November 2019

2019.11.0: Monthly Production release began deployment on November 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Agentless Desktop SSO migration

Customers who enabled Agentless Desktop SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones. using the registry key configuration method must migrate to the KerberosKerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. alias supported configuration. Contact Support to enable ENG_ADSSO_MIGRATION_READINESS_CHECK which allows you to check your readiness prior to migrating.

For a list of complete migration steps refer to Migrate your Agentless Desktop SSO configuration.

New System Log events for Okta user groups

System Log events have been added to indicate when Okta user groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. are successfully created or deleted.

widget for end-user factor enrollment

The sign-in widget is now displayed if an end user enrolls in a factor manually or resets a factor from the End User Dashboard settings. This feature is being released to Production orgs gradually over the month of November.

Minor visual changes to the Feature Manager

The Feature Manager user interface has been updated with minor changes including:

  • The Early Access auto-enroll option is now at the bottom of the Early Access section.
  • When a feature is auto-enabled in EA, the date of enrollment is listed beside the toggle switch.

Agentless Desktop SSO

Agentless desktop SSO and Silent Activation now support Kerberos alias authentication for customers implementing these features for the first time. See Configure Agentless Desktop SSO - new implementations and Office 365 Silent Activation. This feature is Generally Available in Production for new orgs only.


Automations enable you to quickly prepare and respond to situations that occur during the lifecycle of end usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using apps to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. who are assigned to an Okta group. You can set up two types of Automations and perform actions such as changing user lifecycle states and notifying users:

  • Recurring Automations to check for conditions such as user inactivity and password expiration
  • One-time Automations to bulk suspend and notify users belonging to a particular group irrespective of their activity

For more information, see Automations .

Required update for Microsoft Dynamics CRM, admin consent needed

We have updated the landing URL for the Microsoft Dynamics 365 appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. to use OAuth and to be accessible globally. The updated app resolves the issue where end-users outside the USA could not access Dynamics 365 and were redirected to an error page.

You need to provide or renew Admin consent within the Okta Office 365 app instance to continue using Dynamics 365 app in your Okta org.

See Provide Microsoft admin consent for Okta.

Security Behavior Detection

To provide additional security without overburdening your end users, you can configure a Sign On policy for your organization to require additional authentication for behaviors defined as higher risk based on variance from individual users' prior sign ins. Admins can configure the system so that individual end users are only prompted for an additional MFA factor when there is a change in behavior that the admin defines. For more information, see Security Behavior Detection.

Generally Available Enhancements

Admin roles for groups

Admin roles can now only be granted to groups with less than 5000 members.

For more information, see Assign admin privileges.

Admin settings for end-user suspicious activity reporting

In account settings, admins now have the option to exclude themselves or other admins from receiving user-reported notifications about suspicious account activity.

For more information, see Suspicious Activity Reporting.

WebAuthn UI enhancement

The description and icon for the WebAuthn factor have been updated both in the Admin Console and Sign-in Widget.

For more information, see Web Authentication (FIDO2) .

Early Access Features

New Features

Workday Field Overrides

As part of our new Workday connector, Field Overrides are an alternate way to pull custom attribute information from Workday that replaces the existing custom report facility.

For more information, see Workday Field Overrides.

OAuth for Okta

With OAuth for Okta, you are able to interact with Okta APIs using scoped OAuth 2.0 access tokens. Each access token enables the bearer to perform specific actions on specific Okta endpoints, with that ability controlled by scopes that the access token contains.

For more information, see OAuth for Okta guide.

Okta RADIUS Service Agent Update, version 2.9.5

The Okta RADIUS Server AgentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. version 2.9.5 is updated to run under the LocalService account, which has lower privileges than LocalSystem. The service has also been configured with a write-restricted token to further restrict access.

For more information, see Okta RADIUS Server Agent Version History.

Okta MFA Credential Provider for Windows, version 1.2.2

The Okta MFA Credential Provider version 1.2.2 includes bug fixes and adds self-service password reset.

For more information, see Okta MFA Credential Provider for Windows Version History .

Admin settings for selecting identity providers

Admins now have the option to configure a sign-on policy based on a specific identity provider.

For more information, see Adding Rules in Security Policies.

Disable Import Groups per app

Admins have the option to choose whether groups are included in imports from apps. This new option is available when setting up provisioning for an app.

This feature should be used with care as disabling group imports will have the result of deleting all groups from the app you are configuring. As such, we provide a warning prior to disabling group imports:

Note that you will be unable to disable group imports for an app if the following conditions exist:

  • App Assignments based on Group exist
  • Group policy rules exist
  • Group Push mappings exist

In these cases, an error is displayed.


General Fixes


Group rules were not applied to reactivated users.


With Routing Rules enabled, users saw the message This is the first time you are connecting to [an application] from this browser even though they had logged in before.


With Routing Rules enabled, users saw the message This is the first time you are connecting to [an application] from this browser even though they had logged in before.


Custom TOTP factors were not supported as part of the authentication flow in Factor Sequencing.


Changes to Max Import Unassignment settings were not logged in the System Log.


WebAuthn factor types were incorrectly named as Windows Hello in the MFA Usage Report.


The Reset via Email button on a custom sign-in page was visible and active even when that option was disabled for custom URL domains.


In some cases, end users registering for Okta Verify were enrolled in One-Time Password but not in Push.


Some admins with MFA for Admin configured entered an infinite page-loading loop when signing into the Admin Console.


The HealthInsight page did not load properly for certain Okta orgs.


Re-authentication defined in sign-on policies only supported SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated.-based apps and did not support SWAAn acronym for Secure Web Authentication. SWA is a SSO system developed by Okta to provide single sign-on for apps that don't support proprietary federated sign-on methods or SAML. Users can enter their credentials for these apps on their homepage. These credentials are stored such that users can access their apps without entering their credentials each time. When users first sign-in to a SWA app from their homepage, they see a pop-up message asking if they were able to sign-in successfully..

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Adobe Stock (OKTA-257769)

  • GoToWebinar (OKTA-255869)

  • Grammarly (OKTA-258776)

  • Instacart (OKTA-258045)

  • Sainsburys Groceries (OKTA-258041)

  • Twenty20 Stock (OKTA-257496)

  • Twilio (OKTA-258047)


Application Updates

ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. support has been removed from the following apps due to low customer usage, lack of standards based integration, and high supportability cost:

  • OutSystems
  • ExactTarget
  • RightnowCX
  • SugarCRM

New Integrations

SAML for the following Okta Verified application

  • GainsightPX (OKTA-253926)

SWA for the following Okta Verified applications

  • Ontario MC EDT (OKTA-244471)

  • ParcelQuest (OKTA-249541)

  • WatchGuard Evidence Library (OKTA-244478)

October 2019

2019.10.0: Monthly Production release began deployment on October 14

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Reports calendar selections limited to past 3 months

The calendar date range for a report displays the past three months only. This matches the maximum date range for report data.

Tokens transform events no longer available

Token transform System Log [events]() will no longer fire for SAML and Token inline hooks. They are retained in Inline Hook events.

See API event types.

Device Trust applies to apps in Okta Mobile for iOS

Any Device Trust policies configured in your environment are now also enforced when iOS device users access resources through Okta Mobile. This functionality is enabled by default. To change it, go to Security > General > Okta Mobile.

See Okta Mobile Settings.

Okta Browser Plugin version 5.33.0 for all browsers

This version includes the following:

  • Security warning and anti-phishing whitelist
  • Reflection of real-time app and profile changes in the end user dashboard
  • Custom URL domain support for the plugin (available in Preview orgs)
  • New look (available in beta)
  • Back-end enhancements

See Okta Browser Plugin: Version History.

OPP agent, version 1.3.4

This version of the OPP agent:

  • Improves networking utilities and recovery speed after a DR event
  • Improves log correlation between the agent and Okta
  • Fixes a bug that read special characters from a CSV incorrectly

See On Premises Provisioning Agent and SDK Version History.

Active Directory agent, version 3.5.9

This release of the AD agent fixes an issue where meta data about Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. domains was not updated in Okta during imports from AD. In some cases this prevented features which rely on this meta data, for example Agentless Desktop SSO, from working correctly or being configured for the first time.

See Okta Active Directory agent version history.

JIRA Authenticator Toolkit, version 3.1.2

This release includes the following bug fix: JIRA service failed to start after upgrading the JIRA Authenticator from 3.0.7 to 3.1.1.

See Okta Jira Authenticator Version History.

Okta Browser Plugin reflects real-time app and profile changes in the end user dashboard

The Okta Browser Plugin now reflects the real-time state of the end user dashboard, eliminating the need to refresh the dashboard for the plugin to reflect the latest app and profile changes. This feature is available on Okta Browser Plugin version 5.29.0 or higher. For more information, see Okta Browser Plugin.

App condition for MFA enrollment policy

Admins can now use a new condition when setting a rule for an MFA enrollment policy. When this condition is configured, end users are prompted for factor enrollment when accessing all of their applications or only for those selected by their org admin. For more information, see App Condition for MFA Enrollment Policy.

Add event hooks from the Admin Console

Admins can now add event hooks from the Admin Console. Event hooks send outbound calls from Okta that trigger asynchronous process flows in admins' own software. For more details, see Event Hooks.

Generally Available Enhancements

Adobe CQ Enhancement

You can specify whether to ignore inactive users or not during imports to/from Adobe CQ.

Group Admin behavior change

When a group admin with permissions to manage a single group adds a new user to the org, the group name is automatically populated.

New System Log event for email challenge

The new event now includes more debugData information to indicate whether an email challenge was answered (redeemed) using the same browser from which it was initiated.

Scope Naming Restriction

OAuth Scopes may not start with the okta. prefix. See Create scopes.


General Fixes


When assigning users to Microsoft Office 365, a Profile push error message was displayed. Users could still sign in and their profiles were updated correctly.

OKTA-221078, OKTA-231642

When Okta MFA for Azure AD Conditional Access was enabled, admins were unable to configure Microsoft Office 365 using the I want to configure WS-Federation myself using PowerShell option.


Deactivated users were imported from Adobe CQ.


In OAuth 2.0/OIDCOpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, an authorization framework. The standard is controlled by the OpenID /authorize request, the Okta Sign-In Widget incorrectly rendered the login_hint parameter, substituting + with a space.


Users were unable to sign in to the GoAnywhere SWA app automatically and had to enter their credentials manually.


Admins could not add an IP to a Network Zone in the System Log if there were more than 20 Network Zones. Only the first 15 zones were displayed.


The group icon for the Namely app was incorrectly displayed on the Directory > Groups page.


MFA factor enrollment policies were not enforced when Factor Sequencing was enabled.


When admins removed a user from a group with more than one # character in the group name, the confirmation message ignored all text preceding the last #. This resulted in an incorrect confirmation message.


Users were able to sign in to the NorthWest Evaluation Association MAP app only when using Sign in with 1 click.


Imports failed in Preview instances of the WebEx (Cisco) app.


Admins were allowed to subscribe to email notifications for which they did not have permission.


When admins entered a username to test if a new LDAP configuration was valid, the Next button did not work.


In some cases, the group attribute for Template WS-Fed apps was evaluated incorrectly.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Chicago Tribune (OKTA-248424)

  • CrowdStrike Support Portal (OKTA-250779)

  • Cube19 (OKTA-253339)

  • MailGun (OKTA-250727)

  • Nice inContact Workforce Management (OKTA-250421)

  • Template 2 Page Plugin (OKTA-249755)


Application Updates

  • Provisioning support removed for Huddle and Connected Data apps - Provisioning support has been removed from the Huddle and Connected Data apps due to its low customer usage, lack of standards based integration, and high supportability cost.

New Integrations

SAML for the following Okta Verified applications

  • Compusense (OKTA-252571)

  • Moesif API Analytics (OKTA-251060)

Weekly Updates

September 2019

2019.09.0: Monthly Production release began deployment on September 9

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Customizable email template for LDAP users

The LDAP Forgot Password Denied email template can now be customized for LDAP users who have requested a password reset but must have their password reset by an admin. See Email customization .

New System Log event for event hooks

Event hook eligible System Log events now display the event hook ID in the Debug Context object under the TargetEventHookId field.

For a list of event hook eligible System Log events, filter our Event Types Catalog by the event-hook tag.

Okta Browser Plugin, version 5.32.0 for all browsers

This version includes the following:

  • Custom URL domain support for the plugin (available through the EA Feature Manager)
  • Back-end enhancements

See Okta Browser Plugin: Version History.

End of support for Okta Mobile Connect on iOS 13 and iPad OS 13

Okta Mobile Connect will not function on iPhones and iPads that upgrade to iOS 13 and iPad OS 13, respectively, because version 13 introduces changes that affect the way an Apple API handles external requests to open Okta Mobile. See Okta Mobile Connect.

User enrollment of multiple Web Authentication factors

End users now have the option to enroll in more than one instance of a WebAuthn-based factor, which can be set up either from the sign-in widget or from the end user dashboard settings. See Web Authentication (FIDO2) .

Active Directory, honor AD password policy

If an AD-mastered user has forgotten their password the AD password policy is honored when the user resets their password.

Support for LDAP provisioning

With the addition of the following Provisioning Features, Okta's LDAP integrations now closely match the functionality already available to Okta Active Directory (AD) integrations.

  • Create Users

  • Update and deactivate LDAP accounts

  • DN customization

  • Profile Masters

For more information, see Provisioning Features.

Admin report CSV changes

The Administrator report containing information about all admins, their roles, and permissions will now be generated asynchronously. Super admins can generate the report by clicking Request Report and they will receive an email with a download link when the report is ready. For details, see The Super admin role .

Inline Hooks

Admins can now add Inline Hooks from the admin console. Inline Hooks enable admins to integrate custom functionality into Okta process flows. For more information, see Inline hooks.

Configure Okta Device Trust for Native Apps and Safari on MDM managed iOS devices

Okta Device Trust for MDM managed iOS devices allows you to prevent unmanaged iOS devices from accessing enterprise services through browsers and native applications:

Note: This feature requires Okta Mobile 5.12 for iOS (or later), available in the App Store beginning February 1st.

For details, see Configure Okta Device Trust for Native Apps and Safari on MDM managed devices.

ThreatInsight Threat Detection

Admins can now configure ThreatInsight — a new feature that detects credential-based attacks from malicious IP addresses. ThreatInsight events can be displayed in the admin system log and also be blocked once this feature is configured. For more information, see ThreatInsight.

Apps supporting incremental imports

Workday joins Active Directory and LDAP in the ability to run immediate, incremental imports. Okta strives to add this functionality to more and more provisioning-enabled apps.  This feature is currently only available for Preview orgs.

Note: To use this functionality, your org must also have the Workday Incremental Imports (ENG_PROV_WORKDAY_INCREMENTAL_IMPORTS) Early Access feature enabled.

Early Access Features

New Features

Quick Access tab on the Okta Browser Plugin available through EA feature manager

Quick Access tab on the Okta Browser Plugin is now available through the EA feature manager. See Allow end-users to quickly access apps.

MFA for Oracle Access Manager

With Okta MFA for Oracle Access Manager (OAM), customers can use OAM as their Identity Provider (IdP) to applications and also use Okta for MFA to provide a strong method of authentication for applications. For more information, see MFA for Oracle Access Manager.

New Windows Device Registration Task, version 1.4.0

This release includes the following:

Okta On-Prem MFA agent, version 1.4.1

This release of the agent contains security enhancements. See On-Prem MFA Agent Version History.

Factor Sequencing

Admins can now provide end users with the option to sign in to their org using various MFA factors as the primary method of authentication in place of using a standard password. See Factor Sequencing.


General Fixes


The translations were missing for the API AM User Consent buttons.


On the Push Groups to Active Directory > Push Groups by Name page, clicking Show more incorrectly redirected the admin to the People page.


The Self-Service Create Account Registration form did not clear a failed password validation status even after the password was updated to meet complexity requirements.


The last MFA factor used was not remembered for some orgs that use app-level MFA rules and a custom URL domain for sign-in attempts initiated by a Service Provider.


The Active Directory Settings page was slow or unresponsive for directories with more than 10,000 Organizational Units (OUs). To obtain the fix for this bug, contact Support.


When Factor Sequencing was enabled and a user clicked Sign Out from the sign-in widget, the browser page had to be refreshed manually for the user to sign in again.


Some authentication error messages for the custom IdP factor were not displayed by the sign-in widget.


Some sign-on policies and rules for IWA were not applied when a user signed in.


An extra character > appeared in the Admin navigation header.


The temporary password was not displayed in developer account activation emails.


Web Authentication factor names were not displayed correctly under Extra Verification in end user settings.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Active Campaign (OKTA-245468)

  • Aegify (OKTA-245093)

  • BSPlink (OKTA-239934)

  • Check Point (OKTA-244812)

  • CultureIQ (OKTA-245092)

  • DesignCrowd (OKTA-245635)

  • Google Play Developer Console (OKTA-241992)

  • Hippo CMMS (OKTA-246930)

  • Key Bank (OKTA-245091)

  • MyFax (OKTA-244628)

  • OnePath Advisor (OKTA-243552)

  • (OKTA-244279)

  • Shutterfly (OKTA-245801)

  • Wells Fargo Funding (OKTA-244825)


Application Updates

To reflect Webex name changes we have updated our documentation as follows:

  • Webex (Cisco) is renamed to Cisco Webex Meetings

New Integrations

SAML for the following Okta Verified applications

  • 15five (OKTA-245730)

  • Centrify Privilege Access Service (OKTA-244805)

  • COMPASS by Bespoke Metrics (OKTA-246403)

  • Gateway Software Solutions (OKTA-231714)

  • Good2Give (OKTA-244842)

  • Legal Diary (OKTA-231714)

  • Wellness360 (OKTA-242402)

SWA for the following Okta Verified application

  • United Capital (OKTA-240147)

Weekly Updates