browser Plugin regardless of its version and were given false warnings that the plugin was infected or unsafe.

OKTA-304770

The publisher for the Okta Browser Plugin for Internet Explorer was incorrectly listed as Internal Okta CA instead of Okta, Inc. in Internet Explorer > Tools > Manage add-ons.

OKTA-306546

The incorrect plugin version number was displayed for the Okta Browser Plugin in Internet Explorer > Tools > Manage add-ons.

OKTA-306663

Custom string attributes couldn't be updated for NetSuite.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Meraki Dashboard (OKTA-305864)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

New RADIUS integration

The Cisco Meraki RADIUS app is now available.

SAML for the following Okta Verified applications

  • Catalyser (OKTA-304474)

  • Flux (OKTA-306648)

  • InSights (OKTA-296073)

SWA for the following Okta Verified applications

  • Openpath (OKTA-296212)

  • United HealthCare Oxford (OKTA-306125)

OIDC for the following Okta Verified application

Weekly Updates

June 2020

2020.06.0: Monthly Production release began deployment on June 8

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Deprecated metrics removed from the Okta Admin Dashboard

The following aggregated metrics have been removed from the Okta Admin Dashboard:

  • Count users who have never signed in
  • Count users who have signed in
  • Count apps with unused assignments
  • Count unused app assignments

All reports are still available. See The Administrator Dashboard.

Okta Browser Plugin for Internet Explorer, version 5.38.1

This version includes the following:

  • With the Okta Browser Plugin, end users can prevent browsers from prompting to save their sign-in credentials for Okta or any third-party apps accessed through the Okta End User Dashboard. See Prevent web browsers from saving sign-in credentials. Note that this feature is only available in Preview orgs.
  • For the new Okta End-User Dashboard: Search in the Okta Browser Plugin is updated to have the same search accuracy as the Okta End-User Dashboard.
  • Font sizes in the Okta Browser Plugin popover are updated.

See Okta Browser Plugin: Version History.

Okta Browser Plugin: Password Suppression UI changes

The two plugin UI elements that configure blocking browsers from saving passwords are now managed by end users in the plugin popover, and have been removed from the Admin customization settings.

Old UI

New UI

Improvements to the Disconnect People from Active Directory page

In the Okta Admin Console, the Disconnect People from Active Directory page now displays all users and not just those from the first app instance. See Disconnect users from Active Directory.

ODSEE LDAP Support

Okta now supports Oracle Directory Server Enterprise Edition (ODSEE) LDAP integrations with the upgrade to LDAP agent version 5.6.3 and later. See Oracle Directory Server Enterprise Edition LDAP integration reference.

Extensibility Inline Hooks usage metrics

Hook metrics display all successful and unsuccessful executions of enabled Inline Hooks. Admins can use metrics to assess the performance of their hooks and troubleshoot unexpected behavior. See Inline hooks.

Generally Available Enhancements

Improved Risk Scoring model

Risk scoring evaluation has been enhanced to improve the detection of high risk sign-on activity. See Risk Scoring.

Improvements to developer onboarding experience

The Okta developer site has enhanced the onboarding experience for new developers:

  • Added task for customizing developer goals
  • Updated text on the developer profile panel
  • Added numbering to tasks
  • Improved usability and process flow

File size and hash added to Downloads page

The Downloads page now displays the file size and SHA-512 hash for the RADIUS and OPP agents. Admins can use the file size and hash to verify the integrity of the files. See Install and configure the Okta RADIUS Server agent and Okta Provisioning Agent and SDK Version History.

Box integration enhancement

When Box users are deactivated, and the option Transfer user’s files to account user is selected, the following warning is displayed: Caution: Files owned by the user will be inaccessible while they are being transferred. This also means that any shared content owned by the user may be inaccessible to all collaborators during the move. Depending on the volume of content, this operation may take a significant amount of time.

Early Access Features

New Features

Smart Card Authentication

When initially accessing applications using a custom sign-in widget, users have the option to use a PIV/CAC card for authentication. See Identity Providers.

Enhancements

New Okta End-User Dashboard enhancements

  • App cards have been resized to create more spacing and shorten the cards.
  • When an app card is hovered over, a lock icon notifies users if an admin has denied access to that app.

Fixes

General Fixes

OKTA-280844

In some Group Rules, if the User Attribute was very long, the value field didn't display properly.

OKTA-282532

In the new Okta End-User Dashboard, after dragging and dropping an app, end users were scrolled to the top of the dashboard.

OKTA-284835

The new Applications page used the term WS-Fed instead of WS-Federation.

OKTA-292924

User import from Workday failed if a username exceeded 100 characters.

OKTA-299093/299098

The Email as an MFA Factor for Authentication feature was not made available for some orgs when it was released earlier. Some customers who were eligible to use the Email factor with the factor API could not use the Email factor with the authentication API.

OKTA-299102

The Importing People page had the wrong documentation link.

OKTA-300069

When creating an event hook, if Subscribe to events was set to any of the Application life cycle events options, it resulted in the error Invalid list of events provided.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Acorns (OKTA-299038)

  • Adobe.com (OKTA-299039)

  • Aetna Health Insurance (OKTA-301364)

  • AT& T (OKTA-299679)

  • Bitdefender (OKTA-301600)

  • Chase (OKTA-299437)

  • Delighted (OKTA-300045)

  • Expensify (OKTA-299222)

  • iHeartRadio (OKTA-301357)

  • iOvation (OKTA-300980)

  • Jetblue (OKTA-301355)

  • Kace (OKTA-299033)

  • LucidPress (OKTA-300843)

  • Mathworks (OKTA-299040)

  • myuhc - United Healthcare (OKTA-301360)

  • Sophos Partner Portal (OKTA-300844)

  • Staples Advantage (OKTA-297714)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified application

  • Otter.ai (OKTA-298298)

OIDC for the following Okta Verified applications

Weekly Updates

May 2020

2020.05.0: Monthly Production release began deployment on May 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

LDAP agent, version 5.6.5

This version of the agent contains internal improvements, including updating the JDK to Amazon Corretto and eDirectory support. See Okta LDAP agent version history.

Application Lifecycle Event Hook

Application Lifecycle events are now available for use as Event Hooks. See Event Types for a list of Events that can be used with Event Hooks.

Assign users to multiple groups in one group rule

Users can be assigned to multiple groups in one group rule. It is no longer necessary to set up multiple rules for the same criteria to accommodate different groups. See About group rules. This feature is now available for more orgs.

Rate limit behavior for SAML sign-ins

When Just-In-Time provisioning is enabled and the number of users attempting to sign in using SAML or a Social Identity Provider exceeds rate limits, Okta displays a message that it will automatically retry the JIT request after waiting a few seconds.

Disable Import Groups per app

Admins have the option to choose whether groups are included in imports from apps. This new option is available when setting up provisioning for an app.

This feature should be used with care as disabling group imports will have the result of deleting all groups from the app you are configuring. As such, we provide a warning prior to disabling group imports:

Note that you will be unable to disable group imports for an app if the following conditions exist:

  • App Assignments based on Group exist
  • Group policy rules exist
  • Group Push mappings exist

In these cases, an error is displayed.

OIN App Catalog V2 available for Developer Edition and SKU Edition orgs

The enhanced OIN Catalog is now enabled for all new and existing Developer Edition or SKU Edition orgs.

This feature will be gradually made available to all orgs.

Enhancement: MFA phone-number enrollment restricted

End users are now prevented from enrolling premium numbers for SMS and phone multifactor authentication. Premiums numbers are those reserved for various services. In the U.S., they include numbers that begin with a zero or use area codes 900, 911, and 411. Internationally, the following phone-number types are restricted: Audiotext, Carrier selection, National rate, Premium rate, Shared cost, Satellite, and Short Code.

eDirectory LDAP support

Okta now supports eDirectory LDAP integrations with the upgrade to the LDAP agent version 5.6.2 or later. See eDirectory LDAP integration reference.

OUD LDAP Support

Okta now supports Oracle Unified Directory (OUD) LDAP integrations. See Oracle Unified Directory LDAP integration reference.

Deactivated admin users

When a user who has an admin role and privileges assigned to them is deactivated, their admin privileges are revoked. The deactivated user is removed from the Administrators page and from the CSV download list of administrators. See Administrators.

App-level safeguard

To guard against an unusual number of app un-assignments during user import, the admin can set the safeguard to org-level, app-level, or both. See About import safeguards.

This feature will be gradually made available to all orgs.

Generally Available Enhancements

New HealthInsight recommendation and updates

HealthInsight now recommends enabling Okta Verify for MFA. The existing recommendation to enable strong MFA factors now also recommends disabling weaker factors. See HealthInsight.

Copy and paste groups for admin permissions

You can now copy and paste group assignments when creating admin permissions. See Grant admin privileges.

Early Access Features

New Features

Okta RADIUS Server agent, version 2.11.0

This version includes support for EAP-TTLS. See Okta RADIUS Server Agent Version History.

Enhancements

Enhancements to the new Okta End-User Dashboard

The new Okta End-User Dashboard now includes the following enhancements:

  • The Add Apps button has been removed.
  • Apps can be configured to launch automatically after users sign in to Okta.
  • Searches place more relevant options at the top of the search results.
  • Sections can be collapsed or expanded.

Fixes

General Fixes

OKTA-210751

GitHub import into Okta only updated a subset of users.

OKTA-249695

The filter on the Directory > Profile Editor > Apps page didn't work for Org2Org and Bookmark apps.

OKTA-257761

Email templates that contain invalid or unknown expressions didn't display the right error message and were still saved.

OKTA-276226

Application group assignment windows didn't resize correctly when input was added.

OKTA-278184

In some cases, when a large number of groups were assigned to an application, assigning users to these groups took longer than usual.

OKTA-282594

Users couldn't use the arrow keys to navigate through app search results on the new Okta End-User Dashboard.

OKTA-282919

End users using the new Okta End-User Dashboard were incorrectly prompted to install or upgrade the Okta Browser Plugin even if it was IT-managed.

OKTA-284665

CSV files generated in the System Log sometimes incorrectly included carriage returns.

OKTA-284954

Search results were incorrectly sorted when searching for an app on the new Okta End-User Dashboard.

OKTA-286081

When Factor Sequencing was enabled and the authentication policy contained a method set to Password / Any IDP, the sign-in window froze when users reset their password.

OKTA-287673

Some users became stuck in an authentication loop when trying to access an app from the new Okta End-User Dashboard.

OKTA-288389

Some admins received errors when trying to approve app requests from end users made through the new Okta End-User Dashboard.

OKTA-289511

The Smart card sign-in button was visible without a Smart Card Identity Provider configured within the customer org.

OKTA-291259

Some identity providers didn't show up in the Device Identity Provider list when configuring Device Trust.

OKTA-291935

Users were prevented from disabling both app-level and org-level roadblocks.

OKTA-293240

When profile mastering was enabled, the Update application username field under the AD Provisioning settings tab didn't render correctly.

OKTA-294767

The Email as an MFA Factor feature was not made available for some orgs when it was released earlier. We are re-releasing it in 2020.05.0.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 1Password Business (OKTA-291540)

  • 2020 Spaces (OKTA-293863)

  • Airship (OKTA-292749)

  • Bill.com (OKTA-292940)

  • CalPERS (OKTA-294342)

  • Cisco Webes (OKTA-292505)

  • IBM Cloud (OKTA-293426)

  • Sauce Labs (OKTA-292506)

  • Thomson Reuters MyAccount (OKTA-291630)

  • Twitter (OKTA-287886)

  • WP Engine (OKTA-293338)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • ACALL (OKTA-292094)

  • BigChange (OKTA-294316)

  • Freshworks (OKTA-290904)

  • Kintaba (OKTA-291174)

  • Lingotek (OKTA-292197)

  • Mapbox (OKTA-294374)

  • Odo (OKTA-294315)

  • Prezi (OKTA-293858)

  • Seculio (OKTA-293141)

  • Statusbrew (OKTA-292827)

SWA for the following Okta Verified application

  • Spreadshirt (OKTA-291601)

OIDC for the following Okta Verified application

  • FiveToNine: For configuration information, see FiveToNine documentation (note you need appropriate permissions to view this doc).

Weekly Updates