January 2022

2022.01.0: Monthly Production release began deployment on January 10

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Widget, version 5.16.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Okta Provisioning agent, version 2.0.6

This version of the agent contains security fixes. See Okta Provisioning agent and SDK version history.

Okta On-Prem MFA agent, version 1.4.8

This version of the agent contains security fixes. See Okta On-Prem MFA Agent Version History.

Okta Active Directory agent, version 3.8.0

This version of the agent contains:

  • Agent auto-update support
  • Improved logging functionality to assist with issue resolution
  • Bug fixes

See Okta Active Directory agent version history.

Okta RADIUS Server agent, version 2.17.2

This version of the agent contains security fixes. See Okta RADIUS Server Agent Version History.

Delivery status of SMS messages in the System Log

Administrators can now view the delivery status for SMS messages in the System Log. For information about the new event type, see Configure and use telephony.

Feature name change: New Sign-On Notification

The New Device Notification functionality is renamed to New Sign-On Notification in the Admin Dashboard, the email notification title, and elsewhere. It refers to the email notification a user receives when there’s a sign-in event from an unrecognized device.

New permissions for custom admin roles

The following new permissions can now be assigned to a custom admin role:

  • Activate users

  • Deactivate users

  • Suspend users

  • Unsuspend user

  • Delete users

  • Unlock users

  • Clear user sessions

  • Reset users' authenticators

  • Reset users' passwords

  • Set users' temporary password

  • Run imports

The new permissions give super admins more granular control over their delegated org permissions. See About role permissions.

Editable Sign-in URL

End users can edit sign-in URLs for their apps on the App Settings page.

Service Principal Name functionality improvement

New Service Principal Name (SPN) functionality allows Agentless Desktop Single Sign-on (ADSSO) authentication to continue without interruption when an SPN is updated. A service account and an SPN are required for ADSSO Kerberos authentication. With this change, you can now update the SPN frequently as an additional security precaution. See Create a service account and configure a Service Principal Name.

OAuth Dynamic Issuer option

An authorization server’s issuer URL can be used to validate whether tokens are issued by the correct authorization server. You can configure the issuer URL to be either the Okta subdomain (such as or a custom domain (such as See Create the Authorization Server.

When there are applications that use Okta’s subdomain and other applications that use the custom domain, the issuer validation breaks because the value is hard-coded to one domain or the other.

With Dynamic Issuer Mode, the issuer value in minted tokens is dynamically updated based on the URL that is used to initiate the original authorize request.

For example, if the authorize request is, the issuer value is

Dynamic Issuer Mode helps with:

  • Split deployment use cases

  • Migration use cases when customers migrate from the Okta domain to a custom domain

  • Support with multiple custom domains
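
As an added example (not Okta's code), this is the issuer check a resource server or client needs once both domains can appear in the `iss` claim: an exact-match allow-list instead of one hard-coded value, plus a check that the issuer shares an origin with the authorize request. The domains, sample tokens and function names are constructed placeholders, and the code assumes signature verification follows, using the keys of the issuer it returns.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed placeholder issuers (not from the release notes): the same
# authorization server reached through an Okta subdomain and a custom domain.
ALLOWED_ISSUERS = frozenset({
    "https://example-org.okta.example/oauth2/default",
    "https://login.example.test/oauth2/default",
})


class IssuerError(ValueError):
    """Raised when a token's issuer cannot be accepted."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(token: str) -> dict:
    """Parse the payload of a compact JWT without trusting it yet."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IssuerError("not a three-part compact JWT")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise IssuerError("payload is not valid base64url JSON") from exc
    if not isinstance(claims, dict):
        raise IssuerError("payload is not a JSON object")
    return claims


def select_issuer(token: str, allowed=ALLOWED_ISSUERS) -> str:
    """Return the issuer whose keys must verify this token, or raise."""
    iss = unverified_claims(token).get("iss")
    # Exact string comparison: no prefix, suffix, case-folding or
    # trailing-slash tolerance, so look-alike hosts cannot slip through.
    if not isinstance(iss, str) or iss not in allowed:
        raise IssuerError(f"issuer not on the allow-list: {iss!r}")
    return iss


def same_origin_as_authorize(issuer: str, authorize_url: str) -> bool:
    """Client-side check: did the token come from the domain we asked?"""
    a, b = urlsplit(issuer), urlsplit(authorize_url)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for this demonstration only."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2lnbmF0dXJl"


if __name__ == "__main__":
    candidates = [
        "https://example-org.okta.example/oauth2/default",
        "https://login.example.test/oauth2/default",
        "https://login.example.test.lookalike.example/oauth2/default",
        "https://login.example.test/oauth2/default/",
    ]
    for candidate in candidates:
        try:
            print("accept", select_issuer(make_sample_token({"iss": candidate})))
        except IssuerError as err:
            print("reject", err)
```
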

Rate limit dashboard

The new rate limit dashboard helps you investigate the cause of rate limit warnings and violations. You can also use it to view historical data and top consumers by their IP address.

This helps you:

  • Isolate outliers

  • Prevent issues in response to alerts

  • Find and address the root cause of rate limit violations

You can access the dashboard using the link provided in the rate limit violation event in the System Log. See Rate limit dashboard.

You can also open the dashboard in the Admin Console to monitor API usage over a period of time, change rate limit settings, and customize the warning threshold. See Rate limit monitoring.

Error response updated for malicious IP address sign-in requests

If you block suspicious traffic and ThreatInsight detects that a sign-in request comes from a malicious IP address, Okta automatically denies the user access to the organization. The user receives an error in response to the request. From the user’s perspective, the blocked request can’t be identified as the result of ThreatInsight having identified the IP address as malicious.

Make Okta the source for Group Push groups

Admins can now make Okta the profile source for all members of a group that is used for Group Push. When this feature is enabled, integrated apps can't change app group memberships. This functionality allows admins to maintain the accuracy of app group membership and prevents changes to group membership after a push. See Manage Group Push.

Password change notifications for LDAP-sourced users

Password change email notifications may now be sent to LDAP-sourced users.

LDAP-sourced users secondary email prompt on first sign in

Admins now have the option to prompt LDAP-sourced users for a secondary email when they sign in to Okta for the first time. When a secondary email is provided, password reset and activation notifications are sent to the user’s primary and secondary email addresses. Duplicating these notifications increases the likelihood they are seen by users and reduces support requests. See Configure optional user account fields.

Directory Debugger for Okta AD and LDAP agents

Admins can now enable the Directory Debugger to provide Okta Support with access to Okta AD and LDAP agent diagnostic data. This new diagnostic and troubleshooting tool accelerates issue resolution by eliminating delays collecting data and improves communication between orgs and Okta. See Enable the Directories Debugger.


Improved SIW error messages

The Sign-In Widget now has improved JIT error messages.

OIN Manager enhancements

The OIN Manager includes the following updates for ISV submissions:

  • It clarifies that OIDC and SAML integrations must support multi-tenancy.

  • It clarifies that only one OIDC mode can be selected for an OIDC integration.

  • It allows the format ${app.domain}/redirect_url for URIs.

  • It no longer allows ISV submissions for the Social Login and Log Streaming categories. See OIN App Integration Catalog.

  • It allows the use of app instance properties when configuring single logout (SLO) for SAML app integrations.

  • It requires that ISV submissions specify one or more use cases. Existing submissions may need to be updated to change from previous categories to the new use cases.

Updated interstitial page animation

A new animation is displayed on a loading page when users sign in to an app from Okta.

API token ID displayed in tokens

API token ID is now displayed under API tokens for easy tracking.

SHA type displayed for SAML certificates

SHA type is now displayed for SAML certificates in the Admin Console.

Early Access Features

New Feature

Okta AD Agent automatic update support

Admins can now initiate or schedule automatic updates to Okta AD agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta AD agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta agents.


General Fixes


The Medallia Mobile application dataAccess attribute wasn't automatically updated after changes were made to a user's group membership.


The SAML assertion sent by Okta to AWS exceeded the max character length supported by AWS (100,000 characters).


Launch on sign-in apps on the Okta End-User Dashboard launched multiple times after the user signed in.


An incorrect error message appeared when admins searched for groups and the Expression Language query included invalid attributes.


Users signing in to OIDC apps through Okta-hosted Sign-In Widgets on custom authorization servers received an access error message before they could provide their password.


Some branded pages used an org’s previously uploaded logo rather than their new theme logo.


When admins created custom language and country code attributes in the Profile Editor, the format property wasn’t updated and submitted.


Some admins without super admin permissions could view a link to the Admin role assignments report. This occurred for orgs with the Custom Admin Roles feature enabled.


Mitigation of CSV Injection wasn't provided in all Okta-generated CSV reports.


Admins received a 500 Internal Server Error when attempting to delete a YubiKey in blocked status.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Bendigo Bank (OKTA-454211)

  • EdgeCast (OKTA-453148)

  • Maxwell Health (OKTA-454213)

  • My T-Mobile (OKTA-455732)

  • Redis (OKTA-454218)


New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Regal Voice (OKTA-448791)

December 2021

2021.12.0: Monthly Production release began deployment on December 13

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Widget, version 5.14.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Choose client types for Office 365 sign-on policy

When creating app sign-on policy rules to manage access to Office 365 apps, you can now specify client types such as web browser, modern auth, or Exchange ActiveSync. This allows you to apply Office 365 sign-on policies to granular use-cases. See Office 365 sign-on rules options.

Branding now available in the Admin Console

This UI release provides admins and developers with an Admin Console UI to upload brand assets to customize their Okta-hosted pages. The Customizations tab in the Admin Console is also now moved to a top-level menu item in the left-hand navigation, and Branding-related controls have all been moved under it. The Settings > Appearance tab has also been removed, and functionality moved under the Customizations tab for ease of use. See Branding.

Admin Experience Redesign toggle removed

The toggle that allowed super admins to switch between the Admin Experience Redesign and the old experience has been removed. All Okta admins now benefit from our restyled Okta Admin Dashboard, responsive navigation side bar, and modern look and feel. If you need more time to adapt to the new user experience, you can revert to the old experience by contacting Okta Support until April 2022.

Upload Logo for org deprecated

The Upload Logo for Org endpoint (api/v1/org/logo) is deprecated. Use the Upload Theme Logo (/api/v1/brands/${brandId}/themes/${themeId}/logo) endpoint instead.

Policy rule events now eligible for event hooks

The following policy rule events are now eligible for event hooks:

  • policy.rule.activate

  • policy.rule.delete

See Event Hooks.

Salesforce Federated ID REST OAuth

Admins can now upgrade to the latest version of our Salesforce Federated ID integration. OAuth provides enhanced security and is now used for Provisioning and Imports authentication. This feature is currently available for new orgs only. See Configure OAuth and REST integration.

Localized SAML setup instructions

To achieve its objective of becoming the leader in identity and access management, Okta is actively expanding to numerous countries. To better serve this diverse market, Okta has begun localizing its customer-facing products to improve usability. To facilitate this process for SAML setup instructions, Okta will automatically provide the instructions in the user's chosen display language, if a translated version is available. A limited number of SAML setup instructions are currently available in Japanese. See End users: set up display language.

Okta MFA Credential Provider for Windows, version 1.3.5

This version of the agent contains:

  • Security enhancements

  • Internal fixes

See Okta MFA Credential Provider for Windows Version History.

Okta On-Prem MFA agent, version 1.4.6

This version of the agent contains updates for certain security vulnerabilities.

See Okta On-Prem MFA Agent Version History.

Okta RADIUS Server agent, version 2.17.0

This version of the agent contains updates for certain security vulnerabilities.

See Okta RADIUS Server Agent Version History.

Okta Browser Plugin, version 6.6.0 for all browsers

This version includes minor bug fixes and improvements. See Okta Browser Plugin version history.


Org setting to disable device token binding

For compatibility purposes, orgs can now disable device binding. Device binding ensures that state tokens are used only by the actor who initiated the authentication flow. See General Security.

SharePoint (On-Premises) instructions updated

SharePoint (On-Premises) instructions have been updated to remove SharePoint 2010 from the Downloads page.

Early Access Features

New Features

Improved app settings panel

End users now have an improved app settings panel in the Okta End-User Dashboard, allowing for better password management, clearer communication on app configurations, and for end users to launch an app from the app drawer. See View the app settings page.


Admins may now enable the Recent Activity feature

The Recent Activity functionality may now be enabled or disabled by admins. Recent Activity displays recent sign-in events and associated security events so admins can track suspicious activity and keep their environment safe. See Recent Activity and Security Events.


General Fixes


Org admins couldn't add social Identity Providers.


UI errors occurred when users hovered over a locked app on the Okta End-User Dashboard.


The spinner stayed visible after a sign-in error in some orgs with security image disabled.


Password push events were not showing in the System Log when multiple domains were federated in the same Office 365 app.


App usernames weren't updated automatically on non-provisioning enabled apps.


The Client drop-down menu wasn't displayed properly when admins added a new access policy for Authorization Servers using Internet Explorer.


Random users were unassigned from applications when imported and assigned by group.


Applying admin-managed tabs to end users occasionally completed much later, after the changes were initially made.


Users were directed to the wrong step of the Log Stream creation wizard when they clicked a link to create a specific type of Log Stream.


Some users who accessed the Okta End-User Dashboard saw a blank screen.


The text field for an app’s alternative name was missing from the app drawer.


In orgs with a custom domain URL and self-service registration enabled, users who went directly to the registration link saw a 404 error.


Users weren't prompted to correct their device’s time if their device was behind the server’s time by more than five minutes or ahead by more than 65 minutes.


The search bar on the Okta End-User Dashboard produced results that were inaccessible for screen readers.


Two scrollbars were displayed for mobile users.


Apps on the Okta End User Dashboard on Internet Explorer opened as a pop-up window instead of a new tab.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Amplitude (OKTA-449138)

  • Australian Financial Review (OKTA-450189)

  • Boxed (OKTA-449140)

  • Google Tag Manager (OKTA-448703)

  • HireFire (OKTA-448711)

  • Instacart Canada (OKTA-442943)

  • International SOS Assistance (OKTA-447156)

  • LinkedIn (OKTA-443788)

  • Mural (OKTA-443063)

  • Payroll Relief (OKTA-447159)

  • Safari Online Learning (OKTA-448707)

  • The Hartford EBC (OKTA-448956)

  • Twitter (OKTA-448961)

  • XpertHR (OKTA-449721)


Application Update

The Jive application integration is rebranded as Go To Connect.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Chatwork (OKTA-449761)

  • ContractS CLM (OKTA-446453)

  • Elate (OKTA-448860)

  • WAN-Sign (OKTA-448922)

OIDC for the following Okta Verified applications:


November 2021

2021.11.0: Monthly Production release began deployment on November 8

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Widget, version 5.13.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.10.0

This version of the agent contains:

  • Range attribute retrieval for group membership attributes (full support will be available in a future release)

  • Real-time synchronization for user profiles, groups, and group memberships (full support will be available in a future release)

  • Expired password reset support for the eDirectory LDAP service (Okta Identity Engine)

  • Bug fixes

See Okta LDAP Agent version history.

Okta RADIUS Server agent, version 2.16.0

This version of the agent contains:

  • Government Community Cloud support

  • Internal and security fixes

See Okta RADIUS Server Agent Version History.

Okta MFA Credential Provider for Windows, version 1.3.4

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta MFA Credential Provider for Windows Version History.

Okta ADFS Plugin, version 1.7.9

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta ADFS Plugin Version History.

Okta On-Prem MFA agent, version 1.4.5

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta On-Prem MFA Agent Version History.

Okta Browser Plugin, version 6.5.0 for all browsers

Internet Explorer local storage size for the Okta Browser Plugin has been increased. See Okta Browser Plugin version history.

Brands API support for auto-detecting contrast colors

The Brands API Theme object properties primaryColorContrastHex and secondaryColorContrastHex automatically optimize the contrast between font color and the background or button color. The auto-detection feature can be disabled by updating either property value with an accepted contrast hex value. See Brands.

New default selection for MFA enrollment policies

For MFA enrollment policy rules, the Any application that supports MFA enrollment option is now selected by default. See Configure an MFA enrollment policy.

New error page macros for themed templates

Custom error page templates include new macros to customize the URL (href) in addition to the button text for themed templates. See Use macros.

Custom domain SSL certification expiration warnings

To prevent service disruptions, Okta now sends admins a warning email 30, 15, and 7 days before their custom domain’s SSL certificate expires. If no action is taken, an expiration notice is sent when the certificate expires.

See Configure a custom URL domain.

Token-based SSO between native apps

Single Sign-On (SSO) between browser-based web applications is achieved by leveraging shared cookies. Unlike web applications, native applications can’t use web cookies. With Native SSO, Okta offers a token-based approach to achieve SSO between native applications.

Native SSO allows you to protect native OpenID Connect applications, such as desktop apps and mobile apps, and achieve SSO and Single Logout (SLO) between these applications. See Configure SSO for native apps.

Wildcards for OAuth redirect subdomains

Developers can now use the Apps API to set multiple redirect URI subdomains with a single parameter using the asterisk * wildcard. This feature provides convenience and flexibility in cases where subdomains vary by only a few characters. For example: https://subdomain* may be used to represent subdomain1, subdomain2, and subdomain3.

Sort applications on End-User Dashboard

End users can now sort applications alphabetically or by last added on the new Okta End-User Dashboard.

Asynchronous Application Reports

When enabled, this feature turns the generation of the Application Usage and the Application Password Health reports into an asynchronous process. Okta generates a report with the results and sends an email to the admin containing a download link for the CSV file. This enhancement is ideal for orgs with large amounts of user activity, as the generated reports can cover a greater range without timing out. See Application Usage report and App Password Health report.

Risk scoring improvements

Risk scoring improvements are being slowly deployed to all organizations. See Risk scoring.

Password expiry warning for LDAP group password policies

You can now configure an LDAP group password policy to provide users with a password expiry warning when their LDAP password is about to expire. Providing a password expiry warning in advance prevents users from losing access to shared resources and reduces the likelihood that you’ll need to reset passwords. See Configure a password policy.

Create and manage group profiles

You now have the flexibility to manage the default profile for Okta groups in the Profile Editor. This new functionality simplifies group management and lets you quickly add, edit, or remove custom profile attributes to groups. See Work with profiles and attributes. This feature will be gradually made available to all orgs.

Litmos supports Advanced Custom Attributes

We’ve enriched our Litmos integration to support Advanced Custom Attributes for the user profile. This allows you to add fields into the Okta user profile. See Litmos Provisioning Guide.

AES-GCM encryption support for SAML assertions

To secure SAML assertions from attacks and to adopt a stronger security mechanism, Okta now supports AES128-GCM and AES256-GCM encryption modes in addition to AES-128 and AES-256 for SAML applications.


New System Log events for custom domain setup

The following events are added to the System Log:

system.custom_url_domain.cert_renew 3


Existing events now include CustomDomainCertificateSourceType.

OIN App Catalog user interface changes

The following text has been updated for consistency:

  • FILTERS is now Capabilities

  • Apps is now All Integrations

  • Featured is now Featured Integrations

  • OpenID Connect is now OIDC

  • Secure Web Authentication is now SWA

See Add existing app integrations.

Hash marks added to hex code fields

On the Branding page, hash marks are automatically added to the hex codes in the Primary color and Secondary color fields.

Event Hooks daily limit

The maximum allowable daily limit of Event Hooks for all orgs has increased from 100,000 to 200,000. A higher daily allocation of Event Hooks reduces the likelihood orgs will exceed their daily limits. See Workflows system limits.

Improved Branding preview

Branding previews now display correct text colors.

Widget button colors standardized

To comply with accessibility contrast ratios, the default variant colors for buttons on Okta sign-in and error pages have been standardized to use the Okta design system.

On-Prem MFA application logo

The On-Prem MFA app logo for SecurID has been updated.

Early Access Features

New Features

Support for additional social Identity Providers

Social login is a form of SSO that uses existing information from a service such as Facebook, Twitter, or Google to sign in, instead of creating a new account specifically for a third-party website. Social Identity Provider (IdP) popularity varies by industry and region. We're making it easy for Okta admins to add new IdPs with out-of-the-box integrations for GitHub, GitLab, Salesforce, and Amazon, with more to come. These integrations add to our existing social IdP catalog in the OIN, allowing users to quickly sign up or sign in to your application without entering their email or creating a new password. See External Identity Providers.

Log Streaming

While Okta captures and stores its System Log events, many organizations use third-party systems to monitor, aggregate, and act on event data.

Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as Amazon Eventbridge in real time with simple, pre-built connectors. They can easily scale without worrying about rate limits, and no admin API token is required. See Log Streaming.


Edit resource assignments for standard roles

Super admins can now quickly and easily search for, add, and remove the resource assignments for a standard role. See Edit resources for a standard role assignment.

Manage email notifications for custom admin roles

Super admins can configure the system notifications and Okta communications for custom admin roles. Configuring the email notifications helps ensure admins receive all of the communications that are relevant to their role. See Configure email notifications for an admin role.

New Velocity email templates

Orgs with Enhanced Email Macros enabled can now customize Factor Reset and Factor Enrollment email templates with Velocity Template Language. See Customize an email template.


General Fixes


When multiple factors were required in the MFA for Active Directory Federation Services (ADFS) enrollment flow, only a single factor was enrolled before the user was allowed to sign in.


After the Microsoft ADFS (MFA) app Sign-On setting was changed to MFA as a Service, the app no longer appeared on the end-user home page.


Users weren't instructed to sign out and then sign in again when the mobile device management (MDM) remediation screen appeared during Intune setup.


The Identity Provider factor name wasn’t updated when the admin changed the Identity Provider name.


The YubiKey report didn’t list all YubiKeys when the user sorted the entries by Status.


When the Remove Group endpoint was called with an invalid group profile attribute, the group wasn't removed.


Sometimes when a super admin assigned several standard roles to a group at a time, some of those roles didn’t appear on the Groups page.


Screen Readers didn't interact properly with the search bar on the Okta End-User Dashboard.


On the Suspicious Activity User Report, the Login field was incorrectly labeled Email and didn't display the primary email address of the user who reported the activity.


Admins weren't able to use the Expression Language to compare a user's status to a string.


Admins weren’t able to add multiple custom attributes to an app on the Okta End-User Dashboard.


When the super org admin role was revoked from a user, the resulting email notification didn’t include the org name or URL.


Selecting the ellipses on an app card on the Okta End-User Dashboard incorrectly opened the app instead of accessing its settings.


Users attempting to enroll an MFA factor while signing in to an OIDC app received server error messages and couldn’t complete the enrollment.


The Sort Apps function didn't work when the Okta End-User Dashboard was displayed in Dutch, Brazilian, Portuguese, Simplified Chinese, or Traditional Chinese.


For some orgs with Branding enabled, the theme was reset after an admin’s role changed.


Sometimes, when deactivated LDAP-sourced users attempted to sign in to Okta, an incorrect message appeared.


Some users saw an error when signing in to the new End-User Dashboard or OIDC apps for the first time.

App Integration Fixes

The following SAML app was not working correctly and is now fixed:

  • Cloze (OKTA-440336)


Application Updates

  • The configuration guide for the Vable SCIM integration is updated: Okta Users Provisioning For The Vable Platform.

  • The American Express Work integration was a duplicate and has been removed from the OIN Catalog. Customers should use the American Express - Work integration.

New Integrations

New SCIM Integration Application:

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

OIDC for the following Okta Verified applications:
