Production

  Current Upcoming
Production 2020.07.2 2020.08.0 Production release is scheduled to begin deployment on August 10
Preview 2020.08.0

2020.08.1 Preview release is scheduled to begin deployment on August 12

July 2020

2020.07.0: Monthly Production release began deployment on July 13

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

LDAP agent, version 5.6.6

This release provides the same functionality as release 5.6.5. Some default settings have been updated. See Okta LDAP agent version history.

Reduced LDAP Interface inactive connection time out

The time out for inactive LDAP Interface connections that don't receive LDAP operations has been reduced from 120 seconds to 30 seconds, and they are now disconnected after 30 seconds of inactivity. Connections that receive an LDAP bind operation time out after 120 seconds.

Warning message added to the Import Settings page

A warning message now appears on the Active Directory Import Settings page to warn users that changing the user and group organizational unit settings can result in the deprovisioning of users.

App integration logos

The maximum size for an app integration logo has been increased from 100 KB to 1 MB. For best results, use a PNG file with a minimum resolution of 420 x 120 pixels, with landscape orientation, and with a transparent background.

Terms of Service acceptance required

Terms of Service acceptance is required from the first super admin to initiate access to OCC (Okta Cloud Connect), Developer, and Free Trial editions of Okta.

New Group Membership Admin role

The new Group Membership Admin role grants permission to view all users in an org and manage the membership of groups. See The Group Membership Admin role.

Dynamic authentication context for SAML apps

Admins can configure a custom attribute statement for SAML assertions to send user's authentication context to SAML apps during the app authentication process. The app uses this information to limit access to certain app-specific behaviors and calculate the risk profile for the signed-in user. See Pass Dynamic Authentication Context to SAML Apps.

Prevent web browsers from saving sign-in credentials

You can prevent browsers such as Chrome from saving  an end user's sign-in credentials for Okta as well as for third-party apps accessed through the Okta Dashboard. See Prevent web browsers from saving sign-in credentials.

ASN Support for Dynamic Zones

Admins can now enter ASNs (Autonomous System Numbers) when creating or editing a dynamic zone. See Dynamic Zones.

DocuSign support update

DocuSign now supports workers who have an Activation Sent status in DocuSign.

Schema Discovery for Cornerstone On Demand

The Cornerstone On Demand provisioning app now supports Universal Directory and Schema Discovery. See the Cornerstone On Demand Provisioning Guide.

Profile Mastering and Push can be enabled together

Admins can enable both Profile Master and Push for an app. This allows all Okta-to-App mappings to push, regardless of whether Active Directory is the Profile Master.

OIN Manager supports multiple application submissions

When submitting a new application integration for review by Okta, the OIN Manager now supports multiple concurrent application submissions:

 

Risk Scoring sign-on policy rule

Admins can now set a risk level as part of a sign-on policy rule. Setting a risk level helps determine potential security risks that are associated with an end user when they attempt to sign in to their org. This feature will be gradually made available to all orgs.

see Risk Scoring.

Generally Available Enhancements

Okta Browser Plugin enhancements

The following improvements have been added to the Okta Browser Plugin:

  • The plugin icon displays a green exclamation point (!) to alert users of new plugin features that have been added.
  • The plugin settings highlights new opt-in features when they are made available.
  • In Firefox, the Close tab button, shown to users after granting privacy-related permissions for the Okta Browser Plugin, is removed due to browser limitations.
  • In Chrome, when the Offer to Save Passwords setting is controlled by a group policy, the popover setting to prevent the browser from prompting to save passwords is hidden from end-users.

Inline Hook links to Overview page

In the Okta Admin Console > Inline Hooks page, clicking an Inline Hook now directly opens the Overview page. See Inline Hooks.

File size and file hash information for Okta Active Directory and LDAP agents

File size and file hash information is now provided for the Okta Active Directory and Okta LDAP agents on the Okta Admin Console > Downloads page.

Early Access Features

New Features

Tor Anonymizer recommendation

Admins can see a new HealthInsight recommendation to view failed sign-in rates from IPs categorized as Tor Anonymizer Proxies. Okta recommends using Dynamic Zones to blacklist IPs that are categorized as Tor anonymizer proxies. See Blacklist proxies with high sign-in failure rates.

New RADIUS agent, version 2.13

This version includes security enhancements, a buffer overrun fix, and a dialog title change to the RADIUS Agent installer. See Okta RADIUS Server Agent Version History.

Litmos supports Advanced Custom Attributes

The Litmos provisioning app now supports Advanced Custom Attributes. See Litmos Provisioning Guide.

Enhancements

New Okta End-User Dashboard enhancements

The following improvements have been added to the new Okta End-User Dashboard:

  • A new onboarding flow is available to users who visit the dashboard for the first time. Admins may disable onboarding guides for the new dashboard in the Okta Admin Console > Settings > Customization > Okta User Communication by enabling Opt out of Okta User Communication for this Org.
  • The Quick Access section of the new Okta End-User Dashboard has been renamed as Recently Used. Admins can disable this section for their end users.
  • App names now have a maximum length of two lines.
  • Apps added by admins are now indicated as New on the dashboard before being used for the first time.
  • End users now receive a notification on the dashboard when a new app is assigned to them by an admin.

Fixes

General Fixes

OKTA-290791

Users who switched to a new app section in the Okta Browser Plugin weren't redirected to the top of that section.

OKTA-292056

The percentage listed in messages on the Okta Admin Dashboard occasionally contained an extra percentage symbol.

OKTA-292816

Group membership roles on the Assignments tab didn't reflect the actual membership roles of users in the Confluence app.

OKTA-296301

Users configuring voice call as an MFA factor were redirected to a wrong page if they refreshed the page during the setup.

OKTA-302908

Admins received a 404 error when opening the Rules tab on the Groups page in a new tab.

OKTA-304503

Users repeatedly received prompts to reinstall or update the Okta Browser Plugin regardless of its version and were given false warnings that the plugin was infected or unsafe.

OKTA-304770

The publisher for the Okta Browser Plugin for Internet Explorer was incorrectly listed as Internal Okta CA instead of Okta, Inc. in Internet Explorer > Tools > Manage add-ons.

OKTA-306546

The incorrect plugin version number was displayed for the Okta Browser Plugin in Internet Explorer > Tools > Manage add-ons.

OKTA-306663

Custom string attributes couldn't be updated for NetSuite.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Meraki Dashboard (OKTA-305864)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

New RADIUS integration

The Cisco Meraki RADIUS app is now available.

SAML for the following Okta Verified applications

  • Catalyser (OKTA-304474)

  • Flux (OKTA-306648)

  • InSights (OKTA-296073)

SWA for the following Okta Verified applications

  • Openpath (OKTA-296212)

  • United HealthCare Oxford (OKTA-306125)

OIDC for the following Okta Verified application

Weekly Updates

July 20

Fixes

General Fixes

OKTA-296243

Admins experienced significant delays when trying to load the Provisioning tab for custom SAML apps with SCIM provisioning.

OKTA-296456

Using the API to unlock a user that was also in a suspended state incorrectly returned a successful response.

OKTA-296598

When successfully authenticating using email as an MFA factor, users received an error message due to duplicate verification requests.

OKTA-303162

The Learn More documentation link in the Need more provisioning for this App? section of the SAML application settings was outdated.

OKTA-305486

Attributes weren't visible for some Okta-mastered users under Directory > People > User Profile > Profile.

OKTA-312218

Users using the new Okta End-User Dashboard received notifications that VPN was required when accessing apps that were configured to ignore VPN notification rules.

OKTA-312248

The Help documentation link for Office 365 Silent Activation was broken.

OKTA-312957

In some scenarios, the custom sign-in page did not properly encode all parameters.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Bloomberg (OKTA-310150)

  • Cisco Webex Meetings (OKTA-306061)

  • Concur - ProTrav (OKTA-309107)

  • Wrike (OKTA-305767)

Applications

New Integrations

SAML for the following Okta Verified applications

  • DeployGate (OKTA-305110)

  • Ebenefit Sync (OKTA-309219)

  • Procaire (OKTA-309779)

  • S&P Market Intelligence (OKTA-306170)

  • Skedda (OKTA-310320)

  • Textline (OKTA-306986)

  • User Interviews (OKTA-306649)

OIDC for the following Okta Verified application

  • Nedap ONS: For configuration information, see Single Sign-On instructions.

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • NowSpace (OKTA-309446)

Mobile application for use with Okta Mobility Management (OMM) (Android)

  • AuthControl Mobile (OKTA-306981)

  • Twilio Authy (OKTA-306982)

August 3

Fixes

General Fixes

OKTA-275700

Updates to tabs managed by admins on the new Okta End-User Dashboard were incorrectly shown as banners, rather than notifications in the Notifications tab.

OKTA-294716

The Import Groups option couldn't be disabled when using Google Push Group functionality.

OKTA-296526

Report Admins were unable to view YubiKey reports due to insufficient permissions in Reports > YubiKey Report.

OKTA-298061

If an IP range was configured in a network zone that included IP addresses that are part of the Okta infrastructure, users coming from that range didn’t receive MFA prompts.

OKTA-298724

Adding an admin who already had admin roles resulted in that admin's permissions being overwritten rather than updated.

OKTA-299210

When using a custom URL domain, attempts to download metadata for an identity provider from the Okta Admin Console sometimes failed.

OKTA-302644

Address attributes from a generic OIDC identity provider weren't correctly mapped to an Okta user profile during social login.

OKTA-302876

Disabling the Import Groups option under Org2Org provisioning incorrectly created duplicate groups and threw timeout errors.

OKTA-304184

The Allow Pushing Null Values functionality of Salesforce failed when applied to the manager id field during SOAP integration.

OKTA-304895

UltiPro User Imports failed for users who were missing the External Id attribute in UltiPro.

OKTA-305272

The Group Membership Admin role was still available in the drop down under Settings > Account > Admin Email Notifications after the role was disabled.

OKTA-305287

A button linking to the Tasks page was incorrectly shown to users who had no pending tasks on the new Okta End-User Dashboard.

OKTA-306031

When setting up a custom domain that had previously been verified, uploading TLS certificates failed if the admin had skipped the domain verification step.

OKTA-307235

When trying to access an OIDC app using Desktop SSO in a Preview environment, some users experienced sign-in loops.

OKTA-313477

Some life cycle event hooks for user activation incorrectly failed because Certificate Authority endpoints were unrecognized.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Acronis Cloud (OKTA-313976)

  • Formstack (OKTA-314095)

  • Lucernex IWMS (OKTA-315510)

  • Timesheet (OKTA-311299)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Appaegis Access Cloud (OKTA-310778)

  • BoostUp (OKTA-310661)

  • DEEM SAML (OKTA-291393)

  • Galaxkey (OKTA-304840)

  • Hub Planner (OKTA-312621)

  • Kiva (OKTA-303274)

  • Land Gorilla (OKTA-306647)

  • Marin One (OKTA-310324)

  • Proggio (OKTA-312282)

  • Reftab (OKTA-306646)

  • seoClarity (OKTA-312622)

  • Syxsense (OKTA-311073)

  • Zercurity (OKTA-311985)

SWA for the following Okta Verified application

  • John Hancock Pensions (OKTA-312845)

  • ManageEngine EventLog Analyzer (OKTA-309417)

  • TicketMaster (OKTA-309879)

OIDC for the following Okta Verified applications

Mobile application for use with Okta Mobility Management (OMM) (iOS)

  • Microsoft Whiteboard (OKTA-312273)

June 2020

2020.06.0: Monthly Production release began deployment on June 8

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Deprecated metrics removed from the Okta Admin Dashboard

The following aggregated metrics have been removed from the Okta Admin Dashboard:

  • Count users who have never signed in
  • Count users who have signed in
  • Count apps with unused assignments
  • Count unused app assignments

All reports are still available. See The Administrator Dashboard.

Okta Browser Plugin for Internet Explorer, version 5.38.1

This version includes the following:

  • With the Okta Browser Plugin, end users can prevent browsers from prompting to save their sign-in credentials for Okta or any third-party apps accessed through the Okta End User Dashboard. See Prevent web browsers from saving sign-in credentials. Note that this feature is only available in Preview orgs.
  • For the new Okta End-User Dashboard: Search in the Okta Browser Plugin is updated to have the same search accuracy as the Okta End-User Dashboard.
  • Font sizes in the Okta Browser Plugin popover are updated.

See Okta Browser Plugin: Version History.

Okta Browser Plugin: Password Suppression UI changes

The two plugin UI elements that configure blocking browsers from saving passwords are now managed by end users in the plugin popover, and have been removed from the Admin customization settings.

Old UI

New UI

Improvements to the Disconnect People from Active Directory page

In the Okta Admin Console, the Disconnect People from Active Directory page now displays all users and not just those from the first app instance. See Disconnect users from Active Directory.

ODSEE LDAP Support

Okta now supports Oracle Directory Server Enterprise Edition (ODSEE) LDAP integrations with the upgrade to LDAP agent version 5.6.3 and later. See Oracle Directory Server Enterprise Edition LDAP integration reference.

Extensibility Inline Hooks usage metrics

Hook metrics display all successful and unsuccessful executions of enabled Inline Hooks. Admins can use metrics to assess the performance of their hooks and troubleshoot unexpected behavior. See Inline hooks.

Generally Available Enhancements

Improved Risk Scoring model

Risk scoring evaluation has been enhanced to improve the detection of high risk sign-on activity. See Risk Scoring.

Improvements to developer onboarding experience

The Okta developer site has enhanced the onboarding experience for new developers:

  • Added task for customizing developer goals
  • Updated text on the developer profile panel
  • Added numbering to tasks
  • Improved usability and process flow

File size and hash added to Downloads page

The Downloads page now displays the file size and SHA-512 hash for the RADIUS and OPP agents. Admins can use the file size and hash to verify the integrity of the files. See Install and configure the Okta RADIUS Server agent and Okta Provisioning Agent and SDK Version History.

Box integration enhancement

When Box users are deactivated, and the option Transfer user’s files to account user is selected, the following warning is displayed: Caution: Files owned by the user will be inaccessible while they are being transferred. This also means that any shared content owned by the user may be inaccessible to all collaborators during the move. Depending on the volume of content, this operation may take a significant amount of time.

Early Access Features

New Features

Smart Card Authentication

When initially accessing applications using a custom sign-in widget, users have the option to use a PIV/CAC card for authentication. See Identity Providers.

Enhancements

New Okta End-User Dashboard enhancements

  • App cards have been resized to create more spacing and shorten the cards.
  • When an app card is hovered over, a lock icon notifies users if an admin has denied access to that app.

Fixes

General Fixes

OKTA-280844

In some Group Rules, if the User Attribute was very long, the value field didn't display properly.

OKTA-282532

In the new Okta End-User Dashboard, after dragging and dropping an app, end users were scrolled to the top of the dashboard.

OKTA-284835

The new Applications page used the term WS-Fed instead of WS-Federation.

OKTA-292924

User import from Workday failed if a username exceeded 100 characters.

OKTA-299093/299098

The Email as an MFA Factor for Authentication feature was not made available for some orgs when it was released earlier. Some customers who were eligible to use the Email factor with the factor API could not use the Email factor with the authentication API.

OKTA-299102

The Importing People page had the wrong documentation link.

OKTA-300069

When creating an event hook, if Subscribe to events was set to any of the Application life cycle events options, it resulted in the error Invalid list of events provided.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Acorns (OKTA-299038)

  • Adobe.com (OKTA-299039)

  • Aetna Health Insurance (OKTA-301364)

  • AT& T (OKTA-299679)

  • Bitdefender (OKTA-301600)

  • Chase (OKTA-299437)

  • Delighted (OKTA-300045)

  • Expensify (OKTA-299222)

  • iHeartRadio (OKTA-301357)

  • iOvation (OKTA-300980)

  • Jetblue (OKTA-301355)

  • Kace (OKTA-299033)

  • LucidPress (OKTA-300843)

  • Mathworks (OKTA-299040)

  • myuhc - United Healthcare (OKTA-301360)

  • Sophos Partner Portal (OKTA-300844)

  • Staples Advantage (OKTA-297714)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified application

  • Otter.ai (OKTA-298298)

OIDC for the following Okta Verified applications

Weekly Updates

June 15

Fixes

General Fixes

OKTA-277693

When the Application Entitlement Policy feature was enabled and the admin was prompted to Reapply Mapping for some fields on the App Assignment page, the Username field appeared blank.

OKTA-282323

Editing the single sign-on URL for a custom SAML app sometimes resulted in an internal server error.

OKTA-286106

When the Application Entitlement Policy feature was enabled, some attribute types in the Provisioning tab of an app displayed incorrect values.

OKTA-287941

Group names and descriptions on the Assignments page were incorrectly auto-capitalized.

OKTA-287962

When using Okta Verify for MFA, users received duplicate error messages if they clicked the Verify button without entering a code.

OKTA-287972

Admins using Internet Explorer 11 didn't get user-reported suspicious activity notifications in the Okta Admin Dashboard.

OKTA-304082

Under specific conditions, a new user may have been able to login to Okta using an expired password only during the LDAP JIT flow.

OKTA-305356H

Default settings for the LDAP agent version 5.6.5 were incorrect. To obtain the new, correct default settings, please download LDAP agent version 5.6.6.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Markel Insurance (OKTA-302146)

  • Palo Alto Networks (OKTA-301935)

  • Replicon (OKTA-302143)

  • Sherweb (OKTA-302150)

  • Zscaler (OKTA-301359)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Ally.io (OKTA-300334)

  • Clue (OKTA-299668)

  • VictorOps (Beta) (OKTA-299182)

SWA for the following Okta Verified application

  • CitiDirect BE (OKTA-298279)

OIDC for the following Okta Verified application

June 22

Fixes

General Fixes

OKTA-258780

Admins were unable to properly scroll in the Edit Group Assignment and Edit App User Assignment pop-up windows.

OKTA-285380

When using the override with mapping feature, username was incorrectly editable on the Profile Editor > Edit Mappings > App to Okta page.

OKTA-291912

For end user password resets, the Password is managed by a different application customization option didn't work if a custom URL domain was also configured.

OKTA-299448

When the new provisioning settings UI for Active Directory was enabled on the Active Directory Settings > Assignments tab, the Assign button was incorrectly displayed.

OKTA-299708

Some deactivated end users weren't deprovisioned from their applications.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Bank of America (OKTA-294552)

  • Barracuda Networks (OKTA-303543)

  • General Motors GlobalConnect (OKTA-303400)

  • LastPass (OKTA-303982)

  • Polygon (OKTA-304216)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Greenhouse Recruiting (Subdomain) (OKTA-303238)

  • Kisi Physical Security (OKTA-303807)

  • Pymetrics (OKTA-299069)

  • TeamMood (OKTA-302178)

  • Valotalive (OKTA-298057)

OIDC for the following Okta Verified application

June 29

Fixes

General Fixes

OKTA-292734

The System Log didn't log an entry when a push notification for MFA was sent to a user.

OKTA-297792

When using email as an MFA factor, for some languages the text on the Sign-In page didn't display properly.

OKTA-298362

Workday imports sometimes failed when the Incremental Imports feature was enabled and used with Constrained Security Users (not recommended by Okta) instead of Unconstrained Security Users.

OKTA-301607

The Cancel and Request buttons on the Request Apps dialog in the new Okta End-User Dashboard were placed too closely together.

OKTA-301654

Some icons for MFA factor resets and enrollment policies were outdated.

OKTA-305633

When requests to the /auth/services/devicefingerprint failed, users trying to authenticate got stuck on the Sign-In page.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Nice inContact (OKTA-303178)

Applications

New Integrations

SAML for the following Okta Verified applications

  • aapi (OKTA-303606)

  • Github (OKTA-304435)

  • Go Moment (OKTA-302199)

  • Ironclad (OKTA-305082)

  • ProProfs Knowledgebase (OKTA-297807)

  • Rewatch (OKTA-303581)

  • S&P CapitalIQ (OKTA-300125)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • 1Password Business (OKTA-297855)

OIDC for the following Okta Verified applications

June 29

Fixes

General Fixes

OKTA-289516

When configuring the AWS application with AWS China Connected Accounts, and then trying to save the Provisioning tab settings, the following error was displayed: The security token included in the request is invalid.

OKTA-298403

Users that were assigned custom SAML apps through group assignment incorrectly retained custom attributes in their user profiles after the group was deleted.

OKTA-300720

The interstitial page during the Agentless Desktop SSO sign-in flow incorrectly displayed a server status banner when the server was in read-only.

OKTA-303164

The Using Groups Claim documentation link in the OIDC Application Settings page was outdated.

OKTA-303168

The Learn more documentation link for SAML settings on a SAML app page > General Settings tab was outdated.

OKTA-306103

The password icon for the Okta sign-in widget was inconsistent with the look and feel of other authentication factors.

OKTA-306978

The password icon in the Okta Admin Console was outdated.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • App Store Connect (OKTA-302169)

  • YM Careers Partner (OKTA-304814)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SWA for the following Okta Verified applications

  • Kamer van Koophandel (OKTA-304857)

  • Snap-on B2B (OKTA-285600)

SAML for the following Okta Verified applications

  • Adaptive Shield (OKTA-306991)

  • Charthop (OKTA-305581)

  • Clarizen One (OKTA-306617)

  • Lightstep (OKTA-305088)

  • Segment (OKTA-304217)

  • Spendesk (OKTA-303931)

OIDC for the following Okta Verified applications

May 2020

2020.05.0: Monthly Production release began deployment on May 11

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

LDAP agent, version 5.6.5

This version of the agent contains internal improvements, including updating the JDK to Amazon Corretto and eDirectory support. See Okta LDAP agent version history.

Application Lifecycle Event Hook

Application Lifecycle events are now available for use as Event Hooks. See Event Types for a list of Events that can be used with Event Hooks.

Assign users to multiple groups in one group rule

Users can be assigned to multiple groups in one group rule. It is no longer necessary to set up multiple rules for the same criteria to accommodate different groups. See About group rules. This feature is now available for more orgs.

Rate limit behavior for SAML sign-ins

When Just-In-Time provisioning is enabled and the number of users attempting to sign in using SAML or a Social Identity Provider exceeds rate limits, Okta displays a message that it will automatically retry the JIT request after waiting a few seconds.

Disable Import Groups per app

Admins have the option to choose whether groups are included in imports from apps. This new option is available when setting up provisioning for an app.

This feature should be used with care as disabling group imports will have the result of deleting all groups from the app you are configuring. As such, we provide a warning prior to disabling group imports:

Note that you will be unable to disable group imports for an app if the following conditions exist:

  • App Assignments based on Group exist
  • Group policy rules exist
  • Group Push mappings exist

In these cases, an error is displayed.

OIN App Catalog V2 available for Developer Edition and SKU Edition orgs

The enhanced OIN Catalog is now enabled for all new and existing Developer Edition or SKU Edition orgs.

This feature will be gradually made available to all orgs.

Enhancement: MFA phone-number enrollment restricted

End users are now prevented from enrolling premium numbers for SMS and phone multifactor authentication. Premiums numbers are those reserved for various services. In the U.S., they include numbers that begin with a zero or use area codes 900, 911, and 411. Internationally, the following phone-number types are restricted: Audiotext, Carrier selection, National rate, Premium rate, Shared cost, Satellite, and Short Code.

eDirectory LDAP support

Okta now supports eDirectory LDAP integrations with the upgrade to the LDAP agent version 5.6.2 or later. See eDirectory LDAP integration reference.

OUD LDAP Support

Okta now supports Oracle Unified Directory (OUD) LDAP integrations. See Oracle Unified Directory LDAP integration reference.

Deactivated admin users

When a user who has an admin role and privileges assigned to them is deactivated, their admin privileges are revoked. The deactivated user is removed from the Administrators page and from the CSV download list of administrators. See Administrators.

App-level safeguard

To guard against an unusual number of app un-assignments during user import, the admin can set the safeguard to org-level, app-level, or both. See About import safeguards.

This feature will be gradually made available to all orgs.

Generally Available Enhancements

New HealthInsight recommendation and updates

HealthInsight now recommends enabling Okta Verify for MFA. The existing recommendation to enable strong MFA factors now also recommends disabling weaker factors. See HealthInsight.

Copy and paste groups for admin permissions

You can now copy and paste group assignments when creating admin permissions. See Grant admin privileges.

Early Access Features

New Features

Okta RADIUS Server agent, version 2.11.0

This version includes support for EAP-TTLS. See Okta RADIUS Server Agent Version History.

Enhancements

Enhancements to the new Okta End-User Dashboard

The new Okta End-User Dashboard now includes the following enhancements:

  • The Add Apps button has been removed.
  • Apps can be configured to launch automatically after users sign in to Okta.
  • Searches place more relevant options at the top of the search results.
  • Sections can be collapsed or expanded.

Fixes

General Fixes

OKTA-210751

GitHub import into Okta only updated a subset of users.

OKTA-249695

The filter on the Directory > Profile Editor > Apps page didn't work for Org2Org and Bookmark apps.

OKTA-257761

Email templates that contain invalid or unknown expressions didn't display the right error message and were still saved.

OKTA-276226

Application group assignment windows didn't resize correctly when input was added.

OKTA-278184

In some cases, when a large number of groups were assigned to an application, assigning users to these groups took longer than usual.

OKTA-282594

Users couldn't use the arrow keys to navigate through app search results on the new Okta End-User Dashboard.

OKTA-282919

End users using the new Okta End-User Dashboard were incorrectly prompted to install or upgrade the Okta Browser Plugin even if it was IT-managed.

OKTA-284665

CSV files generated in the System Log sometimes incorrectly included carriage returns.

OKTA-284954

Search results were incorrectly sorted when searching for an app on the new Okta End-User Dashboard.

OKTA-286081

When Factor Sequencing was enabled and the authentication policy contained a method set to Password / Any IDP, the sign-in window froze when users reset their password.

OKTA-287673

Some users became stuck in an authentication loop when trying to access an app from the new Okta End-User Dashboard.

OKTA-288389

Some admins received errors when trying to approve app requests from end users made through the new Okta End-User Dashboard.

OKTA-289511

The Smart card sign-in button was visible without a Smart Card Identity Provider configured within the customer org.

OKTA-291259

Some identity providers didn't show up in the Device Identity Provider list when configuring Device Trust.

OKTA-291935

Users were prevented from disabling both app-level and org-level roadblocks.

OKTA-293240

When profile mastering was enabled, the Update application username field under the AD Provisioning settings tab didn't render correctly.

OKTA-294767

The Email as an MFA Factor feature was not made available for some orgs when it was released earlier. We are re-releasing it in 2020.05.0.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 1Password Business (OKTA-291540)

  • 2020 Spaces (OKTA-293863)

  • Airship (OKTA-292749)

  • Bill.com (OKTA-292940)

  • CalPERS (OKTA-294342)

  • Cisco Webes (OKTA-292505)

  • IBM Cloud (OKTA-293426)

  • Sauce Labs (OKTA-292506)

  • Thomson Reuters MyAccount (OKTA-291630)

  • Twitter (OKTA-287886)

  • WP Engine (OKTA-293338)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • ACALL (OKTA-292094)

  • BigChange (OKTA-294316)

  • Freshworks (OKTA-290904)

  • Kintaba (OKTA-291174)

  • Lingotek (OKTA-292197)

  • Mapbox (OKTA-294374)

  • Odo (OKTA-294315)

  • Prezi (OKTA-293858)

  • Seculio (OKTA-293141)

  • Statusbrew (OKTA-292827)

SWA for the following Okta Verified application

  • Spreadshirt (OKTA-291601)

OIDC for the following Okta Verified application

  • FiveToNine: For configuration information, see FiveToNine documentation (note you need appropriate permissions to view this doc).

Weekly Updates

May 18

Fixes

General Fixes

OKTA-288102

Non-Okta-mastered groups incorrectly appeared in the Application Access Audit, Okta Usage, and Application Usage reports that were intended only for Okta-mastered groups.

OKTA-294756

In some cases when the server was in Read Only mode, the interstitial page displayed an error message in the browser console log.

OKTA-298064H

Samanage (Solarwinds) changed their API for Fetch Custom Forms which resulted in errors during user import operations from Samanage.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Business Insider Prime (OKTA-295295)

  • Freshworks (OKTA-296513)

  • Hoovers (OKTA-296255)

  • HR Downloads (OKTA-295323)

  • John Hancock - MyLifeNow (OKTA-296484)

  • McMaster-Carr (OKTA-295420)

  • oDesk (OKTA-295425)

  • SEMrush (OKTA-292973)

  • Sophos Cloud (OKTA-294861)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Apperio (OKTA-294671)

  • Valimail for Twilio SendGrid (OKTA-293379)

SWA for the following Okta Verified applications

  • Amazon Marketing Services (OKTA-292908)

  • Palo Alto Networks (OKTA-291327)

OIDC for the following Okta Verified application

May 26

Fixes

General Fixes

OKTA-283143

The default rule didn't follow the HealthInsight recommendation for the session lifetime for Default Policies to be two hours.

OKTA-289276

When launching Agentless Desktop Single Sign-on from a browser, the Japanese translation of the Verifying Desktop SSO message rendered incorrectly.

OKTA-296165

A banner that notifies users to trust the Okta account in the Okta Browser Plugin was missing from the new Okta End-User Dashboard.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • YardiOne Dashboard (OKTA-295097)

The following SWA apps were not working correctly and are now fixed

  • 1Password Business (OKTA-298126)

  • Ebay (OKTA-296547)

  • Staples (OKTA-295631)

  • TriNet HR Passport (OKTA-296653)

The following Mobile app was not working correctly and is now fixed

  • MS Office (OKTA-296210)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Blink (OKTA-296246)

  • edQuire (OKTA-295419)

  • ideiio (OKTA-293373)

  • Intercom (OKTA-292194)

  • Proggio (OKTA-278233)

  • Shopify Plus (OKTA-292196)

June 1

Fixes

General Fixes

OKTA-283868

The new Okta End-User Dashboard didn’t display the VPN Required prompt for any app that required VPN access.

OKTA-293415

Okta Support Services sign-in didn’t differentiate users based on their organization and their unique identifier.

OKTA-297532

Certificate chains that were set up with custom URL domains had key length restrictions.

OKTA-297833

The help link on the Profile Editor page on the Okta Admin Console was broken.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Cisco WebEx Meeting Center (OKTA-291966)

  • ComplianceDepot (OKTA-297545)

  • DoorDash (OKTA-297476)

  • John Hancock Pensions (OKTA-297543)

  • Lucidchart (OKTA-298005)

  • MINDBODY (OKTA-297847)

  • SalesLoft (OKTA-298142)

  • Siteimprove (OKTA-297116)

  • VSP (OKTA-297671)

  • Wayfair (OKTA-297401)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Anvil Riskmatics (OKTA-296063)

  • Bugfender (OKTA-297637)

  • Cirricula (OKTA-296050)

  • ComplySci (OKTA-299148)

  • Jedox (OKTA-296058)

  • Moqups (OKTA-297808)

  • MyAryaka (OKTA-285423)

  • Oracle Identity Cloud Service (OKTA-297793)

  • Roadmunk (OKTA-296251)

SWA for the following Okta Verified application

  • Template Frame Plugin App (OKTA-294358)

June 2020

2020.06.0: Monthly Production release began deployment on June 8

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Deprecated metrics removed from the Okta Admin Dashboard

The following aggregated metrics have been removed from the Okta Admin Dashboard:

  • Count users who have never signed in
  • Count users who have signed in
  • Count apps with unused assignments
  • Count unused app assignments

All reports are still available. See The Administrator Dashboard.

Okta Browser Plugin for Internet Explorer, version 5.38.1

This version includes the following:

  • With the Okta Browser Plugin, end users can prevent browsers from prompting to save their sign-in credentials for Okta or any third-party apps accessed through the Okta End User Dashboard. See Prevent web browsers from saving sign-in credentials. Note that this feature is only available in Preview orgs.
  • For the new Okta End-User Dashboard: Search in the Okta Browser Plugin is updated to have the same search accuracy as the Okta End-User Dashboard.
  • Font sizes in the Okta Browser Plugin popover are updated.

See Okta Browser Plugin: Version History.

Okta Browser Plugin: Password Suppression UI changes

The two plugin UI elements that configure blocking browsers from saving passwords are now managed by end users in the plugin popover, and have been removed from the Admin customization settings.

Old UI

New UI

Improvements to the Disconnect People from Active Directory page

In the Okta Admin Console, the Disconnect People from Active Directory page now displays all users and not just those from the first app instance. See Disconnect users from Active Directory.

ODSEE LDAP Support

Okta now supports Oracle Directory Server Enterprise Edition (ODSEE) LDAP integrations with the upgrade to LDAP agent version 5.6.3 and later. See Oracle Directory Server Enterprise Edition LDAP integration reference.

Extensibility Inline Hooks usage metrics

Hook metrics display all successful and unsuccessful executions of enabled Inline Hooks. Admins can use metrics to assess the performance of their hooks and troubleshoot unexpected behavior. See Inline hooks.

Generally Available Enhancements

Improved Risk Scoring model

Risk scoring evaluation has been enhanced to improve the detection of high risk sign-on activity. See Risk Scoring.

Improvements to developer onboarding experience

The Okta developer site has enhanced the onboarding experience for new developers:

  • Added task for customizing developer goals
  • Updated text on the developer profile panel
  • Added numbering to tasks
  • Improved usability and process flow

File size and hash added to Downloads page

The Downloads page now displays the file size and SHA-512 hash for the RADIUS and OPP agents. Admins can use the file size and hash to verify the integrity of the files. See Install and configure the Okta RADIUS Server agent and Okta Provisioning Agent and SDK Version History.

Box integration enhancement

When Box users are deactivated, and the option Transfer user’s files to account user is selected, the following warning is displayed: Caution: Files owned by the user will be inaccessible while they are being transferred. This also means that any shared content owned by the user may be inaccessible to all collaborators during the move. Depending on the volume of content, this operation may take a significant amount of time.

Early Access Features

New Features

Smart Card Authentication

When initially accessing applications using a custom sign-in widget, users have the option to use a PIV/CAC card for authentication. See Identity Providers.

Enhancements

New Okta End-User Dashboard enhancements

  • App cards have been resized to create more spacing and shorten the cards.
  • When an app card is hovered over, a lock icon notifies users if an admin has denied access to that app.

Fixes

General Fixes

OKTA-280844

In some Group Rules, if the User Attribute was very long, the value field didn't display properly.

OKTA-282532

In the new Okta End-User Dashboard, after dragging and dropping an app, end users were scrolled to the top of the dashboard.

OKTA-284835

The new Applications page used the term WS-Fed instead of WS-Federation.

OKTA-292924

User import from Workday failed if a username exceeded 100 characters.

OKTA-299093/299098

The Email as an MFA Factor for Authentication feature was not made available for some orgs when it was released earlier. Some customers who were eligible to use the Email factor with the factor API could not use the Email factor with the authentication API.

OKTA-299102

The Importing People page had the wrong documentation link.

OKTA-300069

When creating an event hook, if Subscribe to events was set to any of the Application life cycle events options, it resulted in the error Invalid list of events provided.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Acorns (OKTA-299038)

  • Adobe.com (OKTA-299039)

  • Aetna Health Insurance (OKTA-301364)

  • AT& T (OKTA-299679)

  • Bitdefender (OKTA-301600)

  • Chase (OKTA-299437)

  • Delighted (OKTA-300045)

  • Expensify (OKTA-299222)

  • iHeartRadio (OKTA-301357)

  • iOvation (OKTA-300980)

  • Jetblue (OKTA-301355)

  • Kace (OKTA-299033)

  • LucidPress (OKTA-300843)

  • Mathworks (OKTA-299040)

  • myuhc - United Healthcare (OKTA-301360)

  • Sophos Partner Portal (OKTA-300844)

  • Staples Advantage (OKTA-297714)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified application

  • Otter.ai (OKTA-298298)

OIDC for the following Okta Verified applications

Weekly Updates

June 15

Fixes

General Fixes

OKTA-277693

When the Application Entitlement Policy feature was enabled and the admin was prompted to Reapply Mapping for some fields on the App Assignment page, the Username field appeared blank.

OKTA-282323

Editing the single sign-on URL for a custom SAML app sometimes resulted in an internal server error.

OKTA-286106

When the Application Entitlement Policy feature was enabled, some attribute types in the Provisioning tab of an app displayed incorrect values.

OKTA-287941

Group names and descriptions on the Assignments page were incorrectly auto-capitalized.

OKTA-287962

When using Okta Verify for MFA, users received duplicate error messages if they clicked the Verify button without entering a code.

OKTA-287972

Admins using Internet Explorer 11 didn't get user-reported suspicious activity notifications in the Okta Admin Dashboard.

OKTA-304082

Under specific conditions, a new user may have been able to login to Okta using an expired password only during the LDAP JIT flow.

OKTA-305356H

Default settings for the LDAP agent version 5.6.5 were incorrect. To obtain the new, correct default settings, please download LDAP agent version 5.6.6.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Markel Insurance (OKTA-302146)

  • Palo Alto Networks (OKTA-301935)

  • Replicon (OKTA-302143)

  • Sherweb (OKTA-302150)

  • Zscaler (OKTA-301359)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Ally.io (OKTA-300334)

  • Clue (OKTA-299668)

  • VictorOps (Beta) (OKTA-299182)

SWA for the following Okta Verified application

  • CitiDirect BE (OKTA-298279)

OIDC for the following Okta Verified application

June 22

Fixes

General Fixes

OKTA-258780

Admins were unable to properly scroll in the Edit Group Assignment and Edit App User Assignment pop-up windows.

OKTA-285380

When using the override with mapping feature, username was incorrectly editable on the Profile Editor > Edit Mappings > App to Okta page.

OKTA-291912

For end user password resets, the Password is managed by a different application customization option didn't work if a custom URL domain was also configured.

OKTA-299448

When the new provisioning settings UI for Active Directory was enabled on the Active Directory Settings > Assignments tab, the Assign button was incorrectly displayed.

OKTA-299708

Some deactivated end users weren't deprovisioned from their applications.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Bank of America (OKTA-294552)

  • Barracuda Networks (OKTA-303543)

  • General Motors GlobalConnect (OKTA-303400)

  • LastPass (OKTA-303982)

  • Polygon (OKTA-304216)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Greenhouse Recruiting (Subdomain) (OKTA-303238)

  • Kisi Physical Security (OKTA-303807)

  • Pymetrics (OKTA-299069)

  • TeamMood (OKTA-302178)

  • Valotalive (OKTA-298057)

OIDC for the following Okta Verified application

June 29

Fixes

General Fixes

OKTA-292734

The System Log didn't log an entry when a push notification for MFA was sent to a user.

OKTA-297792

When using email as an MFA factor, for some languages the text on the Sign-In page didn't display properly.

OKTA-298362

Workday imports sometimes failed when the Incremental Imports feature was enabled and used with Constrained Security Users (not recommended by Okta) instead of Unconstrained Security Users.

OKTA-301607

The Cancel and Request buttons on the Request Apps dialog in the new Okta End-User Dashboard were placed too closely together.

OKTA-301654

Some icons for MFA factor resets and enrollment policies were outdated.

OKTA-305633

When requests to the /auth/services/devicefingerprint failed, users trying to authenticate got stuck on the Sign-In page.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Nice inContact (OKTA-303178)

Applications

New Integrations

SAML for the following Okta Verified applications

  • aapi (OKTA-303606)

  • Github (OKTA-304435)

  • Go Moment (OKTA-302199)

  • Ironclad (OKTA-305082)

  • ProProfs Knowledgebase (OKTA-297807)

  • Rewatch (OKTA-303581)

  • S&P CapitalIQ (OKTA-300125)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • 1Password Business (OKTA-297855)

OIDC for the following Okta Verified applications

June 29

Fixes

General Fixes

OKTA-289516

When configuring the AWS application with AWS China Connected Accounts, and then trying to save the Provisioning tab settings, the following error was displayed: The security token included in the request is invalid.

OKTA-298403

Users that were assigned custom SAML apps through group assignment incorrectly retained custom attributes in their user profiles after the group was deleted.

OKTA-300720

The interstitial page during the Agentless Desktop SSO sign-in flow incorrectly displayed a server status banner when the server was in read-only.

OKTA-303164

The Using Groups Claim documentation link in the OIDC Application Settings page was outdated.

OKTA-303168

The Learn more documentation link for SAML settings on a SAML app page > General Settings tab was outdated.

OKTA-306103

The password icon for the Okta sign-in widget was inconsistent with the look and feel of other authentication factors.

OKTA-306978

The password icon in the Okta Admin Console was outdated.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • App Store Connect (OKTA-302169)

  • YM Careers Partner (OKTA-304814)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SWA for the following Okta Verified applications

  • Kamer van Koophandel (OKTA-304857)

  • Snap-on B2B (OKTA-285600)

SAML for the following Okta Verified applications

  • Adaptive Shield (OKTA-306991)

  • Charthop (OKTA-305581)

  • Clarizen One (OKTA-306617)

  • Lightstep (OKTA-305088)

  • Segment (OKTA-304217)

  • Spendesk (OKTA-303931)

OIDC for the following Okta Verified applications

May 2020

2020.05.0: Monthly Production release began deployment on May 11

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

LDAP agent, version 5.6.5

This version of the agent contains internal improvements, including updating the JDK to Amazon Corretto and eDirectory support. See Okta LDAP agent version history.

Application Lifecycle Event Hook

Application Lifecycle events are now available for use as Event Hooks. See Event Types for a list of Events that can be used with Event Hooks.

Assign users to multiple groups in one group rule

Users can be assigned to multiple groups in one group rule. It is no longer necessary to set up multiple rules for the same criteria to accommodate different groups. See About group rules. This feature is now available for more orgs.

Rate limit behavior for SAML sign-ins

When Just-In-Time provisioning is enabled and the number of users attempting to sign in using SAML or a Social Identity Provider exceeds rate limits, Okta displays a message that it will automatically retry the JIT request after waiting a few seconds.

Disable Import Groups per app

Admins have the option to choose whether groups are included in imports from apps. This new option is available when setting up provisioning for an app.

This feature should be used with care as disabling group imports will have the result of deleting all groups from the app you are configuring. As such, we provide a warning prior to disabling group imports:

Note that you will be unable to disable group imports for an app if the following conditions exist:

  • App Assignments based on Group exist
  • Group policy rules exist
  • Group Push mappings exist

In these cases, an error is displayed.

OIN App Catalog V2 available for Developer Edition and SKU Edition orgs

The enhanced OIN Catalog is now enabled for all new and existing Developer Edition or SKU Edition orgs.

This feature will be gradually made available to all orgs.

Enhancement: MFA phone-number enrollment restricted

End users are now prevented from enrolling premium numbers for SMS and phone multifactor authentication. Premiums numbers are those reserved for various services. In the U.S., they include numbers that begin with a zero or use area codes 900, 911, and 411. Internationally, the following phone-number types are restricted: Audiotext, Carrier selection, National rate, Premium rate, Shared cost, Satellite, and Short Code.

eDirectory LDAP support

Okta now supports eDirectory LDAP integrations with the upgrade to the LDAP agent version 5.6.2 or later. See eDirectory LDAP integration reference.

OUD LDAP Support

Okta now supports Oracle Unified Directory (OUD) LDAP integrations. See Oracle Unified Directory LDAP integration reference.

Deactivated admin users

When a user who has an admin role and privileges assigned to them is deactivated, their admin privileges are revoked. The deactivated user is removed from the Administrators page and from the CSV download list of administrators. See Administrators.

App-level safeguard

To guard against an unusual number of app un-assignments during user import, the admin can set the safeguard to org-level, app-level, or both. See About import safeguards.

This feature will be gradually made available to all orgs.

Generally Available Enhancements

New HealthInsight recommendation and updates

HealthInsight now recommends enabling Okta Verify for MFA. The existing recommendation to enable strong MFA factors now also recommends disabling weaker factors. See HealthInsight.

Copy and paste groups for admin permissions

You can now copy and paste group assignments when creating admin permissions. See Grant admin privileges.

Early Access Features

New Features

Okta RADIUS Server agent, version 2.11.0

This version includes support for EAP-TTLS. See Okta RADIUS Server Agent Version History.

Enhancements

Enhancements to the new Okta End-User Dashboard

The new Okta End-User Dashboard now includes the following enhancements:

  • The Add Apps button has been removed.
  • Apps can be configured to launch automatically after users sign in to Okta.
  • Searches place more relevant options at the top of the search results.
  • Sections can be collapsed or expanded.

Fixes

General Fixes

OKTA-210751

GitHub import into Okta only updated a subset of users.

OKTA-249695

The filter on the Directory > Profile Editor > Apps page didn't work for Org2Org and Bookmark apps.

OKTA-257761

Email templates that contain invalid or unknown expressions didn't display the right error message and were still saved.

OKTA-276226

Application group assignment windows didn't resize correctly when input was added.

OKTA-278184

In some cases, when a large number of groups were assigned to an application, assigning users to these groups took longer than usual.

OKTA-282594

Users couldn't use the arrow keys to navigate through app search results on the new Okta End-User Dashboard.

OKTA-282919

End users using the new Okta End-User Dashboard were incorrectly prompted to install or upgrade the Okta Browser Plugin even if it was IT-managed.

OKTA-284665

CSV files generated in the System Log sometimes incorrectly included carriage returns.

OKTA-284954

Search results were incorrectly sorted when searching for an app on the new Okta End-User Dashboard.

OKTA-286081

When Factor Sequencing was enabled and the authentication policy contained a method set to Password / Any IDP, the sign-in window froze when users reset their password.

OKTA-287673

Some users became stuck in an authentication loop when trying to access an app from the new Okta End-User Dashboard.

OKTA-288389

Some admins received errors when trying to approve app requests from end users made through the new Okta End-User Dashboard.

OKTA-289511

The Smart card sign-in button was visible without a Smart Card Identity Provider configured within the customer org.

OKTA-291259

Some identity providers didn't show up in the Device Identity Provider list when configuring Device Trust.

OKTA-291935

Users were prevented from disabling both app-level and org-level roadblocks.

OKTA-293240

When profile mastering was enabled, the Update application username field under the AD Provisioning settings tab didn't render correctly.

OKTA-294767

The Email as an MFA Factor feature was not made available for some orgs when it was released earlier. We are re-releasing it in 2020.05.0.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 1Password Business (OKTA-291540)

  • 2020 Spaces (OKTA-293863)

  • Airship (OKTA-292749)

  • Bill.com (OKTA-292940)

  • CalPERS (OKTA-294342)

  • Cisco Webes (OKTA-292505)

  • IBM Cloud (OKTA-293426)

  • Sauce Labs (OKTA-292506)

  • Thomson Reuters MyAccount (OKTA-291630)

  • Twitter (OKTA-287886)

  • WP Engine (OKTA-293338)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • ACALL (OKTA-292094)

  • BigChange (OKTA-294316)

  • Freshworks (OKTA-290904)

  • Kintaba (OKTA-291174)

  • Lingotek (OKTA-292197)

  • Mapbox (OKTA-294374)

  • Odo (OKTA-294315)

  • Prezi (OKTA-293858)

  • Seculio (OKTA-293141)

  • Statusbrew (OKTA-292827)

SWA for the following Okta Verified application

  • Spreadshirt (OKTA-291601)

OIDC for the following Okta Verified application

  • FiveToNine: For configuration information, see FiveToNine documentation (note you need appropriate permissions to view this doc).

Weekly Updates

May 18

Fixes

General Fixes

OKTA-288102

Non-Okta-mastered groups incorrectly appeared in the Application Access Audit, Okta Usage, and Application Usage reports that were intended only for Okta-mastered groups.

OKTA-294756

In some cases when the server was in Read Only mode, the interstitial page displayed an error message in the browser console log.

OKTA-298064H

Samanage (Solarwinds) changed their API for Fetch Custom Forms which resulted in errors during user import operations from Samanage.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Business Insider Prime (OKTA-295295)

  • Freshworks (OKTA-296513)

  • Hoovers (OKTA-296255)

  • HR Downloads (OKTA-295323)

  • John Hancock - MyLifeNow (OKTA-296484)

  • McMaster-Carr (OKTA-295420)

  • oDesk (OKTA-295425)

  • SEMrush (OKTA-292973)

  • Sophos Cloud (OKTA-294861)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Apperio (OKTA-294671)

  • Valimail for Twilio SendGrid (OKTA-293379)

SWA for the following Okta Verified applications

  • Amazon Marketing Services (OKTA-292908)

  • Palo Alto Networks (OKTA-291327)

OIDC for the following Okta Verified application

May 26

Fixes

General Fixes

OKTA-283143

The default rule didn't follow the HealthInsight recommendation for the session lifetime for Default Policies to be two hours.

OKTA-289276

When launching Agentless Desktop Single Sign-on from a browser, the Japanese translation of the Verifying Desktop SSO message rendered incorrectly.

OKTA-296165

A banner that notifies users to trust the Okta account in the Okta Browser Plugin was missing from the new Okta End-User Dashboard.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • YardiOne Dashboard (OKTA-295097)

The following SWA apps were not working correctly and are now fixed

  • 1Password Business (OKTA-298126)

  • Ebay (OKTA-296547)

  • Staples (OKTA-295631)

  • TriNet HR Passport (OKTA-296653)

The following Mobile app was not working correctly and is now fixed

  • MS Office (OKTA-296210)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Blink (OKTA-296246)

  • edQuire (OKTA-295419)

  • ideiio (OKTA-293373)

  • Intercom (OKTA-292194)

  • Proggio (OKTA-278233)

  • Shopify Plus (OKTA-292196)

June 1

Fixes

General Fixes

OKTA-283868

The new Okta End-User Dashboard didn’t display the VPN Required prompt for any app that required VPN access.

OKTA-293415

Okta Support Services sign-in didn’t differentiate users based on their organization and their unique identifier.

OKTA-297532

Certificate chains that were set up with custom URL domains had key length restrictions.

OKTA-297833

The help link on the Profile Editor page on the Okta Admin Console was broken.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Cisco WebEx Meeting Center (OKTA-291966)

  • ComplianceDepot (OKTA-297545)

  • DoorDash (OKTA-297476)

  • John Hancock Pensions (OKTA-297543)

  • Lucidchart (OKTA-298005)

  • MINDBODY (OKTA-297847)

  • SalesLoft (OKTA-298142)

  • Siteimprove (OKTA-297116)

  • VSP (OKTA-297671)

  • Wayfair (OKTA-297401)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Anvil Riskmatics (OKTA-296063)

  • Bugfender (OKTA-297637)

  • Cirricula (OKTA-296050)

  • ComplySci (OKTA-299148)

  • Jedox (OKTA-296058)

  • Moqups (OKTA-297808)

  • MyAryaka (OKTA-285423)

  • Oracle Identity Cloud Service (OKTA-297793)

  • Roadmunk (OKTA-296251)

SWA for the following Okta Verified application

  • Template Frame Plugin App (OKTA-294358)

April 2020

2020.04.0: Monthly Production release began deployment on April 13

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

OAuth authentication for Workplace by Facebook

Workplace by Facebook now uses OAuth authentication instead of the custom Facebook authentication method that was used before.

Note: Existing customers have been migrated to use the new authentication method; new customers will only be able to use the new authentication method (OAuth).

Third-party admin role

Some organizations have a business need to to set up administrator roles in Okta for individuals who perform admin functions but are not direct employees of the organization. By introducing the concept of a third-party admin in Okta, we are able to treat these admins differently than the typical Okta admins who interact directly with the Okta Admin Console. See Third-Party admins.

User Group Reassignments

When a user is moved to a different Okta group, that change is now reflected in Active Directory. For more information, see Enable Okta-mastered user Organizational Unit updates.

OAuth for Okta

With OAuth for Okta, you are able to interact with Okta APIs using scoped OAuth 2.0 access tokens. Each access token enables the bearer to perform specific actions on specific Okta endpoints, with that ability controlled by scopes that the access token contains. See OAuth for Okta guide.

Note that at this time, OAuth for Okta works only with the APIs listed in the Scopes & supported endpoints section of our developer docs. We are actively working towards supporting additional APIs. Our goal is to cover all Okta public API endpoints.

Dynamic SAML attribute statements for OIN apps

The Dynamic SAML feature allows admins to add and preview dynamic attribute statements to the SAML Assertion for existing OIN apps. For information how to use the SAML Attribute Statements, see Define Attribute Statements.

Email as a factor for MFA

Email is now an accepted factor for multifactor authentication for convenience and to expedite migration from legacy identity platforms. After setup, your end users receive a code in an email message to use during Okta sign in. For details on setting up this factor, see Multifactor Authentication .

User type support in Okta user profiles

Universal Directory now supports custom user types. You can customize the attributes in up to nine user types.

See About custom user types in Universal Directory.

New developer on-boarding experience

An updated developer on-boarding experience has been rolled out for new development orgs. New signups will be asked a series of questions about their goals and the initial on-boarding tasks will be tailored to match these requirements.

Generally Available Enhancements

Improvements to App Search results

When searching for an integration, the App Catalog results now display the protocol and capabilities alongside the app name, rather than the associated categories. To expand the results, click See All Results.

HealthInsight recommendation for SAML-based apps

A new HealthInsight recommendation now notifies an admin of all existing SAML-based apps that aren't using SAML authentication. See Enable SAML or OIDC authentication for supported apps.

Admin CSV file name updated

The naming format for Administrator CSV files has been updated to contain the report type and the org ID.

Admin role descriptions added

Admin role descriptions have been added to the Add Administrator and Edit Administrator dialog boxes. See Grant admin privileges.

Google Push Group enhancement

Google Push Group functionality remains available even when the ability to import groups has been disabled. See About Group Push

Enhanced UI for network zones

The network zones UI has been enhanced to improve readability and flow for IP, location, and ASN data. See Network Security.

New device behavior detection enhancement

The behavior detection of new devices has been updated to re-evaluate certain scenarios where a device fingerprint is missing when users sign in. See Security Behavior Detection.

Additional validation to curtail abuse

For free and paid developer orgs, we have added additional validation to the org name and some user profile fields to curtail abuse.

Early Access Features

New Features

Okta RADIUS Server agent, version 2.10.1

This version includes support for Linux, including .rpm and .deb installers. See Okta RADIUS Server Agent Version History.

LDAP agent, version 5.6.4

This version of the agent contains internal improvements. See Okta LDAP agent version history.

Fixes

General Fixes

OKTA-128110

When editing an administrator's roles, toggling the Super Administrator check box on and off sometimes caused the UI to mistakenly issue a warning that no roles were selected.

OKTA-262777

New SAML apps had an active SAML assertion Inline Hook assigned to them automatically.

OKTA-267840, OKTA-274937, OKTA-279424, OKTA-279458

Several UI elements contained minor translation errors (Dutch, Korean, French, and Portugese).

OKTA-274995

After an admin enabled and configured SCIM for a wizard app, then disabled SCIM, the UI element to enable SCIM disappeared.

OKTA-275270

When using the Token Preview tool, an access policy was sometimes incorrectly applied for the client credentials flow.

OKTA-278738

In some cases, a SAML assertion incorrectly included extra Attribute Statements.

OKTA-280692

The Update application username field under the Provisioning settings tab didn't render correctly when profile mastering was enabled.

OKTA-281236

The Admin CSV file didn't have the Third-Party Admin column for orgs that have enabled the third-party admin assignment settings.

OKTA-282208, OKTA-286053

Modifying the settings in the Profile and Lifecycle Mastering section of the new import and provisioning settings experience for Active Directory sometimes failed.

OKTA-282798

Error messages concerning SAML Inline Hooks sometimes didn't populate in the System Log.

OKTA-283605

Sometimes when Application Entitlement Policy and Import Sync Callback feature flags were enabled, AD-imported attributes were not updated by mapping.

OKTA-284589

The App Catalog page sometimes did not render properly when the resolution was 1024x768 or lower.

OKTA-284903

Okta internal logging didn't handle valid special characters in the log field, resulting in issues.

OKTA-286144

When Federation Broker Mode was enabled for a SAML app using encryption, attempts to SSO into that app failed with a 400 Bad Request error.

OKTA-286370

Search results for users with invalid profile data due to a schema change incorrectly resulted in a 500 error instead of a 409 conflict error.

OKTA-286419

Add Section and Edit Section Name buttons didn't function properly in the new Okta End-User Dashboard in Internet Explorer 11 and Edge. Dragging application icons functionality didn't work in Internet Explorer 11.

OKTA-286428

Some UI elements were missing from the app settings sidebar in the new Okta End-User Dashboard in Internet Explorer 11 and Edge.

OKTA-287667

The Install the plugin button didn't display consistently in Internet Explorer 11 and Edge.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Assure Sign (OKTA-284353)

  • AvaTax Admin Console (OKTA-285170)

  • Chase Mastercard (OKTA-284914)

  • Citi Credit Cards (OKTA-285965)

  • Citi Velocity (OKTA-286149)

  • Custom Report Sharing (OKTA-284638)

  • ezeep (OKTA-286381)

  • GoNoodle (OKTA-286382)

  • Meraki Dashboard (OKTA-286379)

  • Monster Hiring (OKTA-285556)

  • MyLexia (OKTA-286148)

  • Pinterest (OKTA-285778)

  • PremiumBeat (OKTA-284402)

  • Sagitta Propel Insurance (OKTA-285845)

  • Secureworks (OKTA-285995)

  • Service Channel (OKTA-286147)

  • Standout M (OKTA-284911)

  • TapInfluence (OKTA-286380)

  • TeamPassword (OKTA-286378)

  • The Business of Fashion (OKTA-280914)

  • Zapier (OKTA-284033)

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • BlogIn (OKTA-284052)

  • DiversityEduLLC (OKTA-284062)

  • Doppler (OKTA-283629)

  • Inspire (OKTA-283636)

  • Lola (OKTA-284376)

  • MyRIACompliance (OKTA-279290)

  • Paylocity Web Pay (OKTA-285418)

  • Psono Password Manager (EE) (OKTA-284898)

  • SurveyGizmo (OKTA-282980)

  • TelemetryTV (OKTA-284380)

SAML for the following Community Created application

  • The Respond Analyst (OKTA-278325)

SWA for the following Okta Verified application

  • Membee (OKTA-268688)

Weekly Updates

April 20

Fixes

General Fixes

OKTA-267519

Several UI elements contained minor translation errors (Dutch and German).

OKTA-277075

Switching back to the old interface from the Okta End-User Dashboard didn't also switch back to the old interface for the Okta Browser Plugin as expected.

OKTA-284391

In some cases, stale data from a removed Beta feature affected the ability to toggle Okta Verify.

OKTA-284861

In some cases, where Office 365 app was configured with SWA SSO, the updated General Settings couldn't be saved.

OKTA-286132

In some cases, when Agentless Desktop SSO state token support was enabled, Agentless Desktop SSO stopped working.

OKTA-288059

When an end user enrolling in Okta Verify clicked scan the barcode again and scanned the code, an incorrect error message appeared instead of signing the user out.

OKTA-289620

In some cases, personal apps were incorrectly counted in SAML-capable apps in the HealthInsight recommendation.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • ADP Run (OKTA-283497)

  • AIA (OKTA-287940)

  • CUES (OKTA-287109)

  • Goldman Sachs Personal Financial Management (OKTA-287106)

  • Greenhouse (OKTA-288627)

  • HelloSign (OKTA-288637)

  • Microsoft Office 365 (OKTA-283156)

  • MyLevel3 (OKTA-287098)

  • MyRouteOnline (OKTA-287112)

  • Olapic (OKTA-288638)

  • RescueAssist (OKTA-287108)

  • Soundcloud (OKTA-287116)

  • Unity Asset Store (OKTA-288616)

  • Wells Fargo Funding (OKTA-286470)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Egencia (OKTA-287065)

  • k6 Cloud (OKTA-278242)

  • LogicGate (OKTA-286401)

  • MongoDB (OKTA-287432)

  • Pastel (OKTA-286360)

  • Splashtop (OKTA-284895)

  • Trelica (OKTA-288973)

SWA for the following Okta Verified applications

  • Aquera (OKTA-287101)

  • Foley (OKTA-286327)

  • Tenable.io (OKTA-287675)

  • TurboTax (OKTA-284883)

May 4

Fixes

General Fixes

OKTA-276722

Users imported from AD with a Staged status weren't automatically activated when they signed in with Just-in-Time provisioning and Interactive Windows Authentication.

OKTA-277814

Some directory logos (Directory > Directory Integrations > LDAP Integrations) didn't appear properly.

OKTA-277999

When all Behavior Detection policies for Adaptive MFA were set to Inactive, and the first rule in the sign-on policy included a risk condition, the first rule was applied without evaluating the risk score.

OKTA-279173

In some cases, when testing a SCIM connection on Okta, Okta returned an authentication error even when the certification was correctly installed on the server and was valid.

OKTA-281485

iPad versions 10 and above identified themselves as macOS devices and caused some Device Trust authentication flows to fail on those devices.

OKTA-281527

When a New Geo-location was enabled in Behavior Detection, some users received MFA prompts each time they signed in, even when they were signing in from the same location.

OKTA-282209

In some cases, the Okta Browser Plugin didn't auto-populate credentials for SWA apps using the basic authentication template.

OKTA-284330

Successful authentication responses didn't contain the sessionToken value when the response contained a state token.

OKTA-285857

When BambooHR SAML authentication was changed from API to OIDC, admins received an error when updating profiles for assigned users.

OKTA-286225

When the Workday Incremental Imports Early Access feature was enabled, incremental imports wrote null values to the uniquely mapped attributes when a user updated a Workday user profile.

OKTA-287647

A performance issue prevented Group Administrators, who manage a large number of groups, from saving additional groups in the Okta Admin Console.

OKTA-290828

Switching to another MFA factor verification sometimes failed if an Okta Verify push was already in progress.

OKTA-294630H

In some circumstances, changing an app's provisioning settings caused custom settings to revert to default values

OKTA-296659H

iPad using iOS 13.1 sometimes did not follow the login flow correctly.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 1Password Business (OKTA-288555)

  • Adobe Sign Provisioning (OKTA-285816)

  • Cisco AMP for Endpoints (OKTA-289504)

  • Cisco Webex (OKTA-291196)

  • Customer.io (OKTA-290633)

  • Drift (OKTA-290029)

  • GSA EBUY (OKTA-290030)

  • Optimal Workshop (OKTA-290827)

  • Technology Review (OKTA-290023)

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Atscale (OKTA-291235)

  • AWS ClientVPN (OKTA-286416)

  • Lenses (OKTA-288610)

  • LIRNProxy (OKTA-289322)

  • Odo (OKTA-290019)

  • OpenAir (OKTA-290021)

  • Qualtrics XM (OKTA-286415)

  • Sobol (OKTA-289289)

  • SurveyGizmo (OKTA-290020)

  • Tradable Bits (OKTA-287954)

  • VNDLY (OKTA-284670)

  • Zenduty (OKTA-287957)

SWA for the following Okta Verified applications

  • Heritage Commercial Online Banking (OKTA-291006)

  • Immigration Connect by Fragomen (OKTA-286317)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • Miro (formerly RealtimeBoard) (OKTA-284127)

OIDC for the following Okta Verified applications

March 2020

2020.03.0: Monthly Production release began deployment on March 9

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Changes to admin permissions

Super admins can no longer edit their own role assignment. The Edit and Delete actions are removed from their profile row on the Administrators page. See The Super admin role.

Pagination is now available when listing Authorization Servers

Pagination is now available for lists of authorization servers. See API Access Management.

Custom Email events added to the System Log

Updates to custom email templates are now tracked in the System Log.

Email verification added as optional enrollment factor

If admins configure email verification as an optional MFA factor, end users can select email as a factor during MFA enrollment. To complete enrollment, end users enter the code sent to their primary email address. The verification UI is redesigned.

Sign-in attempt behavior evaluation is logged when there is no client information

Sign-in attempt behavior evaluation is logged in the debugContext object of the user.session.start and policy.evaluate.sign_on events even when client information is missing for all behaviors.

Jira Authenticator, version 3.1.3

This release contains a bug fix for SAML SP-initiated flows, to ensure that all supported URLs redirect to Okta.  See Okta Jira Authenticator Version History.

Active Directory improvements

To assist orgs with more than 10,000 Organizational Units (OUs), improvements were made to the User OUs connected to Okta and Group OUs connected to Okta fields on the Active Directory Settings page.

Mobile tab available for mobile-capable apps

The Mobile tab available in the Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users. See Enable access to managed mobile apps.

Deleted admin users

When a user who has an admin role and privileges assigned to them is deleted, their admin privileges are revoked. The deleted user is removed from the Administrators page and CSV download list of administrators. For information about Admin roles, see Administrators.

Generally Available Enhancements

Salesforce integration supports pushing null values

The Salesforce integration supports pushing null values to user profile updates. To enable this functionality, select the Allow Pushing Null Values option on the Provisioning tab.

Veeva Vault integration update

The Veeva Vault integration has a new check box on the Provisioning tab that allows admins to choose whether to use Email instead of Username.

Spotlight search bar changes

The spotlight search bar is no longer visible to Report Admins because they do not have search permissions.

Accessibility enhancement for Okta Sign-in Widget

The Username and Password form fields on the Sign-In page now include the aria-required property. This property is not visible to end users, but indicates to screen readers that these fields are required.

Profile Editor improvements

The Profile Editor page has been improved to simplify navigation and clarify functionality.

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-267829

App admins were able to modify all profiles in the Profile Editor even when the admin was limited to only administer certain apps.

OKTA-268943

The Okta Admin Console displayed options to delete or deactivate app instances that can't be deleted or deactivated.

OKTA-277589

When the App Catalog feature was enabled, app admins with required permissions received a blank page when they clicked the Add Application button.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Blanchard Exchange (OKTA-278301)

  • ConnectWise Automate (OKTA-278300)

  • Playbook (OKTA-279423)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Halogen (OKTA-280008)

  • OneDesk (OKTA-276015)

  • Parabol (OKTA-278665)

SWA for the following Okta Verified application

  • Altair Eyewear (OKTA-277992)

Weekly Updates

March 16

Fixes

General Fixes

OKTA-235986

Searches for an app didn't yield any results in the Current Assignments report.

OKTA-259823

Password sync failed for the Org2Org app.

OKTA-263028

A 500 error instead of a 409 conflict error was thrown when searches for users failed due to invalid profile data.

OKTA-264155

In some cases, Event Hook verification failed when using certain Certificate Authorities.

OKTA-269534

Users saw an erroneous error message when they refreshed the page after completing self registration.

OKTA-271407

Admins assigned the App Admin role for selected apps were able to see private apps in the Add Application dialog.

OKTA-277954

For Preview orgs, User OUs and Group OUs failed to load the AD integrations Settings page.

OKTA-278961

Individual Admin Email Notification settings were not overwritten by global settings as expected.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • American Express Online by Concur (OKTA-281727)

  • Calpers (OKTA-281186)

  • Deltek Customer Care Connect (OKTA-281926)

  • Formstack (OKTA-280358)

  • Hippocmms (OKTA-281189)

  • MyFonts (OKTA-279931)

  • New York Magazine (OKTA-280591)

  • Office Vibe (OKTA-281190)

  • SAP Concur Solutions (OKTA-281180)

  • UserTesting (OKTA-280586)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Axonius (OKTA-273528)

  • CrossKnowledge Learning Suite (OKTA-276017)

  • Keeni Operating Procedures (OKTA-279019)

  • Tevora Portal (OKTA-266963)

  • Virtru (OKTA-274953)

SWA for the following Okta Verified applications

  • Fisher Scientific (OKTA-279867)

  • Sagitta (OKTA-276292)

  • Thermofisher (OKTA-280605)

March 23

Fixes

General Fixes

OKTA-257061

Okta to DocuSign Provisioning mistakenly sent the same value for DocuSign attributes Title and JobTitle.

OKTA-263259

When Factor Sequencing was enabled, users that authenticated for the first time were incorrectly prompted for MFA enrollment.

OKTA-266146

Users with fewer than 13 apps were unnecessarily shown the Quick Access Apps page on the new Okta End-User Dashboard.

OKTA-267210

The new Okta End-User Dashboard redundantly displayed the Get the Plugin button.

OKTA-269649

When the meta data cache for an app was invalidated because the app was created or updated, the generated System Log event did not have a description.

OKTA-270685

When users searched for applications that didn't exist in the new Okta End-User Dashboard, the App catalog search result was empty with no message for the user.

OKTA-276950

Deleting pushed app groups in the Service Provider resulted in duplicate groups being created in Okta.

OKTA-277794

In some cases, testing a SCIM connection on Okta resulted in an authentication error.

OKTA-277802

The copyright year listed on the My Apps homepage on the new Okta End-User Dashboard was outdated.

OKTA-277898

After their session expired, end users on the new Okta End-User Dashboard were unable to access their apps instead of being prompted to sign in again.

OKTA-280874

The Edit App button on the new Okta End-User Dashboard was missing an ARIA attribute.

OKTA-282045

When a SWA app was set up with the sign-on policy Administrator sets username, password is the same as user's Okta password, end users that launched the app from the new Okta End-User Dashboard weren't properly redirected to the app sign-in page.

OKTA-282433

When apps were loading on the new Okta End-User Dashboard, end users incorrectly saw an Add apps to launcher message.

OKTA-282527

On the new Okta End-User Dashboard, the Help link in the footer incorrectly redirected to the Technical Contact even when the Help link was provided.

OKTA-283160

The Event Hook user.account.report_suspicious_activity_by_enduser was not visible in the Okta Admin Console UI.

OKTA-283333

Lists containing more than 10 IPs were not truncated in the Networks section in the Okta Admin Console.

OKTA-285079H

WebAuthN factors originally enrolled as U2F failed in some Preview orgs.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Intercom (OKTA-282204)

  • Zoho Personal (OKTA-282338)

Applications

Application Update

The SolarWinds (formerly SAManage) provisioning app now supports Token Authentication.

Note that SolarWinds will be deprecating username/password authentication support. See SolarWinds Provisioning Guide.

New Integrations

SAML for the following Okta Verified applications

  • Arkphire - Ordering Portal (OKTA-274302)

  • Clock PMS (OKTA-282395)

  • Databook (OKTA-281177)

  • HackEDU (OKTA-281019)

  • Shutterstock (OKTA-278237)

SWA for the following Okta Verified application

  • Department 31 (OKTA-277108)

April 6

Fixes

General Fixes

OKTA-245252

In some cases, the custom domain URL of an org was not honored during certificate-based primary authentication using a Personal Identity Verification (PIV) card.

OKTA-261138

In the new Admin App Catalog, expanding the search results and clicking Show more didn't correctly fetch both public and private apps.

OKTA-273907H

Some users imported from Workday using Real Time Sync were subsequently deactivated in Workday.

OKTA-282600H

Routing rules for Agentless Desktop SSO sometimes failed for OIDC apps.

OKTA-282659

The new App Catalog didn't load properly and displayed a blank page if an App Catalog endpoint was down.

OKTA-282925

In the new Admin App Catalog, the inactive Add button for an app was clickable.

OKTA-284290

The Extra Verification section on the Okta End-User Dashboard > Settings page sometimes displayed Email as a factor even when the end user's policy didn't allow it.

OKTA-284451

The download link for Okta RADIUS Server Agent for Debian (Linux) was missing from the Downloads page for orgs that had the EA agent enabled.

OKTA-286344H

The Windows Autopilot feature did not appear on the Open Betas page in Okta.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • MongoDB Cloud Manager (OKTA-282962)

Applications

New Integrations

SAML for the following Okta Verified applications

  • AssetSonar (OKTA-282381)

  • Blissfully (OKTA-280020)

  • Bridgecrew (OKTA-283634)

  • Planhat (OKTA-279291)

  • Reprise (OKTA-281179)

SWA for the following Okta Verified applications

  • 1Password (OKTA-274741)

  • Saba TalentSpace (OKTA-283095)

February 2020

2020.02.0: Monthly Production release began deployment on February 18

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

 

Active Directory, new import and provisioning settings experience

The AD settings user interface had been updated. It is now more consistent with how other application settings are configured. All orgs will now use the Okta expression language for the Okta username format field.

If your org was created before October 4th (Preview) or October 9th, 2017 (Production), a legacy expression language that is different than the Okta expression language was used for the Okta username format field. For more information, see Configure the Okta Active Directory (AD) agent: new user interface and Updated AD Profile Mapping options.

This feature will be gradually made available to all orgs.

Enhanced provisioning for Office 365

With additional enhancements to Microsoft Office 365 integration admins can now synchronize identities from on-premises to cloud-based Office 365, provision a user profile that is extended further to include over 100 attributes, as well as synchronize distribution groups, contacts, and resources such as conference rooms.

Admins can also manage user licenses and roles, independent of other provisioning flows. The new provisioning type for Office 365, License/Roles Management Only, allows admins to manage user license assignment and role delegation for existing Office 365 users and for users provisioned to Office 365 with third-party tools. For more details, see Okta Enhancements with Microsoft Office 365 Integration.

Password Import Inline Hook

The Password Import Inline Hook lets you interface with an external service to verify a user-supplied password when the user signs in to Okta for the first time. This supports scenarios in which users are migrated from an existing user store while allowing them to retain their passwords.

See Inline Hooks

SAML Assertion Inline Hook now supports URI formatting in claims

Okta now supports URI claims with SAML assertion hooks. When you need to replace or add a URI claim, you must encode the claim name within the command based on the JavaScript Object Notation (JSON) Pointer specification. Specifically, this replaces ~ with ~0 and / with ~1.

See Inline Hooks

Changes to admin permissions

Only super admins and org admins can edit their org's custom domain settings.

OAuth for Okta Enabled for Policy API

The Policy API now has OAuth for Okta enabled.

Sign-in widget error messaging

The error message Unable to sign in is now displayed if authentication fails when signing in to Okta.

Provisioning Capable Apps report

The Provisioning Capable Apps report contains data about available apps for orgs that can have provisioning enabled.

See Reports

Okta Browser Plugin, version 5.37.0 for all browsers

This version includes:

  • New user experience for the plugin (available as an EA feature), see New Okta End-User experience
  • Fix for re-authentication modal getting stuck in some browsers
  • Fix for the Firefox download link in the Okta Admin Console > Downloads page
  • For Internet Explorer installer, the name Okta Secure Web Authentication Plugin changed to Okta Browser Plugin
  • Back-end enhancements

See Okta Browser Plugin: Version History

Get User API Support for sort parameters

The Get User API now supports sortBy and sortOrder parameters.

New System Log event for user type changes

A new System Log event is added when the user type for an end user changes.

Send Device Context using Limited Access

Limited Access allows you to configure Okta to pass device context to certain SAML apps through the SAML assertion during app authentication. The app uses this data to limit access to certain app-specific behaviors. For more information, see Pass Device Context to SAML apps using Limited Access.

Enhancements to identify user addition and removal status and improve performance

The addition or removal of users from a group now runs as a background task. During the process, the Manage People button is inactive and a notification appears to indicate the progress of the request. For more information, see About group rules.

Enhancements to identify org user deactivation status and improve performance

Org user deactivation now runs as a background task. Notifications have been added to indicate request progress and successful request completion. For more information, see Activate and deactivate users.

Early Access Features

New Features

Okta ADFS Plugin version 1.7.5

This version includes:

  • A fix that removed an extra scroll bar when integrated on an ADFS page with two or more factors.
  • Security enhancements and bug fixes

See Okta ADFS Plugin Version History

Okta RADIUS Server Agent for Windows, version 2.9.6

This version includes:

  • An update that no longer requires entering a port or shared secret in the installer.
  • Various bug fixes

See Okta RADIUS Server Agent Version History

Okta Windows Credential Provider, version 1.2.4

This version includes security enhancements. See Okta MFA Credential Provider for Windows Version History

LDAP agent, version 5.6.3

Support for Oracle Directory Server Enterprise Edition (ODSEE). See Okta LDAP agent version history

Windows Device Registration Task, version 1.4.1

This release fixed the following issues:

  • If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
  • An unknown publisher warning appeared after double-clicking the Okta Device Registration MSI file.

Affected customers should uninstall the registration task and install 1.4.1 or later.

See 2.2 — Obtain and install the Device Registration Task and Device Trust for Windows Desktop Registration Task Version History

New Okta End-User Dashboard and Okta Browser Plugin

The newly redesigned Okta End-User Dashboard and Okta Browser Plugin boost user productivity and provides a faster, more intuitive, and more responsive user experience.. See New Okta End-User experience

Fixes

General Fixes

OKTA-193648

A user inadvertently retained access to an admin app when the only group/app assigned to the user was deleted.

OKTA-251904

Attributes with null or blank values were not updated to RingCentral.

OKTA-259534

When a user was locked out due to multiple failed password attempts, the UI incorrectly showed the following error message: Your account was locked due to excessive MFA attempts.

OKTA-260403

When an end user set their preferred language to Spanish, email notifications in English that were sent to the user contained a typo.

OKTA-263494

When using the SAML Assertion Inline Hook, if there was an optional attribute statement configured for the app and the attribute statement had no value specified, commands returned from SAML Inline Hook responses were not applied.

OKTA-268604

When using a custom domain, the PIV button look and feel was inconsistent on the sign-in page.

OKTA-269675

When batch imports were enabled, group memberships were sometimes not handled correctly.

OKTA-272601

Deleted OIDC App Instances still showed up as inactive in database.

App Integration Fixes

The following SAML apps were not working correctly and are now fixed

  • Qualys Guard (OKTA-270318)

  • Sage Intacct (OKTA-268392)

  • Socialbakers (OKTA-273050)

The following SWA apps were not working correctly and are now fixed

  • Adobe (OKTA-272864)

  • Adobe Creative (OKTA-272880)

  • Adobe Enterprise (OKTA-272879)

  • Apple Business Manager (OKTA-264263)

  • connectwise_automate (OKTA-272812)

  • Iola (OKTA-272811)

  • Statuspage (OKTA-272865)

Applications

Application Updates

Provisioning support has been removed from the Crashplanpro, Bloomfire, and Confluence apps due to their low customer usage, lack of standards based integration, and high supportability cost.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

Note: The following apps were previously released as Early Access, but as part of our process changes the apps have now been updated and released as Generally Available, Okta Verified.

SAML for the following Okta Verified applications

  • activpayroll - activ8 (OKTA-271002)

  • Nethris (OKTA-266636)

  • Octarine (OKTA-272822)

  • Openpath Security (OKTA-272571)

  • Reachdesk (OKTA-272823)

  • Rescana (OKTA-270985)

SWA for the following Okta Verified application

  • Aquera (OKTA-272801)

Weekly Updates

February 24

Fixes

General Fixes

OKTA-275403

The System Log Advanced Search feature incorrectly listed the least common fields, rather than the most common fields, in the results.

OKTA-243812

The link text for the SolarWinds Service Desk app configuration documentation was wrong.

OKTA-250348

The .self scopes were displayed for Service clients on the Okta API Scopes page, despite the clients not having a user context.

OKTA-255236

MFA Enroll and MFA Reset emails in foreign languages contained an untranslated word.

OKTA-255878

The German translation on the Email Preview page contained incorrect capitalization.

OKTA-258904

The Dutch translation for the Phone Call factor contained a typo.

OKTA-260542

When deleting the SSPR factor on the Okta End-User Dashboard, Internet Explorer and Edge displayed a transparent window.

OKTA-266380

Import inline hooks was incorrectly triggered multiple times for the same user.

OKTA-267851

The WebAuthn(FIDO2) MFA enrollment prompt page did not support translation.

OKTA-268306

Expired AD users received different authentication errors depending on whether the Passwordless Policy was enabled or disabled.

OKTA-272891

Office 365 metadata in the /mex endpoint contained an unsupported URL that caused Single Sign-On to occassionally fail on Microsoft Dynamics CRM.

OKTA-273352

Authentication API returned a 500 error message instead of a 400 error message when the request was submitted in a SUCCESS state.

OKTA-274852

The name Import inline hook was not updated to reflect the current UI. It is now renamed as User import inline hook.

OKTA-275331

In certain SP-intiated flows, users were repeatedly prompted for credentials when ForceAuthN was requested.

OKTA-276093

When an admin's last role was revoked using the Roles API, it sometimes did not trigger a System Log event.

OKTA-276168

The autocomplete results for the field debugContext.debugData.url in the System Log Advanced Search feature affected performance and were removed. This field is still usable for queries in the System Log UI and in the Logs API.

OKTA-277609

Chromium-Edge new users who had not installed the Okta Browser plugin were displayed a banner stating that the plugin was required but the browser was unsupported.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • RightScale (OKTA-274507)

The following SWA apps were not working correctly and are now fixed

  • Apple Search Ads (OKTA-276421)

  • Brex (OKTA-276715)

  • Brex (OKTA-274478)

  • Cisco WebEx Meeting Center (OKTA-270559)

  • Director's Desk (OKTA-275986)

  • Discovery Benefits (OKTA-274220)

  • Innovative (OKTA-274248)

  • RIMS (OKTA-275987)

  • Rubicon Project (OKTA-275990)

  • Safeco (OKTA-275248)

  • Spotlight Reporting (OKTA-275991)

  • Squarespace V5 (OKTA-277555)

  • The Economist (OKTA-274254)

  • Twitter Developer (OKTA-277553)

  • Webtrends Analytics (OKTA-275988)

  • Zions Bank (OKTA-277344)

  • Zoho CRM (OKTA-274715)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration apps is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Folloze (OKTA-272837)

  • Orca Security (OKTA-273918)

  • Ovio Explore (OKTA-274954)

  • Percy (OKTA-275268)

  • Topbox.io (OKTA-274250)

  • Zoho Directory (OKTA-272820)

SWA for the following Okta Verified applications

  • AccessVA ID.me (OKTA-276941)

  • AssetWorks FleetFocus (OKTA-277749)

  • Brainerd Dispatch (OKTA-274549)

  • Colorado Springs Employee Self Service (OKTA-269168)

  • Elimity (OKTA-276935)

  • IBM Sterling File Gateway (OKTA-275226)

  • PSI True Talent (OKTA-277332)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • Kisi Physical Security (OKTA-276272)

OIDC for the following Okta Verified application

March 2

Fixes

General Fixes

OKTA-255792

Email notifications for MFA factor resets displayed no location if there was no geo-location information available for the event.

OKTA-258881

When the Factor Sequencing EA feature was enabled, some users were incorrectly switched to a new factor chain after verifying the first factor of the default factor chain.

OKTA-264155

Event Hook verification failed in some cases when using certain HTTPS certificate authorities.

OKTA-274239

Certificates that contained wildcards in CN or SAN were wrongfully considered valid for subdomain.domain.com when they were issued for *.subdomain.domain.com.

OKTA-275890

When a customer configured a dynamic attribute for an OIN SAML 2.0 app, and then Okta added an attribute with the same name to that app, both attributes were sent in the SAML assertion. The assertion should have contained the customer's dynamic attribute only.

OKTA-275981

The Russian translation for set up was incorrect in the Extra Verification settings section of the end-user dashboard.

OKTA-277702

In some cases, the IP Address field for security events was not properly populated in the System Log.

OKTA-278773

If a sign-in did not have a device fingerprint it was not treated as a new device sign-in by the behavior policy rule for new device.

OKTA-280084

Users of free and developer editions of Okta could create and send customized email templates as an Automation action.

OKTA-280571

Testing API Credentials failed when adding additional child accounts to Connected Accounts IDs (optional) in AWS -Multiple instances.

OKTA-281195H

The Max Import Unassignment setting for some integrations could not be edited.

OKTA-281501H

The Import Safeguard Percentage setting from the AD integrations UI could not be edited.

App Integration Fixes

The following SAML apps were not working correctly and are now fixed

  • G Suite (OKTA-277619)

  • Mimeo (OKTA-268673)

The following SWA apps were not working correctly and are now fixed

  • Abstract (OKTA-278327)

  • Adobe Sign Provisioning (OKTA-275000)

  • Dell Boomi (OKTA-278299)

  • GatherContent (OKTA-278914)

  • Instacart (OKTA-277552)

  • Kenshoo (OKTA-277701)

  • MURAL (OKTA-278294)

  • ReverseRisk (OKTA-277977)

  • Roadmunk (OKTA-278298)

  • SharpSprings (OKTA-277613)

  • Society of Actuaries (OKTA-278302)

  • Woobox (OKTA-278292)

  • Wrike (OKTA-278293)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Logikcull (OKTA-276909)

  • Odo (OKTA-277131)

  • Terranova Security Awareness Platform (OKTA-277333)

  • Zoomifier (OKTA-274951)

SWA for the following Okta Verified applications

  • AIB (OKTA-277420)

  • Nave Jira (OKTA-276706)

  • Titlesdesk (OKTA-277420)

January 2020

2020.01.0: Monthly Production release began deployment on January 13

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta Browser Plugin version 5.36.1 for Chromium-based Microsoft Edge and Mozilla Firefox

This version includes the following:

For version history, see Okta Browser Plugin: Version History

New System Log event for Grant User Privilege

The Grant User Privilege System Log event now logs activity for each user in a group when an Admin role is assigned to the group.

New System Log events for OIDC scope grants

System Log events are now triggered when an administrator grants consent for OpenID Connect scopes.

Rogue Accounts Report End of Life (EOL)

The Rogue Accounts Report feature has been removed due to low usage, high cost of maintenance, and the availability of custom solutions. For example, admins can retrieve similar data by using the List Users Assigned to Application API to see users who were assigned to an app in Okta, and then using custom code to generate a list of users assigned in the app itself. For more information, see this Support Article.

Federate multiple Office 365 domains in a single app instance

You can automatically federate multiple Microsoft Office 365 domains within a single Office 365 app instance in Okta. This eliminates the need to configure a separate Office 365 app instance for each Office 365 domain. This feature will be slowly made available to all orgs. For more information, see Federate multiple Office 365 domains in a single app instance.

Support for Salesforce Government Cloud

You can create instances of the Salesforce app that can integrate with Salesforce Government Cloud. For more details, see the Salesforce Provisioning Guide.

Box integration enhancement

The Box integration is enabled for Universal Directory and is enhanced by the following additional properties in the User Profile:

  • firstName
  • lastName
  • timezone
  • language
  • space_amount (RO)
  • max_upload_size (RO)
  • job_title
  • phone
  • address
  • avatar_url (RO)
  • groups
  • space_used (RO)

See the Box Provisioning Guide for more information.

Resumable Import

Resumable Import is a performance enhancement that prevents imports from starting over in the event of a deployment or infrastructure issue. Instead, the import automatically pauses and continues from the most recently completed step. For information on importing users, see Import users.

HealthInsight

HealthInsight audits an organization’s security settings and suggests recommended tasks to improve an org's security posture. Security tasks and recommendations are intended for admins who manage employee security within their organization.

HealthInsight may now be accessed directly from the Admin Console dashboard.

Fore more information, see HealthInsight.

App Catalog Search Improvements

The enhanced Okta Integration Network (OIN) App Catalog now features:

  • A new incremental search and an improved search results preview
  • Expanded search capabilities to check app integration names, descriptions, or categories
  • Fuzzy search logic to match partial hits and name variations
  • Tiles highlight the protocols supported by the app integration

This feature will be gradually made available to all orgs.

Generally Available Enhancements

UI Enhancements for HealthInsight

The HealthInsight card on the Admin Console dashboard and HealthInsight actions have been updated for improved usability. For more information about HealthInsight, see HealthInsight.

Additional context in MFA authentication in some apps

We have added an additional target element containing application information to MFA events triggered by authentication to Epic Hyperspace EPCS (MFA) and Microsoft RDP (MFA) apps.

Improved text in single line challenge for RADIUS MFA

The text displayed during the a single line MFA challenge via RADIUS authentication has been improved to fixed grammatical errors.

Notification when adding a user to an Admin group

Admins now see a notification that admin privileges will be granted when adding a user to a group with Admin privileges.

Updated Privacy Policy

Okta has updated its Privacy Policy. See https://okta.com/privacy-policy/ to review the latest version.

Condition update for MFA Enrollment policy rules

The name of the setting for the Any Application condition has been updated to specify app support for MFA Enrollment. For more information, see App Condition for MFA Enrollment Policy.

UI enhancements for profile and attribute selection

The appearance of profile and attribute selection elements is updated to be more consistent with other Okta select elements.

Toggle on/off the end user onboarding screen

In the Settings > Appearance settings in the Admin Console, admins can control whether or not new end users see the onboarding screen upon their first sign in to the Okta End User dashboard.

This release does not have any Early Access features.

Fixes

General Fixes

OKTA-243820

The word Password was incorrectly translated in Dutch.

OKTA-246764

French translation for the Self-Service Unlock when Account is not Locked email template was not intuitive.

OKTA-253397

Microsoft RDP (MFA) prompts did not display the official Okta logo.

OKTA-257479

After an application was selected from the Okta Safari plugin toolbar menu, the selection window did not close as expected.

OKTA-259962

Searching for an app in App Administration Assignment did not display exact matches.

OKTA-262560

Fido 2.0 (Webauth) set as a secondary factor on Factor Sequencing failed on the user sign-in with the error We found some errors. Please review the form and make corrections.

OKTA-262649

In Okta Device Trust with VMware Workspace ONE implementations, app sign-on policy denied access on Android 10 even if the device was trusted.

OKTA-266237

App Admins who were configured to only see a subset of apps in the catalog were able to see all apps.

OKTA-267712

When creating a SAML integration using the AIW, the instructions contained the outdated acronym OAN instead of the current OIN (Okta Integration Network) acronym.

OKTA-268637

For orgs that had opted into the New Import and Provisioning Settings Experience for Active Directory EA feature, placeholder text was displayed instead of the correct text in the warning dialogue when the Profile and Lifecycle Mastering checkbox under Active Directory provisioning settings was checked and the Update Users checkbox was previously enabled.

OKTA-268720

The Settings tab for app provisioning failed to render in Internet Explorer 11.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Aha (OKTA-266200)

  • American Express Work Reconciliation (OKTA-266198)

  • Apple ID (OKTA-264195)

  • Aveda (OKTA-266196)

  • Blackbaudhost Citrix (OKTA-266199)

  • Bloomfire (OKTA-266193)

  • Brex (OKTA-266241)

  • Cisco WebEx Meeting Center (OKTA-262750)

  • Citrix RightSignature (OKTA-268537)

  • DoorDash (OKTA-268780)

  • Firefox (OKTA-266201)

  • FullContact Developer Portal (OKTA-268538)

  • Google Analytics (OKTA-266914)

  • Impraise (OKTA-268534)

  • MKB Brandstof (OKTA-267534)

  • Nest (OKTA-267942)

  • NewEgg Business (OKTA-268840)

  • OnePath Advisor (OKTA-266925)

  • Principal Financial Personal (OKTA-268782)

  • RescueTime (OKTA-266197)

  • Rhino3d (OKTA-268531)

  • Seek (AU) - Employer (OKTA-266703)

  • Shipwire (OKTA-266919)

  • Site24x7 (OKTA-268622)

  • Vindicia (OKTA-266192)

  • Wombat Security Awareness (OKTA-268532)

The following SAML app was not working correctly and is now fixed

  • Datadog (OKTA-267430)

Applications

Application Updates

  • Zoom provisioning application now supports updating user email addresses.
  • Citrix NetScaler Gateway has changed its name to Citrix Gateway.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • AppOmni (OKTA-266642)

  • Appsian Security Platform for PeopleSoft (Encrypted) (OKTA-265400)

  • Clinical Maestro (OKTA-264130)

  • Cmd (OKTA-266400)

  • Freshworks (OKTA-262038)

  • Grammarly (OKTA-266950)

  • Kisi Physical Security (OKTA-265701)

  • LoanBuddy (OKTA-266952)

  • Mode Analytics (OKTA-260404)

  • Reducer (OKTA-265134)

  • TeamzSkill (OKTA-265665)

SWA for the following Okta Verified application

  • Miniter (OKTA-262048)

Weekly Updates

January 21

Fixes

General Fixes

OKTA-172858

Help Desk and User admins could see the System Log page although it did not contain any events.

OKTA-239389

The Radius agent rpm uninstall command did not remove the .pid file.

OKTA-260178

Group rules that included a custom attribute based on a class name resulted in an Error in evaluating expression error.

OKTA-262628

A non-descriptive validation error was displayed when providing a non-unique value for a unique attribute during self-service registration. The error message now shows an appropriate message.

OKTA-265119

Profile Updates and User Deprovisioning did not run sequentially, which sometimes resulted in errors.

OKTA-265977

New users who tried to create an account received a 400 error when federating into applications such as Office 365.

OKTA-266061

The warning for Custom SMS stated that custom messages were limited to 160 characters instead of 159 characters.

OKTA-267419

For orgs with the latest App Catalog Search enabled, admins using Internet Explorer 11 who searched for an app to add were not redirected correctly to add applications.

OKTA-269174

The Chromium Edge Plugin store link was missing from the Downloads page in the Admin Console.

OKTA-270440H

Signing in from status.okta.com hung on the interstitial page.

OKTA-270581H

Attempts to access the HealthInsight section returned a 500 error.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • Salesforce Marketing Cloud (OKTA-231271)

The following SWA apps were not working correctly and are now fixed

  • Guardian Insurance (OKTA-256039)

  • ARIN (OKTA-267889)

  • WealthEngine (OKTA-269191)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

February 03

Fixes

General Fixes

OKTA-252831

During PIV sign on, the error message for missing and invalid certificates did not instruct the user to close their browser before continuing, resulting in an error.

OKTA-253461

Attempts to use On-Prem MFA as an Authentication Method failed with a NullPointerException error.

OKTA-256707

When G-Suite is configured as Profile Master, custom attributes were not updated or imported from G-Suite apps to Okta.

OKTA-258610

Routing rules were incorrectly implemented for Chrome OS devices.

OKTA-259379

A non-existent Devices attribute for the Okta profile was displayed in the profile for Okta-mastered users.

OKTA-259826

Some users who had two sessions for the same authentication factor could become stuck in an infinite loop when they clicked the Edit Profile button on the end user dashboard.

OKTA-261365

When using Okta Verify and the LDAP Interface for authentication, rate limits sometimes caused OpenVPN account lockouts.

OKTA-261852

In specific use-cases, application-level MFA was not enforced for OIDC applications.

OKTA-262294

App assignment tasks for missing app username with AD SAM account name as the app username format were not updated after the AD SAM account name was defined for the user.

OKTA-262345

In the passwordless flow, AD users whose passwords were about to expire were not prompted to change or skip their passwords.

OKTA-262942

Okta Mobile on iOS devices that had never enrolled in the secure device mode received a session expired error after entering MFA.

OKTA-264570

A grant group privilege event was not logged when an admin role was assigned to a group of users.

OKTA-266432

The Okta Widget on the ADFS page generated a double scrolling bar when there were multiple factors available to enroll.

OKTA-267282

The browser name Chrome was logged in the System Log for newer versions of Edge.

OKTA-267492

In some cases, OAuth Clients erroneously displayed User Consent settings.

OKTA-268277

System Log events were logged for revoking user roles even when the deleted user was not assigned those roles.

OKTA-269153

SolarWinds Service Desk app API attribute mapping was sending incorrect values to Okta.

OKTA-269885

Sometimes the Self Service Registration form did not correctly display required custom properties.

OKTA-270752

When a user signs on using a PIV/CAC card, the IdP-based session timeout criteria were not applied.

OKTA-270835

Office 365 Admin Consent Flow did not respond after an admin clicked Accept.

OKTA-272110

A role to group assignment event was not logged.

OKTA-77623

The bar chart for Count of events per target displayed bars for null/unknown targets.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • OpenAir (OKTA-267934)

The following SWA apps were not working correctly and are now fixed

  • Atlassian Jira Service Desk (OKTA-271831)

  • BPF Schilders Dolphijn (OKTA-253876)

  • Concur (OKTA-266431)

  • Hilti (OKTA-251935)

  • MongoDB Cloud Manager (OKTA-272327)

  • ReadyRefresh (OKTA-270892)

  • Vonage Business (OKTA-271832)

  • Wrike (OKTA-259989)

Applications

New Integrations

New SCIM integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • BoardBookit (OKTA-270961)

  • BoardBookit Admin (OKTA-270960)

  • LogSnitch (OKTA-268634)

  • Pipedrive (OKTA-268053)

  • WEDO (OKTA-270937)

SWA for the following Okta Verified applications

  • Adesa CA (OKTA-265308)

  • Adobe (OKTA-272918)

  • Anyone Home CRM Outlook Login (OKTA-265223)

  • Bonusly (OKTA-269382)

  • CloudManager (OKTA-264840)

  • Collaboration Center (OKTA-261989)

  • ETQ Reliance (OKTA-263913)

  • Financial Accounting Support Tool (OKTA-249634)

  • Google Domains (OKTA-265048)

  • Google My Maps (OKTA-262690)

  • i-Ready (OKTA-265367)

  • New Hampshire MMIS Health Enterprise Portal (OKTA-270196)

  • NordVPN Teams (OKTA-267518)

  • USAC Applicant Login (OKTA-267402)

Mobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • Envi MMIS (OKTA-264922)

  • Envoy (OKTA-264995

Mobile application for use with Okta Mobility Management (OMM) (iOS)

  • LiquidText (OKTA-267860)

December 2019

2019.12.0: Monthly Production release began deployment on December 16

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

 

Okta Browser Plugin version 5.35.0 for Safari and Internet Explorer

This version includes the following:

  • Bug fixes for custom URL domain support for the plugin
  • Okta privacy link
  • Back-end enhancements

For version history, see Okta Browser Plugin: Version History.

Okta Confluence Authenticator, version 3.1.2

This release contains a fix for OpenSaml initialization in OSGi environment and an update to OpenSaml library version 3.2.0. For version history, see Okta Confluence Authenticator Version History

Okta SAML Toolkit for Java, version 3.1.2

This release contains a fix for OpenSaml initialization in OSGi environment and an update to OpenSaml library version 3.2.0. For version history, see Okta SAML Toolkit for Java Version History

SAML or SCIM applications created in certain developer cells can now submit to ISV portal

Developers in the OK7 developer cell who create and test SAML or SCIM applications using the App Wizard can now submit directly to the ISV portal at oinmanager.okta.com.

Increased timeout for Okta Sign In page

The initial timeout duration has been extended on the Okta Sign-In page.

ACS Limit Increased

The maximum number of Assertion Consumer Service (ACS) URLs for a SAML app is increased to 100.

LDAP Password Push

Okta now supports Password Push for LDAP. This allows each user's LDAP password to be synced to their Okta password. Any subsequent password changes users make are pushed to their user profile in LDAP. In addition to simplifying password management for orgs using LDAP, organizations using both Active Directory (AD) and LDAP can now synchronize their user passwords from AD through Okta to LDAP. For details, see the Provisioning section in Install and Configure the Okta Java LDAP Agent.

Suspicious Activity Reporting

End users can now report unrecognized activity to their org admins when they receive an account activity email notification. This feature is now available through the EA feature manager. See Suspicious Activity Reporting.

Group rules triggered by user reactivations

Group rules are now triggered when a user is reactivated. See About group rules for more information.

Multifactor Authentication for admins

MFA for Admins allows Super admins to enable mandatory multifactor authentication for all administrators accessing admin functionality. For details see Authentication.

Beta features available in Feature Manager

You can now enroll your Preview org in Open Betas in the Feature Manager. When you enroll in a Beta feature, you receive an email with further details. For details, see Manage Early Access and Beta features.

SAML Inline Hook

The SAML Inline Hook enables you to customize the authentication flow by allowing you to add attributes or modify existing attributes in outbound SAML assertions. For details, see our SAML Inline Hook page.

Admin Getting Started tasks

The new Admin Getting Started page helps super admins begin configuring their new Okta org.

For more information, see Get started with Okta.

Token Inline Hook

The Token Inline Hook enables you to integrate your own custom functionality into the process of minting OAuth 2.0 and OpenID Connect tokens. For details, see our Token Inline Hook page.

System Log events for successful Office 365 logins

A new System Log event is added when an end user successfully signs in to Office 365 using any of the Office 365 app chiclets on the dashboard.

SCIM Template Apps include ISV portal link

Any apps created from the SCIM app templates display a banner that directs developers to use the ISV portal at oinmanager.okta.com to submit their SCIM app to the OIN.

SAML App Wizard change for software developers

During the creation of a SAML app with the App Wizard, software vendors receive a link to the ISV portal at oinmanager.okta.com to submit their app to the OIN. If the software vendors elect not to submit through the App Wizard, a banner appears on their app configuration page with the link to the ISV portal.

Custom URL domain support for the Okta Browser Plugin

This support enables the Okta Browser Plugin to work on the configured custom URL domain. See Configure custom URL domain.

Improved People page filter and Profile page details

We’ve added more detail to the user state labels on the People page.

And now provide the action required for users in a pending state on the User Profile page.

Generally Available Enhancements

OAuth Consent UX Enhancements

  • The OAuth Consent end-user dialog has been modified to improve the user experience.
  • For OAuth Scopes created for a new Authorization Server, the default values for Display Name and Description are updated to be more informative.

Select group UI enhancement

The appearance of Select Group elements are enhanced throughout the UI to be more visually intuitive and consistent with other Okta select elements:

Application Settings enhancements

  • When you create a new application in the dashboard, it will be created with a default Post Logout Redirect URI (previously this field existed but defaulted to blank).
  • When you create a new application of type Single Page Application (SPA), it will default to using Authorization Code with PKCE instead of defaulting to Implicit Flow.
  • The Post Logout Redirect URI only impacts users using our /logout API call (not using any of our SDKs), and it is a list of possible values just like the (Login) Redirect URI.

Event hooks support for MFA factor events

Event hooks are now enabled for MFA factor life-cycle events such as activating or resetting a factor.

Windows Mobile and Blackberry options removed

The option in the Okta Sign In Widget and in the End User Settings to enroll in Okta Verify or Google Authenticator using Windows Mobile or Blackberry devices is now removed.

Sorting functionality added for inline hooks and event hooks

Admins can now sort inline hooks by Status, Type, or Name, and event hooks by Verification, Status, or Name. For more information, see Inline Hooks and Event hooks.

Authentication Server display name enhancement

The Authorization Server scope display name for new entries is now limited to 40 characters.

Use of admin information

Additional legal text regarding use of admin information is added to Settings > Account >Admin email notifications.

Email notification when org licensing changes

Super admins will now receive an email when their org is converted from a free trial and licensed based on a new active contract.

Addition of status text to status icons

The On-Prem MFA and RSA SecureID Agents status icons relied on color to provide status. Status is now also represented by text for improved accessibility.

Workplace by Facebook domain update

When setting up a Workplace by Facebook app, you now have the option to switch from the default org.facebook.com domain to the org.workplace.com domain.

Device fingerprinting for custom org URLs

Custom org URLs now support device fingerprinting for improved accuracy of new sign-in notifications and new device detection.

New device behavior detection

New device behavior detection is improved to provide better accuracy with new devices.

New warning modal for provisioning to apps

Admins who enable Profile Master and Push for the same app are now warned of the potential for overwritten attributes and the risk of lost data. For more information, see About profile mastering.

This release does not have any Early Access features.

Fixes

General Fixes

OKTA-250443

When using Factor Sequencing, the Custom Password label did not appear in the Password field on the Sign-In page.

OKTA-251904

Okta did not update null/blank profile attributes into RingCentral.

OKTA-253324

In some cases, an incorrect System Log event of INVALID_OKTA_MOBILE_ID was logged even when OMM Device Trust was not enabled.

OKTA-256102

Country Code prefix for Kosovo was set to +undefined when enrolling SMS as a factor.

OKTA-259414

In some cases, Reapply mapping was displayed incorrectly when editing app users with an app user property that was sourced from two different groups.

OKTA-260360H

Social Login created a race condition with Self Service Registration.

OKTA-261676

LDAPi searches using a filter containing entryDN=* failed with result code 80.

OKTA-263016

For customers who opted into the New Import and Provisioning Settings Experience for Active Directory Early Access feature, if an admin entered an invalid custom expression into the AD username format field on the AD Settings page, clicking Save caused infinite loading of the page without saving the settings.

OKTA-263017

Customers who opted into the New Import and Provisioning Settings Experience for Active Directory Early Access feature could not see the UI control for previewing the result of the custom expression underneath the AD username format field when custom was chosen in the drop down.

OKTA-263915

Additional customizations applied to the ADFS site were not displayed when users accessed the ADFS second factor challenge page.

OKTA-264334

In some cases, customers importing users from Workday (as a Master) got an undefined error when executing profile matching.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Ingram Micro (OKTA-260621)

Applications

Application Updates

Provisioning support has been removed from the following apps due to low customer usage, lack of standards based integration, and high supportability cost:

  • Veeva
  • Replicon
  • Roambi Business
  • Gooddata
  • Rightscale

New Integrations

New SCIM integration applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Appsian Security Platform for PeopleSoft (OKTA-258107)

  • Cincopa (OKTA-260900)

  • Cisco Webex (OKTA-263286)

  • Firmex VDR (OKTA-262869)

  • Juro (OKTA-258096)

  • TripActions (OKTA-263057)

  • Wochit Studio (OKTA-263299)

Weekly Updates

January 6

Fixes

General Fixes

OKTA-252780

When a super admin canceled edits made to the email settings for an admin type, the edits were not actually canceled.

OKTA-260752

Dynamic SAML attributes appeared in read-only mode with the name, type, and value. Attributes now show only the name and value.

OKTA-261688

When adding Dynamic Attributes to a new SAML 2.0 app instance with long names or values, the text did not wrap correctly on the screen.

OKTA-261738

When creating a new SAML 2.0 app instance, the Attribute fields were auto-expanded, however the Expand button indicated that they were collapsed.

OKTA-262950

Okta Verify Push could be enabled even when Okta Verify was an inactive factor.

OKTA-264060

UNIQUE_PROPERTIES_UI caused delays and 500 errors for Postman DELETE USER API.

OKTA-264158

When OU_PICKER_V2_IN_AD_SETTINGS and AD_GROUP_PUSH were enabled, the organizational unit tree in the Push Groups tab on the AD Settings page rendered without formatting and check boxes.

OKTA-267811H

When AAD Graph API was enabled, role assignment and imports from Office365 sometimes failed.

App Integration Fixes

The following SAML apps were not working correctly and are now fixed

  • GaggleAMP (OKTA-265520)

  • NetFortris HUD Web (OKTA-264119)

  • Open Air (OKTA-252147)

The following SWA apps were not working correctly and are now fixed

  • AmericanFunds Retirement Solutions (OKTA-264261)

  • BioWorld (OKTA-265878)

  • BridgeBank Business eBanking (OKTA-263159)

  • eBay (OKTA-265287)

  • Kamer van Koophandel (OKTA-265639)

  • Mimecast (OKTA-263189)

  • Netskope (OKTA-265465)

  • Principal Advisor (OKTA-263869)

  • The Daily Beast (OKTA-266188)

  • WebRoot Anywhere (OKTA-264805)

The following Mobile apps were not working correctly and are now fixed

  • NetSuite (OKTA-263316)

  • SAP Cloud for Customer (OKTA-263312)

Applications

New Integrations

The following partner-built provisioning integration apps are now Generally Available in the OIN as Okta Verified:

SAML for the following Okta Verified application

  • Blocks Edit (OKTA-264267)

SWA for the following Okta Verified applications

  • AuctionAccess (OKTA-263763)

  • Hunter Communications (OKTA-264917)

  • HYPR (OKTA-264057)

  • MKB Brandstof (OKTA-262883)

  • Savannah Morning News (OKTA-265411)

  • The Daily Beast (OKTA-264753)

Mobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • Adobe Experience Manager (OKTA-263294)

  • FieldGlass SAML (OKTA-263295)

November 2019

2019.11.0: Monthly Production release began deployment on November 11

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Agentless Desktop SSO migration

Customers who enabled Agentless Desktop SSO using the registry key configuration method must migrate to the Kerberos alias supported configuration. Contact Support to enable ENG_ADSSO_MIGRATION_READINESS_CHECK which allows you to check your readiness prior to migrating.

For a list of complete migration steps refer to Migrate your agentless Desktop Single Sign-on configuration.

New System Log events for Okta user groups

System Log events have been added to indicate when Okta user groups are successfully created or deleted.

Sign-in widget for end-user factor enrollment

The sign-in widget is now displayed if an end user enrolls in a factor manually or resets a factor from the End User Dashboard settings. This feature is being released to Production orgs gradually over the month of November.

Minor visual changes to the Feature Manager

The Feature Manager user interface has been updated with minor changes including:

  • The Early Access auto-enroll option is now at the bottom of the Early Access section.
  • When a feature is auto-enabled in EA, the date of enrollment is listed beside the toggle switch.

Agentless Desktop SSO

Agentless desktop SSO and Silent Activation now support Kerberos alias authentication for customers implementing these features for the first time. See Configure agentless Desktop Single Sign-on and Office 365 Silent Activation: New Implementations. This feature is Generally Available in Production for new orgs only.

Web Authentication for MFA

Admins can enable Web Authentication as a factor as defined by WebAuthn standards. Web Authentication supports both security key authentication such as YubiKey devices and platform authenticators. For more information, see Web Authentication (FIDO2) .

Automations

Automations enable you to quickly prepare and respond to situations that occur during the lifecycle of end users who are assigned to an Okta group. You can set up two types of Automations and perform actions such as changing user lifecycle states and notifying users:

  • Recurring Automations to check for conditions such as user inactivity and password expiration
  • One-time Automations to bulk suspend and notify users belonging to a particular group irrespective of their activity

For more information, see Automations.

Required update for Microsoft Dynamics CRM, admin consent needed

We have updated the landing URL for the Microsoft Dynamics 365 app to use OAuth and to be accessible globally. The updated app resolves the issue where end-users outside the USA could not access Dynamics 365 and were redirected to an error page.

You need to provide or renew Admin consent within the Okta Office 365 app instance to continue using Dynamics 365 app in your Okta org.

See Provide Microsoft admin consent for Okta.

Security Behavior Detection

To provide additional security without overburdening your end users, you can configure a Sign On policy for your organization to require additional authentication for behaviors defined as higher risk based on variance from individual users' prior sign ins. Admins can configure the system so that individual end users are only prompted for an additional MFA factor when there is a change in behavior that the admin defines. For more information, see Security Behavior Detection.

Generally Available Enhancements

Admin roles for groups

Admin roles can now only be granted to groups with less than 5000 members.

For more information, see Assign admin privileges.

Admin settings for end-user suspicious activity reporting

In account settings, admins now have the option to exclude themselves or other admins from receiving user-reported notifications about suspicious account activity.

For more information, see Suspicious Activity Reporting.

WebAuthn UI enhancement

The description and icon for the WebAuthn factor have been updated both in the Admin Console and Sign-in Widget.

For more information, see Web Authentication (FIDO2) .

Early Access Features

New Features

Workday Field Overrides

As part of our new Workday connector, Field Overrides are an alternate way to pull custom attribute information from Workday that replaces the existing custom report facility.

For more information, see Workday Field Overrides.

Okta RADIUS Service Agent Update, version 2.9.5

The Okta RADIUS Server Agent version 2.9.5 is updated to run under the LocalService account, which has lower privileges than LocalSystem. The service has also been configured with a write-restricted token to further restrict access.

For more information, see Okta RADIUS Server Agent Version History.

Okta MFA Credential Provider for Windows, version 1.2.2

The Okta MFA Credential Provider version 1.2.2 includes bug fixes and adds self-service password reset.

For more information, see Okta MFA Credential Provider for Windows Version History .

Admin settings for selecting identity providers

Admins now have the option to configure a sign-on policy based on a specific identity provider.

For more information, see Adding Rules in Security Policies.

Fixes

General Fixes

OKTA-212852

Group rules were not applied to reactivated users.

OKTA-221328

With Routing Rules enabled, users saw the message This is the first time you are connecting to [an application] from this browser even though they had logged in before.

OKTA-240039

With Routing Rules enabled, users saw the message This is the first time you are connecting to [an application] from this browser even though they had logged in before.

OKTA-241929

Custom TOTP factors were not supported as part of the authentication flow in Factor Sequencing.

OKTA-249465

On some web browsers, switching between Okta Verify and WebAuthn caused an error.

OKTA-254641

Changes to Max Import Unassignment settings were not logged in the System Log.

OKTA-254723

WebAuthn factor types were incorrectly named as Windows Hello in the MFA Usage Report.

OKTA-255688

The Reset via Email button on a custom sign-in page was visible and active even when that option was disabled for custom URL domains.

OKTA-257032

The Agentless Desktop SSO flow failed to authenticate users accessing custom-domain URLs.

OKTA-257269

In some cases, end users registering for Okta Verify were enrolled in One-Time Password but not in Push.

OKTA-257277

Some admins with MFA for Admin configured entered an infinite page-loading loop when signing into the Admin Console.

OKTA-257315

The HealthInsight page did not load properly for certain Okta orgs.

OKTA-56159

Re-authentication defined in sign-on policies only supported SAML-based apps and did not support SWA.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Adobe Stock (OKTA-257769)

  • GoToWebinar (OKTA-255869)

  • Grammarly (OKTA-258776)

  • Instacart (OKTA-258045)

  • Sainsburys Groceries (OKTA-258041)

  • Twenty20 Stock (OKTA-257496)

  • Twilio (OKTA-258047)

Applications

Application Updates

Provisioning support has been removed from the following apps due to low customer usage, lack of standards based integration, and high supportability cost:

  • OutSystems
  • ExactTarget
  • RightnowCX
  • SugarCRM

New Integrations

SAML for the following Okta Verified application

  • GainsightPX (OKTA-253926)

SWA for the following Okta Verified applications

  • Ontario MC EDT (OKTA-244471)

  • ParcelQuest (OKTA-249541)

  • WatchGuard Evidence Library (OKTA-244478)

Weekly Updates

November 18

Fixes

General Fixes

OKTA-162537

The Testing IWA Web App help link on the Delegated Authentication page was broken.

OKTA-218841

End users did not receive proper credential update exceptions when there was an issue with their change password flow.

OKTA-235243

Group Push stopped on the first failure received by O365 and did not display any warnings in the System Log to indicate the issue.

OKTA-236583H

The error message for when a user was locked out did not respect the Group Password Policy settings.

OKTA-244438

In some cases a user could not be unassigned from a SCIM app if the SCIM Server had a slow response time.

OKTA-250498

Super admins were able to select the Rate limit warning and violation email notification when the feature was not enabled for their org.

OKTA-251844

Users were unable to sign in due to a 400 error that was caused by the following conditions: using Internet Explorer, using an SP-initiation SAML sign on, IDP Discovery was enabled, IWA and an MFA prompt were configured.

OKTA-257469

Due to hard validation, attempts to use group functions between profile-mastered appuser to Okta user mapping resulted in validation errors.

OKTA-260343

The Firefox plugin could not be downloaded from the Mozilla Add-ons store. The Firefox plugin version 5.34.0 is now available from the Admin Console, Settings > Downloads menu.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • BombBomb (OKTA-258406)

  • Mimecast Personal Portal v2 (OKTA-258584)

  • MyGeotab (OKTA-258044)

  • Veeva Vault (OKTA-258852)

  • WebEx Premium (OKTA-258040)

  • WP Engine (OKTA-259045)

Applications

New Integrations

The following partner-built provisioning integration apps are now Generally Available in the OIN as Okta Verified:

SAML for the following Okta Verified applications

  • Concur Travel and Expense (OKTA-254835)

  • JazzHR (OKTA-246402)

  • NetFortris HUB Web (OKTA-250307)

  • Netskope User Enrollment (OKTA-253910)

  • Portnox CLEAR (OKTA-253896)

  • Portnox CLEAR Self-onboarding (OKTA-253895)

  • Udemy for Business (OKTA-258121)

  • Vant SSO Proxy (OKTA-257483)

  • YouAttest (OKTA-259546)

SWA for the following Okta Verified applications

  • Dealerpull (OKTA-248564)

  • Encompass TPO Connect (OKTA-241362)

  • Global Database InvestmentMetrics (OKTA-245640)

  • Global Database InvestmentMetrics (OKTA-245640)

  • Informa (OKTA-245651)

  • Instacart Canada (OKTA-248835)

  • k-eCommerce (OKTA-256824)

  • Safeco Agent (OKTA-247347)

  • Southwest Traveler (OKTA-244178)

  • Stetson Insurance Funding Agent Login (OKTA-247772)

  • Street Smart by CycloMedia (OKTA-247460)

  • Transus (OKTA-247849)

Mobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • Jive (OKTA-245483)

  • ShareFile (OKTA-260468)

Mobile application for use with Okta Mobility Management (OMM) (Android iOS)

  • Jive Communications (OKTA-245485)

December 2

Fixes

General Fixes

OKTA-247115

Some links in Suspicious Activity Reporting events did not work as expected.

OKTA-260013

The MFA Usage Report did not display some MFA factors when it was generated for all users.

OKTA-262346H

Some provisioning operations for some orgs failed with 409 errors.

OKTA-262644H

For some orgs, the Upload Logo button (Settings > Appearance) did not work.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Acronis Cloud (OKTA-261592)

  • Dell Boomi (OKTA-260860)

  • eOriginal (OKTA-260858)

  • HotSchedules (OKTA-259809)

  • Lola (OKTA-259813)

  • Nationwide Eviction (OKTA-261405)

  • Percolate (OKTA-259811)

  • U.Chicago Dist. Ctr. (OKTA-259812)

Applications

New Integrations

The following partner-built provisioning integration app is now Generally Available in the OIN as Okta Verified:

SAML for the following Okta Verified applications

  • PrinterLogic SaaS (OKTA-257046)

  • PTO Exchange (OKTA-259997)

SWA for the following Okta Verified applications

  • Bannockburn Global Forex (OKTA-252379)

  • Booking Admin (OKTA-257151)

  • Brex (OKTA-254738)

  • Crown Mark (OKTA-255472)

  • Dealer Daily Toyota (OKTA-253563)

  • Empower (OKTA-248283)

  • Firemax - G5 (OKTA-249415)

  • Health Assured UK (OKTA-258033)

  • Rileys eStore (OKTA-248900)

  • RUN Powered by ADP (OKTA-251863)

  • SafetySync (OKTA-248899)

  • State of California Department of Motor Vehicles (OKTA-256771)

  • Untangle (OKTA-250112)

  • Wipster (OKTA-248068)

  • WordFly (OKTA-251885)

December 9

Fixes

General Fixes

OKTA-244018

Signing out from Okta from within the password re-authentication screen caused a new Okta Sign In page to appear within the existing Okta UI.

OKTA-246083

When configured to add apps on the fly, the Okta Browser Plugin did not always offer to save credentials for some apps.

OKTA-249009

Attempts to Push Groups from Okta to ShareFile failed and produced an error.

OKTA-252921

The wrong attribute values were mapped from Okta to PagerDuty if the values limited_user or team_responder were selected in the app assignment for a user.

OKTA-253183

When an admin attempted to modify an existing admin’s role by unchecking all roles, then clicked Update Administrator, a non-user-friendly error message was returned instead of the message At least one role must be selected.

OKTA-256370

CSV imports failed when there were unique custom properties in the user profile and imported users had non-empty values set for the unique properties.

OKTA-257508

A 500 error rather than a user-friendly error was returned when an invalid factor was used during the credential authentication flow.

OKTA-257703

An application.provision.user.sync event was generated with a successful outcome before provisioning was attempted.

OKTA-258832

Imports from Confluence 7.0 failed with the error No such operation getUser.

OKTA-259741

Additional MFA factors were not enforced for Okta Mobile if an org created a sign-on policy using Okta as IDP as the priority one rule that defined additional MFA factors.

OKTA-261115

In some cases, the My Applications button was not visible on the admin console.

OKTA-262419

Not all Yubikey device names were displayed after they were enrolled for WebAuthn.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • Cisco Webex Teams (OKTA-259313)

The following SWA apps were not working correctly and are now fixed

  • Adobe Reseller Console (OKTA-263079)

  • AlertLogic (OKTA-261300)

  • Apple Store (OKTA-262873)

  • Avalara CertCapture (OKTA-262331)

  • BioWorld (OKTA-262957)

  • CallTower (OKTA-262327)

  • Experian (OKTA-262329)

  • General Motors GlobalConnect (OKTA-262328)

  • Inspired eLearning (OKTA-262335)

  • Kamer van Koophandel (OKTA-262334)

  • Percipio (OKTA-262330)

  • Southwest Traveler (OKTA-262925)

  • WeWork (OKTA-261968)

  • Work Number Commercial Verifier (OKTA-261507)

Applications

New Integrations

The following partner-built provisioning integration apps are now Generally Available in the OIN as Okta Verified:

  • Clearwage: For configuration information, see the Clearwage Provisioning and SSO Configuration guide.
  • Vant SSO Proxy: Note: The configuration guide for this app is not public. The ISV will provide the internal link to this documentation to the engineers who will be using this integration directly.
  • Book4time: For configuration information, see Book4time SCIM Setup Guide.

SAML for the following Okta Verified applications

  • KindLink (OKTA-259556)

  • Mitel Connect (OKTA-262010)

  • NetFortris HUD (OKTA-261151)

  • Netskope User Enrollment (OKTA-261565)

  • TeamzSkill (OKTA-262037)

  • Visit.org (OKTA-261400)

SWA for the following Okta Verified applications

  • Amazon ES (OKTA-259282)

  • Applied Epic Assuredpartners (OKTA-256238)

  • ASIC - Registered Agents (OKTA-260407)

  • Averon (OKTA-260126)

  • ConnectWise Automate (OKTA-252945)

  • Double Dutch Event (OKTA-256694)

  • Nx2me Clinician Portal (OKTA-259247)

  • OneNote (OKTA-259831)

  • RFPIO (OKTA-259502)

  • SALTO KEYS (OKTA-260440)

  • The Hartford Customer Service Center (OKTA-257302)

  • USA Today (OKTA-261633)

  • Welltower Portal (OKTA-254521)

  • WestJet Biz (OKTA-261389)

October 2019

2019.10.0: Monthly Production release began deployment on October 14

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Reports calendar selections limited to past 3 months

The calendar date range for a report displays the past three months only. This matches the maximum date range for report data.

Tokens transform events no longer available

Token transform System Log [events]() will no longer fire for SAML and Token inline hooks. They are retained in Inline Hook events.

See API event types.

Device Trust applies to apps in Okta Mobile for iOS

Any Device Trust policies configured in your environment are now also enforced when iOS device users access resources through Okta Mobile. This functionality is enabled by default. To change it, go to Security > General > Okta Mobile.

See Okta Mobile Settings.

Okta Browser Plugin version 5.33.0 for all browsers

This version includes the following:

  • Security warning and anti-phishing whitelist
  • Reflection of real-time app and profile changes in the end user dashboard
  • Custom URL domain support for the plugin (available in Preview orgs)
  • New look (available in beta)
  • Back-end enhancements

See Okta Browser Plugin: Version History.

OPP agent, version 1.3.4

This version of the OPP agent:

  • Improves networking utilities and recovery speed after a DR event
  • Improves log correlation between the agent and Okta
  • Fixes a bug that read special characters from a CSV incorrectly

See Okta Provisioning Agent and SDK Version History.

Active Directory agent, version 3.5.9

This release of the AD agent fixes an issue where meta data about Active Directory domains was not updated in Okta during imports from AD. In some cases this prevented features which rely on this meta data, for example Agentless Desktop SSO, from working correctly or being configured for the first time.

See Okta Active Directory agent version history.

JIRA Authenticator Toolkit, version 3.1.2

This release includes the following bug fix: JIRA service failed to start after upgrading the JIRA Authenticator from 3.0.7 to 3.1.1.

See Okta Jira Authenticator Version History.

Okta Browser Plugin reflects real-time app and profile changes in the end user dashboard

The Okta Browser Plugin now reflects the real-time state of the end user dashboard, eliminating the need to refresh the dashboard for the plugin to reflect the latest app and profile changes. This feature is available on Okta Browser Plugin version 5.29.0 or higher. For more information, see Okta Browser Plugin.

App condition for MFA enrollment policy

Admins can now use a new condition when setting a rule for an MFA enrollment policy. When this condition is configured, end users are prompted for factor enrollment when accessing all of their applications or only for those selected by their org admin. For more information, see App Condition for MFA Enrollment Policy.

Add event hooks from the Admin Console

Admins can now add event hooks from the Admin Console. Event hooks send outbound calls from Okta that trigger asynchronous process flows in admins' own software. For more details, see Event Hooks.

LDAP Admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. For details see Reset user passwords.

Generally Available Enhancements

Adobe CQ Enhancement

You can specify whether to ignore inactive users or not during imports to/from Adobe CQ.

Group Admin behavior change

When a group admin with permissions to manage a single group adds a new user to the org, the group name is automatically populated.

New System Log event for email challenge

The new event now includes more debugData information to indicate whether an email challenge was answered (redeemed) using the same browser from which it was initiated.

Scope Naming Restriction

OAuth Scopes may not start with the okta. prefix. See Create scopes.

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-220377

When assigning users to Microsoft Office 365, a Profile push error message was displayed. Users could still sign in and their profiles were updated correctly.

OKTA-221078, OKTA-231642

When Okta MFA for Azure AD Conditional Access was enabled, admins were unable to configure Microsoft Office 365 using the I want to configure WS-Federation myself using PowerShell option.

OKTA-233578

Deactivated users were imported from Adobe CQ.

OKTA-235187

In OAuth 2.0/OIDC /authorize request, the Okta Sign-In Widget incorrectly rendered the login_hint parameter, substituting + with a space.

OKTA-236849

Users were unable to sign in to the GoAnywhere SWA app automatically and had to enter their credentials manually.

OKTA-237085

Admins could not add an IP to a Network Zone in the System Log if there were more than 20 Network Zones. Only the first 15 zones were displayed.

OKTA-240197

The group icon for the Namely app was incorrectly displayed on the Directory > Groups page.

OKTA-240375

MFA factor enrollment policies were not enforced when Factor Sequencing was enabled.

OKTA-243056

When admins removed a user from a group with more than one # character in the group name, the confirmation message ignored all text preceding the last #. This resulted in an incorrect confirmation message.

OKTA-244957

Users were able to sign in to the NorthWest Evaluation Association MAP app only when using Sign in with 1 click.

OKTA-245114

Imports failed in Preview instances of the WebEx (Cisco) app.