Production

July
June
May
Archive

July 2019

2019.07.0: Monthly Production release began deployment on July 15

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features
Early Access Features
Fixes
Applications

Generally Available Features

New Features

Timeout warning added to the Sign-In Widget

A timeout warning has been added to the Sign-In Widget for SMS and Voice Factor enrollment and challenge flows. For more information, see Customize the Okta-hosted sign-in page.

Token expiration window increased to five years

The expiration window of Refresh Tokens can be configured up to five years in custom authorization servers. The minimum expiration is unchanged. For more information, see API Access Management.

Okta Verify factor available for all orgs

All orgs now have the option to configure and enable Okta Verify as a factor. For more information, see Multifactor Authentication or Okta Verify.

ADFS app support for OIDC authentication

The ADFS appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. now provides support for OIDCOpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, an authorization framework. The standard is controlled by the OpenID authentication. For more information, see Enable Open ID Connect with existing ADFS installations.

Custom Email Template enhancement

To curtail phishing, the custom email template in new free editions of Okta now contains a banner warning recipients of fraudulent free trial users and an email address to report suspicious content. For feature information, see Email and SMS Options.

Okta Browser Plugin for Firefox available from Firefox Add-ons

Okta Browser Plugin version 5.31.0 for Firefox is now available from the Firefox Add-ons. For version history, see Browser Plugin Version History.

OPP agent, version 1.3.2

On Premises ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. AgentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. version 1.3.2 supports CSV Directory Integration. For version history, see On Premises Provisioning Agent and SDK Version History.

Email as an MFA Factor

Email is now available as an MFA factor. See the Email section of Multifactor Authentication for more details.

Prevent end users from choosing commonly used passwords

Admins can restrict the use of commonly used passwords through the group password policy. For more information, see Configuring an Organization-wide Password Policy.

Multifactor Authentication for admins

MFA for Admins allows Super admins to enable mandatory multifactor authentication for all administrators accessing adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. functionality. For details see Authentication. This feature is currently available for new orgs only.

New admin role, Report admin

The Report admin role grants a user read-only access to all reports and the System Log. Report admins do not have edit access to any data. For more information, see The Report admin role.

Reauthentication prompts

All prompts for reauthentication now use the Sign In widget rather than the Classic UI.

Dynamic network zones

You can define dynamic network zones that match IP type and geolocation specifications. For more information, see Network Zones.

Configure a custom Okta-hosted sign-in page

You can customize the text and the look and feel of the Okta-hosted sign-in page using form controls and an embedded HTML editor. When used together with a custom URL domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https). (required) and a custom Okta-hosted error page, this feature offers a fully customized end user sign-in experience hosted by Okta. For details, see Configure a custom Okta-hosted sign-in page.

Configure a custom error page

You can customize the text and the look and feel of error pages using an embedded HTML editor. When used together with a custom URL domain (required) and a custom Okta-hosted sign-in page, this feature offers a fully customized error page. For details, see Configure a custom error page.

LDAP support for Auxiliary Object classes

You can now input a comma-separated list of auxiliary object classes when importing users from LDAPLightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection oriented transfer services.. For more information, see Configuring Your LDAP Settings.

Current Assignments and Recent Unassignments reports added to the Reports page

Current Assignments and Recent Unassignments reports are now linked from the Application Access Audit section of the Reports page. These match the reports available from the Applications tab. For information, see Reports.

Generally Available Enhancements

New System Log event for sent emails

A new System Log event has been added to notify admins when an email is sent to a user for verification. When fired, this event contains information about the token lifetime in the debugData.

New System Log event for redeemed credentials in an email

A new System Log event has been added to identify when a credential sent in an email to a user has been redeemed, meaning the link was clicked or the code was entered. When fired, this event contains information about the result and debugData with the action.

Validate service account credentials for Kerberos realm

When configuring the service account credentials for the Kerberos realm, you can now optionally choose to validate these credentials. For more information on Agentless DSSO, see Configure Agentless Desktop SSO.

UI enhancements for Sign-On Policies and Password Policies

When creating a new MFA sign-on policy, the Prompt for Factor option is now selected by default. When creating a new password policy, the option to enforce a password history is now set to the last four passwords by default. For more information about sign-on policies and password policies, see to Security Policies.

System Log events for Behavior Settings

New System Log events now appear when creating, deleting, or updating behavior settings.

Early Access Features

New Features

LDAP agent, version 5.6.1

This version of the agent contains internal improvements. For version history, see Okta Java LDAP agent version history.

Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices

Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices allows you to prevent unmanaged Android devices from accessing enterprise services through browsers and native applications.

Note: This feature requires Okta Mobile 3.14.1 for Android (or later). For details, see Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices.

Okta SSO IWA Web App agent, version 1.13.0

This release of the Okta SSO IWA Web App agent includes bug fixes. For version history, see Okta SSO IWA Web App agent Version History.

Admin report CSV changes

The Administrator report containing information about all admins, their roles, and permissions will now be generated asynchronously. Super admins can generate the report by clicking Request Report and they will receive an email with a download link when the report is ready. You can enable this change using the Feature Manager. For details, see The Super admin role .

Okta user profile, enforce custom attribute uniqueness

You can enforce attribute uniqueness across your organization for custom attributes in the Okta user profile. You may mark up to 5 custom attributes as requiring uniqueness. For details, see Work with Okta user profiles and attributes.

Early Access Enhancements

Agentless Desktop SSO, feature dependency

If you are using Agentless Desktop Single Sign On, there is now a dependency on Identity Provider Routing Rules. If you do not have Identity Provider Routing Rules enabled, contact Support. For feature details, see Configure Agentless Desktop SSO and Identity Provider Discovery.

New System Log events for Inline Hooks

Log all Inline Hook response events: All inline hook success and failure events are now logged. Logged events provide context around how the response was used.
Inline Hook Type events also log the type of Inline Hook.

For more feature information, see Inline Hooks.

New System Log event for ThreatInsight

When ThreatInsight configuration is updated, the System Log now displays a new event to reflect these configuration changes. For more information about this feature, see ThreatInsight.

Sign-In Widget labeling

The Sign-In Widget has been updated to use labels for form fields instead of placeholder text.

Note: This update applies to the default login page. If you are using a custom login page you need to manually upgrade to the 3.0 version of the Widget to get this update.

For more feature information, see Configure a custom Okta-hosted Sign-In page.

Before:

After:

Fixes

OKTA-215899

The Downloads page incorrectly reported that some agents needed to be upgraded.

OKTA-221328

Group rules were not applied to reactivated users.

OKTA-235794

When MULTIPLE_FACTOR_ENROLLMENTS was enabled and MULTIPLE_OKTA_VERIFY_ENROLLMENTS disabled, changing the Okta Verify factor to REQUIRED returned a 400 error.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Amgen FIRST STEP (OKTA-234000)
Bank of America CashPro (OKTA-234532)
Bullhorn Jobscience (OKTA-233305)
Credible Behavioral Health (OKTA-236584)
eFax Corporate Admin (OKTA-232145)
HRConnection by Zywave (OKTA-234054)
Mimecast Personal Portal v3 (OKTA-235247)
Percolate (OKTA-235361)
Thomson Reuters Legal Tracker (OKTA-228672)
Xfinity (OKTA-234737)

Applications

Application Updates

The following partner-built provisioningThe Provisioning features of some OIN apps are built by a third-party, typically the vendor of the app product or service. These features are Okta Verified through a rigorous Okta review process. Partners-Built EA: Partner-Built EA application features have been verified and tested by Okta but may not have been deployed or used by a customer in an Okta production environment. We recommend that you fully test these integrations for your own provisioning use-cases before deploying in production for your end users. Okta Verified: A Partner-built EA application becomes Okta Verified after a customer has verified the integration in production. integration app is now Generally Available in the OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs. as partner-built:

Twic: For configuration information, see the Twic SCIM Integration Guide.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

Zapier: For Configuration information, see the Zapier User Provisioning with SCIM guide.

SAML for the following Okta Verified applications

Panorays (OKTA-233837)
Teamie (OKTA-233564)

SWA for the following Okta Verified applications

A.I.D.A. Virtual Cards (OKTA-229475)
Aquera apps (OKTA-232806):
- AD LDS by Aquera
- Adobe Cloud by Aquera
- ADP Workforce Now by Aquera
- Atlassian by Aquera
- Box by Aquera
- Ceridian Dayforce by Aquera
- Documentum by Aquera
- Fastly by Aquera
- InvisionApp by Aquera
- Jama Software by Aquera
- LaunchDarkly by Aquera
- MongoDB by Aquera
- Runscope by Aquera
- Smartsheet by Aquera
- VividCortex by Aquera
Avery (OKTA-228198)
Cision Communications Cloud (OKTA-231151)
Coalfire (OKTA-228801)
Correspondent Hub (OKTA-229741)
Grip On It (OKTA-224027)
Jackson (OKTA-231411)
Moneris Gateway (OKTA-228650)
Music Vine (OKTA-229245)
National Life Group Agents Login (OKTA-231088)
Nationwide Financial (OKTA-231408)
OneMobile Oath (OKTA-224130)
PerfectServe (OKTA-230812)
Structural (OKTA-229603)
TIAA (OKTA-231409)
VPAS Life (OKTA-231407)
Zix Customer Support (OKTA-229476)

June 2019

2019.06.0: Monthly Production release began deployment on June 10

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features
Early Access Features
Fixes
Applications
Weekly Updates

Generally Available Features

New Features

Matching imported users

When you import users, you now can set up Okta rules to match any attribute that is currently mapped from an AppUser profile to an OktaUser profile. This helps you sync identities across systems and determine whether an imported user is new or if the user profile already exists in Okta. For more information, see Match imported users.

Location zones support blacklisting

You can blacklist an entire location zone to prevent clients in the zone from accessing any URL for your org. For more information on zones, see Networks.

LDAP support for Auxiliary Object classes

You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. For more information, see Configuring Your LDAP Settings.

New macOS Device Trust Registration Task, version 1.2.1

This release provides the following:

The enrollment process is halted if the default keychain is unavailable for some reason (for example, is corrupted or missing). This ensures that end users are not prompted to reset the keychain.
An improved Registration Task update process ensures that enrolled devices are not inadvertently unenrolled in the event the update itself fails.
Provides support for a query allowing admins to determine which version of the Registration Task is installed on the device.

For details, see Device Trust for macOS Registration Task Version History.

New Windows Device Trust Registration Task, version 1.3.1

This release includes the following:

Improved handling of private keys to ensure successful certificate renewal.
To fix an issue in earlier versions where a failed certificate renewal could leave computers in a bad state, this version allows admins to trigger certificate renewal on a per-computer basis. For details, see Force certificate renewal in some circumstances.

For version history, see Device Trust for Windows Desktop Registration Task Version History.

Okta Windows Credential Provider, version 1.1.4

This version contains bug fixes and general improvements

For more details, see Okta Credential Provider for Windows.

Okta Browser Plugin version 5.29.0 for all browsers

This version includes the following:

Quick Access apps tab (currently available as Early Access)
Real time reflection of apps and profile changes in the end-user dashboard (currently Generally Available for Preview orgs)
Back-end enhancements

For more information, see Allow end-users to quickly access apps.

Generally Available Enhancements

Password policy default for new orgs

The default password policy for new orgs is updated to enforce that a password may not be reused if it matches one of four previously used passwords. For more information, see Security Policies.

Early Access Feature Manager enhancement

The EA Feature Manager now displays a dialog box detailing any known limitations for that Early Access feature. Admins will be prompted to acknowledge they have read and accept these limitations. For more information, see Manage Early Access features .

Aquera apps timeout increased

We have increased the SCIMSystem for Cross-domain Identity Management (SCIM) is an open standard that allows for the automation of user provisioning. It was created in 2011 as it became clear that the technology of the future would be cloud-based. SCIM communicates user identity data between identity providers (such as companies with multiple individual users) and service providers requiring user identity information (such as enterprise SaaS apps). In short, SCIM makes user data more secure and simplifies the user experience by automating the user identity lifecycle management process. API timeout value for Aquera and Aquera (Basic Auth) apps to 5 minutes.

Okta Sign-on widget improvements

The look and feel of the Okta Sign-on Widget has been improved for accessibility and readability.

Early Access Features

New Features

DocuSign Provisioning enhancement

Users created in DocuSign with a status of ActivationSent couldn't be provisioned in Okta until now. This feature adds support to link such users in Okta while provisioning. For more provisioning information, see the DocuSign Provisioning Guide.

Allow end users to quickly access everyday apps

End users can find recently used apps in a separate Quick Access section on their dashboard as well as in the Quick Access tab from the Okta Browser Plugin. For more information, see Allow end-users to quickly access apps.

Incremental Imports for CSV

Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Configure the CSV Directory Integration.

LDAP agent, version 5.6.0

This version of the agent contains internal improvements. For version history, see Okta Java LDAP agent version history.

System Log event for Agentless Desktop SSO configuration updates

When changes are made to the Agentless DSSO configuration, the System Log tracks the action as shown below. For more information on Agentless Desktop SSO, see Configure Agentless Desktop SSO.

System Log event for Kerberos realm settings

When changes are made to the Kerberos realm settings, the System Log tracks the action as shown below. This event also indicates the initiator of the event and the current setting for Kerberos Realm. For more information on Agentless Desktop SSO, see Configure Agentless Desktop SSO.

System Log event for Agentless Desktop SSO redirects

When Agentless Desktop SSO redirects to the IWA SSO agent or the default Sign In page, the System Log tracks the action as shown below. For more information on Agentless Desktop SSO, see Configure Agentless Desktop SSO.

Early Access Enhancements

Updated labels in Device Trust enablement flow for Integration types

Some labels in the Admin Console for Device Trust enablement are updated to align with changes in partner branding. Existing functionality is unaffected by this update. For details, see Desktop Device Trust.

Web Authentication security key enrollment

Admins may now enroll a WebAuthn security key on behalf of their end users through user profile settings. For more information about MFA and WebAuthn, see Web Authentication (FIDO2) .

Fixes

General Fixes

OKTA-145726

Admins were able to enter more than one name into the Add Administrator dialog box.

OKTA-198019

Okta didn't push the user reactivation to Salesforce when a user was reassigned to the application in Okta.

OKTA-214457

Report admins were able to view the Directory > People tab.

OKTA-218387

Super admins were able to assign Org admin notifications to include Rate limit warning and violation emails.

OKTA-222666

When a user was mastered by both LDAP and AD, group rules that are dependent on the second master's group membership weren't triggered.

OKTA-225931

Inline hooks weren't called when importing data using a CSV Directory integration.

OKTA-227137

In the Device Trust set up for iOS and Android, the Reset Secret Key dialog box was too wide.

OKTA-227449

When using Internet Explorer to view Step 2 of the Device Trust Setup wizard in the Admin Console, the Previous button was missing.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Airbnb (OKTA-223490)
Atlassian Jira Service Desk (OKTA-225796)
Butler University (OKTA-225109)
Comerica Business Connect (OKTA-228368)
Corporate Traveler (OKTA-228370)
Curalate (OKTA-228373)
Go365 (OKTA-229492)
HighBond (OKTA-228038)
HM Revenue and Customs (HMRC) (OKTA-229496)
Hyatt Legal Plans (OKTA-229498)
InVision (OKTA-227444)
Lifeworks (OKTA-225685)
Lucky Orange (OKTA-228407)
Okta Help Center (OKTA-229494)
PowerDMS (OKTA-228367)
Safari Online Learning (OKTA-228404)
Schwab StockPlanManager (OKTA-226694)
Sonic Boom (OKTA-229495)
Squarespace V5 (OKTA-228400)
The Trade Desk (OKTA-219683)
TigerText (OKTA-229690)

The following SAML apps were not working correctly and are now fixed

HighBond (OKTA-228037)
Service-Now UD (OKTA-210568)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

TOPdesk Person by FuseLogic: For configuration information, see The TOPdesk Person Configuration Guide.
TOPdesk Operator by FuseLogic: For configuration information, see The TOPdesk Operator Configuration Guide.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

SalesLoft: For Configuration information, see the SCIM Guide for SalesLoft - Okta.

SAML for the following Okta Verified applications

Bamboo by miniOrange (OKTA-225331)
Chargebee (OKTA-228025)
COR (OKTA-223779)
Fisheye/Crucible by miniOrange (OKTA-225341)
MindTouch (OKTA-222766)
QuestionPro (OKTA-229101)
StatusHub Admin (OKTA-228032)
Synerion Enterprise (OKTA-229100)

SWA for the following Okta Verified applications

Barracuda Email Security Service (OKTA-223499)
Constellation Energy Manager (OKTA-217426)
Greenbyte Breeze (OKTA-226657)
ISACA (OKTA-220349)
NetFortris HUD Web (OKTA-221616)
Techsmith (OKTA-221549)
UHOne Broker Portal (OKTA-224243)

Weekly Updates

2019.06.1: Update 1 started deployment on June 17

Fixes

General Fixes

OKTA-207466

When locked-out user emails were sent to all admins, not just those able to unlock the users, the emails did not include user information.

OKTA-218823

When editing an existing Device Trust configuration using the new mobile Device Trust wizard, the Mobile device management provider field was blank instead of containing the vendor name.

OKTA-219430

When using the Radius app for authentication, after the initial push notification, subsequent notifications from Okta Verify listed the incorrect location.

OKTA-220139

The Send test email feature attempted to send emails to admin’s username instead of their email address.

OKTA-221079

Not all zones were displayed in the Exempt Zones search filter when there were more than 10 search results.

OKTA-224052

When users tried to sign in but chose the incorrect PIV card, clicking Retry displayed the Okta 404 error page instead of the custom error page.

OKTA-224158

Trying to access custom apps on Okta Mobile Android browser failed.

OKTA-225869

Group admins were able to add a user to an administrator group upon user creation.

OKTA-226049

If no Device Trust platform was configured in Security > Device Trust, an incorrect message was displayed in the Device Trust section of the Add Rule dialog box when creating a Sign On policy.

OKTA-226145

LDAP provisioning failed when trying to deactivate users in the AD Lightweight Directory Services (LDS) server.

OKTA-226369

The documentation icon and link on the FIDO2 (WebAuthn) factor type page was formatted incorrectly.

OKTA-229440

When a user attempted to reset the Webauthn factor and the reset failed, the wrong error message was shown.

OKTA-229725

Two System Log events were generated instead of one when the name of an Inline Hook was changed.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

HighBond (OKTA-230762)

The following SWA apps were not working correctly and are now fixed

American Express - Work (OKTA-230058)
Appsee (OKTA-230282)
GitHub (OKTA-229516)
PowerDMS (OKTA-230286)
Spiceworks (OKTA-230304)

Applications

New Integrations

SAML for the following Okta Verified application

Way We Do (OKTA-229995)

SWA for the following Okta Verified applications

Amgen FIRST STEP (OKTA-217876)
Apptio (OKTA-223714)
BSPlink (OKTA-224041)
Flightradar24 (OKTA-71196)
GitHub.com (OKTA-229516)
Notion (OKTA-220840)
Snowflake (OKTA-227090)
Synopsys eLearning (OKTA-226662)

2019.06.2: Update 2 started deployment on June 24

Fixes

General Fixes

OKTA-218818

Identity Provider Routing Rules produced unnecessary System Log events.

OKTA-227097

The SMS Usage Report categorized messages to Canada as international instead of domestic.

OKTA-230756

Navigating the System Log and maps generated rate limit warnings and violations.

OKTA-231842

The Windows Hello factor was listed as enabled when only the U2F factor was enrolled.

OKTA-232420

On the Okta Privacy page, information in the Introduction and Contact Us sections was out of date.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

RedLock (OKTA-228626)

The following SWA apps were not working correctly and are now fixed

AT&T Business Direct (OKTA-225556)
Bing Ads (OKTA-230606)
Carta (OKTA-231435)
Commuter Check Direct (OKTA-230032)
Flexential Portal (OKTA-231722)
Intel - Supplier (OKTA-229135)
MyRackspace Portal (OKTA-231264)

Applications

Application Updates

We are updating the names of some app integrations as follows:
- Jira On-premise > Atlassian Jira Server
- Confluence On-premise SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IDP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on a chiclet, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. > Atlassian Confluence Server
- Atlassian Confluence Server > Atlassian Confluence Cloud
- Jira Cloud (Atlassian) > Atlassian Jira Cloud
Tableau Online now supports the following Provisioning features (this is in addition to the other provisioning features that it already supports):
- Update user attributes
- New attribute: Site Role
Users that set up the Tableau Online integration and enabled Provisioning before June 12, 2019 need to follow the steps detailed in the Tableau Online Configuration Guide in order to use this new feature and/or attribute.

New Integrations

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

OrgWiki (SCIM): For Configuration information, see the OrgWiki Okta SCIM Configuration Guide.

SAML for the following Okta Verified applications

Avochato (OKTA-228020)
Stack Overflow for Teams (OKTA-229999)
Whimsical (OKTA-232056)

SWA for the following Okta Verified applications

American Banker (OKTA-227046)
Ivanti Partners (OKTA-228205)

2019.06.3: Update 3 started deployment on July 1

Fixes

General Fixes

OKTA-145001

When a user entered an invalid country code in a user profile, the error message was not specific enough.

OKTA-221804

Reports listing App adminAn app admin can be granted access to all instances of an app, or just specific instances of that application. This allows for more granular access control. application assignments incorrectly displayed All <appname> Apps instead of only the scoped applications that the admin had access to.

OKTA-222453

Org admins were able to access the Getting Started page.

OKTA-224240

End users authenticating with Inbound SAMLWhen Okta is used as a service provider, it integrates with an identity provider outside of Okta using SAML. Inbound SAML allows users from external identity providers to SSO into Okta. into Okta could not edit their profiles from the end-user dashboard.

OKTA-225137

The IWA web app redirected user sessions to the incorrect user when the web app was located behind AWS Network Load Balancer.

OKTA-228723

Updating more than one inline hook field created a System Log entry for each changed field.

OKTA-229765

Sign-in attempts that were prevented by the Pre Authentication Sign-On Policy Evaluation were not identified correctly in the System Log.

OKTA-231465

Searching for groups using the LDAP Interface worked only when the Paged Search option was enabled in the LDAP settings.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Comcast Business (OKTA-229067)
Toggl (OKTA-230708)
CloudAlly (OKTA-232109)
Synopsys eLearning (OKTA-232254)

Applications

Application Updates

We have made the following changes to our OrgWiki SCIM OAuth integration:
- Changed the assignedID attribute to assignedId
- Changed attribute mapping for assignedId attribute from user.employeeNumber to user.email
We have added the following SAML attribute to our Zapier integration:
- Name: internalId, value: user.id
We have added the following SAML endpoints to our Sumologic integration:
- https://service.ca.sumologic.com
- https://service.de.sumologic.com
- https://service.jp.sumologic.com

New Integrations

SAML for the following Okta Verified applications

Jumpstart (OKTA-225579)
ClickUp (OKTA-231641)
Atatus (OKTA-231643)
Auryc (OKTA-231655)
Postman (OKTA-233559)
Cloud Management Suite (OKTA-204349)
ChurnZero (OKTA-207112)
Sigma (OKTA-231716)
BigID (OKTA-231654)

2019.06.4: Update 4 started deployment on July 8

Fixes

General Fixes

OKTA-155522

The Get access with Okta mobile link was underlined inconsistently in webview.

OKTA-205368

When an app sign-on policy rule was set to deny not-in-zone authentications, users who were denied the access were not redirected to the contact admin page as expected.

OKTA-221617

When using the group search API to search based on group names, if the group name contained a %(percentage) symbol the API call failed and returned no value.

OKTA-227706

api/v1/groups endpoint did not return the next page header unless limit was specified and defaulted to 10,000, even when more than 10,000 groups existed.

OKTA-227747

Downloading the list of admins in CSV format from the Devices > Devices tab failed with a 500 error.

OKTA-228245

The default new user activation emails were not formatted correctly when viewed inside Outlook 2016 client on Windows 10.

OKTA-229130

If an app name was bigger than 50 characters, a POST call to /api/v1/meta/schemas/apps/$instanceId/default failed with the error name: The field is too long.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Betterment (OKTA-232680)
GoAnywhere Login (OKTA-233563)
Iheart Radio (OKTA-233013)
Microsoft Office 365 (OKTA-232668)
PlanGuru (OKTA-233010)
ServiceM8 (OKTA-233011)
Shopify (OKTA-231343)
Solarwinds (OKTA-233164)
Udacity (OKTA-233012)

Applications

New Integrations

SAML for the following Okta Verified applications

BigID (OKTA-231654)
New Relic (Limited Release) (OKTA-233359)
SWBC - AutoPilot Portal (OKTA-226704)
Wandera (OKTA-233317)
Zscaler Private Access 2.0 (OKTA-193443)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

Aquera (OKTA-230755)

SWA for the following Okta Verified application

Aquera (OKTA-230755)

May 2019

2019.05.0: Monthly Production release began deployment on May 13

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features
Early Access Features
Fixes
Applications
Weekly Updates

Generally Available Features

New Features

Password Expiry settings for Active Directory

You can specify the password expiry policies for Active Directory for all preview organizations to set the number of days before password expiry when the user receives a warning.

Improved mobile Device Trust enablement flow for admins

The new mobile Device Trust enablement flow uses a 2-step wizard for a clearer, more consistent admin experience. Existing enablement settings are migrated automatically to the new flow, so there's no need for customers with existing Device Trust deployments to change their configuration. For details, see Okta Device Trust for Mobile Devices.

Assign admin privileges to an Okta group

Super admins can now assign Okta admin privileges to Okta groups, making it easier to onboard large numbers of admins quickly. Everyone in the group receives the admin privileges assigned to the group. For details, see Assign admin privileges.

IdP Extensible Matching Rules

IdPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta. extensible matching rules allow you to define a regular expression pattern to filter untrusted IdP usernames. For details, see our IdPs page.

Configure a custom URL domain

You can customize your Okta org by replacing the Okta domain name with a custom URL domain name that you specify. For example, if the URL of your Okta org is https://example.okta.com, you can configure a custom URL for the org such as https://id.example.com. For details, see Configure a custom URL domain.

CSV Directory Integration

The CSV directory integration is a lightweight out-of-the-box option that enables you to build custom integrations for on-premises systems using the Okta On-Premises Provisioning agent. For more information, see Configure the CSV Directory Integration.

Active Directory agent, version 3.5.7

This version of the AD agent includes fixes to close and recreate connection groups and add a retry in response to 502 errors during import.

For agent version history, see Okta Active Directory agent version history.

System Log events for blacklisted countries

When a country is added or deleted from a blacklist, the System Log tracks the action, as shown below. For more information on blacklisting, see Network Security.

Generally Available Enhancements

Accounts locked after ten successive lockouts without a successful sign-in attempt

If an account has ten successive account lockouts followed by auto-unlocks with no successful sign-in attempts, Okta ceases auto-unlocks for the account and logs an event. For more information on account locking, see Security Policies.

Okta SSO IWA Web agent, new version 1.12.3

This version of the Okta SSO IWA Web agent contains internal fixes. For version history, see Okta SSO IWA Web App agent Version History.

UI Improvements for Security Email Notifications

Settings for end user email notifications have been moved to their own section: Security Notification Emails. For more information, see General Security.

WebEx additional attributes

We have added more extensible attributes to the WebEx application. For details, see the WebEx Provisioning Guide.

DocuSign authentication mode change

We are switching the authentication mode of our DocuSign provisioning integration to OAuth. For more information, see the DocuSign Provisioning Guide.

Okta Browser Plug-in version 5.28.0 for all browsers except Internet Explorer

This version includes the following enhancements:

Accessibility improvements
- ARIA attributes for UI elements
- Alt text for logos and images
- Access to controls and tooltips through keyboard
Real-time reflection of the end user dashboard (currently an Early Access feature). For more information, see Browser Plugin Version History.

Early Access Features

New Features

Add Inline Hooks

Admins can now add Inline Hooks from the admin console. Inline Hooks enable admins to integrate custom functionality into Okta process flows. For more information, see Inline Hooks.

ThreatInsight Threat Detection

Admins can now configure ThreatInsight — a new feature that detects credential-based attacks from malicious IP addresses. ThreatInsight events can be displayed in the admin system log and also be blocked once this feature is configured. For more information, see ThreatInsight.

Web Authentication for MFA

Admins can enable Web Authentication as a factor as defined by WebAuthn standards. Web Authentication supports both security key authentication such as YubiKey devices and platform authenticators. For more information, see Web Authentication (FIDO2) .

Early Access Enhancements

Microsoft Intune selection now available in Okta Device Trust for managed iOS devices

Along with other popular MDM options already available for enabling Device Trust, you can now select Microsoft Intune as your MDM provider when you configure the Device Trust solution for Native Apps and Safari on managed iOS devices. While it was possible to configure Intune prior to this change by selecting the Other option, the addition of an Intune option simplifies the implementation. For more about this Okta Device Trust solution, see Enforce Okta Device Trust for Native Apps and Safari on MDM-managed iOS devices.

Note: This notice was updated in 2019.05.1 to more accurately describe this enhancement.

Schema Discovery for Cornerstone On Demand

The Cornerstone On Demand provisioning app now supports Universal DirectoryUniversal Directory enables you to store an unlimited amount of users and attributes from applications and sources like AD or HR systems. Any type of attributes are supported including linked-objects, sensitive attributes, and pre-defines lists. All of it accessible by all apps in our OIN catalog, over LDAP or via API. and Schema Discovery. For more information, see the Cornerstone On Demand Provisioning Guide.

Fixes

General Fixes

OKTA-215983

Email templates translations for MFA Factor Enrolled and MFA Factor Reset did not work when the Thai language was selected.

OKTA-217878

For Self Service app registration for apps with provisioning enabled, when admins changed the Approval setting from Required to Not Required the resulting error message was misleading.

OKTA-218001

System Log entries for Device Trust displayed incorrect spacing for some entries.

OKTA-220849

The SuccessFactors app import API did not work.

OKTA-221717

Routing rules for Identity Provider discovery were ignored when both IWA Desktop SSO and Agentless SSO were enabled.

OKTA-221914

Identity Provider routing rules that set User Matches to User Attribute matches Regex were not evaluated correctly.

OKTA-222256

CSV Directory scheduled incremental imports failed.

OKTA-222632

Admins who manage two groups, one granted via individual assignment, and the other via group assignment, could not assign users from one group into the other.

OKTA-222660

When using the LDAP interface, pagination on groups containing more than 1000 users failed.

OKTA-224104

Users assigned admin roles by group did not get assigned the correct default admin email settings.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Adobe Fonts (OKTA-222877)
Air France (OKTA-223010)
The Australian (OKTA-221618)
FINRA IARD (OKTA-223775)
Keap (OKTA-222416)
LastPass (OKTA-206231)
Metropolitan Bank US (OKTA-222451)
Mimecast Personal Portal v2 (OKTA-221490)
Nationale Nederlanden: Pensioen Service Online for Business (OKTA-222412)
Nextdoor (OKTA-223774)
Nmbrs (OKTA-223801)
Oakland Public Library Catalog (OKTA-222415)
Onfido (OKTA-223804)
Optimal Blue (OKTA-223500)
Plooto (OKTA-223747)
Poll Everywhere (OKTA-223776)
The San Diego Union-Tribune (OKTA-223015)
WhiteHat Sentinel (OKTA-222784)
Wrike (OKTA-223803)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

TeamViewer: For configuration information, see Configure Provisioning for TeamViewer
Zerotek: For configuration information, see the Zerotek SCIM Configuration Guide Instructions.
Drafted: For configuration information, see the Drafted Okta Provisioning (SCIM) Step-by-Step Guide.
Spoke (www.askspoke.com): For configuration information, see Configuring Provisioning for Spoke.

SAML for the following Okta Verified applications

Buildkite (OKTA-215231)
ExpenseIn (OKTA-223019)
FireHydrant (OKTA-221216)
StoriesOnBoard (OKTA-223754)
Syndio (OKTA-221802)
Zoom SAML (OKTA-223027)

SWA for the following Okta Verified applications

Dynatrace (OKTA-221851)
Legislative Tracking System (OKTA-219355)
Park-line (OKTA-222807)
Tax Workflow (OKTA-222999)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

RescueAssist (OKTA-220114)

Weekly Updates

2019.05.1: Update 1 started deployment on May 20

Fixes

General Fixes

OKTA-211631

Active Directory imports failed when federation broker mode was disabled for the app.

OKTA-212278

The Japanese translation of the end-user activation page needed improvement.

OKTA-213647

The System Log advanced search returned a 500 error when processing search terms containing the percent character (%).

OKTA-221535

Admins saw a loop when they enabled Multifactor Authentication for admins with no MFA factor set as Optional or Required in the corresponding MFA policy.

OKTA-221914

In cases where IdP Discovery was enabled, when a routing rule was configured to use User Attribute matches Regex for User Matches, the regular expression would be evaluated improperly.

OKTA-222183

If an Event Hook name was changed after it had been verified, users were asked to verify the Event Hook again.

OKTA-224205

Local users not assigned the RDP app were able to sign in to the app without being prompted for MFA if their user account on the server had rights to connect to RDP sessions and InternetFailOpenOption was set to True. Okta Windows Credential Provider version 1.1.4.0 needs to be downloaded for this fix.

OKTA-225805

The Security > General > Security Email Notifications page briefly displayed incorrect values after the email fields were set to Enabled and then the page was refreshed.

OKTA-225584H

When using the LDAP interface if a soft token was specified as a part of a bind request’s credentials, a push notification may have been erroneously sent to the user’s phone while normal authentication using the soft token was taking place.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

RedLock (OKTA-213155)

The following SWA apps were not working correctly and are now fixed

Cisco (OKTA-218994)
Visual Website Optimizer (OKTA-224230)

Applications

New Integrations

SAML for the following Okta Verified applications

CloudAcademy (OKTA-220845)
Druva 2.0 (OKTA-224318)
PitchBook (OKTA-222083)
Squadcast (OKTA-223018)

SWA for the following Okta Verified applications

CodySoft (OKTA-223598)
iAuditor (OKTA-225943)
Medi-Cal (OKTA-225406)
Saia (OKTA-223491)

2019.05.2: Update 2 started deployment on May 28

Fixes

General Fixes

OKTA-220205

Failed authentication using FIDO factors were counted towards account lockout limit.

OKTA-222410

Mobile admins could not edit native apps despite having necessary permissions.

OKTA-223821

An IWA Auth event was incorrectly triggered in the System Log when a user logged in via Agentless Desktop SSO. The Authenticate User via IWA event has been removed from this flow. No other events in the flow are impacted.

OKTA-224002

Changing the LDAP configuration did not convert the next LDAP incremental import to a full import as expected.

OKTA-226976H

Setting up JAMF failed when testing the API credentials for On-Premises JAMF server that uses SSL certificate signed by by USERTrust RSA Certification Authority.

OKTA-227307

A user identifier condition evaluation for IdP Discovery sometimes returned an HTTP 400 bad request error when either the user or the attribute being evaluated was not found.

OKTA-228350H

When the EA feature, OFFICE365_USE_GRAPH_API_FOR_PROVISIONING was enabled, in certain cases Office 365 groups were deleted during an import.

OKTA-2285347H

Imports from Office 365 failed if the EA feature, OFFICE365_USE_GRAPH_API_FOR_PROVISIONING was enabled.

OKTA-230034H

Agentless Desktop SSO failed to authenticate on misconfigured Chrome browsers, resulting in a 400 Bad Request error.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Boxed (OKTA-226698)
CBT Nuggets (OKTA-226697)
Contract Express (OKTA-225826)
Copper (OKTA-223771)
Customer Service Portal (OKTA-225821)
Mimecast Personal Portal v2 (OKTA-226257)
Nextiva NextOS 3.0 (OKTA-225822)
Prosperworks (OKTA-225823)
Rackspace Admin Control Panel (OKTA-225820)
WP Engine (OKTA-225575)

Applications

Application Updates

The MaestroQA application integration now supports Just In Time (JIT) provisioningusers are created/updated on the fly using the SAML attributes sent as part of the SAML response coming from the Identity Provider. The A user is created during initial login to the Service Provider and updated during subsequent logins. Turning on JIT Provisioning is normally a configuration value in the Service Provider..

New Integrations

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

Syndio: For configuration information, see Syndio SSO Configuration.
Status Hero: For configuration information, see Configuring Okta SCIM Provisioning for Status Hero.

SAML for the following Okta Verified applications

Activaire Curator (OKTA-226658)
Aqua Cloud Security Platform (OKTA-220542)
CallPlease (OKTA-225465)

SWA for the following Okta Verified applications

Cisco Webex Teams (OKTA-221715)
Healthx (OKTA-226236)
Key Travel (OKTA-223497)
Technology Review (OKTA-225508)

2019.05.3: Update 3 started deployment on June 03

Fixes

General Fixes

OKTA-193320

When Agentless Desktop SSO was denied due to Network Zone settings, the default Okta Sign In page was presented instead of defaulting to agent-based Desktop SSO.

OKTA-218719

No more than five applications could be created through the Admin Console for developer production orgs.

OKTA-219246

Users were unable to sign in to Okta when using Chrome browsers on Chromebooks.

OKTA-220360

The Identity Provider (IdP) admin page encountered a rate limit error when there were a large number of IdPs configured and an admin clicked through the list quickly.

OKTA-220640

Deactivated admins were not listed on the Administrators page.

OKTA-222413

Clicking the Resend Activation Email button sent the Password Reset email instead of the User Activation email.

OKTA-225581

The System Log did not log the User account unlock by admin event when a bulk account unlock action was performed by an admin.

OKTA-226272

After an OAuth2 authorize flow, ID Tokens were missing the nonce claim if a routing rule was configured to default to a social IdP.

OKTA-229525H

When a user tried to sign in to an IdP that was set up as a profile masterA profile master is an application (usually a directory service such as Active Directory, or human capital management system such as Workday) that acts as a source of truth for user profile attributes. A user can only be mastered by a single application or directory at any one time. For more details, see the Profile Master page. When users are mastered by attribute, we call this attribute-level mastery (ALM). ALM delivers finer grain control over how profiles are mastered by allowing admins to specify different profile masters for individual attributes. Profile mastering only applies to Okta user profiles, not app user profiles. For more details, see Attribute Level Mastering., it sometimes resulted in incorrectly creating a new user instead of linking to the existing user.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Amazon UK (OKTA-226343)
Bing Ads (OKTA-226105)
IBM Cloud (OKTA-226062)
Northern Trust (OKTA-225827)
Sterling HSA (OKTA-223769)
UBS One Source (OKTA-226305)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

Syndio: For configuration information, see Syndio SSO Configuration Guide.

New Integrations

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

Cybsafe: For configuration information, see CYBSAFE-Okta SCIM App Configuration.
Druva 2.0: For configuration information, see Manage Users from Okta using SCIM.
Snowflake: For configuration information, see Configuring Provisioning for Snowflake.

SAML for the following Okta Verified applications

Aspen Mesh (OKTA-223014)
BitBucket by miniOrange (OKTA-225246)
Confluence by miniOrange (OKTA-225240)
Jira by miniOrange (OKTA-225231)
Juno (OKTA-227096)
productboard (OKTA-225440)

SWA for the following Okta Verified application

GoToMeeting (OKTA-226649)

2019
2018
2017

April 2019

2019.04.0: Monthly Production release began deployment on April 15

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features
Early Access Features
Fixes
Applications
Weekly Updates

Generally Available Features

New Features

Enhanced Group Push for Litmos

Group Push now supports the ability to link to existing groups in Litmos. While this option is currently only available for some apps, we’ll periodically add this functionality to more provisioning-enabled apps. For details about this feature, see Using Group Push.

Schema Discovery for Litmos

The Litmos provisioning app now supports UD and Schema Discovery. For more information, see the Litmos Provisioning Guide.

Enhanced Okta Mobile Security Settings for Android and iOS

Applies to:

Okta Mobile 3.8.1+ for Android
Okta Mobile 5.22.0+ for iOS

From the admin console, you can configure the following security settings for devices running specific versions of Okta Mobile:

Specify the PIN length.
Allow/disallow use of a simple PIN (repeating/ascending/descending numeric sequences).
(Android only) Allow/disallow users taking screenshots, recording videos, or sharing their screen.

For details, see Okta Mobile Settings.

Enhanced search for Group membership rules

You can now search for group rules by name, target groups, and expression conditions. For more information about Group membership rules, see Create group rules.

Change to Reset Password page

When Administrators navigate to Directory > People > Reset Password, the default view is now Locked Out users instead of All. This has been changed for performance reasons. For details, see Reset user passwords.

LDAP Agent, version 5.5.7

This release includes the following:

Bug fixes for incremental import.
A new System Log event fires when the modifyTimestamp attribute in LDAP is null for users or groups, which causes incremental import to be converted to a full import. One event per import session is logged:

For agent version history, see Okta Java LDAP agent version history.

Admin change to org settings requires additional reauthentication

To increase security on admin accounts, additional authentication is required when an admin makes changes to the org's User Account settings (Settings > Customization > User Account). If it has been more than 15 minutes since they last entered their pass- word, the admin is asked to enter their password again to reauthenticate. If multifactor authentication is configured, the admin will be prompted for MFA verification as well. For details, see Customize your Okta org.

New Template App

The Template Two Page Plug-in App has been added to the OIN. This plugin template app enables org admins to create private SWAAn acronym for Secure Web Authentication. SWA is a SSO system developed by Okta to provide single sign-on for apps that don't support proprietary federated sign-on methods or SAML. Users can enter their credentials for these apps on their homepage. These credentials are stored such that users can access their apps without entering their credentials each time. When users first sign-in to a SWA app from their homepage, they see a pop-up message asking if they were able to sign-in successfully. apps for the two-page sign in flow, where the username field is on the first page, and the password field is on the second page. It works much like the Template Plug-in App and Template Plug-in App 3 Fields. For more information about Template apps, see Configure the Okta Template App and Okta Plugin Template App.

Okta Browser Plug-in version 5.27.0 for Chrome and Internet Explorer

This version includes the following enhancements:

For Chrome and Internet Explorer, a keyboard shortcut to open the Okta Browser Plug-in. Users will see a recommendation to use the shortcut when they click on the plugin popover window. This recommendation is only shown once.
For Internet Explorer, you can disable the shortcut in the Registry Editor.
Users can also close Okta Browser Plug-in popups using keyboard shortcuts.
For Chrome, the Okta Secure Web Authentication Plug-in is renamed to the Okta Browser Plug-in.

For more information about these shortcuts, see Keyboard shortcuts for Okta Browser Plugin.

Okta Browser Plug-in version 5.26.2 for Safari

This version includes backend enhancements. For version history, see Browser Plugin Version History

Generally Available Enhancements

EA Feature Manager enhancement

The EA Feature Manager now allows you to more easily discover and enable functional dependencies for EA product features. Any EA product feature with dependencies highlights its dependencies and provides a link to that dependency so that you can enable the dependencies before enabling the EA product feature. For details, see Manage Early Access features

Trust site links renamed to Status

The Trust site links in the Admin footer and error pages have been renamed to Status.

Sensitive values masked

For values of attributes marked as sensitive, the values are masked with asterisks in OpenID Connect and Access Token Preview. For more information on these types of tokens, see Test Your Authorization Server Configuration.

Custom Sign-in Pages can use Sign-in Widget version 2.18

Custom Sign-in Pages can now use Sign-in Widget version 2.18. Selecting the latest option automatically uses 2.18. For more information on the Sign-In Widget, see Okta Sign-in Widget.

Self-service OIDC Apps

OIDC apps are eligible for self-service registration. For more information about self-service registration, see Enable self-service registration.

Amazon AWS app updates

The Amazon AWS app integration has been updated as follows:

Dynamic mapping of multiple accounts/roles within AWS: This feature allows dynamic mapping of multiple accounts/roles within AWS by using group assignments from Okta. For more information, see Connect Okta to Multiple AWS Instances via User Groups. Note that previously this was available as an Early Access feature. This functionality is now available as a option on the Sign On tab.
Join all roles: A new Join all roles option is available on the Amazon AWS app Sign On page that allows admins to specify that AWS SAML uses all roles (users and groups).
Improved security: The Amazon AWS app integration's App Filter application property on the Sign On tab is updated to provide better security and maintainability.

Rate Limits Updated

Okta's API rate limits have been updated: OAuth 2 rate limits were updated and clarified for all orgs. The limit for the api/v1/apps endpoint was updated for Enterprise orgs. For more information, see Rate Limits at Okta.

Enhanced user experience on end user dashboard

This includes the following enhancements:

End-user dashboard UI elements respond better to mobile screen sizes.
Launch App box is available on mobile screens. The dashboard chicletsThe "buttons" that appear on an end user's Home page and represent each application they wish to access through Okta. Clicking the chiclet allows the end user to instantly sign in and authenticate themselves into their chosen app. have a new appearance.

For more information about the dashboard, see Manage dashboard tabs for end users

Early Access Features

New Features

SAML Inline Hook

The SAML Inline Hook enables you to customize the authentication flow by allowing you to add attributes or modify existing attributes in outbound SAML assertions. For details, see our SAML Inline Hook page.

Early Access Enhancements

Automation Policies enhancement

Run Once Automation policies can be optionally run without any conditions. For more information about Automations, see Add a new automation

Fixes

General Fixes

OKTA-191963

Some G Suite license options were missing from the Okta Integration Network.

OKTA-198767

Loading a Custom Sign On Page with a configured Custom Domain returned a 404 error if the web browser was configured with a primary language other than English.

OKTA-207897

When importing user profiles from WebEx, the country code did not convert to the country name.

OKTA-208292

While creating a new contact in the SFDC Customer Portal, Okta provisioning did not search for matching existing Contact objects in Salesforce.

OKTA-208907

When a new LDAP instance was configured, settings related to Delegated Authentication were overwritten.

OKTA-209762

End users could not upgrade from Okta Verify with a One Time Passcode (OTP) to Okta Verify with Push if their org Sign On policy did not prompt for an MFA, but their app Sign On policy did.

OKTA-210250

The lastDownloadToken field in agent logs did not update after incremental imports.

OKTA-210873

When BambooHR was Profile Master, expression mappings were not updated for Office 365.

OKTA-211709

Litmos did not automatically reschedule and import a job once a rate limit was reached.

OKTA-213074

The App Admin role could not be assigned when an org had a significantly large number of deleted apps.

OKTA-213122

Pushing groups from Okta to G Suite failed when group member was already in a group, or had been already removed.

OKTA-213291

When importing users via a CSV file, the Do not create a password and only allow login via Identity Provider option could not be selected.

OKTA-213293

When conducting an import from Workday to Okta, boolean properties were not handled properly and did not map to the actual values.

OKTA-214020

In Agentless Desktop SSO settings, only the first 20 instances were editable.

OKTA-216082

When pushing users from Okta to Salesforce Federated ID, the profile attribute could not be set to not required.

OKTA-218007

Identity Providers did not support matching the user with an Okta username or email when the IdP Extensible Matching Rules feature was enabled.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Amadeus Selling Platform Connect (OKTA-217081)
Amplitude (OKTA-215291)
Answer 1 Zapier (OKTA-215720)
AT&T Cybersecurity (formerly AlienVault) (OKTA-217657)
Atlassian (OKTA-215304)
Basecamp (OKTA-215286)
BB&T (OKTA-217648)
Buffer (OKTA-217890)
CareFirst (OKTA-215296)
CyberSource (OKTA-217636)
FINRA Web CRD (OKTA-215277)
HipChat (OKTA-215244)
IBM Partner World (OKTA-215287)
Loggly (OKTA-215999)
Pacer (OKTA-216799)
RingCentral (OKTA-215283)
Smallpdf (OKTA-217685)
SmartyStreets (OKTA-217661)
T. Rowe Price (OKTA-214661)
TruQu (OKTA-216808)
Vungle (OKTA-215348)
WePay (OKTA-215245)
WP Engine (OKTA-217760)
Yelp Biz (OKTA-215074)
YouCanBook.me (OKTA-215253)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

Idiomatic: For configuration information, see Configuring Provisioning for Idiomatic.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

Infor CloudSuite: For configuration information, see Infor CloudSuite Provisioning for Okta Online Help.
Egnyte: For configuration information, see Configuring Okta SCIM Provisioning for Egnyte.
Fin Analytics: : For configuration information, see Using Okta for Fin SSO.

SAML for the following Okta Verified applications

Area 1 Security (OKTA-216838)
BuiltWith (OKTA-216847)
Kiva (OKTA-215932)
Palo Alto Networks - Aperture (Reverse Proxy) (OKTA-214670)
Workable (OKTA-212879)

SWA for the following Okta Verified applications

American Express vPayment (OKTA-212465)
B of A Automative Dealer Services (OKTA-214379)
BigBlueOnline (OKTA-214709)
BrickFTP for Las Vegas Nevada (OKTA-214142)
Cal Bank Trust (OKTA-213107)
Comcast Payment Center (OKTA-217425)
Connect CDK Global (OKTA-216063)
DigiDip (OKTA-217112)
European Union (OKTA-209889)
FIS E-Banking Services: Generic Login Flow (OKTA-209723)
Frontier Communications (OKTA-214708)
Frontier Communications (OKTA-217302)
FSRS gov Awardees (OKTA-217427)
Greenwaste (OKTA-217198)
IOI Payroll V2 (OKTA-214471)
Leumi Bank UK (OKTA-215922)
Metropolitan Bank US (OKTA-215923)
MyMerrill (OKTA-213642)
Nationale Nederlanden: Pensioen Service Online for Business (OKTA-214224)
Obeo (OKTA-210256)
PNC Foreign Currency (OKTA-215697)
Premium Haystack (OKTA-215438)
Rookout (OKTA-213093)
Schoox (OKTA-215053)
Signature Bank (OKTA-201621)
Silvergate Bank (OKTA-201618)
Ski Data for 2145 Parkplace (OKTA-214361)
Van Lanschot (OKTA-214922)

Weekly Updates

2019.04.1: Update 1 started deployment on April 22

Fixes

General Fixes

OKTA-213061

Group admins scoped to manage a group that was assigned an admin role did not display user or group pages properly.

OKTA-214827

After a SPA OIDC client was created, the Client Authentication method was not displayed in the UI as expected.

OKTA-215691

Adding an IP address to an IP Blacklist Zone from the System Log resulted in a 400 error.

OKTA-215977

When an AD agent connected via proxy, a TLS alert to the proxy caused AD imports to intermittently fail.

OKTA-218083

Search functionality for IDP routing rules failed to get results for apps that contained the "|" pipe character.

OKTA-219226

The enrollment window for MFA U2F used an incorrect CSS that caused the display to be slightly incorrect.

OKTA-221403

There was no space between the app name icon in the app search results on the end user dashboard.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

Miro (OKTA-219464)

The following SWA apps were not working correctly and are now fixed

Expensify (SWA Only) (OKTA-218710)
HM Revenue and Customs (HMRC) (OKTA-218854)
Rabobank Internetbankieren (OKTA-218881)
Sprout Social (OKTA-218711)
The Information (OKTA-218929)
UserVoice (OKTA-218709)
WFX (OKTA-218240)

Applications

New Integrations

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

TOPdesk Operator by FuseLogic: For configuration information, see the TOPdesk operator provisioning integration guide.

SAML for the following Okta Verified applications

Broker Buddha (OKTA-219121)
Celonis (OKTA-217901)
Drafted (OKTA-219407)
Enzyme QMS (OKTA-213382)
Matik (OKTA-218397)
PressPage (OKTA-218318)
RStudio Connect (OKTA-219846)
Trend Micro Apex One as a Service (OKTA-218066)
Zerotek (OKTA-218354)

SWA for the following Okta Verified applications

California Water (OKTA-217189)
Compass PHS (OKTA-207732)
Harland Clarke Checks Center (OKTA-216860)
Lola (OKTA-211494)
New York Magazine (OKTA-215724)
Nexus System Connect (OKTA-215329)
United TranzActions (OKTA-216858)
Westchester Fast Track (OKTA-218185)

2019.04.2: Update 2 started deployment on May 6

Fixes

General Fixes

OKTA-201787

The Okta browser plugin did not work in Chrome for the ALMobile private app.

OKTA-205783

Private apps that were incorrectly categorized as User Directory appeared on the Directory Integrations page.

OKTA-206470

User credentials were not passed to the LastPass app when using Chrome.

OKTA-206749

Super admins could subscribe to org-wide email notifications for admin roles, to which they did not have permission.

OKTA-207909

When setting up a new password, the Change Password button did not become inactive after the first click.

OKTA-210587

The Dashboard displayed links that the following admin roles cannot access: App, Group, Help Desk and API access management admins.

OKTA-210776

The security image on the sign-in page did not load when the username contained a plus (+) character.

OKTA-210869

An App admin assigned permissions through a group role was not able to edit the SAML settings of an app for which they had permission.

OKTA-210961

The Need help signing in link did not have ARIA attributes to indicate its expand or collapse state.

OKTA-211541

When an admin created a user with a password that did not meet the password requirements, the System Log showed a successful Create Okta User event even though the user creation failed.

OKTA-213686

Authorization for an app failed when using a routing rule configured to default to a social identity provider.

OKTA-214203

In some cases, reactivating a user created a duplicate entry in the System Log.

OKTA-214365

Some /authn APIs were missing the Cancel link in their response.

OKTA-215638

The Japanese translation of the password reset restrictions needed improvement.

OKTA-215983

Email templates for MFA Factor Enrolled and MFA Factor Reset did not translate into the Thai language correctly.

OKTA-221657

When IdP Discovery was enabled for some customers, IWA sign-in flows stopped working due to browsers truncating requests in the URL.

OKTA-221667

An App Admin assigned permissions through a group role could only view OpenID Connect apps when creating a new app.

OKTA-221708

Some icons were missing when signing in to the Gmail app using Okta Mobile for Device trust.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

2020 Spaces (OKTA-220169)
ADP Workforce Now (OKTA-221296)
Alabama Power (OKTA-220005)
Avalara (OKTA-218996)
Benefit Resource Inc (OKTA-218390)
Breeze (OKTA-221637)
CAPPS Enterprise Portal (OKTA-219133)
CRG emPerform (OKTA-219139)
Express Xactlycorp (OKTA-220904)
EZPassNY (OKTA-218426)
Harland Clarke Checks Center (OKTA-221646)
Lifeworks (OKTA-219537)
New York Times (OKTA-221218)
Redis Labs (OKTA-221219)
Shopify (OKTA-221653)
SpringCM (OKTA-217660)
T. Rowe Price (OKTA-220319)

Applications

Application Updates

We are switching the authentication mode of our DocuSign provisioning integration to OAuth. For more information see the DocuSign Provisioning Guide.

New Integrations

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

Chorus.ai: For configuration information, see Configuring Provisioning for Chorus.ai.

SAML for the following Okta Verified applications

Braze (OKTA-218398)
Chorus.ai (OKTA-217886)
Fulcrum (OKTA-220635)
Harness (OKTA-219122)
IT-Conductor (OKTA-220627)
MaestroQA (OKTA-220841)
PhraseApp (OKTA-220846)
Zapier SAML (OKTA-219123)
ZenQMS (OKTA-220313)

SWA for the following Okta Verified applications

Adobe Admin Console (OKTA-214878)
Adobe Fonts (OKTA-217129)
BigBlueOnline (OKTA-214709)
Catsy (OKTA-221527)
CFA Institute (OKTA-218957)
Cloud Ranger (OKTA-220214)
Condeco Connect (OKTA-220492)
E-Boekhouden (OKTA-217430)
First Republic Securities (OKTA-217204)
Jaggaer Supplier Support (OKTA-221245)
MD-Staff (OKTA-211897)
my529 Financial Advisor (OKTA-219991)
Outgrow (OKTA-217883)
PG&E (OKTA-217203)
SecureDock (OKTA-220676)
Stratechery (OKTA-217201)
The Trade Desk for Goodway Group (OKTA-218990)
US Plastic (OKTA-220482)

March 2019

2019.03.0: Monthly Production release began deployment on March 11

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features
Early Access Features
Fixes
Applications
Weekly Updates

Generally Available Features

New Features

Security Tips on admin console

Security Tips now appear on the admin console. These tips suggest a list of security features that can be enabled to improve the security posture of an org. For more information, see Security Checklist.

Default sign on rule set to Deny in Client Access Policies for new Office 365 app instances

In Client Access Policies for new Office 365 app instances, the Default sign on rule is now set to Deny access (formerly set to Allow). Additionally, we've provided a rule above the Default sign on rule that allows access to only web browsers and apps that support Modern Authentication. This change is designed to help customers implement more secure policies by default. Note: Existing O365 app instances are unaffected by this change. For more information, see Office 365 Client Access Policies.

Skip importing groups during Office 365 user provisioning

While provisioning Office 365 in Okta, you can choose to skip importing Office 365 user groups and group memberships into Okta. This allows you to focus initially on user provisioning and take care of group assignments later in the deployment process. For more information, see Skip importing groups during Office 365 user provisioning.

Additional Custom Attributes for Webex integration

Our Webex integration is enhanced by adding support several new custom attributes. Okta imports these attributes that you can then map as additional custom properties. For more information see the Webex Provisioning Guide.

System Log enhancement

We’ve enhanced our System Log to take advantage of our new Network Zones feature. Admins can now hover over an IP address that's part of an event and navigate through the series of menus to add that IP address to either the gateway or proxy list of IP addresses.

SCIM App Wizard

Okta supports SCIM (System for Cross-domain Identity Management specification) provisioning for apps created with the Okta App Integration Wizard (AIW).

For more information about SCIM, see SCIM-Based Provisioning Integration. For instructions to enable SCIM for app-wizard apps, see The SCIM App Wizard.

View admin list by role

Super admins can now filter the list of admins by role and type for easier searching.

Social Identity Providers

This feature allows your end users to self-register with your custom applications by first authenticating through their existing social identity accounts, such as Facebook, Google, Yahoo, or LinkedIn. For new users of your custom application, Okta creates a Just In Time (JIT) Okta user profile based on attributes stored in their social profiles.

For more information see Identity Providers.

System Log events for YubiKey Seed

New System Log events have been added when a user uploads or revokes a YubiKey Seed successfully.

System Log events for Active Directory imports

A new System Log event appears when an Active Directory import is converted from an incremental to a full import.

A new System Log event appears when a full Active Directory import is required.

Admin role behavior changes

Admin roles assigned by adding a user to an Admin group can no longer be edited or customized for individual users. To edit or remove admin privileges from a user that were assigned by adding the user to an admin group, you must remove the user from the group. Additionally, if a user has individual admin privileges assigned to them as well as admin privileges they received due to being in an admin group, each admin privilege will be listed separately. The icons indicate whether the privilege was assigned individually or as a result of group membership. For details, see Admin assignment page overview and Assign admin privileges.

Use Expression Language (EL) to map AD attribute to Workplace by Facebook

Okta now uses EL to map manager from AD to the Workplace by Facebook app for all new apps. For more information about Workplace by Facebook provisioning, see the Workplace by Facebook Provisioning Guide.

CPC app operations throttling

To ensure execution of all customers’ provisioning operations in a timely manner, operations for CPC apps are now throttled on a per org basis.

Generally Available Enhancements

Documentation links for Security Checklist

The Security Checklist on the admin console is updated to include documentation links for each setting. For more information about this feature, see Security Checklist.

Region codes updated for network zones

Network zones region codes are updated to adhere to the specifications of the ISO-3166 standard. This update includes changes to region names within Mexico, the Democratic Republic of the Congo, and Czech Republic. For more information about using country and region codes, see Network Security.

Early Access Features

New Features

Okta LDAP agent, version 5.5.5

This release contains:

Support for a configurable number of agent polling threads
Internal fixes

For details, see Okta Java LDAP agent version history and Change the number of Okta LDAP agent threads.

Review prompt on Okta Mobile for iOS

End-users using Okta Mobile on iOS are prompted to provide an App Store rating for the app. When they provide a rating in the app and click Submit, they are taken to the App Store page for the Okta Mobile app to provide more optional feedback about the app. They can click Not now to dismiss the option. For more information, see Review prompt on Okta Mobile (iOS only).

Schedule user imports

When you set up Provisioning to import users from an app or from a CSV directory to Okta, you can set up a schedule for imports at regular intervals on an hourly, daily, or weekly basis. If your app supports incremental imports, then you can set up both full and incremental import schedules. This integration applies to all non-AD and LDAP applications that support imports such as CSV directory, Workday, SuccessFactors, BambooHR, Salesforce, and so on. For more information, see Schedule imports.

Okta On-Prem MFA Agent, version 1.4.0

This release replaces the JRE with the Amazon Corretto 8.0 version of OpenJDK JRE. For the agent version history, see Okta On-Prem MFA Agent Version History.

OIN Manager supports multiple application submissions

When submitting a new application integration for review by Okta, the OIN Manager now supports multiple concurrent application submissions (for new orgs only).

Early Access Enhancements

Custom domain HTTP to HTTPS redirect

Custom domain can redirect from HTTP to HTTPS. For more information about custom domains, see Configure a custom URL domain.

Fixes

General Fixes

OKTA-135037

Disabled users in the Roambi app were incorrectly imported into Okta.

OKTA-205616

The tooltip for username was missing on the Identifier-first login page when using IdP Discovery.

OKTA-205713

The Okta Interstitial page used an incorrect font on Windows OS.

OKTA-205734

The authentication process took more time than expected when the "Permit Automatic Push for Okta Verify Enrolled Users option for the RADIUS application was activated.

OKTA-207282

End-users could not see the Zip Code on the Personal Information page on the end user dashboard despite having read-write permissions.

OKTA-207634

Customers were not properly redirected to the correct JIRA On-Prem instance after updating to JIRA On-Prem version 3.0.7.

OKTA-208446

Updates to the Okta Reporting Path were not saved on the first attempt and failed with errors when configuring API integration for the UltiPro app.

OKTA-209118

When configuring an OPP app with a SCIM connector, authentication headers were sometimes misconfigured.

OKTA-210624

For Desktop Device Trust flows, authentication failures reported in the System Log lacked sufficient detail.

OKTA-211769

When Single Line Prompt was enabled in the Radius app, login using a soft token generated duplicate events in the System Log.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Allegra False Creek (OKTA-211577)
Amazon Web Services (OKTA-200754)
Basecamp (OKTA-210785)
Bitbucket (OKTA-209277)
Citi Velocity (OKTA-211570)
CrazyEgg (OKTA-208795)
Expensify (SWA Only) (OKTA-209343)
Glance (OKTA-211569)
Google AdSense (OKTA-208416)
Meetup (OKTA-208796)
MSCI ESG Manager (OKTA-210231)
SecureMail Cloud (OKTA-210230)
Stamps.com (OKTA-211576)
T. Rowe Price (OKTA-208929)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- WorkRamp: For configuration information, see Configuring SCIM Provisioning for WorkRamp.
- Expensify: For configuration information, see Expensify's Deactivating User's with Okta.
Namely now supports the following Provisioning features (in addition to the Profile Master feature that it already supports):
- Create users
- Update user attributes
For users that have set-up the Namely integration and enabled Provisioning before July 23, 2018, they have to follow the migration steps detailed in the Namely Configuration Guide if they want to use the new feature.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

LogMeIn: For configuration Information, see Configuring Provisioning for LogMeIn Products.
SendSafely: For configuration Information, see Configuring SCIM Provisioning for SendSafely.

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

Zscaler 2.0 (OKTA-210280)

SAML for the following Okta Verified applications

Idiomatic (OKTA-210213)
Stack Overflow Enterprise (OKTA-211271)

SWA for the following Okta Verified applications

1st Global: Identity Server (OKTA-203266)
Amazon Incentives (OKTA-205373)
ClickToTweet (OKTA-206100)
Cumberland (OKTA-202677)
ForeScout (OKTA-203181)
Fremont Bank (OKTA-205715)
GoodHabitz (OKTA-206150)
HR Certification Institute (OKTA-204048)
Johnson & Johnson (OKTA-207334)
LinkedIn Sales Navigator (OKTA-202984)
LivePerson LiveEngage (OKTA-206681)
Lutron (OKTA-206149)
PNC Retirement Directions Participant Login (OKTA-206676)
SagicoreLife: Agent Login (OKTA-202262)
SecurePay (OKTA-210232)
Supermetrics (OKTA-205909)
Template Two Page Plugin App (OKTA-207162)
Texas Mutual (OKTA-207028)
Zscaler 2.0 (OKTA-210280)

Weekly Updates

2019.05.1: Update 1 started deployment on May 20

Fixes

General Fixes

OKTA-184126

Custom domains were incorrectly reserved before being verified.

OKTA-194918H

Password credentials for the Paychex Online app were not inserted into the Password field in Edge browsers.

OKTA-204814

Certain group membership rules to assign AD-mastered users to an Okta group did not remove the users from the group when they were deactivated in AD.

OKTA-207871

Editing certain existing custom SAML app configurations resulted in errors.

OKTA-209615

In some cases, the EA Feature Manager page on the Admin Console had mismatched or empty feature descriptions.

OKTA-211237H

The complex password generator was able to generate passwords in the format of an <html> tag.

OKTA-212828

Resetting Web Authentication from the end user Settings page displayed errors even when the action was successful.

OKTA-212890

The Getting Started page on the Admin Console displayed errors for Internet Explorer 10 users.

OKTA-213551H

Push Group failed for the Zscaler 2.0 app and no Retry task was available in the admin console.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

NetSuite (OKTA-209499)

The following SWA apps were not working correctly and are now fixed

MileIq (OKTA-212466)
Ncontracts (OKTA-209463)
Ray Wenderlich (OKTA-212010)
Sequr (OKTA-212548)
Skillshare (OKTA-211690)
WorkFlowy (OKTA-212464)
WP Engine (OKTA-210832)

Applications

New Integrations

SAML for the following Okta Verified applications

Casetabs (OKTA-212169)
Projector PSA (OKTA-212170)
Sqreen (OKTA-211580)
UWV Employer Portal (OKTA-209228)

SWA for the following Okta Verified applications

Arrowhead Auto: Producer Login (OKTA-203718)
Citi Investor Reporting For Structured Finance (OKTA-194263)
ClinPhone (OKTA-211579)
IDShield Plus (OKTA-207842)
Salt Lake Tribune (OKTA-203950)
Taleo Enterprise User Login (OKTA-211578)
Wright National Flood Insurance Company (OKTA-207916)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

Microsoft Office 365 (OKTA-199395)

2019.03.2: Update 2 started deployment on March 25

Fixes

General Fixes

OKTA-130296

When configuring JIT settings for a social identity provider, the Everyone group could erroneously be selected as one of the Group Assignments.

OKTA-139818

Attempting to set user credentials for an AppUser to a string longer than the permitted maximum length displayed an Internal Server Error instead of a Forbidden message.

OKTA-204598

Some successful MFA events did not appear in the System Log for some Orgs.

OKTA-205976

In some cases, Web Authentication FIDO2 appeared as Windows Hello (Web Authentication) while resetting factors on the Admin Console.

OKTA-209194

First time import of Namely-mastered users into Active Directory failed.

OKTA-209332

An app's Current Assignments report did not autopopulate the app's name even when the report was accessed through the app page.

OKTA-213567

Sometimes Okta Verify took too long to respond back to the browser, resulting in time-outs.

OKTA-214003

Certain invalid state token values caused the AuthN API to return an internal server error.

OKTA-214175

Okta Verify push did not work when authenticating via the LDAP Interface.

OKTA-217033H

The Group Attribute Statements filter could not be saved in a custom SAML App.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Dell Premier (OKTA-213974)
Drift (OKTA-213975)
Fidelity & Guarantee Life (OKTA-213252)
Fitbit (OKTA-213976)
Flurry (OKTA-213977)
IBM Cloud (OKTA-214031)
NoMachine: Workbench (OKTA-210779)
Poll Everywhere (OKTA-213315)
RingCentral (OKTA-213133)
Safari Online Learning (OKTA-213099)
T. Rowe Price (OKTA-212189)

Applications

New Integrations

SAML for the following Okta Verified applications

Automox (OKTA-212528)
HealthKick (OKTA-212505)
Hive (OKTA-213326)
Sapling HR (OKTA-212512)
Workpath Platform (OKTA-213337)

SWA for the following Okta Verified applications

2020 Spaces (OKTA-210855)
Alabama Power (OKTA-211825)
Atlassian Service Desk (OKTA-206555)
BuildingConnected (OKTA-210302)
Cat SIS (OKTA-210839)
CoSchedule (OKTA-210164)
Fidelity Funds Network (OKTA-209733)
Interxion (OKTA-211723)
IOI Payroll V2 (OKTA-210854)
John Deere Service Advisor (OKTA-210838)
LexisNexis Bridger Insight XG (OKTA-195697)
LexisNexis Member Login (OKTA-209424)
Rabobank Internetbankieren (OKTA-209208)
Regus (OKTA-209724)
Rhino3d (OKTA-209991)
Salesforce (force.com) (OKTA-209752)
Steelcase Americas Village (OKTA-207490)
Steelcase Product Reference (OKTA-213961)
Thomson Reuters Practical Law (OKTA-209079)
Traackr (OKTA-210193)

2019.03.3: Update 3 started deployment on April 8

Fixes

General Fixes

OKTA-193430

The German translations for password requirements on the Welcome page and in the Password Reset flow were incorrect.

OKTA-203455

HTML in the Activation Email template did not render properly.

OKTA-204472

The Status box on the Admin Console erroneously displayed non-existent tasks for Group Push mappings.

OKTA-205284

When users tried to access some SAML apps that they were not assigned, they got an incorrect response code.

OKTA-208042

Certificate renewal failures sometimes rendered the existing certificate unusable and Device Trust validation failed until renewal was attempted again and succeeded. Note: This fix requires the New Windows Device Trust Registration Task, version 1.3.1.

OKTA-209139

Features in the Early Access Feature Manager could be disabled even if they had dependent features that were enabled and not in Early Access Feature Manager.

OKTA-210984

The alt text for the logo on the Sign In page was not clear.

OKTA-214498

In some cases the activation token in the Activation Email was valid beyond the set time limit.

OKTA-218084H

GSuite group memberships could not be imported from nested groups. Note that the following feature flags must be enabled: PROV_GOOGLE_USE_ACTUAL_ID_AS_EXTERNAL_ID_FOR_GROUP, PROV_GOOGLE_FIX_GROUP_ID_NESTED. Contact Okta Support for assistance.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Cisco (OKTA-213384)
CCH Intelliconnect (OKTA-214497)
Frontier (OKTA-214713)
myKASTLE (OKTA-214293)
Workable (OKTA-214303)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN:

Abstract: For configuration information, see Configuring SCIM Provisioning for Abstract.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration apps are now available in the OIN as Early Access:

Infor CloudSuite: For configuration information, see Infor CloudSuite Provisioning for Okta Online Help.

SAML for the following Okta Verified applications

CallCabinet Atmos (OKTA-211053)
CareerVillage (OKTA-214516)
Cisco ASA VPN (SAML) (OKTA-196744)
FactSet (OKTA-214985)
Leapsome (OKTA-214515)
Status Hero (OKTA-215230)
Valimail Defend (OKTA-209773)
Zapier SAML (OKTA-214934)

SWA for the following Okta Verified applications

AJ Bell (OKTA-212543)
BSA-E-Filing (OKTA-213447)
Clear Company Krostcpas (OKTA-213476)
Hitachi Visualization Suite (OKTA-212856)
Las Vegas Open Data (OKTA-212857)
Lumity (OKTA-212197)
PricingDirect (OKTA-212352)
Tech Data NL (OKTA-212439)
Tracxn (OKTA-209902)
Valet Living (OKTA-214387)

February 2019

2019.02.0: Monthly Production release began deployment on February 19

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features
Early Access Features
Fixes
Applications
Weekly Updates

Generally Available Features

New Features

PIV Support for MTLS

Authentication for PIV (Personal Identification Verification) now supports the MTLS protocol and may be used once you have whitelisted the following domain: *.mtls.okta.com. For more information about IP whitelisting and Okta domains, refer to Configuring Firewall Whitelisting.

Location-based network zones

Zones can now be defined based on geo-location. For more information on location zones, see Networks.

Remember Device setting enabled by default

As part of sign-on policy rules, admins can now enable by default the setting for end users to not be challenged on the same device again upon sign in. For more information on this feature, see Security Policies.

Support for converting contractors to full time employees in Workday

Added support for converting contractors to full time employees within Workday. For more information see Workday Provisioning Guide.

End-user plugin settings

End users can now configure Okta Plug-in settings directly from the Your Apps menu in their browser. This feature lets end users customize the local behavior of the plugin, and helps end users and admins troubleshoot problems that may occur with the plugin. For details, see Configure the Okta browser plugin (end user settings). This feature is GA for Preview orgs only.

Copy temporary password to clipboard

When resetting a password, admins can copy the temporary password directly to the clipboard by clicking the copy to clipboard icon.

Google Integration updated

Okta's Google social login integration has been updated to account for the deprecation of the Google+ API. More information can be found in our Knowledge Base.

Signature and Digest Algorithms for Template WS-Fed Applications

Template WS-Fed applications can now choose between SHA1 vs SHA256 options for their Signature and Digest Algorithms. In addition, all Template WS-Fed applications will have X.509 certificates signed with SHA256. For more information, see Configuring the Okta Template WS Federation Application.

Okta Plug-in for Safari updated to 5.26.1

The Okta plugin for Safari browsers is updated to version 5.26.1. To meet Apple requirements, Okta built this version of the plugin as an App Extension to replace the legacy .safariextz architecture. This and future versions of the Okta Safari plugin will be available from the Mac App Store. For history, see Browser Plugin Version History

Generally Available Enhancements

Email notifications enabled by default

The setting for sending an email notification to end users who enroll in a new factor or request a factor reset is now enabled by default. For more information, see General Security.

EA Feature Manager feature list expanded

You can now enable Early Access features in the EA Feature Manager that may have other feature dependencies. If you select an EA feature that has a dependency on another feature, you must enable the required feature dependency before enabling your initial selection. For details, see Manage Early Access features .

G Suite Provisioning Guide

Provisioning for G Suite now includes a link to the G Suite Provisioning Guide.

Early Access Features

New Features

Okta Active Directory agent, version 3.5.6

This release includes the following changes:

Back-end changes to improve how the agent refreshes its DNS entries and connects to servers during disaster recovery.
The MaxRetryLimitSleep parameter default is now 8 minutes.
A bug fix resolving group membership issues when a user is created by JIT.

For more information, see Okta Active Directory agent version history.

Okta LDAP agent, version 5.5.4

This release contains internal changes and bug fixes. For more information, see Okta Java LDAP agent version history.

Use Okta MFA for Azure AD Conditional Access and Windows Hello for Business Enrollment

Satisfy Azure AD Conditional Access MFA requirements for your federated Office 365 (O365) app instance.
Enroll end users into Windows Hello for Business.

For more information, see Use Okta MFA to satisfy Azure AD MFA requirements for Office 365.

MFA for ePCS

Okta provides multifactor authentication for the Electronic Prescribing for Controlled Substances (ePCS) system with its integration to Epic Hyperspace, which is the front-end software that launches ePCS. For more information, see Okta MFA for Electronic Prescribing for Controlled Substances (ePCS)

Automations

Automations enable you to quickly prepare and respond to situations that occur during the lifecycle of Okta-mastered end users. You can set up and schedule the following automations to perform actions upon the groups you select:

User inactivity
User password expiration

For more information, see Automations .

Prevent web browsers from saving sign-in credentials

You can prevent browsers such as Chrome from saving an end user's sign-in credentials for Okta as well as for third-party apps accessed through the Okta Dashboard. For more information, see Prevent web browsers from saving sign-in credentials.

Mark Okta user profile attribute as sensitive

Okta now allows Super admins to mark an attribute in the Okta user profile as sensitive, which ensures that no one in Okta can view the information stored in that attribute field. You can also use sensitive attributes in SAML assertions to apps, allowing you to pass these sensitive attributes from the source app through Okta to an upstream app. For details, see Hide sensitive attributes.

Early Access Enhancements

Inline MFA Enrollment for RADIUS Apps

Admins can now either allow or prohibit end users to access resources protected by RADIUS to enroll in MFA while authenticating. For more information, see Configuring RADIUS applications in Okta.

Fixes

General Fixes

OKTA-145565

The response error message included a typo when an invalid 4-byte UTF-8 character (such as an emoji) was input into a text field

OKTA-201017

Sometimes when a Microsoft proxy was used, the proxy IP was displayed as the client IP in the System Log although the policies were enforced on the client IP.

OKTA-201572

End users had difficulty entering an SMS MFA code on the Okta sign-in page because a large portion of the Enter Code field was not clickable.

OKTA-201733

The Early Access feature that allows Okta-mastered users to move across OUs sometimes failed to update the organizational unit for Active Directory users whose account was pushed to Active Directory from Okta and whose AD username (CN) contained one of the following characters: ,\#+<>;"=

OKTA-203163

User profile updates for the Cornerstone app failed if the user already existed in Cornerstone.

OKTA-206191

In some cases group rules dependent on other group rules were not processed properly during user updates.

OKTA-206270

The Identity Provider list did not properly display the Authorize URI and Redirect URI fields.

OKTA-207402

Attempts to apply an app Sign On Policy Rule to users returned a spinning icon. This issue only occurred on Preview orgs.

OKTA-207554

The app Sign On Policy Rule that denied user access was not logged in the System Log’s application.policy.sign_on.deny_access event.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

CyberArk Password Vault Web Access (OKTA-206890)

The following SWA apps were not working correctly and are now fixed

BullsEye Telecom (OKTA-207387)
Easy Projects (OKTA-207086)
Google Data Studio (OKTA-207296)
Infor EAM (OKTA-206680)
Looker (OKTA-206856)
ThinkHR (OKTA-207312)
Visible Equity (OKTA-206845)

Applications

Application Updates

Quick Base now supports the following Provisioning feature:
- Group Push.
For configuration information, see Configuring Okta Provisioning for Quick Base.

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:
- Atlassian Cloud: For configuration information, see Atlassian's Configure User Provisioning with Okta.
- Zoom: For configuration information, see Configuring Zoom with Okta.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

Oracle Cloud Infrastructure: For configuration information, see Oracle Cloud Infrastructure Okta Configuration for Federation and Provisioning.
PlanMyLeave: For configuration information, see PlanmyLeave User Provisioning using SCIM v2.

SAML for the following Okta Verified applications

Boostr (OKTA-203119)
Pavaso (OKTA-207100)
PitchBook (OKTA-206101)
Revivn (OKTA-206671)
Rockset (OKTA-207102)

SWA for the following Okta Verified application

Zywave Home (OKTA-193830)

Weekly Updates

2019.02.1: Update 1 started deployment on February 25

Fixes

General Fixes

OKTA-197013

MFA Factor Reset email template failed to save with a validation error.

OKTA-199716

If the Self Service Registration form included Preferred Language and Country Code attributes, the Registration page did not load.

OKTA-200815

The Report Client IP setting of the RADIUS app did not affect the IP displayed in the Okta Verify Push notification received by the end user.

OKTA-202390

The setting for Dropbox user deactivation type in the application's Provisioning tab was not saved.

OKTA-202836

The number of Adobe Experience Manager groups and roles displayed in Okta was limited to 2000.

OKTA-203199

CSV reports downloaded from the System Log were missing IPChain data.

OKTA-203815

Some Okta accounts were not reactivated properly after related Active Directory accounts were re-enabled.

OKTA-204327

Assigning more than 10 network zones to Agentless Desktop SSO failed with an internal server error.

OKTA-204577

Some admins without appropriate permissions were able to see the Import tab for Directory Integrations.

OKTA-204887

Downloading CSV reports for Current Assignments failed.

OKTA-205714

When a Routing Rule was used with Agentless Desktop SSO or on-premise IWA, and user match criterion was specified, the rule resulted in a failed login flow.

OKTA-208669

Litmos app provisioning failed for some clients using the Australian tenant of the app.

OKTA-209258

Evaluation of some EL expressions resulted in unintended errors.

OKTA-209844

If routing rules and IWA were both enabled, the User matches section for Routing Rules was erroneously visible.

App Integration Fixes

The following SAML apps were not working correctly and are now fixed

NetSuite (OKTA-208950)
SightPlan (OKTA-208109)
SightPlan (OKTA-208109)
Torii (OKTA-208155)

The following SWA apps were not working correctly and are now fixed

AccessNS (OKTA-207099)
Amazon JP (OKTA-206135)
Apple Developer (OKTA-208815)
BVS Performance Solutions (OKTA-201303)
EZ Texting (OKTA-207091)
IATA (OKTA-205105)
NCCI Field Call (OKTA-207098)
Shopify (OKTA-209070)
Site5 (OKTA-207092)
Tegile (OKTA-208801)
Virgin Pulse (OKTA-207089)
yodeck (OKTA-208800)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

Effy Freshservice: For configuration information, see Effy's Configuring SCIM with Okta.

New Integrations

New SCIM integrations

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

Abstract: For configuration information, see Configuring SCIM Provisioning for Abstract.
Symantec Web Security Service: For configuration information, see Symantec's Integrate Okta at the SAML IdP.
Flock: For configuration information, see the Flock Okta Connector Configuration Guide.

SAML for the following Okta Verified applications

AMGtime (OKTA-208211)
Doppler (OKTA-208076)
EpicCareLink (OKTA-209500)
Flock (OKTA-208088)
Ontrack Workflow (OKTA-205379)
Qualified.io (OKTA-204346)
Squadcast (OKTA-208072)
Stormboard SAML (OKTA-208075)
Web Manuals (OKTA-206111)

Mobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

Jobvite (OKTA-205265)
Lattice (OKTA-203396)
Lattice (OKTA-203396)

SWA for the following Okta Verified applications

Access FileCloud (OKTA-202796)
Aquera (OKTA-207382)
AutoEntry (OKTA-201237)
BungalowNet (OKTA-201604)
Centralized Showing Service (OKTA-202381)
Qumulo Partner Portal (OKTA-202644)
Rocket Lawyer (OKTA-202052)
Sweetgreen (OKTA-201715)
SwipedOn (OKTA-203574)
Tempo (OKTA-200175)
Travelport: Rooms and More (OKTA-201895)
Uxpressia (OKTA-199602)

2019.02.2: Update 2 started deployment on March 4

Fixes

General Fixes

OKTA-175415

Some users who enabled Yubikey as an MFA factor could not use it for sign in.

OKTA-186607

In some cases, AD-mastered users reactivated in Okta remained in the Password Reset status on the Okta Admin Console.

OKTA-196329

The toggle button for switching between the Okta Developer Console and the Classic UI was mispositioned.

OKTA-205724

Adding a SAML identity provider with the Assertion Consumer Service URL set to Organization (shared) resulted in a 400 bad request error during SPAn acronym for service provider. Generally, an SP is a company, usually providing organizations with communications, storage, processing, and a host of other services. Within Okta, it is any website that accepts SAML responses as a way of signing in users, and has the ability to redirect a user to an IdP (e.g., Okta) to begin the authentication process.-initiated flows.

OKTA-205914

Profile changes were not synced to Active Directory or LDAP directories when they occurred at the same time that an app-mastered user was reactivated in the app.

OKTA-206305

Deleted users were sometimes incorrectly shown as Active instead of Inactive in the Okta Usage Report.

OKTA-206513

In some cases, the Okta Admin Console took a long time to load.

OKTA-206559

Sometimes IdP routing rules did not direct to the correct identity provider when the request contained an empty username query parameter.

OKTA-210021

For app sign on policies configured to gate app access when client IPs match specified network zones, the matched network zone did not appear in the Zone field of the System Log events.

App Integration Fixes

The following SAML apps were not working correctly and are now fixed

HostAnalytics (OKTA-208766)
IBM MaaS360 (OKTA-195086)

The following SWA apps were not working correctly and are now fixed

Appbot (OKTA-209897)
DHL Express (OKTA-209932)
IDrive (OKTA-209898)
Smallpdf (OKTA-209784)
WP Engine (OKTA-209535)

Applications

Application Updates

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

Flock: For configuration information, see the Flock Okta Connector Configuration Guide.
Expensify: For configuration information, see Expensify's Deactivating User's with Okta.
4me: For configuration information, see 4me's Okta configuration documentation.

New Integrations

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

Lessonly: For configuration information, see Configuring Provisioning for Lessonly.

SAML for the following Okta Verified applications

Fulcrum (OKTA-210208)
HostAnalytics (OKTA-210227)
IDrive (OKTA-204347)
Modern Health (OKTA-210046)
PlainID (OKTA-210274)

SWA for the following Okta Verified applications

Adobe Experience Cloud (OKTA-204957)
Benson (OKTA-204945)
Bloomberg BNA (OKTA-205736)
Boston Properties (OKTA-204477)
Catalist (OKTA-204927)
Comerica Business Connect (OKTA-204380)
Florida Peninsula (OKTA-204778)
Genworth Mortgage Insurance (OKTA-202860)
Legrand Service Center (OKTA-204458)
NCR (OKTA-205586)
SoftMouse (OKTA-205528)
Title365 (OKTA-202822)
Wish (OKTA-205049)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

Figma (OKTA-203395)

January 2019

2019.01.0: Monthly Production release began deployment on January 14

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features
Early Access Features
Fixes
Applications
Weekly Updates

Generally Available Features

New Features

Email notifications for Factor Enrollment and Factor Reset

Admins can enable two new settings for email notifications that are sent to end users. When enabled, end users will receive an email confirmation if the end user or an admin enrolls in a new factor or resets an existing factor for their account. For more information on end user email notifications, see General Security.

Automatically send an email to locked-out end users

You can automatically send your users an email if their account becomes locked due to too many failed sign-in attempts. You can insert a link in the email to let users unlock their account. For details, see Configure lockout settings.

Group Push enhancements

Group Push now supports the ability to link to existing groups in the following application integrations:

Slack
Dropbox for Business
ServiceNow UD

You can centrally manage these apps in Okta. For details, see Using Group Push.

Enhanced provisioning for Office 365

With additional enhancements to Microsoft Office 365 integration admins can now synchronize identities from on-premises to cloud-based Office 365, provision a user profile that is extended further to include over 100 attributes, as well as synchronize distribution groups, contacts, and resources such as conference rooms.

Admins can also manage user licenses and roles, independent of other provisioning flows. The new provisioning type for Office 365, License/Roles Management Only, allows admins to manage user license assignment and role delegation for existing Office 365 users and for users provisioned to Office 365 with third-party tools. For more details, see Okta Enhancements with Microsoft Office 365 Integration.

Modern authentication support

We have extended our Office 365 Sign On policies to include the ability to distinguish between web browser and modern authentication clients, giving you even more granularity in controlling how users are accessing corporate data. You access this functionality by creating a new App Sign On Rule.

Extended Client Access policy capability for apps

When you create App Sign on Policy rules, you can now specify platform types with greater granularity. For details, see Add Sign On policies for applications.

Additional Custom Attributes for DocuSign integration

Our DocuSign integration is enhanced by adding support several new custom attributes. Okta imports these attributes that you can then map as additional custom properties. For details, see the DocuSign Provisioning Guide.

System Log save and reuse searches

After performing a System Log search, a Save button now appears next to the query. Click Save and you are prompted to name your search. Once saved, your named search appears on the main Reports page. You can reuse your saved search, modify it, or delete it. Note that saved searches can only be seen by the user who created them. A maximum of 20 searches can be saved at any time.

LDAP Interface, query performance improvement

LDAP Interface queries will no longer return the memberOf attribute unless requested specifically, or when all operational attributes are queried using “+”. This change brings performance improvement to searches that did not require this attribute. Improvements were also made to return additional operational attributes that were part of LDAP core schema. This list includes hasSubordinates, structuralObjectClass, entryDN, subschemaSubentry, and numSubordinates. Note that numSubordinates is not calculated for users and groups containers. For details, see Connecting to Okta using the LDAP Interface.

XFF Evaluation for Dynamic Zones and Behavior Detection

As part of Dynamic Zone and Behavior Detection evaluation, the client IP is now validated using the trusted proxies that have been configured for that org. In the admin System Log, this IP appears as the Client IP. For more information, see Dynamic Zone Evaluation.

New Windows Device Trust Registration Task, version 1.3.0

This release includes the following:

Improved support for organizations that route internet traffic through a proxy server.
Fixes an issue in which some Device Trust System Log events reported the Windows operating system version inaccurately on Windows desktops running Windows 8.1 or higher.

For version history, see Device Trust for Windows Desktop Registration Task Version History.

Support for Vietnamese language

Support for the Vietnamese language for the end user experience is now available to all customers. You can select the default language preference for your entire org, and your end users can select a different language preference for their own experience. For more information, see Configure the Display Language.

JIRA On-Prem Authenticator, version 3.0.7

This release includes enhanced SP-initiated SAML flow and support for spUsers and spGroups to handle JIRA only users. For version history, see JIRA Authenticator Version History.

Okta Browser Plug-in, version 5.25.0

Okta Browser Plug-in has been updated to version 5.25.0 for Chrome, Edge, Firefox, and Internet Explorer. This version contains security enhancements in addition to enhanced end user settings. For version history, see Okta Plug-in Version History. (Version history/browser ver history).

Enforce Device Trust for managed Windows computers

Okta Device Trust for Windows allows you to prevent unmanaged Windows computers from accessing enterprise services through browsers and native applications. For details, see Enforce Device Trust for managed Windows computers.

Generally Available Enhancements

EA Feature Manager

To provide more information about self-serviceable EA Features, links to help or developer documentation are now available for select features in the EA Feature Manager. For details, see Manage Early Access features.

New device notification enhancement

The setting for end users to receive a new device notification email when signing in to Okta from a new or unrecognized device is now enabled by default for all orgs. For more information about email notification settings, refer to New or Unknown Device Notification Emails.

Username passes to IdP when using identity-first IdP Discovery flow

When using an identifier-first IdP discovery flow and the user is redirected to the Identity Provider, such as SAML, Google, Microsoft, or Generic OIDC, the username value is passed on to the Identity Provider so the user does not have to type it in again.

API Token size increased for OAuth

We have increased the API token size when configuring OAuth 2.0 based authentication from 2 kB to 64 kB. For more information about OAuth, see OpenID Connect & OAuth 2.0 API.

Logos available for all Social Identity Providers

All social identity providers have the default logos shown below:

LDAP Interface, increased page size

The LDAP page size is increased from 200 to 1001, allowing LDAP clients to use a multiple page size of 1000. For details, see Connecting to Okta using the LDAP Interface.

Search range for group membership

The Okta LDAP Interface previously limited membership searches to the first 200 users for a group. This restriction has been removed and the LDAP Interface will iterate through all pages before returning membership response back to the client. This applies to LDAP searches that query uniquemember and ismemberOf attributes. For details, see Connecting to Okta using the LDAP Interface.

Early Access Features

New Features

Multi-forest support for Windows Device Trust enrollment

IWA web app version 1.12.2 supports cross-forest/cross-domain Windows device trust enrollment. Now an IWA web app running in one forest can detect and assess the trust posture of Windows desktop devices located in another trusted forest and then allow these devices to enroll in Windows Device Trust. For more about Windows Device Trust, see Enforce Okta Device Trust for managed Windows computers.

Okta collecting product feedback from end users

Admins can allow Okta to collect feedback from end users. If this feature is turned on, end users will see a prompt on their Okta dashboard requesting feedback about our products and services. You can opt out of Okta User Communication in Settings > Customization > General. For more information, see End User Communication.

Web Authentication for U2F as a Factor

Admins can enable the factor Web Authentication for U2F, where U2F keys are authenticated using the WebAuthn standard. For more information, see Web Authentication for U2F.

Okta SSO IWA Web App Agent, version 1.12.2

This EA release includes: Security fixes. Support for cross-forest/cross-domain Windows device trust enrollment. Now an IWA web app running in one forest can detect and assess the trust posture of Windows desktop devices located in another trusted forest and then allow these devices to enroll in Windows Device Trust. For details, see Okta SSO IWA Web App agent Version History.

Fixes

General Fixes

OKTA-193300

In the admin System Log, the zone field was populated for all events that matched a sign-on policy even when the IP of the client request did not match any zones configured in the policy.

OKTA-193330

When the same user was API and App Admin, only OIDC apps were visible in the Universal Directory profile editor.

OKTA-194244

A misleading error message was displayed when the rate limit was exceeded while using the LDAP Interface to query LDAP.

OKTA-197762

Fixed inconsistent behavior with the Reset Password Link for LDAP users.

OKTA-199498

In some cases, Okta-mastered users were deactivated when their linked accounts in Active Directory were deactivated.

OKTA-200928

Logging on through Jira on-prem chiclet didn't error out properly if the end user didn't exist in the target app.

OKTA-203819H

Some orgs were unable to create the number of users that they were entitled to.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

ADP Portal (Admin) (OKTA-198299)
Bloomberg BNA (OKTA-202952)
Blue Cross Blue Shield North Carolina (OKTA-191585)
Coolblue (OKTA-203010)
Copper (OKTA-202311)
Dell EMC (OKTA-197625)
Egencia France (OKTA-202309)
Garveys (OKTA-202308)
Google AdWords (OKTA-200072)
Google Play Developer Console (OKTA-201061)
GT Nexus (OKTA-203008)
Monster Hiring (OKTA-202848)
Newton Software (OKTA-202111)
ONE by AOL Mobile (OKTA-201772)
SAP NetWeaver Application Server (OKTA-202310)
Tenable Support Portal (OKTA-201111)
The San Diego Union-Tribune (OKTA-202856)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

Meta Networks Connector: For configuration information, see How to Configure SCIM 2.0 For Meta Networks.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

Effy: Freshservice Provisioning: For configuration information, see Effy: Freshservice Provisioning's Configuring SCIM with Okta.

SAML for the following Okta Verified applications

Oracle Cloud Infrastructure (OKTA-203179)
PerimeterX (OKTA-202317)
Visitly (OKTA-202988)
Workpath (OKTA-202894)

SWA for the following Okta Verified applications

AIMA (OKTA-197142)
BioDigital (OKTA-197194)
Cisco Registered Envelope Service (OKTA-197090)
DeKalb Physician Portal (OKTA-197193)
Financial News (OKTA-198739)
Fresh Direct (OKTA-197128)
My Eaton (OKTA-200770)
Ocado (OKTA-197129)
Private Advisors (OKTA-198720)

Weekly Updates

2019.01.1: Update 1 started deployment on January 22

Fixes

General Fixes

OKTA-192916

Okta Expression Language for defining a custom UserName mapping was not supported when creating a new app.

OKTA-194089

Read-only admins and Application admins saw incorrect values for Max Unassignments for applications with provisioning enabled.

OKTA-197629

In SAML App Wizard apps, the error returned when the Relay State was too long, was unclear.

OKTA-200927

Some DelAuth users who had an incomplete profile setup were not able to complete the SAML forceAuthn flow.

OKTA-201827

Group Rules did not trigger for SecondEmail if the attribute was updated via self-service.

OKTA-203326

System Log processing experienced a lag when clearing large import queues because of firing a syslog event for each user in the import flow. Now a single syslog event is fired indicating the number of users cleared from the import queue.

OKTA-205267H

For some SP-initiated SAML Requests, it incorrectly included the <Subject> element in the AuthN request.

OKTA-205324H

Okta did not allow admins to delete a group push mapping if the mapping was in error status.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

ADP Portal (Admin) (OKTA-203745)
Avalara Partner Portal (OKTA-204049)
Barrons Online (OKTA-203796)
LA Times (OKTA-203390)
Netflix (OKTA-204051)
Shopify (OKTA-203516)
TigerText (OKTA-203393)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

Peakon: For configuration information, see Peakon's Set up user provisioning with Okta.

New Integrations

SAML for the following Okta Verified applications

Cobalt (OKTA-204332)
Imagineer Clienteer (OKTA-203743)

SWA for the following Okta Verified applications

AnyImage (OKTA-200388)
Crowdstrike Falcon (OKTA-199903)
FIS Client Portal (OKTA-193928)

2019.01.2: Update 2 started deployment on February 4

Fixes

General Fixes

OKTA-152340

Pushing after removing group memberships failed for CPC apps (For example, ServiceNow, Dropbox, Slack).

OKTA-167393

In Okta Verify, Push challenges that were approved by users from the notification center had to be approved again in the Okta Verify iOS app.

OKTA-184036

Re-creating a user via JIT did not assign AD group memberships if the User Must Change Password At Next Logon option was enabled on the AD user profile after the user was deleted from Okta.

OKTA-189547

Translation to Japanese for the MFA prompt Do not challenge me on this device for the next 30 minutes was incorrect.

OKTA-192100

Multiple run-time exception errors caused the LDAP agent to fail.

OKTA-195065

Pushing groups for GSuite app failed with the error Unexpected character ( '<' (code 60)): expected a valid value.

OKTA-196483

When the default backoff setting for the AD and LDAP agents was 1 hour, it caused the agents to remain unavailable for the entire hour regardless of when the underlying issue was fixed.

OKTA-197083

Admin roles that were granted, scoped, or revoked through the Roles API did not appear in the System Log.

OKTA-197934

Provisioning for the Adobe Experience Manager SAML app failed when users had an underscore "_" in their login attribute.

OKTA-198025

The following role attributes can now be added in PagerDuty: admin, limited_user, observer, read_only_user, restricted_access, team_responder, user.

OKTA-198932

Template SAML 1.1 apps did not honor the configuration for response/assertion signing in IdP-initiated flows.

OKTA-199767

The Help link for Verifying IE Plug-in Enablement led to an invalid page.

OKTA-201029

The MFA Factor Enrolled email was sent before enrollment was completed.

OKTA-201591

The application condition for an IdP Discovery rule only allowed for 20 applications.

OKTA-201763

The Update Now button on the Sign On tab was always present even when not needed.

OKTA-201789

When searching for users by string match, if the string contained a space (for example, users with multiple last names such as "Van Horne") Okta only tried matching against the full name.

OKTA-202346

Changing profile mappings between applying only at user creation and applying at both creation and update would sometimes fail to apply the change.

OKTA-202684

For custom SAML applications, if the admin changed the Name Id format to persistent, the metadata was not updated.

OKTA-203596

An Application Sign-On policy created to allow or deny access to rich clients using modern auth and running on iPad didn't work as expected.

OKTA-204275

Domain matching in IdP Discovery rules were incorrectly case-sensitive.

OKTA-204738

An Invalid Factor error was encountered when end users used a permitted U2F factor, but also had one or more disallowed devices registered.

OKTA-205371

The Language drop-down list box on the Settings page incorrectly contained the label Beta for some languages.

OKTA-205410

Customers with Network Zone locations with China region codes CN-11, or CN-(some number) could not see the name of the region correctly, nor could they edit the Network Zone.

OKTA-205446H

For new enrollments, Voice Call MFA failed with Each code can only be used once. Please wait for a new code and try again.

OKTA-205703

The Current Assignments report was not filtering correctly when USER_LISTS_FOR_AUDITING was enabled.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

Bomgar (OKTA-196914)

The following SWA apps were not working correctly and are now fixed

ADP Screening and Selection Services (OKTA-202613)
Air Canada (OKTA-204326)
AnswerForce (OKTA-204331)
Backblaze (OKTA-205585)
BlackBerry Developers (OKTA-204370)
BlueJeans (OKTA-204960)
Booking (OKTA-204584)
Capital One (OKTA-204050)
Copper (OKTA-204325)
Crowdstrike Falcon (OKTA-205584)
CSCglobal (OKTA-204849)
Curalate (OKTA-206158)
Dell Boomi (OKTA-204328)
Eventbrite (OKTA-206655)
Evernote (OKTA-206169)
FACTs (OKTA-204599)
GatherContent (OKTA-205587)
Google AdWords (OKTA-206109)
Google Analytics (OKTA-205638)
GuideStar (OKTA-206168)
Hippo CMMS (OKTA-205390)
Infor EAM (OKTA-204329)
JobAdder (OKTA-202705)
LoopUp (OKTA-205012)
Maxemail (OKTA-206469)
My ADT (OKTA-206221)
MyCitrix (OKTA-205472)
NodePing (OKTA-205274)
Quantum Workplace (OKTA-204596)
Reputation.com Personal (OKTA-204737)
Shopify (OKTA-205380)
SimplyWell Member (OKTA-206545)
Trip Advisor (OKTA-205588)
USPS (OKTA-206184)
Virgin Mobile OneView (OKTA-206157)
WorkflowMAX (OKTA-206136)
WorkTerra (OKTA-206161)

Applications

New Integrations

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

Zscaler 2.0: For configuration information, see Zscaler's SAML & SCIM Configuration Example: Okta.
Twic: For configuration information, see the Twic Scim Integration Guide.
Visitly: For configuration information, see Visitly's Integrate with Okta Provisioning.
Workteam: For configuration information, see Workteam's Configuring User Provisioning.

SAML for the following Okta Verified applications

CodeSignal (OKTA-204339)
Signagelive (OKTA-202831)
Simian (OKTA-204348)
Stampli (OKTA-203206)
Workspace (OKTA-205099)

SWA for the following Okta Verified applications

Ask the Fed (OKTA-197941)
Data Navigator (OKTA-197939)
Doctena (OKTA-198514)
Jack Henry & Associates Client Portal (OKTA-194264)
LexisNexis Bridger Insight XG (OKTA-196365)
Tech Data France (OKTA-192411)

Content

2018 Production Releases
2018 Application Integrations and Updates
2018 Bug Fixes

2018 Production Releases

2018.12 December release and updates

December 2018

2018.12.0: Monthly Production release began deployment on December 10

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features
Early Access Features
Fixes
Applications
Weekly Updates

Generally Available Features

New Features

Push Notifications for the Okta RADIUS Agent

The Okta Radius Agent now includes functionality for end users to opt in to receive push notifications for MFA when enrolled with Okta Verify. For information on how to enable this setting, see Autopush for RADIUS.

Okta Windows Credential Provider agent, version 1.1.3

This release contains general bug fixes. For version history, see Okta MFA Credential Provider for Windows Version History .

Profile Editor supports linked objects

You can now add a custom attribute with a linked object data type to the Okta user profile. For details, see Add a linked object to an Okta user profile.

Add Notes to Okta-managed apps

You can now add App Notes to communicate with end users and other admins about apps. In addition to enhancing app deployment and usage, App Notes can also reduce help desk calls, provide troubleshooting assistance, and increase end user self service.

App Notes facilitate the following types of communications:

Application notes to end users – Allows admins to present helpful information to end users, such as why they've been assigned the app, whom to contact for help, and links to additional information.
Application notes to admins – Allows admins to share administrative details about apps with other Super, App, Read-only, and Mobile admins.

For more information, see Add notes to an app.

Super admins can choose default email notifications for admins

Super admins have the ability to select which email notifications a specific type of admin receives by default. This allows you to manage the amount of email traffic the different admin roles receive. The new defaults will override existing admin email notifications default settings (see Email Notifications for default settings). This will exclude most admins from receiving most email notifications. For details, see Set default email notifications.

Generally Available Enhancements

Admin Console update

We have updated the release number displayed in the Admin Console to the YYYY.MM.U format that we are officially adopting with the December Monthly Release. For more information, see Release Notes.

Okta User Communication improvement

We have improved the Okta User Communication message in Settings > Customization to clarify the scopeA scope is an indication by the client that it wants to access some resource. of end user communication.

Group Push enhancements

Group Push now supports the ability to link to existing groups in the following application integrations:

Smartsheet
Facebook at Work
Org2Org
Adobe CQ
JIRA, JIRA On-Prem
DocuSign

You can centrally manage these apps in Okta. For details, see Enhanced Group Push.

People page performance improvements

The A-to-Z links on the People page have been deprecated as part of efforts to improve the performance and responsiveness of the page in the Admin UI for large orgs. Screenshots:

Before:

After:

Reports enhancement

When generating reports, the earliest start date you can select is now 13 months prior to the current date. For more information about Reports, see Reports.

Early Access Features

New Features

Support for Salesforce Government Cloud

You can create instances of the Salesforce app that can integrate with Salesforce Government Cloud. For more details, see the Salesforce Provisioning Guide.

Okta Active Directory agent, version 3.5.5

This release includes:

A bug fix for errors when importing a group with more than 1,500 users.
Internal bug fixes

For version history details, see Okta Active Directory agent version history.

PIV Card authentication option added to identifier first Sign In page

A PIV Card authentication option is now provided on the identifier firstInstead of presenting both a Username and a Password field, "identifier first" sign in pages present only a Username field. As used in Okta IdP Routing Rule scenarios, "identifier first" sign in pages submit usernames to Okta for determining which IdP should be used to authenticate an end user. Sign In page when you configure a Smart Card Identity Provider and a corresponding IdP Routing Rule in the Okta Admin console. For more about Okta's support for PIV card authentication, see Add a Smart Card/PIV Card.

View admin list by role

Super admins can now filter the list of admins by role and type for easier searching.

Early Access Enhancements

ASN Support for Dynamic Zones

Admins can now enter ASNs (Autonomous System Numbers) when creating or editing a dynamic zone. For more information about using ASNs, see Dynamic Zones.

FIPS-mode encryption enhancement

We have updated the Okta Verify configuration UI label for the FIPS-Mode encryption setting. For more information, see Enabling FIPS-mode encryption.

Fixes

General Fixes

OKTA-185031

Recreating group push mappings for previously existing groups would cause group memberships to not be mastered by Okta.

OKTA-187881

An LDAP directory could not be assigned to an Okta group when Sync password was enabled and Create users was disabled.

OKTA-193192

Some end users were still prompted to authenticate with MFA despite successful enrollment with Okta Verify or Duo within the same session.

OKTA-194472

The API Access Management Admin role was not returned for the user when performing a GET on api/v1/users/${userId}/roles endpoint.

OKTA-195092

When using browsers other than Internet Explorer, Agentless Desktop SSO was performing two authentication requests for each user, increasing the authentication time.

OKTA-196220

Push Groups functionality only worked for admins with Super Admin rights.

OKTA-197099

Provisioning operations for the Coupa app failed.

OKTA-197991

The MFA Usage Report listed Okta Verify with Push as an enrolled factor even if the factor was reset by an end user from their dashboard making it no longer enrolled.

OKTA-198258

There was a minor grammatical error in the app approval admin notification message.

OKTA-198556

IdP Discovery rule with a Sharepoint On-Premise specific app instance condition was not routing properly on SP-initiated login flows.

OKTA-198797

After creating an ASN dynamic zone via the API, then viewing via the UI, the default proxy type was Unchecked instead of Any proxy.

OKTA-201054H

SAML IdP flow broke down with a 404 error if the ACS URLACS Endpoint – Assertion Consumer Service URL – often referred to simply as the SP login URL. This is the endpoint provided by the SP where SAML responses are posted. The SP needs to provide this information to the IDP was in {{org}}/auth/saml20/{{IdP name}} format.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Alibaba Cloud (Aliyun) (OKTA-198076)
Anaplan (OKTA-198239)
Apple Business Manager (OKTA-198241)
Dell Boomi (OKTA-198237)
Egencia UK (OKTA-198487)
Linux Academy (OKTA-198691)
PacificSource InTouch (OKTA-197597)
Perfode (OKTA-198238)
Rival IQ (OKTA-190557)
Salesforce: Marketing Cloud (OKTA-197948)
Web Manuals (OKTA-199509)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

LearnCore: For configuration information, see LearnCore's Using Okta for provisioning and SSO in LearnCore.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

Web Manuals: For configuration information, see Web Manuals' Okta Provisioning Instructions.

SAML for the following Okta Verified applications

Abstract (OKTA-192587)
BambooHR (OKTA-199943)
CloudBees (OKTA-191171)
SAP Concur Solutions (OKTA-198484)
Workable (OKTA-198491)

SWA for the following Okta Verified applications

Acronis Cloud (OKTA-189384)
Ameriflex Wealth Care Portal (OKTA-197201)
Autodesk BIM 360 (OKTA-194354)
buildpulse (OKTA-196661)
Business Insider PRIME (OKTA-196625)
Drift (OKTA-192116)
Forum: Business Online Banking (OKTA-195330)
HigherGear - (OKTA-196158)
HomeDepot Vendor Portal (OKTA-190428)
HP DaaS (OKTA-196207)
Insperity Premier (OKTA-191066)
Kayak (OKTA-74699)
TrendKite (OKTA-197199)
WealthEngine (OKTA-198240)
Zywave Home (OKTA-193830)

Weekly Updates

2018.12.1: Update 1 started deployment on December 17

Fixes

General Fixes

OKTA-155477

AD-mastered users logging into Okta with a temporary password were not asked to create a new password.

OKTA-177142

Inbound delegated authentication failed in application when the application username and Okta username were different.

OKTA-182115

As a result of multiple redirects, URLs became too long when a SAML app was used in conjunction with IWA and multifactor authentication.

OKTA-188067

When adding a user to the source user group, if the target user group did not exist, group push mappings did not display an error.

OKTA-189754

The Sign On policy did not show a warning after reaching the limit of 20 rules per policy in the UI. The limit has now been increased to 50 before showing the warning.

OKTA-190684

The OpenID Connect Client ID Token settings form was missing a link to the reference documentation about the groups claim, also the the Sign On mode tab was missing a link to the profile mappings.

OKTA-191321

In some cases, the LDAP search filter did not allow using "<" and ">" simultaneously.

OKTA-191398

The System Log did not include hostname in the Debug Context for Windows events.

OKTA-195890

IdP Discovery routing rules with an application condition and without a user identifier condition were not routing to social IdPs.

OKTA-195916

Resetting the password for one account while a different user was signed into another account in the same browser generated a successful System Log event for the wrong account, and the UI showed a failure message although password reset was successful.

OKTA-196579

The WebEx app did not update sessionType attributes for users.

OKTA-199133

The System Log did not report enrollment failures that occurred when the relevant Device Trust setting was not enabled in the Okta Admin Console.

OKTA-200176

The Application Usage report returned a server error instead of a bad request message when an invalid date was entered to generate the report.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

IntraLinks (OKTA-198125)

The following SWA apps were not working correctly and are now fixed

Crunchbase (OKTA-198994)
Dashlane Business (OKTA-199046)
Shopify (OKTA-200163)
Thycotic Force (OKTA-198995)

Applications

New Integrations

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

OfficeSpace Software: For configuration information, see the OfficeSpace Software Okta - SCIM configuration guide.

SAML for the following Okta Verified applications

Expiration Reminder (OKTA-200470)
RecruitBot (OKTA-196618)

SWA for the following Okta Verified applications

Haivision Support (OKTA-191530)
ONE by AOL: Video (OKTA-196063)

2018.12.2: Update 2 started deployment on January 7

Fixes

General Fixes

OKTA-71278

The Identity Providers list was missing the Action column header and had alignment issues.

OKTA-154988

Missing fields were not highlighted in the error message displayed when adding a new SAML identity provider.

OKTA-189636

Username changes in Okta for AD-Mastered users were not correctly pushed to the JIRA On-Prem app.

OKTA-190763

Users who had been locked out and then deactivated were still listed as locked out on the Reset Password and Unlock People pages, as well as on dashboard notifications.

OKTA-191917

When the Agentless Desktop SSO flow failed, the FromURI parameter was missing, causing a launched app not to load.

OKTA-193120

Incremental imports did not properly terminate users due to time zone differences.

OKTA-194696

Group membership updates that failed due to the Org2Org rate limit were not retried.

OKTA-197806

For orgs with the EA feature, Advanced Schema for Box enabled, assigning a group to Box sometimes failed.

OKTA-201633

The users/${userId}/factors/catalog endpoint returned email as a supported factor type although Email Authentication had not been enabled for the org in their MFA setting.

OKTA-201799

When searching for a group containing a space character, the text box selection to continue typing was lost and required users to click on the text box again to type next character.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Aha (OKTA-200921)
Amazon DE (OKTA-200178)
CarGurus (OKTA-201462)
Cintellate by SAI Global (OKTA-201461)
GFI Mail Essential Online (OKTA-199274)
GTA Travel (OKTA-200126)
Gusto (OKTA-199737)
Handshake (OKTA-201464)
HP Connected (OKTA-200425)
MyViverae by Viverae (OKTA-200739)
Papertrail (OKTA-199505)
Sauce Labs (OKTA-199066)
SeamlessWeb (OKTA-201041)
The San Diego Union-Tribune (OKTA-201415)

Applications

Application Updates

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

Retool: For configuration information, see Retool's Okta Specific Guide.
Wrike: For configuration information, see Wrike & Okta, User Provisioning.
Drift: For configuration information, see Drift's Okta SCIM Configuration Guide.
OfficeSpace Software: For configuration information, see the OfficeSpace SoftwareOkta - SCIM configuration guide.

New Integrations

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

4me: For configuration information, see 4me's OKTA configuration instructions.
Tableau Online: For configuration information, see Tableau Online's Automate User Management through an External Identity Provider.
CyberArk SCIM Server: For configuration information, see Configuring Provisioning for CyberArk SCIM.
Workpath: For configuration information, see Workpath's Okta Configuration Guide.

SAML for the following Okta Verified applications

Abacus (OKTA-201459)
Envoy Global (OKTA-201924)
Firstbird (OKTA-202087)
Five9 Plus Adapter for Salesforce (OKTA-198492)
Imagineer WebVision (OKTA-202327)
International Relocation Center (OKTA-200829)
iObeya (OKTA-198510)
SevenRooms (OKTA-199302)
Splash (OKTA-201453)
Wootric (OKTA-198958)
Zoom SAML (OKTA-200668)

SWA for the following Okta Verified applications

Anexia Engine (OKTA-197187)
Bloomberg (OKTA-198566)
CAPPS Enterprise Portal (OKTA-190371)
FHLBank of Dallas (OKTA-189796)
Information Management Network (OKTA-199265)
Morningstar UK (OKTA-199264)
NET-ENTERPRISES.FR (OKTA-190878)
PostNL Digital Postage Stamp (OKTA-198257)
Quip (OKTA-191534)
SonicWall Capture Security Center (OKTA-198693)
TxDMV webDEALER (OKTA-192030)
Vantiv IQ (OKTA-193087)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

LogicMonitor (OKTA-193723)

2018.47 and 2018.48 Production release began deployment on December 3

2018.45 began deployment on November 12

2018.44 began deployment on November 5

2018.30 and 2018.31 began deployment on August 6

2018.29 began deployment on July 23

2018.28 began deployment on July 16

2018.25 began deployment on June 25

2018.24 began deployment on June 18

2018.21 and 2018.22 began deployment on June 5

2018.19 began deployment on May 14

Update (May 23, 2018): Rate Limit Notifications

Added the following enhancements to support Rate Limit notifications:

Notification banners within Okta for Super administrators when the Rate Limit warning and violation thresholds have been reached within the last 24 hours. Screenshot
Automatic email notifications to Super administrators when the Rate Limit warning and violation thresholds have been reached within the last 24 hours. Screenshot
An Email Notifications setting available in Settings > Account for the Super administrator to turn the email notification on or off. This setting is turned on by default. Screenshot
Syslog entries that track discrete rate limit events for warnings and violations, and that can be queried independently or jointly. This provides you with a full picture of organizational as well as individual client trends.

For example, the following query shows both warnings and violations:

eventType eq "system.org.rate_limit.warning" OR eventType eq "system.org.rate_limit.violation"

Both the notification banner and the email notification contain a link to the query above. Screenshot

For more information, refer to Rate Limiting at Okta.

2018.18 began deployment on May 7

2018.15 began deployment on April 16

Production

July 2019

2019.07.0: Monthly Production release began deployment on July 15

Generally Available Features

New Features

Timeout warning added to the Sign-In Widget

Token expiration window increased to five years

Okta Verify factor available for all orgs

ADFS app support for OIDC authentication

Custom Email Template enhancement

Okta Browser Plugin for Firefox available from Firefox Add-ons

OPP agent, version 1.3.2

Email as an MFA Factor

Prevent end users from choosing commonly used passwords

Multifactor Authentication for admins

New admin role, Report admin

Reauthentication prompts

Dynamic network zones

Configure a custom Okta-hosted sign-in page

Configure a custom error page

LDAP support for Auxiliary Object classes

Current Assignments and Recent Unassignments reports added to the Reports page

Generally Available Enhancements

New System Log event for sent emails

New System Log event for redeemed credentials in an email

Validate service account credentials for Kerberos realm

UI enhancements for Sign-On Policies and Password Policies

System Log events for Behavior Settings

Early Access Features

New Features

LDAP agent, version 5.6.1

Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices

Okta SSO IWA Web App agent, version 1.13.0

Admin report CSV changes

Okta user profile, enforce custom attribute uniqueness

Early Access Enhancements

Agentless Desktop SSO, feature dependency

New System Log events for Inline Hooks

New System Log event for ThreatInsight

Sign-In Widget labeling

Fixes

OKTA-215899

OKTA-221328

OKTA-235794

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Applications

Application Updates

New Integrations

New SCIM Integration Application

SAML for the following Okta Verified applications

SWA for the following Okta Verified applications

June 2019

2019.06.0: Monthly Production release began deployment on June 10

Generally Available Features

New Features

Matching imported users

Enhanced Okta LDAP integrations with Universal Directory

Last factor remembered for authentication

Enhanced Group Push for Samanage

Location zones support blacklisting

LDAP support for Auxiliary Object classes

New macOS Device Trust Registration Task, version 1.2.1

New Windows Device Trust Registration Task, version 1.3.1

Okta Windows Credential Provider, version 1.1.4

Okta Browser Plugin version 5.29.0 for all browsers

Generally Available Enhancements

Password policy default for new orgs

Early Access Feature Manager enhancement

Aquera apps timeout increased

Okta Sign-on widget improvements

Early Access Features

New Features

DocuSign Provisioning enhancement

Allow end users to quickly access everyday apps

Incremental Imports for CSV

LDAP agent, version 5.6.0

System Log event for Agentless Desktop SSO configuration updates

System Log event for Kerberos realm settings

System Log event for Agentless Desktop SSO redirects