Production

  Current Upcoming
Production 2022.01.0 2022.01.1 Production release is scheduled to begin deployment on January 18
Preview 2022.01.1

2022.01.2 Preview release is scheduled to begin deployment on January 26

January 2022

2022.01.0: Monthly Production release began deployment on January 10

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 5.16.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Okta Provisioning agent, version 2.0.6

This version of the agent contains security fixes. See Okta Provisioning agent and SDK version history

Okta On-Prem MFA agent, version 1.4.8

This version of the agent contains security fixes. See Okta On-Prem MFA Agent Version History.

Okta Active Directory agent, version 3.8.0

This version of the agent contains:

  • Agent auto-update support
  • Improved logging functionality to assist with issue resolution
  • Bug fixes

See Okta Active Directory agent version history.

Okta RADIUS Server agent, version 2.17.2

This version of the agent contains security fixes. See Okta RADIUS Server Agent Version History.

Delivery status of SMS messages in the System Log

Administrators can now view the delivery status for SMS messages in the System Log. For information about the new event type, see Configure and use telephony.

Feature name change: New Sign-On Notification

The New Device Notification functionality is renamed to New Sign-On Notification in the Admin Dashboard, the email notification title, and elsewhere. It refers to the email notification a user receives when there’s a sign-in event from an unrecognized device.

New permissions for custom admin roles

The following new permissions can now be assigned to a custom admin role:

  • Activate users

  • Deactivate users

  • Suspend users

  • Unsuspend user

  • Delete users

  • Unlock users

  • Clear user sessions

  • Reset users' authenticators

  • Reset users' passwords

  • Set users' temporary password

  • Run imports.

The new permissions give super admins more granular control over their delegated org permissions. See About role permissions.

Editable Sign-in URL

End users can edit sign-in URLs for their apps on the App Settings page.

Service Principal Name functionality improvement

New Service Principal Name (SPN) functionality allows Agentless Desktop Single Sign-on (ADSSO) authentication to continue without interruption when an SPN is updated. A service account and an SPN are required for ADSSO Kerberos authentication. With this change, you can now update the SPN frequently as an additional security precaution. See Create a service account and configure a Service Principal Name.

OAuth Dynamic Issuer option

An authorization server’s issuer URL can be used to validate whether tokens are issued by the correct authorization server. You can configure the issuer URL to be either the Okta subdomain (such as company.okta.com) or a custom domain (such as sso.company.com). See Create the Authorization Server.

When there are applications that use Okta’s subdomain and other applications that use the custom domain, the issuer validation breaks because the value is hard-coded to one domain or the other.

With Dynamic Issuer Mode, the issuer value in minted tokens is dynamically updated based on the URL that is used to initiate the original authorize request.

For example, if the authorize request is https://sso.company.com/api/v1/authorize, the issuer value is https://sso.company.com.

Dynamic Issuer Mode helps with:

  • Split deployment use cases

  • Migration use cases when customers migrate from the Okta domain to a custom domain

  • Support with multiple custom domains

Rate limit dashboard

The new rate limit dashboard helps you investigate the cause of rate limit warnings and violations. You can also use it to view historical data and top consumers by their IP address.

This helps you:

  • Isolate outliers

  • Prevent issues in response to alerts

  • Find and address the root cause of rate limit violations

You can access the dashboard using the link provided in the rate limit violation event in the System Log. See Rate limit dashboard.

You can also open the dashboard in the Admin Console to monitor API usage over a period of time, change rate limit settings, and customize the warning threshold. See Rate limit monitoring.

Error response updated for malicious IP address sign-in requests

If you block suspicious traffic and ThreatInsight detects that a sign-in request comes from a malicious IP address, Okta automatically denies the user access to the organization. The user receives an error in response to the request. From the user’s perspective, the blocked request can’t be identified as the result of ThreatInsight having identified the IP address as malicious.

Make Okta the source for Group Push groups

Admins can now make Okta the profile source for all members of a group that is used for Group Push. When this feature is enabled, integrated apps can't change app group memberships. This functionality allows admins to maintain the accuracy of app group membership and prevents changes to group membership after a push. See Manage Group Push.

Password change notifications for LDAP-sourced users

Password change email notifications may now be sent to LDAP-sourced users.

LDAP-sourced users secondary email prompt on first sign in

Admins now have the option to prompt LDAP-sourced users for a secondary email when they sign in to Okta for the first time. When a secondary email is provided, password reset and activation notifications are sent to the user’s primary and secondary email addresses. Duplicating these notifications increases the likelihood they are seen by users and reduces support requests. See Configure optional user account fields.

Directory Debugger for Okta AD and LDAP agents

Admins can now enable the Directory Debugger to provide Okta Support with access to Okta AD and LDAP agent diagnostic data. This new diagnostic and troubleshooting tool accelerates issue resolution by eliminating delays collecting data and improves communication between orgs and Okta. See Enable the Directories Debugger.

Enhancements

Improved SIW error messages

The Sign-In Widget now has improved JIT error messages.

OIN Manager enhancements

The OIN Manager includes the following updates for ISV submissions:

  • It clarifies that OID and SAML integrations must support multi-tenancy.

  • It clarifies that only one OIDC mode can be selected for an OID integration.

  • It allows the format ${app.domain}/redirect_url for URIs.

  • It no longer allows ISV submissions for the Social Login and Log Streaming categories. See OIN App Integration Catalog.

  • It allows the use of app instance properties when configuring single logout (SLO) for SAML app integrations.

  • It requires that ISV submissions specify one or more use cases. Existing submissions may need to be updated to change from previous categories to the new use cases.

Updated interstitial page animation

A new animation is displayed on a loading page when users sign in to an app from Okta.

API token ID displayed in tokens

API token ID is now displayed under API tokens for easy tracking.

SHA type displayed for SAML certificates

SHA type is now displayed for SAML certificates in the Admin Console.

Early Access Features

New Feature

Okta AD Agent automatic update support

Admins can now initiate or schedule automatic updates to Okta AD agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta AD agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta agents.

Fixes

General Fixes

OKTA-379478

The Medallia Mobile application dataAccess attribute wasn't automatically updated after changes were made to a user's group membership.

OKTA-412445

The SAML assertion sent by Okta to AWS exceeded the max character length supported by AWS (100,000 characters).

OKTA-420065

Launch on sign-in apps on the Okta End-User Dashboard launched multiple times after the user signed in.

OKTA-444924

An incorrect error message appeared when admins searched for groups and the Expression Language query included invalid attributes.

OKTA-447750

Users signing in to OIDC apps through Okta-hosted Sign-In Widgets on custom authorization servers received an access error message before they could provide their password.

OKTA-448006

Some branded pages used an org’s previously uploaded logo rather than their new theme logo.

OKTA-453672

When admins created custom language and country code attributes in the Profile Editor, the format property wasn’t updated and submitted.

OKTA-454206

Some admins without super admin permissions could view a link to the Admin role assignments report. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-456082

Mitigation of CSV Injection wasn't provided in all Okta-generated CSV reports.

OKTA-456084H

Admins received a 500 Internal Server Error when attempting to delete a YubiKey in blocked status.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Bendigo Bank (OKTA-454211)

  • EdgeCast (OKTA-453148)

  • Maxwell Health (OKTA-454213)

  • My T-Mobile (OKTA-455732)

  • Redis (OKTA-454218)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Regal Voice (OKTA-448791)

December 2021

2021.12.0: Monthly Production release began deployment on December 13

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 5.14.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Choose client types for Office 365 sign-on policy

When creating app sign-on policy rules to manage access to Office 365 apps, you can now specify client types such as web browser, modern auth, or Exchange ActiveSync. This allows you to apply Office 365 sign-on policies to granular use-cases. See Office 365 sign-on rules options.

Branding now available in the Admin Console

This UI release provides admins and developers with an Admin Console UI to upload brand assets to customize their Okta-hosted pages. The Customizations tab in the Admin Console is also now moved to a top-level menu item in the left-hand navigation, and Branding-related controls have all been moved under it. The Settings > Appearance tab has also been removed, and functionality moved under the Customizations tab for ease of use. See Branding.

Admin Experience Redesign toggle removed

The toggle that allowed super admins to switch between the Admin Experience Redesign and the old experience has been removed. All Okta admins now benefit from our restyled Okta Admin Dashboard, responsive navigation side bar, and modern look and feel. If you need more time to adapt to the new user experience, you can revert to the old experience by contacting Okta Support until April 2022.

Upload Logo for org deprecated

The Upload Logo for Org endpoint (api/v1/org/logo) is deprecated. Use the Upload Theme Logo (/api/v1/brands/${brandId}/themes/${themeId}/logo) endpoint instead.

Policy rule events now eligible for event hooks

The following policy rule events are now eligible for event hooks:

  • policy.rule.activate

  • policy.rule.delete

See Event Hooks.

Salesforce Federated ID REST OAuth

Admins can now upgrade to the latest version of our Salesforce Federated ID integration. OAuth provides enhanced security and is now used for Provisioning and Imports authentication. This feature is currently available for new orgs only. See Configure OAuth and REST integration.

Localized SAML setup instructions

To achieve its objective of becoming the leader in identity and access management, Okta is actively expanding to numerous countries. To better serve this diverse market, Okta has begun localizing its customer-facing products to improve usability. To facilitate this process for SAML setup instructions, Okta will automatically provide the instructions in the user's chosen display language, if a translated version is available. Currently, a limited number of SAML setup instructions are now available in Japanese. See End users: set up display language.

Okta MFA Credential Provider for Windows, version 1.3.5

This version of the agent contains:

  • Security enhancements

  • Internal fixes

See Okta MFA Credential Provider for Windows Version History.

Okta On-Prem MFA agent, version 1.4.6

This version of the agent contains updates for certain security vulnerabilities.

See Okta On-Prem MFA Agent Version History.

Okta RADIUS Server agent, version 2.17.0

This version of the agent contains updates for certain security vulnerabilities.

See Okta RADIUS Server Agent Version History.

Okta Browser Plugin, version 6.6.0 for all browsers

This version includes minor bug fixes and improvements. See Okta Browser Plugin version history .

Enhancements

Org setting to disable device token binding

For compatibility purposes, orgs can now disable device binding. Device binding ensures that state tokens are used only by the actor who initiated the authentication flow. See General Security.

SharePoint (On-Premises) instructions updated

SharePoint (On-Premises) instructions have been updated to remove SharePoint 2010 from the Downloads page.

Early Access Features

New Features

Improved app settings panel

End users now have an improved app settings panel in the Okta End-User Dashboard, allowing for better password management, clearer communication on app configurations, and for end users to launch an app from the app drawer. See View the app settings page.

Enhancement

Admins may now enable the Recent Activity feature

The Recent Activity functionality may now be enabled or disabled by admins. Recent Activity displays recent sign-in events and associated security events so admins can track suspicious activity and keep their environment safe. See Recent Activity and Security Events.

Fixes

General Fixes

OKTA-372730

Org admins couldn't add social Identity Providers.

OKTA-393284

UI errors occurred when users hovered over a locked app on the Okta End-User Dashboard.

OKTA-416595

The spinner stayed visible after a sign-in error in some orgs with security image disabled.

OKTA-430797

Password push events were not showing in the System Log when multiple domains were federated in the same Office 365 app.

OKTA-433327

App usernames weren't updated automatically on non-provisioning enabled apps.

OKTA-438888

The Client drop-down menu wasn't displayed properly when admins added a new access policy for Authorization Servers using Internet Explorer.

OKTA-439104

Random users were unassigned from applications when imported and assigned by group.

OKTA-439327

Applying admin-managed tabs to end users occasionally completed much later, after the changes were initially made.

OKTA-441168

Users were directed to the wrong step of the Log Stream creation wizard when they clicked a link to create a specific type of Log Stream.

OKTA-443459

Some users who accessed the Okta End-User Dashboard saw a blank screen.

OKTA-449400

The text field for an app’s alternative name was missing from the app drawer.

OKTA-450158

In orgs with a custom domain URL and self-service registration enabled, users who went directly to the registration link saw a 404 error.

OKTA-450543

Users weren't prompted to correct their device’s time if their device was behind the server’s time by more than five minutes or ahead by more than 65 minutes.

OKTA-450896

The search bar on the Okta End-User Dashboard produced results that were inaccessible for screen readers.

OKTA-450927

Two scrollbars were displayed for mobile users.

OKTA-457787H

Apps on the Okta End User Dashboard on Internet Explorer opened as a pop-up window instead of a new tab.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Amplitude (OKTA-449138)

  • Australian Financial Review (OKTA-450189)

  • Boxed (OKTA-449140)

  • Google Tag Manager (OKTA-448703)

  • HireFire (OKTA-448711)

  • Instacart Canada (OKTA-442943)

  • International SOS Assistance (OKTA-447156)

  • LinkedIn (OKTA-443788)

  • Mural (OKTA-443063)

  • Payroll Relief (OKTA-447159)

  • Safari Online Learning (OKTA-448707)

  • The Hartford EBC (OKTA-448956)

  • Twitter (OKTA-448961)

  • XpertHR (OKTA-449721)

Applications

Application Update

The Jive application integration is rebranded as Go To Connect.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Chatwork (OKTA-449761)

  • ContractS CLM (OKTA-446453)

  • Elate (OKTA-448860)

  • WAN-Sign (OKTA-448922)

OIDC for the following Okta Verified applications:

Weekly Updates

Generally Available

Sign-In Widget, version 5.14.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-328461

The footer in some email templates contained an incorrect link to Okta.

OKTA-410446

DebugData in the System Log didn’t include ClientSecret information.

OKTA-428685

Errors occurred when admins attempted to assign DocuSign to users.

OKTA-440608

Some admins couldn't view groups that were assigned to an app, even though their custom role had permission to view them.

OKTA-447471

Duplicate reactivation requests for the Org2Org app caused 400 errors in the System Log.

OKTA-447916

Admins received the wrong error message when they attempted to delete a custom domain.

OKTA-448321

When the Custom Admin Roles feature was enabled, groups with “#” in the group name couldn’t be assigned to a role.

OKTA-449880

When Enhanced Email Macros was enabled, the text in some default email templates was incorrect.

OKTA-451075

Security fix for the Okta Provisioning Agent. For this fix, download Okta Provisioning Agent version 2.0.6.

OKTA-451868

In new developer orgs, admins weren’t provisioned for Salesforce Help.

OKTA-452041

Attempts to sign in to the Admin Console using Safari on an iOS device were prevented by the popup blocker.

OKTA-452099

The QR verification form in the device authentication flow wasn’t pre-filled with the user code.

OKTA-454767H

Some app labels were missing in the redesigned OIN App Catalog.

App Integration Fix

The following SWA app was not working correctly and is now fixed:

  • GoDaddy (OKTA-449141)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

Fixes

General Fixes

OKTA-441896

Group attribute statements added in a SAML 2.0 integration app (AIW) didn’t appear in the Preview the SAML Assertion section.

OKTA-444246

Some SAML doc links in the Admin Console didn’t work.

OKTA-447069

End-users encountered a 403 error when accessing a bookmark app after being migrated to the new Okta End-User Dashboard.

OKTA-447885

When adding a custom domain, admins received the wrong error message if they left the Domain field blank.

OKTA-448560

New users received an activation email with Velocity macros instead of their name. This occurred if the org’s profile enrollment policy didn’t require first and last names.

OKTA-448936

The Create a new resource set page couldn't display groups with & in the group name. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-448940

The Edit resources to a standard role page displayed an error when admins searched for a group. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-451345

The Velocity parsing engine failed when email templates contained a variable that was followed by (.

OKTA-452680

Application usage reports created asynchronously for specific groups included users that didn’t belong to the groups selected for the reports.

OKTA-454197

On the Add domain page, the Next, Remove, and Verify DNS buttons were clickable while the addition was in progress.

OKTA-456383H

CSV imports failed when using Okta Provisioning Agent, version 2.0.6. For this fix, download Okta Provisioning Agent, version 2.0.7.

OKTA-458089H

Some Netsuite imports into Okta failed with the following error failure: A SOAP message cannot contain entity references because it must not have a DTD.

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Imprivata Privileged Access Management (OKTA-450222)

  • Lucca (OKTA-450219)

  • PowerDMS (OKTA-454504)

  • Rybbon (OKTA-451438)

November 2021

2021.11.0: Monthly Production release began deployment on November 8

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 5.13.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.10.0

This version of the agent contains:

  • Range attribute retrieval for group membership attributes (full support will be available in a future release)

  • Real-time synchronization for user profiles, groups, and group memberships (full support will be available in a future release)

  • Expired password reset support for the eDirectory LDAP service (Okta Identity Engine)

  • Bug fixes

See Okta LDAP Agent version history.

Okta RADIUS Server agent, version 2.16.0

This version of the agent contains:

  • Government Community Cloud support

  • Internal and security fixes

See Okta RADIUS Server Agent Version History.

Okta MFA Credential Provider for Windows, version 1.3.4

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta MFA Credential Provider for Windows Version History.

Okta ADFS Plugin, version 1.7.9

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta ADFS Plugin Version History.

Okta On-Prem MFA agent, version 1.4.5

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta On-Prem MFA Agent Version History.

Okta Browser Plugin, version 6.5.0 for all browsers

Internet Explorer local storage size for the Okta Browser Plugin has been increased. See Okta Browser Plugin version history .

Brands API support for auto-detecting contrast colors

The Brands API Theme object properties primaryColorContrastHex and secondaryColorContrastHex automatically optimize the contrast between font color and the background or button color. The auto-detection feature can be disabled by updating either property value with an accepted contrast hex value. See Brands.

New default selection for MFA enrollment policies

For MFA enrollment policy rules, the Any application that supports MFA enrollment option is now selected by default. See Configure an MFA enrollment policy.

New error page macros for themed templates

Custom error page templates include new macros to customize the URL (href) in addition to the button text for themed templates. See Use macros.

Custom domain SSL certification expiration warnings

To prevent service disruptions, Okta now sends admins a warning email 30, 15, and 7 days before their custom domain’s SSL certificate expires. If no action is taken, an expiration notice is sent when the certificate expires.

See Configure a custom URL domain.

Token-based SSO between native apps

Single Sign-On (SSO) between browser-based web applications is achieved by leveraging shared cookies. Unlike web applications, native applications can’t use web cookies. With Native SSO, Okta offers a token-based approach to achieve SSO between native applications.

Native SSO allows you to protect native OpenID Connect applications, such as desktop apps and mobile apps, and achieve SSO and Single Logout (SLO) between these applications. See Configure SSO for native apps.

Wildcards for OAuth redirect subdomains

Developers can now use the Apps API to set multiple redirect URI subdomains with a single parameter using the asterisk * wildcard. This feature provides convenience and flexibility in cases where subdomains vary by only a few characters. For example: https://subdomain*.example.com/oidc/redirect may be used to represent subdomain1, subdomain2, and subdomain3.

Sort applications on End-User Dashboard

End users can now sort applications alphabetically or by last added on the new Okta End-User Dashboard.

Asynchronous Application Reports

When enabled, this feature turns the generation of the Application Usage and the Application Password Health reports into an asynchronous process. Okta generates a report with the results and sends an email to the admin containing a download link for the CSV file. This enhancement is ideal for orgs with large amounts of user activity, as the generated reports can cover a greater range without timing out. See Application Usage report and App Password Health report.

Risk scoring improvements

Risk scoring improvements are being slowly deployed to all organizations. See Risk scoring.

Password expiry warning for LDAP group password policies

You can now configure an LDAP group password policy to provide users with a password expiry warning when their LDAP password is about to expire. Providing a password expiry warning in advance prevents users from losing access to shared resources and reduces the likelihood that you’ll need to reset passwords. See Configure a password policy.

Create and manage group profiles

You now have the flexibility to manage the default profile for Okta groups in the Profile Editor. This new functionality simplifies group management and lets you quickly add, edit, or remove custom profile attributes to groups. See Work with profiles and attributes. This feature will be gradually made available to all orgs.

Litmos supports Advanced Custom Attributes

We’ve enriched our Litmos integration to support Advanced Custom Attributes for the user profile. This allows you to add fields into the Okta user profile. See Litmos Provisioning Guide.

AES-GCM encryption support for SAML assertions

To secure SAML assertions from attacks and to adopt a stronger security mechanism, Okta now supports AES128-GCM and AES256-GCM encryptions modes in addition to AES-128 and AES-256 for SAML applications.

Enhancements

New System Log events for custom domain setup

The following events are added to the System Log:

system.custom_url_domain.cert_renew 3

system.custom_url_domain.delete

Existing events now include CustomDomainCertificateSourceType.

OIN App Catalog user interface changes

The following text has been updated for consistency:

  • FILTERS is now Capabilities

  • Apps is now All Integrations

  • Featured is now Featured Integrations

  • OpenID Connect is now OIDC

  • Secure Web Authentication is now SWA

See Add existing app integrations.

Hash marks added to hex code fields

On the Branding page, hash marks are automatically added to the hex codes in the Primary color and Secondary color fields.

Event Hooks daily limit

The maximum allowable daily limit of Event Hooks for all orgs has increased from 100,000 to 200,000. A higher daily allocation of Event Hooks reduces the likelihood orgs will exceed their daily limits. See Workflows system limits.

Improved Branding preview

Branding previews now display correct text colors.

Sign-In Widget button colors standardized

To comply with accessibility contrast ratios, the default variant colors for buttons on Okta sign-in and error page have been standardized to use the Okta design system.

On-Prem MFA application logo

The On-Prem MFA app logo for SecurID has been updated.

Early Access Features

New Features

Support for additional social Identity Providers

Social login is a form of SSO that uses existing information from a service such as Facebook, Twitter, or Google to sign in, instead of creating a new account specifically for a third-party website. Social Identity Provider (IdP) popularity varies by industry and region. We're making it easy for Okta admins to add new IdPs with out-of-the-box integrations for GitHub, GitLab, Salesforce, and Amazon, with more to come. These integrations add to our existing social IdP catalog in the OIN, allowing users to quickly sign up or sign in to your application without entering their email or creating a new password. See External Identity Providers.

Log Streaming

While Okta captures and stores its System Log events, many organizations use third-party systems to monitor, aggregate, and act on event data.

Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as Amazon Eventbridge in real time with simple, pre-built connectors. They can easily scale without worrying about rate limits, and no admin API token is required. See Log Streaming .

Enhancements

Edit resource assignments for standard roles

Super admins can now quickly and easily search for, add, and remove the resource assignments for a standard role. See Edit resources for a standard role assignment.

Manage email notifications for custom admin roles

Super admins can configure the system notifications and Okta communications for custom admin roles. Configuring the email notifications helps ensure admins receive all of the communications that are relevant to their role. See Configure email notifications for an admin role.

New Velocity email templates

Orgs with Enhanced Email Macros enabled can now customize Factor Reset and Factor Enrollment email templates with Velocity Template Language. See Customize an email template.

Fixes

General Fixes

OKTA-243898

When multiple factors were required in the MFA for Active Directory Federation Services (ADFS) enrollment flow, only a single factor was enrolled before the user was allowed to sign in.

OKTA-409578

After the Microsoft ADFS (MFA) app Sign-On setting was changed to MFA as a Service, the app no longer appeared on the end-user home page.

OKTA-411306

Users weren't instructed to sign out and then sign in again when the mobile device management (MDM) remediation screen appeared during Intune setup.

OKTA-412100

The Identity Provider factor name wasn’t updated when the admin changed the Identity Provider name.

OKTA-412459

The YubiKey report didn’t list all YubiKeys when the user sorted the entries by Status.

OKTA-417499

When the Remove Group endpoint was called with an invalid group profile attribute, the group wasn't removed.

OKTA-418219

Sometimes when a super admin assigned several standard roles to a group at a time, some of those roles didn’t appear on the Groups page.

OKTA-422328

Screen Readers didn't interact properly with the search bar on the Okta End-User Dashboard.

OKTA-422586

On the Suspicious Activity User Report, the Login field was incorrectly labeled Email and didn't display the primary email address of the user who reported the activity.

OKTA-425318

Admins weren't able to use the Expression Language to compare a user's status to a string.

OKTA-428079

Admins weren’t able to add multiple custom attributes to an app on the Okta End-User Dashboard.

OKTA-430675

When the super org admin role was revoked from a user, the resulting email notification didn’t include the org name or URL.

OKTA-432942

Selecting the ellipses on an app card on the Okta End-User Dashboard incorrectly opened the app instead of accessing its settings.

OKTA-434233

Users attempting to enroll an MFA factor while signing in to an OIDC app received server error messages and couldn’t complete the enrollment.

OKTA-440551

The Sort Apps function didn't work when the Okta End-User Dashboard was displayed in Dutch, Brazilian, Portugese, Simplified Chinese, or Traditional Chinese.

OKTA-440618

For some orgs with Branding enabled, the theme was reset after an admin’s role changed.

OKTA-440816

Sometimes, when deactivated LDAP-sourced users attempted to sign in to Okta, an incorrect message appeared.

OKTA-440695

Some users saw an error when signing in to the new End-User Dashboard or OIDC apps for the first time.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • Cloze (OKTA-440336)

Applications

Application Updates

  • The configuration guide for the Vable SCIM integration is updated: Okta Users Provisioning For The Vable Platform.

  • The American Express Work was a duplicate integration and has been removed from the OIN Catalog. Customers should use the American Express - Work integration.

New Integrations

New SCIM Integration Application:

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

OIDC for the following Okta Verified applications:

Weekly Updates

Early Access

Okta Provisioning agent, version 2.0.4

This release of the Okta Provisioning agent contains vulnerability fixes. See Okta Provisioning agent and SDK version history.

Fixes

General Fixes

OKTA-429081

When an admin deleted an app with Federation Broker Mode enabled, users could continue to sign in to the app.

OKTA-429782

Sometimes when the app group membership for a user was deactivated, any role assignments that were revoked from that user still appeared on the Administrators page.

OKTA-429868

API tokens for group admins didn't have the role displayed in the Security > API > Token section.

OKTA-431083

An error occurred when admins attempted to upload an IPA file to the Upload Mobile App page.

OKTA-434925

Email address change notifications were incorrectly sent to the new email address and not the old email address.

OKTA-435431

On the new Okta End-User Dashboard, end users were still able to request apps after an admin had disabled the app request feature.

OKTA-436761

End users were incorrectly prompted to copy password credentials to their clipboard when accessing SWA apps that were shared between users with admin-controlled passwords.

OKTA-439047

Sometimes, the System Log displayed Grant user privilege success events for admins when there were no changes to their privileges.

OKTA-439196

The Okta End-User Dashboard displayed a blank screen to users whose clocks were incorrectly set.

OKTA-441222

When a super admin changed the role notification settings for an admin, some third-party admins with that role were included in the notification subscription.

OKTA-441434

The View Setup Instructions link was broken on the Add Identity Provider page.

OKTA-444012

Branding features weren’t visible in the navigation menu of the legacy Admin Console.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Alibaba Cloud (Aliyun) (OKTA-439430)

  • Apple Store for Business (OKTA-439233)

  • ID90 Travel (OKTA-435212)

  • MessageBird (NL) (OKTA-440295)

  • Screen Leap (OKTA-440292)

  • TD Ameritrade (OKTA-436146)

Applications

New Integrations

SAML for the following Okta Verified applications:

  • Agencyzoom (OKTA-436124)

  • Altruistiq (OKTA-440339)

  • Auvik (OKTA-435860)

  • Ceresa (OKTA-437597)

  • Clumio (OKTA-440285)

  • Workstream (OKTA-441160)

SWA for the following Okta Verified application:

  • Greene King (OKTA-441236)

OIDC for the following Okta Verified application:

  • Luma Brighter Learning: For configuration information, see Okta/Luma SSO.

Fixes

General Fixes

OKTA-419946

When an admin assigned an app to a user, the Edit User Assignments window appeared too small.

OKTA-428017

When the Custom Admin Roles feature was enabled and an admin searched for a group to assign to a role, the list of groups didn’t display their respective app logos.

OKTA-436016

In orgs with deleted groups, admins couldn't run the Admin role assignments report.

OKTA-438793

On the Admin Dashboard, the Overview section displayed an incorrect Updated at time between 12:00 AM and 1:00 AM.

OKTA-441161

When a super admin edited the User Account customization settings, an error occurred after they verified their password.

OKTA-443995

End users were unable to add org-managed apps to the Okta End-User Dashboard after admins had enabled self-service.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • HelpSpot Userscape (OKTA-440296)

  • Instacart Canada (OKTA-442946)

  • Moffi (OKTA-442915)

Applications

New Integrations

SAML for the following Okta Verified applications:

  • Autodesk (OKTA-425911)

  • YesWeHack (OKTA-443624)

OIDC for the following Okta Verified applications:

Generally Available

Sign-In Widget, version 5.13.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-373558

App approval forms incorrectly listed deactivation options and available licenses for Google Workspace.

OKTA-414394

On the Applications page, some admins with a custom role could view the buttons for actions that they didn’t have permission to perform.

OKTA-414517

Users who self-registered but hadn’t completed activation were deactivated if they attempted to sign in with a Google IdP.

OKTA-424842

On the Select assignments to convert page, eligible users didn't appear in the user list.

OKTA-424897

When using the Self-Service Registration feature, users with slower internet connections could click Register again while the account was being created.

OKTA-431945

Sometimes when a third-party admin role was assigned though the public API, the admin's status didn't change in the Okta Help Center.

OKTA-433439

Push Profile updates sometimes failed due to a missing Effective Date value.

OKTA-434556

In Try Okta Free orgs, the Days left in your trial banner didn’t always display the correct number of days.

OKTA-434789

When Veeva Vault was provisioned, the authentication rate limit was incorrectly applied to bulk operations.

OKTA-435148

Unique attributes were retained when admins used a CSV file to import user attributes and the import was unsuccessful.

OKTA-438657

When a custom admin role had the View application and their details permission, admins with that role couldn’t access OIDC applications.

OKTA-441490

When previously deactivated users with expired passwords were reactivated and allowed to sign in using their Personal Identity Verification (PIV) cards, they were required to reset their passwords.

OKTA-442991

When the Custom admin roles feature was enabled, the Administrator assignment by admin and Administrator assignment by role pages displayed the Edit button for admin roles that couldn’t be constrained to a resource.

OKTA-443494

When MFA for Active Directory Federation Services (ADFS) was in OIDC mode and two users were assigned the same custom name, an incorrect error was returned.

OKTA-445826

The help link was incorrect for Settings > Customization > Configure a custom URL domain.

OKTA-453056H

When accessing reports, report admins received a 403 error.

OKTA-453535H

An older library for the RSA and RADIUS agents caused potential security issues in certain situations.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • American Funds Advisor Client Login (OKTA-442550)

  • Bank of America CashPro (OKTA-444481)

  • M&T Bank - Commercial Services (OKTA-447154)

  • Nimble (OKTA-444703)

  • The Trade Desk (OKTA-445291)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • ParkOffice (OKTA-445142)

  • SecZetta (OKTA-446467)

October 2021

2021.10.0: Monthly Production release began deployment on October 11

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 5.12.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Okta Active Directory agent, version 3.7.0

This version of the agent contains:

  • Government Community Cloud support

  • Improved logging functionality to assist with issue resolution

  • Bug fixes

See Okta Active Directory agent version history.

Okta LDAP agent, version 5.9.0

This version of the agent contains:

  • Government Community Cloud support

See Okta LDAP Agent version history.

Okta SSO IWA Web App agent, version 1.14.0

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta SSO IWA Web App version history.

Okta Active Directory Password Sync agent, version 1.4.0

This version of the agent contains:

  • Government Community Cloud support

  • Security enhancements

  • Internal fixes

See Okta Active Directory Password Sync Agent version history.

Okta Browser Plugin, version 6.4.0 for all browsers

  • For orgs that enable this feature through self-service EA, end users can now generate passwords from the Okta Browser Plugin pop-up window.

  • For orgs that enable this feature through self-service EA, the Okta Browser Plugin now recommends strong passwords during SWA app sign-up.

  • Plugin extension architecture for Safari has been updated to WebExtension.

See Okta Browser Plugin version history .

SAML 2.0 Assertion grant flow

You can use the SAML 2.0 Assertion flow to request an access token when you want to use an existing trust relationship without a direct user approval step at the authorization server. The flow enables a client app to reuse an authorization by supplying a valid, signed SAML assertion to the authorization server in exchange for an access token. This flow is often used in migration scenarios from legacy Identity Providers that don't support OAuth. See Create Rules for Each Access Policy.

Password management on the new Okta End-User Dashboard

Users who access the new Okta End-User Dashboard from mobile or desktop can now show and copy passwords for their apps to their clipboard. They can also use a new password management modal to edit the username or password fields for their apps.

Okta Provisioning agent incremental imports

The option to incrementally import user data is now available for the Okta Provisioning agent. Incremental imports reduce the time required for synchronization by only downloading user information that has changed since the last successful import. See Okta Provisioning Agent incremental import.

Schemas API unique attributes

The Schemas API now includes unique attributes for custom properties in Okta user profiles and the Okta group profile. You can declare a maximum of five unique properties for each user type and five unique properties in the Okta group profile. This feature helps prevent the duplication of data and ensures data integrity.

Org Under Attack for ThreatInsight

Okta ThreatInsight now has enhanced attack detection capability. “Org under attack” establishes a base line traffic pattern and adjusts based on legitimate changes in traffic patterns. When a threat is detected, the algorithms are optimized to block all malicious requests while creating a System Log event to alert on the attack. After the attack subsides, threatInsight returns into its normal mode of operation. This capability enables quick blocking action during an attack. See About Okta ThreatInsight. This feature will be gradually made available to all orgs.

Enhancements

Custom footer enhancement

With Branding enabled, admins can now hide the Powered by Okta message in the footer of their Okta-hosted sign-in page and End-User Dashboard. See Configure the footer for your org.

Routing Rules performance enhancements

Performance enhancements on the Routing Rules page include optimized adding, editing, dragging, and deactivating of rules, and improved loading when the number of rules exceeds 1,000. See Configure Identity Provider routing rules.

Log per client mode for client-based rate limits

Client-based rate limits are now in Log per client mode for all orgs for both OAuth 2.0 /authorize and /login/login.htm endpoints. This offers additional isolation to prevent frequent rate limit violations.

Early Access Feature

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-325592

When LDAP delegated authentication was enabled, an incorrect event type was used to process user profile updates.

OKTA-372064, OKTA-430527, OKTA-431382

Accessibility issues occurred on the new Okta End-User Dashboard.

OKTA-420524

A password change notification email wasn’t sent to users after their password was changed by an administrator.

OKTA-421812

A Download Latest button wasn’t available for Okta LDAP agents on the Admin Console Downloads page.

OKTA-426923

When users were deleted asynchronously, the entries associated with the user weren't removed from the UniqueEntityProperty table.

OKTA-427016

When Self-Service Registration was enabled, a change to a user's email address in their profile source caused their UPN (user principal name) in Okta to also change, despite it being mapped to the username.

OKTA-427932

When Branding was enabled, the Sign-In Widget was distorted on custom sign-in pages.

OKTA-428268

When an LDAP interface (LDAPi) client had Custom Admin Roles enabled, time-out errors sometimes occurred during group member queries.

OKTA-431349

Translated versions of AD and LDAP configuration validation messages weren’t provided.

OKTA-431868

In the UI for the SuccessFactors app, options for Active User Statuses weren't displayed.

OKTA-432400

Some dialogs didn't appear on the new Okta End-User Dashboard for some users.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Amplitute (OKTA-429432)

Applications

Updates

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

OIDC for the following Okta Verified application:

  • Extole: For configuration information see Okta Instructions.

Weekly Updates

Fixes

General Fixes

OKTA-383501

When a custom admin role was assigned to an existing group with standard roles, the System Log displayed duplicate Grant user privilege events for the members of the group.

OKTA-399667

Provisioning to Zendesk failed when a user with the same email already existed in Zendesk.

OKTA-414295

For orgs with Custom Administrator Roles enabled, the page filters on the Roles, Resources, and Admins tabs of the Administrators page were labeled incorrectly.

OKTA-414339

Org2Org Push Groups sometimes failed.

OKTA-415370

On OIDC app creation, if no locale was specified, it defaulted to an invalid value (en-US).

OKTA-423420

After Branding was enabled, admins could still navigate to original Settings > Customization pages.

OKTA-426692

Provisioning (create/update) users to NetSuite failed with a Null Pointer Exception (NPE).

OKTA-427646

Group rule Okta Expression Language IF statements couldn’t include integer array attributes.

OKTA-429330

Sometimes, when an org used the Okta IWA Web Agent for Desktop Single Sign-on (DSSO), a missing objectGUID caused a 500 Internal Server Error when users attempted to sign in to Okta.

OKTA-431920

Clicking ASN Lookup when configuring a dynamic zone in the Admin Console didn't open a valid autonomous system number (ASN) lookup service.

OKTA-433981

When an admin role was constrained to a group, users with that role sometimes experienced time-out errors on the People page.

Applications

Application Updates

New Integrations

New SCIM Integration Application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Docutrax (OKTA-433521)

  • Testsigma (OKTA-405606)

OIDC for the following Okta Verified applications:

Generally Available

Sign-In Widget, version 5.12.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-329002

The Custom Administrator Roles Early Access feature wasn’t available for Developer orgs.

OKTA-335217

OAuth applications granted authorization tokens on accounts for which users had not yet completed registration.

OKTA-419163

Some admins who were assigned a custom role could convert app assignments for users they weren’t constrained to.

OKTA-419532

The System Log didn’t display Client IP for user.lifecycle.create events from users created through self-service registration.

OKTA-421451

Permission attributes for the Dropbox application weren’t displayed correctly.

OKTA-421698

Password-reset failures due to sign-in policy violations didn't appear in the System Log.

OKTA-425798

The endUserDashboardTouchPointVariant property on the Brands API Theme object didn’t include a variant for LOGO_ON_FULL_WHITE_BACKGROUND.

OKTA-425804

Admins who viewed completed tasks on the new Okta End-User Dashboard couldn't see who approved or rejected the tasks.

OKTA-426548

A 500 Internal Server error appeared when sensitive attributes were included in attribute search results.

OKTA-428163

When using the Firefox browser, users were unable to edit the Forgot Password Text Message section of the Settings page.

OKTA-428329

Some admins who were assigned more than one custom role could manage the app assignments for users and groups they weren’t constrained to.

OKTA-431377

End users couldn't customize how long pop-ups were displayed on the new Okta End-User Dashboard.

OKTA-431675

When admins used the Add Person dialog in the new Admin Console to add users, automatic resizing of the dialog resulted in a "The field cannot be left blank" error message.

OKTA-431879

If admins edited their Branding theme after it had been applied to an Okta page, the changes weren’t applied until they performed a hard refresh.

OKTA-432829

With Enhanced Email Macros enabled, email templates that were previously customized or translated with Expression Language (EL) couldn’t be edited and saved due to invalid EL expressions.

OKTA-433352

Some end users lost access to the Pressbox and Genny apps when accessing them from the new Okta End-User Dashboard.

OKTA-434859

SAML Org2Org didn't work on the new Okta End-User Dashboard.

OKTA-435293

After Branding was enabled, admins couldn’t use their org logo on a white background for the End-User Dashboard.

OKTA-436513

After Branding was enabled, some orgs were unable to update their existing subdomain names.

OKTA-436732

After the MFA Factor Enrolled email template was customized with Enhanced Email Macros, its default template continued to be sent to users.

OKTA-436949

The Recently Used Apps section wasn't translated on the Settings page of the new Okta End-User Dashboard until the page was refreshed.

OKTA-437664

An Event Hook for group-based privilege change events sometimes didn't include the Okta subdomain events in the JSON response.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Alabama Power (OKTA-437660)

  • Ally Bank (OKTA-435214)

  • American Express - Work (OKTA-438301)

  • Azure Portal Login (OKTA-436740)

  • Booking Admin (OKTA-436792)

  • Cat SIS (OKTA-436148)

  • Cronitor (OKTA-438303)

  • Exact Online (OKTA-435209)

  • Grove (OKTA-438304)

  • Key Bank (OKTA-438305)

  • Redis Labs (OKTA-436147)

  • SiteGround (OKTA-437897)

  • UBS (OKTA-436149)

  • Vitality (OKTA-436145)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications

  • Level AI (OKTA-435557)

  • Loom (OKTA-398082)

  • Pima.app (OKTA-435601)

  • Polytomic (OKTA-435605)

  • Smarp (OKTA-415875)

OIDC for the following Okta Verified applications

September 2021

2021.09.0: Monthly Production release began deployment on September 7

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 5.10.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

MFA Credential Provider for Windows, version 1.3.3

This version includes hardening around certain security vulnerabilities. See Okta MFA Credential Provider for Windows Version History.

Improved new device behavior detection

Stronger signals are now used for the detection of new devices. Devices with web browsers that don't store cookies are treated as new and trusted applications must send a unique identifier for each device as a device token. See Behavior detection. This feature is made available to all orgs.

Enhancements

ThreatInsight default mode for new orgs

For new orgs, the default mode for ThreatInsight is now set to Audit mode. Previously, with no mode set by default, events weren't logged unless Audit mode or Block mode was enabled manually. Now with Audit mode set by default for new orgs, the security.threat.detected event is logged once a malicious request is detected. See Okta ThreatInsight.

OIN Manager enhancements

  • The UI text has been clarified for the group patch batching process in the OIN Manager for SCIM submissions. See the Submit an app integration guide.
  • Partners can now provide multiple support contacts, such as email addresses, support URLs, and phone numbers for customers who need assistance when installing or configuring their app integration. This information is shared with users through the app integration’s details page in the OIN catalog. See the Submit an app integration guide.

PagerDuty SSO Domain Support

Base URL is now used instead of Organization Subdomain for PagerDuty SSO configuration. This enables customers with EU domains to input their URL when they set up SSO.

Updated End-User Dashboard icon for mobile users

The End-User Dashboard icon has been updated for mobile users.

Updated Delete Person and Delete Group dialogs

The Delete Person and Delete Group dialogs now include statements to clarify what is removed when a person or group is deleted. This can include application assignments, sign-on policies, routing rules, and user profiles. This change helps admins better understand the ramifications of deleting people and groups. See Deactivate and delete user accounts and Manage groups.

Early Access Features

New Features

Custom Administrator Roles

The standard admin roles available today don’t always meet all the granular delegated administration requirements, which may result in admins having either more or less permissions than they need.

The Custom Administrator Roles feature allows super admins to:

  • Create admin assignments with granular roles, which include specific user, group, and application permissions.

  • Constrain these admin assignments to resource sets.

Use Custom Administrators Roles to:

  • Increase admin productivity.

  • Decentralize the span of access that any one admin has.

  • Grant autonomy to different business units for self-management.

See Custom Administrator Roles .

Enhancement

New grant type for native SSO

A new grant type, Token Exchange, is available for Authorization Server configuration. Admins can select the grant type to enable SSO for native apps. For more information see Configure SSO for Native apps.

Fixes

General Fixes

OKTA-364848, OKTA-364849, OKTA-364921, OKTA-382725, OKTA-382848, OKTA-382907

Some accessibility issues occurred on the Okta End-User Dashboard.

OKTA-386820

Group Push tasks weren't displayed on the Admin Dashboard.

OKTA-391032

Custom admins with Manage group permissions could view the Add Rule button on the Groups > Rules tab.

OKTA-393077

The View IDP Metadata link incorrectly required an active session when application-specific certificates were enabled.

OKTA-408184

A gap between the deactivation of a contractor and the activation of that user to a full-time employee caused incremental imports for Workday to fail.

OKTA-408562

On the Directory > Groups page, an icon didn’t appear for the Zendesk application.

OKTA-409182

Translations weren't provided for some unsuccessful LDAP password update error messages.

OKTA-409388

Users weren't added to groups when the locale attribute filter was set to equals in the group rule.

OKTA-411252

If an admin added an app integration but didn't complete the process and subsequently assigned it to a group, then clicking the link for the app integration through the Groups directory opened the Add app integration process instead of the settings page for that app integration.

OKTA-416414

Sign-in redirect URI requests failed due to wrapping of the designated URI in the Admin Console.

OKTA-416671

Wildcard OAuth redirect URIs failed if subdomains included underscores.

OKTA-417982

During an OAuth client lifecycle event, the debug data section of the System Log logged incorrect client IDs.

OKTA-420534

While loading, the side navigation on the new Okta End-User Dashboard was misaligned.

OKTA-421801

Some users with a custom domain URL couldn't add or edit resource sets for custom admin roles.

OKTA-421951

Adding an expiration date macro to the Password Reset email template resulted in an Invalid Expression error.

OKTA-422282

End users were able to add bookmark apps after their admins configured the App Catalog Setting to allow org-managed apps only.

OKTA-422340

The number of groups displayed in the Admin Dashboard Overview differed from the correct number of groups reported on the Directory > Groups page.

OKTA-422782

Text didn't wrap properly in the Note for requester field for app approval requests.

OKTA-425921H, OKTA-425993H

Sometimes, when users signed in to Okta and Agentless Desktop Single Sign-on (ADSSO) was enabled, groups outside of the selected organizational units were retrieved.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Avalara (OKTA-415081)

  • Fisher Scientific (OKTA-422646)

  • Microsoft Volume Licensing (OKTA-420160)

  • Quadient Cloud (OKTA-422635)

  • RescueAssist (OKTA-422643)

  • WeWork (OKTA-423570)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Anomalo (OKTA-421527)

  • Paradime (OKTA-420444)

OIDC for the following Okta Verified application:

Weekly Updates

Fixes

General Fixes

OKTA-407869

Some error messages in the Sign-In Widget were translated from English to other languages when the user's language was English.

OKTA-417450

LDAP-sourced users weren’t able to sign in to the Okta Admin Console when their passwords expired and a password policy allowed passwords to be updated.

OKTA-418723, OKTA-420397

New Okta branding didn’t appear on some default error page templates.

OKTA-421227

On the Administrator assignment by admin page, the Copy groups and Paste groups buttons didn’t appear for standard roles that were constrained to one or more groups.

OKTA-421767

The User Profile > Admin roles tab was visible for deactivated users. For active users with no assigned roles, the button to add privileges was mislabeled Edit individual admin privileges.

OKTA-422485

Searches in the LDAP Interface didn’t return results when the search terms were capitalized.

OKTA-423616

The Push Groups page became unresponsive when admins created new group push mappings.

OKTA-424357

ThreatInsight didn't always block IP addresses that were identified as the source of password spray attacks.

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Wiz (OKTA-422626)

Fixes

General Fixes

OKTA-399959

Session timeout policy wasn't enforced during IdP-initiated login to the Admin Console.

OKTA-412102

If an admin added a rule to an app sign-on policy and named it Default sign on rule, they were unable to edit or delete the rule.

OKTA-414089

Admins with the Manage Applications custom admin permission couldn’t access the Profile Editor, Directory Integrations, or Profile Sources pages.

OKTA-414564

A Sign-in Widget message was translated into Russian incorrectly.

OKTA-420154

If client-based rate limiting was enabled, end users were sometimes presented with a 429 error instead of the sign-in page when their session expired or they signed out.

OKTA-421356

LDAP-sourced user profiles weren’t updated when an admin changed the user profile status from suspended to unsuspended.

OKTA-423419

When Enhanced Email Macros was enabled, using required variables without brackets resulted in a validation error.

OKTA-423470

Org logos on the new Okta End-User Dashboard were sometimes oversized.

OKTA-424330

Some Preview org customers received an error when accessing end-user pages after they changed their browser language to Chinese-Traditional.

OKTA-425588

Rate limit enforcement for Voice-based MFA was not mitigating certain toll fraud attacks.

OKTA-427137

DocuSign deprovisioning sometimes failed with the following error: “Adding entity to http method DELETE is not supported.”

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 3Rivers (OKTA-424892)

  • Adobe Enterprise (OKTA-424893)

  • CallTower (OKTA-424894)

  • Parse.ly (OKTA-422625)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

  • KnowBe4: For configuration information, see here (you need to sign in to KnowBe4 to access their documentation).

SAML for the following Okta Verified application

  • Code Climate Velocity (OKTA-424882)

OIDC for the following Okta Verified applications

Generally Available

Sign-In Widget, version 5.11.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-393693

If an app sign-on policy required re-authentication every 0 minutes, some users were unable to reset their passwords.

OKTA-419837

When Branding was enabled, custom code editor pages displayed an incorrect warning.

OKTA-423586

Function names that include blank spaces didn’t work with Enhanced Email Macros.

OKTA-425232

When Branding was enabled, the Go to Homepage button on the Okta error page didn’t use the default Okta variant color.

OKTA-425425

When a super admin tried to generate a Current Assignment report, Okta Admin Console didn’t appear as an available application.

OKTA-426446

When a third-party admin role was assigned, the admin's status didn't change in Salesforce and the Exclude admin from receiving all admin-related communications rule wasn't enforced.

OKTA-430127

When Branding was enabled and later disabled, the sign-in and error pages that were customized with HTML code editors during the enabled period could be reset to their defaults.

OKTA-430524

The default password policy was sometimes being evaluated for users instead of the configured password policy.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Frame.io (OKTA-427018)

  • Google Play Developer Console (OKTA-425775)

  • PNC Borrower Insight (OKTA-426061)

  • Tech Data (OKTA-427022)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Blue Ocean Brain (OKTA-426050)

  • Kintone.com (OKTA-421223)

  • Skypher (OKTA-426992)

OIDC for the following Okta Verified applications

Generally Available

Sign-In Widget, version 5.11.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-327544

An HTTP 500 Internal Server Error message appeared when users attempted to sign in to Okta and their username included an asterisk (*).

OKTA-417936

During an IdP Discovery flow, routing rules were no longer observed if users clicked Back to sign in from the MFA prompt.

OKTA-420946

When admins customized the MFA Factor Enrolled or MFA Factor Reset email templates, the default template was sent to users.

OKTA-423578

Admins could create ADSSO IdP routing rules when ADSSO functionality was enabled and then disabled.

OKTA-425321

When an admin had a custom role with the Manage users and Edit users' authenticator operations permissions, they couldn’t enroll users in the YubiKey factor.

OKTA-427145

When the Admin role assignments report was filtered by a group, it didn’t include group membership admins who were constrained to that group.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Autotask (OKTA-429728)
  • Contract Express (OKTA-429434)
  • DocsCorp Support (OKTA-425176)
  • Google Play Developer Console (OKTA-425775)
  • SAP Concur Solutions (OKTA-427469)
  • Shipwire (OKTA-426103)
  • Twitter (OKTA-430242)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications

  • Jooto (OKTA-429135)
  • Merge (OKTA-430337)

OIDC for the following Okta Verified applications

August 2021

2021.08.0: Monthly Production release began deployment on August 9

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 5.9.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta solution visible in footer

To help admins identify their Okta solution, the version number in the footer of the Admin Console is now appended with C for Classic Engine orgs and E for Identity Engine orgs. See Identify your Okta solution.

On-Prem MFA agent, version 1.4.4

This version includes bug fixes, security enhancements, and a new version of the Log4J library. See Okta On-Prem MFA Agent Version History.

ADFS Plugin, version 1.7.8

This version includes bug fixes and security enhancements. See Okta ADFS Plugin Version History.

Root signed PIV certificate support

Certificates signed directly from a root CA certificate, with no intermediates, can now be used for Personal Identity Verification (PIV) authentication.

Multiple active user statuses for SuccessFactors integration

Support for multiple active user statuses: When importing users from SuccessFactors into Okta, admins can now select more than one active user status, such as Leave of Absence. See Learn about SAP SuccessFactors Employee Central data provisioning.

Deleted schema property scrubber

All existing data associated with a schema property is now removed when a schema property is deleted. To prevent data corruption, the property cannot be recreated until the existing data is fully removed. Previous data is no longer restored when recreating a deleted schema property with the same definition. This new functionality prevents the corruption of profile data and the associated Elastic search issues. See Add or remove custom directory schema attributes.

This feature will be gradually made available to all orgs.

 

LDAP agent, version 5.8.0

This version of the agent contains:

  • Password expiry warning support for Oracle Directory Server Enterprise Edition (ODSEE), Oracle Unified Directory (OUD), OpenDJ, and SunOne 5.2 LDAP directory services

See Okta LDAP Agent version history.

Enhancements

New warning for excessive IP addresses

A warning now appears if a gateway or proxy has an IP range with more than 5 million addresses. See Create an IP Zone.

Start time and end time of rate limit windows

The Rate Limit Dashboard now displays the start time and end time of the rate limit window for each data point. This helps you analyze each data point with more granularity. See Rate limit dashboard.

End-User Dashboard styling

On the new Okta End-User Dashboard, text color in the side navigation has been updated. See Control access to the Okta End-User Dashboard.

OIN Manager enhancements

The Apps for Good category has been added to the selectable categories list. Also, other category names have been adjusted to match those shown in the OIN App Catalog.

OIN App Catalog UI improvements

If available, support contact information now appears on the details page for app integrations.

Early Access Features

New Features

Third-Party Risk

Okta Risk Eco-System API / Third-Party Risk enables security teams to integrate IP-based risk signals to analyze and orchestrate risk-based access using the authentication layer. Practitioners can step up, reduce friction or block the user based on risk signals across the customer’s security stack. Apart from improving security efficacy, this feature also enhances the user experience by reducing friction for good users based on positive user signals. See Risk scoring.

Okta Brands API

The Okta Brands API allows customization of the look and feel of pages and templates. It allows you to upload your own brand assets (colors, background image, logo, and favicon) to replace Okta's default brand assets. You can then publish these assets directly to the Okta-hosted Sign-In Page, error pages, email templates, and the Okta End-User Dashboard. See Customize your Okta experience with the Brands API.

Enhanced email macros for email template customization

Enhanced Email Macros updates the email templating engine to use Velocity Templating Language (VTL). This feature unlocks new syntax that provides enhanced conditional logic and access to all attributes in the Okta User Profile object. This allows developers and admins more customizations in their user-facing emails. See Customize email templates | Okta Developer and Customize an email template.

Fixes

General Fixes

OKTA-381874

On the Agents page, admins couldn't remove deleted RADIUS agents or hide the ones that weren't in use.

OKTA-386797

Users were able to make too many attempts to enter an SMS one-time passcode when performing a self-service unlock.

OKTA-388903

Using an Office 365 thick client to open documents from the SharePoint Server didn't work consistently.

OKTA-399414

A link was broken on the OIDC Identity Provider profile mapping page.

OKTA-404612

When updating the provisioning settings for an app integration, some admins had to reload the page because the Admin Console showed a verification message and then stopped responding.

OKTA-404620

Workflow URLs with the okta-emea subdomain weren’t automatically verified when used as an Event Hook URL.

OKTA-406499

On the Admin Console Tasks page, the first 10 tasks were duplicated when Show more tasks was selected and 10 or more tasks were already listed.

OKTA-409514

If an app integration with provisioning enabled was upgraded to support the Push Groups feature, admins were repeatedly prompted to enable provisioning.

OKTA-415772

The Tasks view was missing from the new Okta End-User Dashboard.

App Integration Fixes

The following SWA apps weren't working correctly and are now fixed:

  • Azure Portal Login (OKTA-411455)

  • Cisco WebEx Meeting Center - Enterprise (OKTA-411543)

  • Matrix Teams (OKTA-415413)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified application:

  • Neptune (OKTA-393740)

Weekly Updates

Generally Available

Sign-In Widget, version 5.9.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-386084

Error page templates were inconsistently formatted.

OKTA-409142

The Registration Inline Hook didn’t correctly display error messages to the user during user self-registration.

OKTA-411448

Users who enrolled in multifactor authentication using the Active Directory Federation Services integration were unable to download the Okta Verify app from the Apple App Store and the Google Play store during enrollment.

OKTA-415642

Theme colors weren’t applied to custom pages in Internet Explorer 11.

OKTA-416292

The password management modal was incorrectly minimized on the new Okta End-User Dashboard after an end user responded to the copy confirmation modal.

OKTA-417651

When admins attempted to delete or revoke a YubiKey from the Okta Admin Console, the Done button didn’t appear upon completion.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Fannie Mae Desktop Underwriter (OKTA-416904)

  • Frame.io (OKTA-416896)

  • i-Ready (OKTA-416899)

  • InternationalSOS (OKTA-415410)

  • LifeLock (OKTA-413854)

  • Milestone Xprotect Smart Client (OKTA-416893)

  • SDGE (OKTA-416903)

  • ShipStation (OKTA-416897)

  • Simple Sales Tracking (OKTA-416906)

  • Washington Post (OKTA-416908)

  • Yodeck (OKTA-415411)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified application

  • Hiretual (OKTA-413861)

OIDC for the following Okta Verified application

Fixes

General Fixes

OKTA-309646

The scroll bar didn't function as expected while adding a new access policy to an authorization server.

OKTA-364838

Some accessibility issues occurred on the Okta End-User Dashboard.

OKTA-392409

Office 365 silent activation sometimes failed if the sign-on policy required re-authentication.

OKTA-407591

Prompts initiated by an admin to reset an end user’s password for an SWA app weren't displayed on the Okta End-User Dashboard.

OKTA-410027

When a user was deleted, the AlternateId field in the System Log displayed the user’s Okta identification number and not their email address.

OKTA-412526

The Note for requester field within the self-service app request approval settings didn't properly display messages.

OKTA-414136

The Office 365 integration in the Okta App Catalog showed a Group Linking option that wasn't available for Office 365.

OKTA-414387

End users who attempted to use a custom sign out URL were presented with a blank page on Internet Explorer 11.

OKTA-418656

Users weren’t prompted for additional authenticators after self-service password resets even though their sign-on policy required them.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Alerus (OKTA-418805)

  • BenXcel (OKTA-418794)

  • Inbox by Gmail (OKTA-412080)

  • IBM MaaS360 (OKTA-418799)

  • Redis Labs (OKTA-418789)

Applications

Application Updates

  • We have added the userType attribute to the Slab SCIM schema. For details see the Slab Okta SCIM Integration Guide.

  • The FIS Global Client integration is deprecated from the OIN Catalog.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Blingby Inline (OKTA-410691)

  • Panzura Data Services (OKTA-419287)

  • RudderStack (OKTA-413572)

OIDC for the following Okta Verified applications:

Fixes

General Fixes

OKTA-295856

Buttons and text were misaligned on the API > Trusted Origins tab.

OKTA-382908

A confirmation message wasn’t displayed when an admin removed the last resource from a resource set or the last permission from a role.

OKTA-385343

Group attributes weren't pushed from Okta to Active Directory (AD) as expected.

OKTA-387007

When an admin clicked Custom roles from the Overview section on the Administrators page, the Roles tab opened with the incorrect filters applied.

OKTA-402814

Users didn't receive a verification email after updating a secondary email address.

OKTA-402856

In the redesigned Admin Console, import safeguard warning messages didn’t appear on the Dashboard.

OKTA-412025

Users didn't receive a verification email after they were activated on the People page.

OKTA-413954

Certain YubiKey device make and model names didn't appear correctly on the Okta End-User and Admin Dashboards.

OKTA-417326

Some tabs and buttons on the user and group profile pages of the Custom Administrator Roles user interface were labeled incorrectly. Also, the Admin role assignment report page was called Custom reporting.

OKTA-418039

Enhanced email macros didn’t work with Branding.

OKTA-418150

On the People page, the last user with super admin permissions could be deleted without generating an error.

OKTA-418922

When a user was deleted on the People page, the PostDeleteUserEvent event type was Initiated and not Completed.

OKTA-420122

In the redesigned Admin Console, the Actions drop-down menu for SAML app certifications didn’t expand correctly.

OKTA-420740

When a theme was applied to the Okta-hosted sign-in page, the Sign in button didn’t change to the selected primary color.

OKTA-421446

The Administrator assignment by admin page didn’t load properly when the delegated admin had a standard role that was constrained to specific apps or groups.

OKTA-421481

Some Expression Language email templates didn’t work with Branding.

App Integration Fixes

The following SWA app was not working correctly and is now fixed:

  • Vitality (OKTA-420790)

Applications

Application Update

The following integrations are deprecated from the OIN Catalog: 

  • Hiveed

  • BenXcel

  • FIS Global

  • Nanigans

New Integrations

SAML for the following Okta Verified applications:

  • Blingby Programmatic (OKTA-421181)

  • Perimeter 81 (OKTA-415079)

  • Snackmagic (OKTA-419393)

  • Suveryapp (OKTA-420053)

SWA for the following Okta Verified application:

  • Integromat (OKTA-420293)

OIDC for the following Okta Verified application:

July 2021

2021.07.0: Monthly Production release began deployment on July 12

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Dedicated help sites for Okta products

Three of Okta’s products — Access Gateway, Advanced Server Access, and Workflows — now have their own dedicated help sites:

This enhancement offers direct access to independent online help sites for these products from help.okta.com. The new sites provide several benefits:

  • Compactly designed, product-centric content
  • Streamlined navigation
  • More efficient content updates and responsiveness to customer feedback

Okta Device Registration Task, version 1.3.2

This release includes internal code refactoring. You can download this version from the Settings > Downloads section of the Admin Console.

New Domains API response properties available

The Domains API includes the new response object properties of certificateSourcetype and expiration. The certificateSourcetype is a required property that indicates whether the Certificate is provided by the user. The accepted value is Manual. The expiration property on the DNSrecord object is an optional property that defines the TXT record expiration. See Domains API.

Default end-user experience

New orgs, including those created through the org creator API or the developer.okta.com website, will have the new end-user experience enabled by default in preparation for the old end-user experience deprecation starting on October 13. Learn more about this migration and other frequently asked questions in our support article.

Disable Import Groups per SCIM integration

Admins can now choose whether or not to import groups with all SCIM integrations. This new option is available when you set up provisioning for a SCIM integration.

Note that you can't disable group imports for an app if:

  • Import New Users and Profile Updates isn't enabled.

  • App Assignments based on Group exist.

  • Group policy rules exist.

  • Group Push mappings exist.

In these cases, an error is displayed.

Nutanix support

Okta Access Gateway customers can now download and deploy the Access Gateway virtual appliance on Nutanix Acropolis Hypervisor (or Nutanix AHV), a hyper-converged infrastructure platform popular among larger organizations. This provides customers with more options for infrastructure services supported by Access Gateway, including AWS, OCI, VMWare, and now Nutanix.

Remove the ability to disable Admin Experience Redesign

You can no longer disable the Admin Experience Redesign feature for your orgs.

Note: This is not applicable for orgs that didn't have Admin Experience Redesign enabled and used the legacy experience until 2021.06.4.

Windows Hello as an MFA factor is not supported for new orgs

Windows Hello as an MFA factor is no longer supported for new orgs. Existing orgs already using this feature can continue using it.

Test custom email templates

Admins can send themselves a test email to see how their custom email templates will look and function. This allows them to validate macro attributes and translations in the customized template and to see how the template will render in different email environments. Sending the test email to their primary email address eliminates their need to create a real end-to-end workflow to test customization. For more information, see Test a customized email template .

Create LDAP group password policies

You can now create group password policies for LDAP sourced users. This gives you the flexibility to provide users with the same password policy requirements as your local LDAP directory, easing the user experience of an LDAP integration with Okta. See About group password policies and Sign-on policies.

Event Hook preview

Event Hook preview lets admins easily test and troubleshoot their Event Hooks, as well as send sample requests without manually triggering an actual event. This means admins can preview the payload of a specific Event Hook type and make sure that it's what they need to move forward before a full deployment to production. See Event Hook Preview.

Enhancements

Workplace by Facebook new custom attribute

Okta now supports the is_frontline custom attribute in Workplace from Facebook. Supporting user type designations enables access for frontline and deskless workers.

OIN App Catalog UI improvements

For each app integration in the OIN App Catalog, the details page has been updated to use tabs that display the overview and the specific capabilities of the app integration. The details page also shows the Capabilities in the side navigation. Clicking a specific capability returns the administrator to the main Add Application page with that capability pre-selected in the filter. When an admin searches for app integrations, the filter is now persistent through category changes or when they refresh the page.

OIN Manager category selections

For app submissions in the OIN Manager, the category designations have been updated to match the categories available in the OIN App Catalog.

Changes to group assignment options for OIDC apps

Admins can create new OIDC applications without assigning them to a group. See Create OIDC app integrations using AIW.

HTML sanitizer for email templates

Velocity-based email templates are now processed by an HTML sanitizer. Templates that don’t conform to the rules of the sanitizer are corrected before they are sent. See Customize an email template.

Email template events

The creation and deletion of email templates are now logged as events in the System Log.

Rate limit violation event logging

Session-user and User rate violation events are now logged as operation-level events instead of org-wide events. This allows you to distinguish between rate limit violations at an org level and individual level.

Updated branding for End-User Dashboard

Okta branding on the Okta End-User Dashboard has been updated.

Early Access Features

New Feature

FIPS compliance for iOS or Android devices

Federal Information Processing Standards (FIPS) compliance is now available for iOS or Android devices. FIPS can be enabled on the Okta Verify configuration page. When FIPS compliance is enabled, admins can be confident that only FIPS-compliant software is used. See About FIPS-mode encryption.

Enhancement

OAuth redirect URI wildcards

Admins can now use a wildcard for multiple redirect URI subdomains when configuring OIDC applications. See Create OIDC app integrations using AIW.

Fixes

General Fixes

OKTA-274754

When an admin attempted to add an app integration to their org for which the org was not entitled, the error message didn't display the org's edition name.

OKTA-380653

A user-created on-the-fly app incorrectly appeared on the Tasks page under Number of apps that can have provisioning enabled.

OKTA-397607

Sometimes the failed-sign-in counter didn’t reset to zero after an end user successfully signed in, which resulted in improper lockouts.

OKTA-400220

When OpenLDAP was used with delegated authentication, an error message containing unnecessary information appeared if users attempted to change their password and it didn't meet the LDAP complexity requirements.

OKTA-401490

LDAP import schedules weren't updated when Relative Distinguished Name (RDN) attribute mapping from Okta to LDAP was missing.

OKTA-402247

New device notifications weren't sent during passwordless sign-in flows.

OKTA-404865

Group Push for Slack caused group members to be reset and gradually re-added, during which time group members couldn't access the app.

OKTA-405351

Some deactivated SAML IdP users whose attributes were updated with Just-in-time Provisioning were activated even though the reactivation JIT setting wasn't selected.

OKTA-407292

Some users were deactivated instead of deleted in Automations.

OKTA-408802

Sometimes, during SAML app configuration, the metadata link improperly required a sign-in session.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • San Diego Gas and Electric (OKTA-407572)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SWA for the following Okta Verified applications

  • Headspace (OKTA-403509)

  • Redprint (OKTA-394718)

  • SCOPE (OKTA-405791)

OIDC for the following Okta Verified applications

Weekly Updates

Generally Available

Sign-In Widget, version 5.8.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-405084

Long-running deactivation jobs didn't overwrite user status changes after a user was deleted.

OKTA-409081

Google Chrome users saw a session lifetime warning if they accessed an end-user dashboard embedded in an iFrame.

OKTA-409227

In the OpenID Connect (OIDC) app wizard, the default Assignments selection was Allow everyone in your organization to access.

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified applications

  • 4Degrees (OKTA-405438)

  • SkillsHood (OKTA-404888)

Generally Available

Sign-In Widget, version 5.8.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-382511

Users saw the wrong error message if they attempted self-service registration with a unique attribute (such as Customer Account Number) that was already in use.

OKTA-383402

In Identity Provider routing rules, the User attributes input field for the AND User Matches condition was narrow and misaligned.

OKTA-394734

The Admin Console Search field was unavailable with Lightweight Directory Access Protocol integrations.

OKTA-398165

Admins who selected the Users Locked Out task on the Admin Dashboard were redirected to the Reset Password page instead of the Unlock People page.

OKTA-399643

Org groups didn't appear as expected on the Admin Console Groups page.

OKTA-401969

Active Directory Single Sign-On users who were prompted to upgrade to Okta Verify with Push Authentication received an error 403 Forbidden message.

OKTA-404295

When an app request email was sent to an admin, the encoded URL was listed instead of its punycode URL.

OKTA-404488

During searches for Lightweight Directory Access Protocol-sourced users, concurrency limit violations caused 429 Too Many Requests errors.

OKTA-405064

Deleted user profiles were permanently removed when they were reactivated.

OKTA-405259

Sometimes, an agent status email wasn’t sent when the Okta IWA Web agent was unavailable.

OKTA-406581

End users who were unable to sign in successfully with Just-in-Time provisioning were sometimes redirected back to the sign-in page without seeing an error message.

OKTA-410072

Sample app bundle downloads didn’t use the current SDK version.

OKTA-411109

The Russian translation for an expired token was inaccurate.

OKTA-413703

Some orgs experienced an issue where the More Integrations section of the Okta App Catalog appeared empty.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Addison Lee (OKTA-410400)

  • Business Insider Prime (OKTA-411534)

  • Calxa (OKTA-411523)

  • CB Insights (OKTA-410399)

  • Cloudapp (OKTA-411535)

  • Dashlane Business (OKTA-410403)

  • Dealer Daily Lexus (OKTA-411531)

  • eFlex Employee (OKTA-411513)

  • Fresh Direct (OKTA-410395)

  • Instacart (OKTA-411491)

  • Instacart Canada (OKTA-411510)

  • Ned Davis Research (OKTA-409608)

  • New York Times (OKTA-410985)

  • Office Tools Portal (OKTA-410397)

  • Passkey (OKTA-411526)

  • Samsara (OKTA-410392)

  • Skillsoft (OKTA-410402)

  • Soundcloud (OKTA-411532)

  • Trustwave (OKTA-410406)

  • United Tranzactions (OKTA-411519)

  • Untangle (OKTA-411520)

  • Wall Street Journal (OKTA-410396)

  • Zocdoc (OKTA-410398)

  • Zscalerbyz (OKTA-410405)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified applications

  • Bonsai (OKTA-409442)

  • Cafe (OKTA-405554)

  • Dashlane (OKTA-407393)

  • eSuite (OKTA-405607)

  • FileFlex (OKTA-410143)

  • ShopRun (OKTA-411470)

  • TeamPay (OKTA-393790)

  • Transcend Engagement (OKTA-409454)

SWA for the following Okta Verified application

  • Samsara (Driver Sign In) (OKTA-414275)

OIDC for the following Okta Verified applications

June 2021

2021.06.0: Monthly Production release began deployment on June 7

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta Sign-In Widget, version 5.7.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

MFA Credential Provider for Windows, version 1.3.1

The MFA Credential Provider for Windows version 1.3.1 includes hardening around certain security vulnerabilities, support for Windows 2019, and other general bug fixes and improvements. See Okta MFA Credential Provider for Windows Version History

Okta Device Registration Task, version 1.3.1

This release is based on Python 3, to support macOS 10.15.xx (Catalina) and above. It addresses the known issue of device enrollment failures. You can download this version from the Settings > Downloads section of the Admin Console. See Enforce Okta Device Trust for Jamf Pro managed macOS devices and Device Trust for macOS Registration Task Version History.

LDAP Interface sign on policy

When creating a sign on policy, you can now create rules that apply only to LDAP Interface user authentications. With this change, you can apply a sign on policy to LDAP Interface authentications and exclude other authentication methods. See Sign-on policies.

Import Safeguard Event Hook

The Import Safeguard event is available for use as an Event Hook. Admins can use the Import Safeguard event to generate a notification when an import safeguard occurs. See Import safeguards and Event Types.

App Integration Wizard improvements

The App Integration Wizard has been updated with several usability improvements. For quicker access, you can now launch the wizard from either the Applications page or the Browse App Integration Catalog page. The platform and sign-on method selection process has been streamlined to remove unnecessary inputs. Help hints in the wizard have been improved to eliminate the need to look up definitions and guidance from the documentation. To save time, trusted origins and group assignment tasks can now be completed as part of the process rather than after the wizard creates the app integration. See Create custom app integrations.

Polling support for Agentless Desktop Single Sign-on and Integrated Windows Authentication authentication sessions

Agentless Desktop Single Sign-on (ADSSO) and Integrated Windows Authentication (IWA) authentication sessions now include polling to reduce the likelihood of service disruptions during periods of high bandwidth use. For users authenticating with ADSSO or IWA during peak periods, this change increases the likelihood that a server will be available to process their authentication request. See Active Directory Desktop Single Sign-on.

Okta Verify support for risk-based authentication

Okta Verify with Push now supports risk-based authentication. With this feature, admins can assess the level of risk when an end user signs in to their org and attempts to authenticate with Okta Verify. See About Okta Verify. This feature will be gradually made available to all orgs.

RADIUS support for EAP-TTLS

The RADIUS agents now support the EAP-TTLS network authentication protocol. See the supported factors section in any RADIUS Integrations. This feature is made available to all orgs.

Recently Used Apps

A Recently Used apps section has been added to the top of the Okta End-User Dashboard and the Okta Browser Plugin to make it easier for end users to access their applications. End users can enable and disable the Recently Used setting in their Preferences panel or Account Settings on the Okta End-User Dashboard.

When enabled, the Recently Used apps section is visible at the top of the Okta End-User Dashboard regardless of the number of apps assigned to the end user or whether any apps have been launched. If an end user re-enables the Recently Used apps section, apps that were used when the feature was previously enabled are not preserved. See Recently used applications. This feature will be gradually made available to all orgs.

Recently used apps section on the Okta dashboard

Enhancements

OIN Manager category selection changes

The choices in the OIN Manager App category selection list have been updated to match the categories available in the public OIN catalog. For existing submissions, the category choice isn't changed until the ISV updates the app submission in the OIN Manager. ISVs can also now select up to three categories for their app integration. See Submit an app integration.

OIN Manager OIDC enhancements

ISVs can now select which OpenID Connect modes their application supports: Single-Page Application (SPA) or Web. See OIDC settings.

Rate limit System Log Event Hook enhancements

The system.operation.rate_limit.warning event has been updated and now notifies administrators when their org is approaching an Event Hook rate limit.

The system.operation.rate_limit.violation event has been updated and now notifies administrators when their org has exceeded an Event Hook rate limit.

See Event Types.

OAuth scope flexible consent

When user consent is required for an OAuth scope, a new check box is available to enable Flexible consent, which blocks services from requesting the scope. See Create Scopes.

Combined OAuth claim evaluation events

To reduce system load and operational cost, a single app.oauth2.as.evaluate.claim event is now recorded per request, instead of separate events for access tokens and ID tokens.

Updated UI for provisioned username options

If an app integration doesn't support the Create only option in the Application username format drop-down menu, the option is now disabled rather than hidden.

Session synchronization

All browser tabs that access the Okta End-User Dashboard now maintain the same session lifetime.

Hidden fields in Sign-In Widget

Hidden username and password fields in the Sign-In Widget are no longer identifiable by screen readers.

File upload tool tips

Tool tip text formatting has been standardized on the App Instance page.

Active SAML certificate warning

A warning now appears when currently active SAML certificates are set as inactive in the Okta Admin Console.

 Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-371017

Assigning attributes when provisioning to Webex sometimes resulted in errors.

OKTA-374204

When a custom sign-out page was configured, users who reset their password with SMS and then clicked Back to sign in were redirected to the custom page.

OKTA-386816

Some app tasks that weren't mapped to Okta users didn't appear on the Admin Dashboard.

OKTA-387918

Admins were unable to view the Import Monitoring dashboard for applications when the application admin role was assigned to specific applications.

OKTA-388914

Okta erroneously pushed profile updates to Rally upon user reactivation when updates to user attributes were disabled.

OKTA-389233

The Sign-In Widget appeared blank for users who attempted to sign in while using multiple WebAuthn authenticator enrollments.

OKTA-393663

Some Firefox 88.0 users on Mac devices were presented with a blank page after signing in to Okta.

OKTA-395953

An incorrect error message was displayed when a user was created with a duplicate unique property.

OKTA-396812

If a user tried to re-enroll via RADIUS after their SMS factor was reset, they weren't prompted to verify their phone number.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Addepar (OKTA-396929)

  • Ustream (OKTA-396921)

Applications

Application Updates

Adobe Sign now supports OAuth and REST API mode for provisioning for new app instances. Existing app instances should be migrated to the new app, see the Adobe Sign Migration Guide for details.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • AlphaSense (OKTA-394744)

  • cloudtamer.io (OKTA-399136)

Weekly Updates

Generally Available

Sign-In Widget, version 5.7.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-386890

Automation rules that were created to delete inactive users sometimes failed due to deprovisioning errors.

OKTA-388300

When the new Admin redesign experience was enabled, the Agents Dashboard displayed incorrect version information about upgraded RADIUS agents.

OKTA-388727

The Clear Unconfirmed Users button didn't work consistently on the Active Directory (AD) Import page.

OKTA-389975

The Sign On page was unresponsive after the Credentials Details section of Bookmark apps was updated.

OKTA-391272

Provisioning errors occurred when email addresses were pushed from Okta to UltiPro after being updated in Active Directory.

OKTA-398218

Syncplicity couldn't be provisioned for EU-based domains.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 1Password Business (OKTA-398705)

  • Eden Workplace (OKTA-398670)

  • Gong (OKTA-394257)

  • Instagram (OKTA-398090)

  • Schwab Advisors (OKTA-401549)

Applications

Application Update

The existing Cacoo integration is deprecated and renamed Cacoo (deprecated). Customers should now use the Nulab Pass (Backlog Cacoo Typetalk) (SAML) integration in our OIN catalog.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

OIDC for the following Okta Verified applications

Generally Available

Sign-In Widget, version 5.7.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-381119

Silent Activation was blocked for certain orgs if the app sign on-policy required MFA reauthentication.

OKTA-383213

Admins could create an app using the App Integration Wizard even when their trusted origin configuration was incorrect.

OKTA-384020

The Active Directory Self-Service Unlock Account email template didn't recognize ${samAccountName} as a valid input.

OKTA-391097

Admins couldn't clear the Auxiliary Object Class attribute for an LDAP integration after setting the attribute's value.

OKTA-392165

Pushing a group from Okta to Slack failed if the group contained more than 15,000 users.

OKTA-393207

End users with custom user types couldn't modify their personal information from End-User Dashboard > Settings.

OKTA-393223

Admins weren't able to use the tab key to navigate in the Upload Logo section of the App Integration Wizard.

OKTA-395044

Factor enrollment with Device Trust failed for some users when they attempted to sign in to Airwatch Workspace One for the first time.

OKTA-398676

Admin permissions were sometimes revoked unexpectedly when new permissions were assigned to the admin.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 8x8 Account Manager (OKTA-402020)

  • Airbnb (OKTA-400493)

  • Certify (OKTA-401731)

  • Dodge Company Shop (OKTA-402526)

  • Enterprise (OKTA-402529)

  • LiveWell (OKTA-402511)

  • Recorded Future SSO (OKTA-402503)

  • Shopify (OKTA-401733)

  • Techsmith (OKTA-400221)

Applications

Application Updates

  • The Boardvantage Meetx/Director app integration is renamed to Nasdaq Boardvantage.

  • The Udemy for Business SCIM app is updated as follows:

    • The Separate Group and Membership Creation setting is enabled.

    • Batch size is updated to 500

  • The Zoom SCIM app integration schema is updated. For details, see Okta user management with Zoom.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified applications

  • Muck Rack (OKTA-399126)

  • Pave Commute (OKTA-399131)

SWA for the following Okta Verified application

  • HomeTagz (OKTA-402746)

OIDC for the following Okta Verified applications

Generally Available

Sign-In Widget, version 5.7.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-372803

When set to custom, Okta Username format was autofilled with an invalid SpEL expression in the AD General Settings.

OKTA-386004

Some text strings in the End-User Dashboard weren't translated.

OKTA-386545

Exchange ActiveSync Settings in the Office 365 app > Mobile tab couldn't be saved.

OKTA-386841

When admins clicked the Application requests waiting task in the new Admin Dashboard, nothing happened.

OKTA-388959

The app import status showed as In Progress even when the import job had failed.

OKTA-395489

The Create new app integration and CAPTCHA integration forms used the term sign-on instead of sign-in.

OKTA-398094

The new End-User Dashboard displayed options to download Okta Mobile.

OKTA-399667

Some new Zendesk users weren't correctly provisioned in Okta.

OKTA-402379

Some admins could add apps to their orgs after the app limit was reached.

OKTA-402547

Users were prompted for MFA after they reset their passwords using Okta Windows Credential Provider.

OKTA-404379

The OIDC default scopes link sometimes added non-default scopes to access policy rules for authorization servers.

OKTA-407122H

Routing rules were ignored when using the user matches expression.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • CarGurus (OKTA-404542)

  • Delivery Slip (OKTA-402517)

  • SAP Concur Solutions (OKTA-404533)

  • Small Improvements (OKTA-402942)

  • Spectrum Business: Time Warner Cable (OKTA-402523)

  • SquareSpace Template (GT) (OKTA-404538)

  • Staples Advantage (OKTA-402525)

  • Workday Community (OKTA-404532)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified application

  • Vimeo (OKTA-403474)

OIDC for the following Okta Verified applications

Fixes

General Fixes

OKTA-294735

Some text strings in the default email template editor weren’t translated.

OKTA-378363

When a user signed in over the Cisco Meraki network, using the RADIUS agent and Cisco Meraki app, and then changed their password, their account became locked.

OKTA-383559

Profile updates failed to push to the G Suite app and no error information was logged.

OKTA-386081

Error page templates for default and custom domains had inconsistent styling.

OKTA-387154

After the Content Delivery Network (CDN) was disabled for an org, the Sign-In Widget was still served from their custom domain.

OKTA-397685

On the Applications page, the cursor changed to show an extended hand cursor for non-clickable items.

OKTA-400622

The Browse App Catalog button on the Applications page was disabled for app admins.

OKTA-404562

The password policy requirements for LDAP-sourced user passwords were shown in a sentence format instead of a list.

OKTA-408809H

The MS Dynamic application icon didn't work as expected.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Akamai EdgeControl (OKTA-406128)

  • AutoEntry (OKTA-406126)

  • AxurePortal (OKTA-405442)

  • Lincoln Financial Group (OKTA-404686)

  • Recorded Future (OKTA-405697)

  • SharePoint (OKTA-405464)

  • WealthEngine (OKTA-405780)

Applications

Application Update

  • The Bluecross Member Central - Massachusetts integration is deprecated and has been removed from the OIN catalog.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified application

  • TrueCare (OKTA-405039)

OIDC for the following Okta Verified application

May 2021

2021.05.0: Monthly Production release began deployment on May 10

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta Sign-In Widget, version 5.6.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta Browser Plugin, version 5.45.0 for all browsers

  • The Recently Used apps section is now visible and accessible from the plugin popover.

  • The Recently Used apps section can be configured by end users on the Okta End-User Dashboard.

  • Plugin popover loading times have been decreased.

  • The plugin’s design and images have been updated.

See Okta Browser Plugin version history .

Agentless Desktop Single Sign-on authentication progress screen updates

Agentless Desktop Single Sign-on (ADSSO) authentication progress screens have been updated to make authorization and verification progress more visible and improve the user experience. See Configure agentless Desktop Single Sign-on.

Group push mapping change

When admins create a group push mapping and link it to a group whose members were imported through another method, those users are now Okta sourced. See About Group Push.

New Select assignments to convert screen

The addition of a Select assignments to convert screen to the Okta Admin Console makes the conversion of app assignments from individually-managed to group-managed easier. With the click of a button you can now quickly locate, select, and then convert individual users, or convert all eligible assignments. See Convert an individual assignment to a group assignment.

Generally Available Enhancements

System Log enhancements

OAuth refresh token event details

System Log events now display information that indicates whether an OAuth refresh token is rotating or persistent.

System Log debug field changes

System Log Advanced Filters no longer support the Contains operator for the following fields:

  • debugContext.debugData.url

  • debugContext.debugData.requestUri

This is to ensure that service stability and operations aren't impacted.

actionId value now available in the System Log

To identify the Okta Active Directory agent used to process a delegated authentication request, the actionId value has been added to the user.authentication.auth_via_AD_agent event in the System Log . For orgs that use multiple agents, this value makes it easier to identify the specific location of log data used to resolve authentication issues. See System Log.

OIN Manager - SCIM submission enhancement

When submitting a SCIM app in the OIN Manager, ISVs can now specify the maximum number of group membership changes that can be included in a single PATCH request. See Configure protocol-specific settings.

Open On-Prem MFA and RSA SecurID page on select

When admins select either On-Prem MFA or RSA SecurID token names from Security > API, the associated MFA factor page now opens.

New help text for Initiate Login URI field

The Initiate login URI field, available in an application’s General Settings tab, now includes additional inline help text to clarify the correct URI to add to this field.

TLS certificate update for okta.com

The TLS certificate for okta.com will be updated beginning on May 6th, 2021, US Pacific Time. The updated certificate will be signed with a new trust chain and Root Certificate Authority (CA) trust anchor. The Root CA will change from the DigiCert High Assurance EV Root CA to the DigiCert Global Root CA. To avoid negative impact and service outages, customers who have a limited or non-standard set of certificates in their trust stores must take action prior to May 6th, 2021. See FAQs.

Password Health Report enhancement

Date columns in the Password Health Report are now in ISO 8601 format to improve readability.

Increased authorization code lifetime

The OAuth authorization code lifetime is increased from 1 to 5 minutes.

Early Access Features

New Features

Enhancements

Okta Admin Console Groups page enhancements

The Okta Admin Console Groups page has been updated to simplify the addition of large numbers of users to groups and reduce the likelihood that all users can be accidentally removed from a group. In addition, search functionality has been significantly improved to make adding and removing users from groups quicker and easier. See Manage groups.

Fixes

General Fixes

OKTA-379813

In some cases, end users who verified with IdP as a factor and selected the option to Remember this device were unable to save their configuration.

OKTA-379879

When signing in to a third-party identity provider (IdP), the sign in hint wasn’t provided as a request parameter to the IdP.

OKTA-380784

In some cases, the security.threat.detected event type in the System Log was missing geographic information when ThreatInsight was enabled.

OKTA-387800

Vanity URLs for deleted users incorrectly included stack trace information with the 404 error.

OKTA-390301

Radius authentication with Duo sometimes failed if Single-line MFA prompts were disabled.

OKTA-391166

The link from the OIN Manager to the OIDC concepts document was broken.

Applications

Application Updates

The catalog descriptions for many OIN app integrations have been updated to improve accuracy and show available capabilities.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

OIDC for the following Okta Verified applications

Weekly Updates

Generally Available

Okta Sign-In Widget, version 5.6.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-215049

When an OpenID Connect application was created using a deactivated application's name, a Duplicate Client Name error appeared.

OKTA-374204

End users were incorrectly redirected to the sign-out page if they reset their password through SMS and clicked the Back to Sign In link on the Code Verification page.

OKTA-380326

When an application was edited, the Initiate login URI field was erroneously auto-populated with a default value.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • ADP Vantage HCM (OKTA-390470)

  • ISACA (OKTA-391074)

  • ServiceNow (OKTA-390773)

  • Ticketmaster Account Manager (OKTA-390224)

  • United Health Care Member Login (OKTA-390993)

  • Xandr (AppNexus) (OKTA-390469)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Assembly (OKTA-387208)

  • Calendly (OKTA-390432)

  • Crosschq (OKTA-392449)

  • Ground Truth Intelligence (OKTA-385029)

  • ICI App (OKTA-391167)

  • Kaonavi (OKTA-389262)

  • Listrak (OKTA-386611)

  • MaestroQA-Enterprise (OKTA-393110)

  • Malt (OKTA-389581)

  • Officebooking (OKTA-389582)

  • QueryPie (OKTA-388315)

  • Webcasts.com Admin (OKTA-391005)

OIDC for the following Okta Verified applications

Generally Available

Okta Sign-In Widget, version 5.6.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-362581

End users who attempted to sign in to the new Okta End-User Dashboard while access was prevented were not redirected to the proper error page.

OKTA-369101

Admins couldn't save login mappings for some OIDC Identity Providers.

OKTA-376269

When some users updated their recovery question, the password import inline hook was erroneously triggered.

OKTA-379913

Admins couldn't use the Tab key to advance to the next text field in the Test Delegated Authentication modal.

OKTA-383803

Creating new users in Coupa through Okta provisioning failed with a password length error even though the Sync password option was not selected.

OKTA-386927

The Light Agent role was not available to the users assigned to the Zendesk app.

OKTA-387820

The Current Assignment report in Application Access Audit sometimes failed to load and returned a 500 error.

OKTA-389874

The Client Credentials Flow could not implement a custom claim named scope.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 1Password Business (OKTA-392758)

  • Concur - ProTrav (OKTA-394860)

  • Cradlepoint NetCloud (OKTA-392389)

  • Lifeworks (OKTA-395025)

  • SAP Concur Solutions (OKTA-395184)

  • The Washington Post (OKTA-393397)

Applications

Application Updates

The following SWA integrations are deprecated from the OIN:

  • Mindtickle - Admin

  • Lead Apparel

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Acronis Cyber Cloud (OKTA-393653)

  • Emerge (OKTA-393802)

OIDC for the following Okta Verified applications

Generally Available

Sign-In Widget, version 5.6.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Content security policy enforcement on end-user pages

Content security policy is now enforced for end-user pages. Content Security Policy headers provide an additional layer of security that helps to detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. We already had a policy enforced in our admin pages from last year and in report-only mode for end-user pages. We plan that future iterations of our Content Security Policy enforcement for end-user pages will become stricter than this first release.

This feature will be gradually made available to all orgs.

Fixes

General Fixes

OKTA-330390

On the Onboarding tasks page, the Create an app integration task wasn’t marked Complete after an OIDC or OIN app was added.

OKTA-363972

The RelayState value sent from Jira on-prem to Okta was invalid.

OKTA-378981

SAML requests and responses weren't logged in the System Log as distinct event fields and lacked detail about the SAML assertion.

OKTA-385091

Attempts to push blank values from Okta to any custom app attributes in Google Workspace failed.

OKTA-386112

Imports of more than 2,000 users from Adobe Experience Manager sometimes failed.

OKTA-390477

Suspended users were automatically unlocked but appeared as suspended in the Admin Console.

OKTA-393682

Automatic provisioning of users to Google Workspace sometimes failed with a java.io.IOException error.

OKTA-396391

Some Internet Explorer users received a ScriptError alert when signing in to apps.

OKTA-398081

If the users and groups in an app-level policy were deleted, the Admin Console incorrectly showed the policy as applied to all users and groups.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Airbnb (OKTA-395954)

  • Boxed (OKTA-396919)

  • CultureIQ (OKTA-396932)

  • Eden (OKTA-395029)

  • Fortune (OKTA-395031)

  • Gong (OKTA-394257)

  • Granite Rock Reports (OKTA-393958)

  • LivePerson Expert (OKTA-390448)

  • Moffi (OKTA-395032)

  • MURAL (OKTA-395023)

  • Notion (OKTA-395035)

  • Odoo (OKTA-394706)

  • Traackr (OKTA-396931)

Applications

Application Updates

The following SWA integrations are deprecated from the OIN:

  • EverFi NEXT

  • AppNexus (replaced by Xandr)

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

  • Sisense for Cloud Data Teams: For configuration information, see Sisense SCIM documentation.

SAML for the following Okta Verified applications

  • iHASCO Training Suite (OKTA-396044)

  • Mursion (OKTA-394726)

  • PoliteMail (OKTA-393990)

  • Soveren (OKTA-389257)

  • Writer.com (OKTA-393658)

SWA for the following Okta Verified applications

  • IDEE MFA (OKTA-393819)

  • Xandr (OKTA-394701)

OIDC for the following Okta Verified applications

April 2021

2021.04.0: Monthly Production release began deployment on April 12

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta Active Directory agent, version 3.6.1

This version of the agent contains:

  • Improved query performance for customers with a large number of organizational units.

  • Security enhancements.

  • Improved logging functionality to assist with issue resolution.

  • Managed service account support for the Okta Active Directory agent.

  • Bug fixes.

See Okta Active Directory agent version history.

New operators available in Advanced Filters for System Log

Admins can now filter using new Advanced Filters operators:

  • ends with

  • not equal

  • is present (value exists)

  • greater than

  • greater than or equal to

  • less than

  • less than or equal to

Additionally, admins can now use the not equal, ends with, and is present operators in the System Log search bar. These operators provide greater flexibility when filtering System Log events. See System Log filters and search.

Admin Experience Redesign

With the Admin Experience Redesign feature, the Okta Admin Console now has:

  • A modern look and feel with improved responsiveness for the new navigation side bar.

  • A redesigned Okta Admin Dashboard that displays more practical insights for admins.

  • An Agents page in the Okta Admin Dashboard that shows the status and version of every Okta agent that is connected to customers' on-premises servers.

This improves the accessibility of the product, improves admin productivity, and helps admins to be more proactive with security issues. See Admin Experience Redesign.

Okta Applications

Okta admins can now create app-based sign-on policies for the Okta Dashboard, Okta Admin Console, and Okta Browser Plugin.

Previously, sign-on policies couldn't be configured for these first party applications. With this release, policy based on context such as user location, device, behavior, risk level, group membership, and more is included. This gives admins more flexibility and granular control over sign-on requirements for these first party apps. For example, different MFA requirements might apply to the Okta Admin Console for different groups of people.

See Control access to the Okta End-User Dashboard.

Okta End-User Dashboard redesign

Generally Available Enhancements

TLS certificate update for okta.com

The TLS certificate for okta.com will be updated beginning on May 6th, 2021, US Pacific Time. The updated certificate will be signed with a new trust chain and Root Certificate Authority (CA) trust anchor. The Root CA will change from the DigiCert High Assurance EV Root CA to the DigiCert Global Root CA. To avoid negative impact and service outages, customers who have a limited or non-standard set of certificates in their trust stores must take action prior to May 6th, 2021. See FAQs.

Email notification settings

Email notification settings for New sign-on, MFA enrolled, and MFA reset are no longer enabled by default for new orgs. This change prevents new orgs from unintentionally sending email notifications to end users. See General Security.

NetSuite integration enhancement

Okta can now import the supervisor/manager ID for an employee from NetSuite, removing the dependency on Active Directory.

OIN Manager supports variable SAML ACS URLs

SAML app integrations that support multiple ACS URLs can now use app instance property variables to create non-static single sign-on URLs in their submissions.

Okta ThreatInsight free trial

Orgs that use free trial editions now see a limited functionality notification in the Okta ThreatInsight Settings section of the Security > General page. See General Security.

End users on new dashboard can request apps

End users can now request an app through the link in the footer of the new Okta End-User Dashboard. To turn this setting on, go to the Okta Admin Console > Applications > Self Service and enable Allow users to email "Technical Contact" to request an app.

Early Access Features

New Features

Customize Okta domains

The ability to customize your Okta domain has now been rolled out to all orgs. With this feature, you can customize your Okta organization by replacing the Okta domain name with your own domain name. This allows you to create a seamless branded experience for your users so that all URLs look like your application. See Custom Domain API.

Fixes

General Fixes

OKTA-336939

For some orgs, the user activation page didn't display logos correctly if it was accessed through the redirect link in the User Activation email.

OKTA-337030, OKTA-375978, OKTA-378809, OKTA-379613, OKTA-380069, OKTA-380636, OKTA-381076, OKTA-381639

Some orgs that have the Admin Redesign Experience feature enabled had the following issues:

  • Scrolling functionality didn’t work as expected on some pages.

  • The Okta Admin Dashboard reached the rate limit threshold rapidly, causing a failure to load data in the Admin Dashboard widgets.

  • The spotlight search input field had extra padding.

  • Some pages had layout issues.

  • Some dialog boxes had unwanted scrollbars.

  • Some conditions in group rules were unreadable.

  • Group icons weren't display properly on the Group Assignment page.

OKTA-362647

Self-Service Registration incorrectly appeared in the Directory menu for group admins. This feature is available to super admins only.

OKTA-363849

The 12-hour timestamp on the Import Monitoring Dashboard didn’t display AM or PM.

OKTA-369992

The Report Suspicious Activity page didn’t display the geolocation and the IP address of the suspicious request.

OKTA-373689H

Sometimes the public OAuth metadata API responses did not include a Vary: Origin header, resulting in some browsers incorrectly caching the response across Origins.

OKTA-373957

Some iPhone and iPad users using Okta Mobile couldn’t sign in to Microsoft Teams.

OKTA-375702

The Okta Workflows app erroneously counted towards an org's app limit.

OKTA-375878

The Import Safeguard help documentation link on the Directories page was broken.

OKTA-376041

Some pop-up messages during the OAuth validation process incorrectly had scrollbars.

OKTA-376281

During creation of a new SPA app integration, the App Integration Wizard incorrectly enabled the Allow Access Token option under the Implicit grant type by default.

OKTA-376795

Registration Inline Hook sometimes failed during the self-service registration process.

OKTA-378045H

The Applications page in Developer orgs didn't have clear instructions about how to create more custom apps by upgrading to an Enterprise plan.

OKTA-378989

For some orgs, SAML inline hooks didn’t work as expected.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • AlertLogic (OKTA-380563)

  • Blacklane Car Service (OKTA-380186)

  • Bookmark App (OKTA-377640)

  • DHL Express (OKTA-380565)

  • Fortune (OKTA-380576)

  • ImpactOffice (OKTA-380575)

  • Music Vine (OKTA-380580)

  • mySE: My Schneider Electric (OKTA-375671)

  • Tumblr (OKTA-380562)

  • WordFly (OKTA-380953)

The following SAML app was not working correctly and is now fixed

  • Mimecast Personal Portal v3 (OKTA-381518)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Altitude Networks (OKTA-369534)

  • Cerby (OKTA-381104)

  • LogMeOnce (OKTA-376650)

  • Millie (OKTA-378822)

  • Sketchboard (OKTA-377849)

  • Starred (OKTA-379901)

  • Vulcan Cyber (OKTA-366907)

Weekly Updates

April 19

Generally Available Features

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Generally Available Enhancements

Password Health Report enhancement

Date columns in the Password Health Report are now in ISO 8601 format to improve readability.

Increased authorization code lifetime

The OAuth authorization code lifetime is increased from 1 to 5 minutes.

Fixes

General Fixes

OKTA-360669

Errors on the App Sign On Policy page were displayed at the top of the page rather than near the respective fields.

OKTA-360937

In some cases, Okta didn't import all users from ServiceNow.

OKTA-362325

Attributes with the number data type were reported to have been updated after CSV Directory imports even if nothing had changed.

OKTA-362647

Self-Service Registration, a super admin feature, incorrectly appeared in the Directory menu for group admins.

OKTA-375536

Developer org admins were incorrectly redirected to the user app page instead of the Admin Dashboard.

OKTA-375698

In some cases, the OAuth access token for Salesforce expired daily, which caused issues with provisioning.

OKTA-377265

In some cases, admins received a 500 error while creating a new user with JIT provisioning.

OKTA-380356

The Trusted Origin field in the new App Integration Wizard appeared even if the user didn't have the permission to manage the field.

OKTA-380892

Some help documentation links in the Agentless Desktop SSO and Silent Activation section didn't work.

OKTA-382214

In some cases, Group Administrators were incorrectly displayed as User Administrators in the Email Notification dropdown on the Account Settings page.

OKTA-382433

The text in the App Embed Link section of the Custom SAML App page was misaligned.

OKTA-385342

The new App Integration Wizard showed an error when creating an API Services app due to incorrect response type validation.

OKTA-388027

The Email Change Confirmed Notification configuration (part of Email & SMS Customization) didn’t have an option to specify whether admins only, or admins and end users received the notification.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Carta (OKTA-380324)

Applications

Updates

  • The Nature.com SWA integration is deprecated from the OIN.

    Use the Nature Research SAML app instead.

New Integrations

SAML for the following Okta Verified applications

  • Productive.io (OKTA-377469)

  • TigerConnect (OKTA-382369)

OIDC for the following Okta Verified application

May 03

Generally Available

Okta Sign-In Widget, version 5.5.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-355894

The Recently Used tab on the Okta End-User Dashboard wasn't translated for all languages.

OKTA-361861

During a full import, profile updates occurred in Workday even if no attributes were changed for the user in Okta.

OKTA-369527

AD-sourced users received misleading error messages when they attempted to reset their passwords while the AD agent was down.

OKTA-371158

Some LDAP-sourced users' temporary passwords became their main passwords after they used them to sign in.

OKTA-373409

Some AD-sourced users were redirected to the default Okta org when they clicked the activation link in their welcome email.

OKTA-373578

Some Dynamic Network zones didn't block traffic as configured.

OKTA-375317

Some users received errors when they authenticated to Okta from ADFS with a custom domain.

OKTA-376991

After reactivation, some users weren't properly reassigned their applications.

OKTA-377853, OKTA-379764

International phone numbers were incorrectly parsed during profile updates in Workday.

OKTA-378405

Pushing AD-imported groups from one Okta instance to another failed.

OKTA-379707

The ThreatSuspected field in the System Log wasn’t consistently updated.

OKTA-380165

Previously scheduled Workday imports were still shown on the Import Monitoring dashboard after provisioning was disabled.

OKTA-381764

Some admins couldn't save settings for Incremental Import Schedule when they integrated a new CSV Directory.

OKTA-382686

The Upload CSV button wasn't clearly visible on the Application Import page of the new Okta Admin Console.

OKTA-382711

Syntax highlights were not correct in the Okta Admin Console code editors for the Custom Sign-In Widget and the Custom Error pages.

OKTA-383630

Preview and test emails in the Okta Admin Console didn’t render customization variables in the email subject field.

OKTA-383632

After a custom domain was configured, the test email dialog in the Okta Admin Console displayed the default email sender details as Okta <noreply@okta.com>.

OKTA-383647

Admins received timeout errors when they deactivated AD-sourced users through imports from Active Directory.

OKTA-384306

Icons in the Okta API Scopes tab were misaligned for OAuth apps.

OKTA-385297

Text on the Sign On tab was misaligned for some apps.

OKTA-389502H

In some cases when the new Okta End-User Dashboard was enabled, Okta incorrectly made hourly token renewal requests that caused user sessions to be active longer than configured.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Accertify (OKTA-388719)

  • Adobe (OKTA-385008)

  • ADP IPayStatements (OKTA-389106)

  • Apollo (OKTA-382989)

  • Beeline TMS (OKTA-383007)

  • Calendly (OKTA-382474)

  • Citi Credit Cards (OKTA-385007)

  • Cradlepoint NetCloud (OKTA-388566)

  • Delta Dental (OKTA-379327)

  • Dow Jones Private Equity and Venture (OKTA-388720)

  • Federal Procurement Data System (OKTA-382991)

  • Grammarly (OKTA-388717)

  • Jitterbit (OKTA-385006)

  • KeyBank (OKTA-385011)

  • LastPass Sync (OKTA-386955)

  • Milestone XProtect Smart Client (OKTA-386601)

  • MongoDB Cloud (OKTA-385010)

  • Portal Nutanix (OKTA-386598)

  • Shatswell MacLeod (OKTA-386604)

  • WEX Health Cloud (OKTA-385013)

  • WorkFlowy (OKTA-386597)

  • XpertHR (OKTA-382990)

  • ZeeMaps (OKTA-388718)

Applications

Application Updates

  • Our Dynamic Signal integration has been updated as follows:

    • The existing Dynamic Signal integration is deprecated and renamed Dynamic Signal (Deprecated).

    • A new Dynamic Signal integration is now available, without provisioning functionality.

  • The following SWA integrations are deprecated from the OIN:

    • Crazy Egg

    • Dow Jones Private Equity and Venture

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

  • Cato Networks Provisioning: For configuration information, see Cato Networking documentation here. Note that this documentation is only available for Cato authenticated users.

SAML for the following Okta Verified applications

  • brandworkz (OKTA-380978)

  • Dooly (OKTA-384467)

  • Feroot (OKTA-387002)

  • Folia (OKTA-369123)

  • Jobcan (OKTA-383754)

  • JoVE (OKTA-386197)

  • LINE WORKS (OKTA-387869)

  • MPulse 9 (OKTA-379463)

  • Open Practice Solutions (OKTA-379650)

  • Planisware Enterprise (OKTA-382573)

  • Propel PRM (OKTA-385027)

  • QReserve (OKTA-383759)

  • Thrive LXP (OKTA-385858)

  • Webcasts Admin (OKTA-382549)

SWA for the following Okta Verified applications

  • Atlanta Fine Homes (OKTA-383598)

  • Walkthechat (OKTA-385436)

  • WSRB (OKTA-385426)

OIDC for the following Okta Verified applications

  • Mantra: For configuration information, see Okta SSO.

March 2021

2021.03.0: Monthly Production release began deployment on March 8

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

LDAP agent, version 5.7.2

This version of the agent contains:

  • Support for Lightweight Directory Access Protocol (LDAP) group password policies

  • Internal improvements and security fixes

  • Bug fixes

To view the agent version history, see Okta LDAP Agent version history.

RADIUS Agent, version 2.15.1

RADIUS agent version 2.15.1 GA contains all updates release since version 2.7.4 EA, including:

  • Support for EAP-GTC and EAP-TTLS to improve security and extend support network access vendors, such as Netmotion Mobility.

  • Support for TLS 1.2, which is required for all connections to Okta.

  • Support for internet proxies.

  • A simplified installer, which no longer requires shared secrets and ports.

And has been tested on new Linux operating systems:

  • CentOS 7.6.

  • Ubuntu 20.04.1 LTS.

  • Red Hat Enterprise Linux release 8.3.

  • Windows Server 2016.

  • Windows Server 2019.

In summary, the new agent provides admins with an easier installation, configuration, and run-time experience, and we recommend it for all Okta RADIUS customers.

See Okta RADIUS Server Agent Version History.

Okta Sign-In Widget, version 5.4.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

New number challenge options in Okta Verify admin settings

New Okta Verify settings in the Admin Console now allow admins to control when users receive a number challenge. Number challenge is an existing Okta Verify feature in eligible orgs that helps Android and iOS users enrolled in Okta Verify with Push avoid accepting fraudulent push notifications when they try to access a protected app. Completing the challenge ensures that the sign-in attempt came from the user and not from an unauthorized person. Admins can now choose to never challenge users, challenge with all push notifications, or challenge only for high-risk sign-in attempts. See Number Challenge prerequisites and end-user experience.

Option to switch between Admin Experience Redesign and the old experience

Super admins can now switch between Admin Experience Redesign and the old experience by using the option provided on the Okta Admin Dashboard. This gives admins time to adapt to the new user experience, which is on by default, and the option to revert to the old experience if required.

OIN Catalog enhancements

The OIN catalog adds several customer identity categories, highlights key app integrations, and now shows relevant Okta Workflow connectors and templates. Administrators can click Add integration to add a specific app integration directly to their org. These improvements make it easier for administrators and application developers to learn about Okta’s customer identity integrations. They can browse for relevant integrations like social identity providers and identity proofing solutions and add these integrations to their Okta org.

This feature will be gradually made available to all orgs.

Deleted schema property scrubber

All existing data associated with a schema property is now removed when a schema property is deleted. To prevent data corruption, the property cannot be recreated until the existing data is fully removed. Previous data is no longer restored when recreating a deleted schema property with the same definition. This new functionality prevents the corruption of profile data and the associated Elastic search issues. See Add or remove custom directory schema attributes.

This feature will be gradually made available to all orgs.

OIDC App tab improvements

The following improvements have been made to the OIDC App tab:

  • The default tab is now General instead of Assignments.

  • Client Credentials moved to the top of the page.

  • Downloaded sample apps now have pre-populated environment variables.

See Create OIDC app integrations using AIW.

This feature is available for all new Production orgs.

LDAP self-service password reset

End users can now perform a self-service reset of their LDAP password using SMS (Short Message Service). Without compromising security, this functionality simplifies the password reset process and removes the need to involve IT Help Desk for credential management. Using SMS for password resets reduces the Help Desk workload and support costs. See Manage self-service password reset.

Improved auto-complete functionality

To improve the accuracy and speed of user searches, the auto-complete functionality on the Okta Admin Console administrator pages is updated.

Generally Available Enhancements

Improvements to the OIN Manager submission QA process

The Okta Operations team now conducts a final internal QA test for app integration submissions in the OIN Manager Portal and sends an email when the final review is complete. If the review is successful, your submission is automatically published in the OIN. These changes streamline the QA and approval process for OIN app integrations.

OIN Manager additional fields

The OIN Manager portal now accepts encrypted SAML assertion certificates. Also, fields are added to clarify OIDC configuration requirements and to confirm that SCIM app integrations are prepared properly for submission. See Configure protocol-specific settings. These changes simplify the ISV submission process, reducing unnecessary communications with the Okta Operations team.

Early Access Features

New Features

Custom help links on the Sign-In Widget

Admins can now customize the help links on the MFA verification page of the Sign-In Widget. This allows admins to link their end users to a custom app or page for factor resets. See Customize text on your sign-in page.

Fixes

General Fixes

OKTA-209671

Updating a user address field with a string that was too long returned a 500 error response instead of a 400 error with appropriate details.

OKTA-335776

In rare cases when an admin re-typed their password in the Office 365 Admin Password field and then clicked Fetch and Select on the Sign On tab, the Fetch and Select command failed with an error.

OKTA-336326

Sometimes, when the Office 365 Provisioning option was selected to Licenses/Roles Management Only, roles and licenses assigned to Office 365 users in Okta didn't sync in Microsoft.

OKTA-346766

Text on some AD Import pages in the new Okta Admin Console was misaligned.

OKTA-352294

Workday incremental imports sometimes failed with a NullPointerException error.

OKTA-359091

Expanding Admin Tasks on the Admin Dashboard changed the index value of the tasks.

OKTA-367327

When IDP as Factor was enabled, some users received the Invalid Token error on stale sign-in pages.

OKTA-367834

The QR code image in the Setup Okta Verify flow didn't include alt text, which caused screen readers to not recognize the image.

OKTA-367844

The SCIM provisioning feature was not enabled for the Lifecycle Management SKUs included with API products.

OKTA-367999

Some end users were stuck in an authentication loop when trying to sign in to Okta.

OKTA-370037

Text on some pages in the new Okta Admin Console was misaligned.

OKTA-371599

Text on the LDAP tab of the Delegated Authentication page was not rendered properly.

OKTA-372049

Text on the Sign On tab of the App Settings page was misaligned.

OKTA-372436

An issue with ThreatInsight was resolved for some organizations who upgraded a free trial edition to Production.

OKTA-372678

Sometimes the sign-in page didn't refresh if the token was expired.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Aflac (OKTA-372087)

  • Alarm (OKTA-372091)

  • CBRE (Employee Login - The Navigator) (OKTA-370216)

  • Frontier Communications (OKTA-370218)

  • GoCompare (OKTA-370219)

  • MX Merchant (OKTA-370217)

  • MxToolbox (OKTA-370503)

  • Premium Audit Advisory Service (PAAS) (OKTA-368399)

  • Rippe and Kingston LMS (OKTA-372081)

  • ShopAtHome (OKTA-372067)

  • The Economist (OKTA-372207)

  • Visage MobilityCentral (OKTA-372095)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Banyan Command Center (OKTA-370640)

  • Five9 Plus Adapter for Microsoft Dynamics CRM (OKTA-367992)

  • Noticeable (OKTA-370631)

SWA for the following Okta Verified application

  • Clarizen One (OKTA-371928)

OIDC for the following Okta Verified application

Weekly Updates

March 15

Fixes

General Fixes

OKTA-337155

Sometimes, if a refresh token flow contained an invalid refresh token, the hash was not logged in the System Log.

OKTA-340754

In some cases, users couldn't be assigned to or removed from a group from their Okta Profile.

OKTA-347379

The Okta Browser Plugin incorrectly suggested a new password for the ServiceNow app.

OKTA-362310

The Dutch translation for password requirements on the password reset screen was incorrect.

OKTA-369737

Search boxes on some pages under Security had a CSS issue.

OKTA-370192

Some admins couldn't create users for Box if the default input value for the parent folder path was left empty in Okta.

OKTA-370944

In some cases, after a user deletion legitimately failed, admins were unable to delete other users.

OKTA-378843H

Invalid token requests resulted in a 500 error.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Benchmarking (OKTA-375324)

  • Forbes (OKTA-372724)

  • Fusion MortgagebotLOS (OKTA-373862)

  • Google Workspace (OKTA-374871)

  • Hawaiian Airlines (OKTA-375320)

  • Papertrail (OKTA-375327)

  • Pingdom (OKTA-375323)

  • Schwab Advisors (OKTA-358544)

  • Taboola (OKTA-371937)

  • WorkdayCommunity (OKTA-374314)

  • Zapier (OKTA-374811)

  • Zoom (OKTA-372449)

Applications

Application Updates

Our OrgWiki integration has been updated as follows:

  • The existing OrgWiki integration is renamed OrgWiki (Deprecated).

  • Customers should now use the OrgWiki (SCIM) integration in our catalog.

New Integrations

SAML for the following Okta Verified applications

  • Admin By Request (OKTA-372458)

  • Fortanix Self Defending Key Management Service (OKTA-373374)

  • Taskize Connect (OKTA-369898)

March 22

Generally Available Features

Okta Sign-In Widget, version 5.4.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-297743

Apps weren't highlighted automatically if they matched a user’s search terms in the App Catalog.

OKTA-319109

In orgs with the Admin Experience Redesign feature enabled, the Imports Paused task was missing from the Dashboard page in the Okta Admin Console.

OKTA-345217

Some user interface elements on sign-on policy pages for apps were formatted incorrectly.

OKTA-355148

LDAP-sourced users received a 500 error error while attempting a self service password reset that violated common password patterns.

OKTA-362677

In orgs with the Admin Experience Redesign feature enabled, when admins clicked Workflow > Workflow console, the page didn't open in a new browser tab.

OKTA-368354H

Some Adobe Experience Manager imports failed.

OKTA-370306

The side navigation in the Okta Admin Console didn't scroll automatically to a selected item.

OKTA-371058

In some cases, users experienced performance issues on the Okta End-User Dashboard and had to refresh the page manually.

OKTA-372440