Production

  Current Upcoming
Production 2021.06.1 2021.06.2 Production release is scheduled to begin deployment on June 21
Preview 2021.06.2

2021.06.3 Preview release is scheduled to begin deployment on June 23

June 2021

2021.06.0: Monthly Production release began deployment on June 7

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta Sign-In Widget, version 5.7.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

MFA Credential Provider for Windows, version 1.3.1

The MFA Credential Provider for Windows version 1.3.1 includes hardening around certain security vulnerabilities, support for Windows 2019, and other general bug fixes and improvements. See Okta MFA Credential Provider for Windows Version History

Okta Device Registration Task, version 1.3.1

This release is based on Python 3, to support macOS 10.15.xx (Catalina) and above. It addresses the known issue of device enrollment failures. You can download this version from the Settings > Downloads section of the Admin Console. See Enforce Okta Device Trust for Jamf Pro managed macOS devices and Device Trust for macOS Registration Task Version History.

LDAP Interface sign on policy

When creating a sign on policy, you can now create rules that apply only to LDAP Interface user authentications. With this change, you can apply a sign on policy to LDAP Interface authentications and exclude other authentication methods. See Sign-on policies.

Import Safeguard Event Hook

The Import Safeguard event is available for use as an Event Hook. Admins can use the Import Safeguard event to generate a notification when an import safeguard occurs. See About import safeguards and Event Types.

App Integration Wizard improvements

The App Integration Wizard has been updated with several usability improvements. For quicker access, you can now launch the wizard from either the Applications page or the Browse App Integration Catalog page. The platform and sign-on method selection process has been streamlined to remove unnecessary inputs. Help hints in the wizard have been improved to eliminate the need to look up definitions and guidance from the documentation. To save time, trusted origins and group assignment tasks can now be completed as part of the process rather than after the wizard creates the app integration. See Create a new Okta app integration.

Polling support for Agentless Desktop Single Sign-on and Integrated Windows Authentication authentication sessions

Agentless Desktop Single Sign-on (ADSSO) and Integrated Windows Authentication (IWA) authentication sessions now include polling to reduce the likelihood of service disruptions during periods of high bandwidth use. For users authenticating with ADSSO or IWA during peak periods, this change increases the likelihood that a server will be available to process their authentication request. See Active Directory Desktop Single Sign-on.

Okta Verify support for risk-based authentication

Okta Verify with Push now supports risk-based authentication. With this feature, admins can assess the level of risk when an end user signs in to their org and attempts to authenticate with Okta Verify. See About Okta Verify. This feature will be gradually made available to all orgs.

RADIUS support for EAP-TTLS

The RADIUS agents now support the EAP-TTLS network authentication protocol. See the supported factors section in any RADIUS Integrations. This feature is made available to all orgs.

Recently Used Apps

A Recently Used apps section has been added to the top of the Okta End-User Dashboard and the Okta Browser Plugin to make it easier for end users to access their applications. End users can enable and disable the Recently Used setting in their Preferences panel or Account Settings on the Okta End-User Dashboard.

When enabled, the Recently Used apps section is visible at the top of the Okta End-User Dashboard regardless of the number of apps assigned to the end user or whether any apps have been launched. If an end user re-enables the Recently Used apps section, apps that were used when the feature was previously enabled are not preserved. See Recently used applications. This feature will be gradually made available to all orgs.

Recently used apps section on the Okta dashboard

Enhancements

OIN Manager category selection changes

The choices in the OIN Manager App category selection list have been updated to match the categories available in the public OIN catalog. For existing submissions, the category choice isn't changed until the ISV updates the app submission in the OIN Manager. ISVs can also now select up to three categories for their app integration. See Submit an app integration.

OIN Manager OIDC enhancements

ISVs can now select which OpenID Connect modes their application supports: Single-Page Application (SPA) or Web. See OIDC settings.

Rate limit System Log Event Hook enhancements

The system.operation.rate_limit.warning event has been updated and now notifies administrators when their org is approaching an Event Hook rate limit.

The system.operation.rate_limit.violation event has been updated and now notifies administrators when their org has exceeded an Event Hook rate limit.

See Event Types.

OAuth scope flexible consent

When user consent is required for an OAuth scope, a new check box is available to enable Flexible consent, which blocks services from requesting the scope. See Create Scopes.

Combined OAuth claim evaluation events

To reduce system load and operational cost, a single app.oauth2.as.evaluate.claim event is now recorded per request, instead of separate events for access tokens and ID tokens.

Updated UI for provisioned username options

If an app integration doesn't support the Create only option in the Application username format drop-down menu, the option is now disabled rather than hidden.

Session synchronization

All browser tabs that access the Okta End-User Dashboard now maintain the same session lifetime.

Hidden fields in Sign-In Widget

Hidden username and password fields in the Sign-In Widget are no longer identifiable by screen readers.

File upload tool tips

Tool tip text formatting has been standardized on the App Instance page.

Active SAML certificate warning

A warning now appears when currently active SAML certificates are set as inactive in the Okta Admin Console.

Early Access Features

New Features

Rate Limits Dashboard

The new Rate Limit Dashboard helps you investigate the cause of rate limit warnings and violations. You can also use it to view historical data and top consumers by their IP address. This helps you: Isolate outliers. Prevent issues in response to alerts. Find and address the root cause of rate limit violations. You can access the dashboard using the link provided in the rate limit violation event in the System Log. See Rate Limits Dashboard.

Fixes

General Fixes

OKTA-371017

Assigning attributes when provisioning to Webex sometimes resulted in errors.

OKTA-374204

When a custom sign-out page was configured, users who reset their password with SMS and then clicked Back to sign in were redirected to the custom page.

OKTA-386816

Some app tasks that weren't mapped to Okta users didn't appear on the Admin Dashboard.

OKTA-387918

Admins were unable to view the Import Monitoring dashboard for applications when the application admin role was assigned to specific applications.

OKTA-388914

Okta erroneously pushed profile updates to Rally upon user reactivation when updates to user attributes were disabled.

OKTA-389233

The Sign-In Widget appeared blank for users who attempted to sign in while using multiple WebAuthn authenticator enrollments.

OKTA-393663

Some Firefox 88.0 users on Mac devices were presented with a blank page after signing in to Okta.

OKTA-395953

An incorrect error message was displayed when a user was created with a duplicate unique property.

OKTA-396812

If a user tried to re-enroll via RADIUS after their SMS factor was reset, they weren't prompted to verify their phone number.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Addepar (OKTA-396929)

  • Ustream (OKTA-396921)

Applications

Application Updates

Adobe Sign now supports OAuth and REST API mode for provisioning for new app instances. Existing app instances should be migrated to the new app, see the Adobe Sign Migration Guide for details.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • AlphaSense (OKTA-394744)

  • cloudtamer.io (OKTA-399136)

Weekly Updates

Generally Available

Sign-In Widget, version 5.7.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-386890

Automation rules that were created to delete inactive users sometimes failed due to deprovisioning errors.

OKTA-388300

When the new Admin redesign experience was enabled, the Agents Dashboard displayed incorrect version information about upgraded RADIUS agents.

OKTA-388727

The Clear Unconfirmed Users button didn't work consistently on the Active Directory (AD) Import page.

OKTA-389975

The Sign On page was unresponsive after the Credentials Details section of Bookmark apps was updated.

OKTA-391272

Provisioning errors occurred when email addresses were pushed from Okta to UltiPro after being updated in Active Directory.

OKTA-398218

Syncplicity couldn't be provisioned for EU-based domains.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 1Password Business (OKTA-398705)

  • Eden Workplace (OKTA-398670)

  • Gong (OKTA-394257)

  • Instagram (OKTA-398090)

  • Schwab Advisors (OKTA-401549)

Applications

Application Update

The existing Cacoo integration is deprecated and renamed Cacoo (deprecated). Customers should now use the Nulab Pass (Backlog Cacoo Typetalk) (SAML) integration in our OIN catalog.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

OIDC for the following Okta Verified applications

May 2021

2021.05.0: Monthly Production release began deployment on May 10

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta Sign-In Widget, version 5.6.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta Browser Plugin, version 5.45.0 for all browsers

  • The Recently Used apps section is now visible and accessible from the plugin popover.

  • The Recently Used apps section can be configured by end users on the Okta End-User Dashboard.

  • Plugin popover loading times have been decreased.

  • The plugin’s design and images have been updated.

See Okta Browser Plugin: Version history.

Agentless Desktop Single Sign-on authentication progress screen updates

Agentless Desktop Single Sign-on (ADSSO) authentication progress screens have been updated to make authorization and verification progress more visible and improve the user experience. See Configure agentless Desktop Single Sign-on.

Group push mapping change

When admins create a group push mapping and link it to a group whose members were imported through another method, those users are now Okta sourced. See About Group Push.

New Select assignments to convert screen

The addition of a Select assignments to convert screen to the Okta Admin Console makes the conversion of app assignments from individually-managed to group-managed easier. With the click of a button you can now quickly locate, select, and then convert individual users, or convert all eligible assignments. See Convert an individual assignment to a group assignment.

Generally Available Enhancements

System Log enhancements

OAuth refresh token event details

System Log events now display information that indicates whether an OAuth refresh token is rotating or persistent.

System Log debug field changes

System Log Advanced Filters no longer support the Contains operator for the following fields:

  • debugContext.debugData.url

  • debugContext.debugData.requestUri

This is to ensure that service stability and operations aren't impacted.

actionId value now available in the System Log

To identify the Okta Active Directory agent used to process a delegated authentication request, the actionId value has been added to the user.authentication.auth_via_AD_agent event in the System Log . For orgs that use multiple agents, this value makes it easier to identify the specific location of log data used to resolve authentication issues. See System Log.

OIN Manager - SCIM submission enhancement

When submitting a SCIM app in the OIN Manager, ISVs can now specify the maximum number of group membership changes that can be included in a single PATCH request. See Configure protocol-specific settings.

Open On-Prem MFA and RSA SecurID page on select

When admins select either On-Prem MFA or RSA SecurID token names from Security > API, the associated MFA factor page now opens.

New help text for Initiate Login URI field

The Initiate login URI field, available in an application’s General Settings tab, now includes additional inline help text to clarify the correct URI to add to this field.

TLS certificate update for okta.com

The TLS certificate for okta.com will be updated beginning on May 6th, 2021, US Pacific Time. The updated certificate will be signed with a new trust chain and Root Certificate Authority (CA) trust anchor. The Root CA will change from the DigiCert High Assurance EV Root CA to the DigiCert Global Root CA. To avoid negative impact and service outages, customers who have a limited or non-standard set of certificates in their trust stores must take action prior to May 6th, 2021. See FAQs.

Password Health Report enhancement

Date columns in the Password Health Report are now in ISO 8601 format to improve readability.

Increased authorization code lifetime

The OAuth authorization code lifetime is increased from 1 to 5 minutes.

Early Access Features

New Features

Create and manage group profiles

You now have the flexibility to manage the default profile for Okta groups in the Profile Editor. This new functionality simplifies group management and lets you quickly add, edit, or remove custom profile attributes to groups. See Work with profiles and attributes.

Enhancements

Okta Admin Console Groups page enhancements

The Okta Admin Console Groups page has been updated to simplify the addition of large numbers of users to groups and reduce the likelihood that all users can be accidentally removed from a group. In addition, search functionality has been significantly improved to make adding and removing users from groups quicker and easier. See Manage groups.

Fixes

General Fixes

OKTA-379813

In some cases, end users who verified with IdP as a factor and selected the option to Remember this device were unable to save their configuration.

OKTA-379879

When signing in to a third-party identity provider (IdP), the sign in hint wasn’t provided as a request parameter to the IdP.

OKTA-380784

In some cases, the security.threat.detected event type in the System Log was missing geographic information when ThreatInsight was enabled.

OKTA-387800

Vanity URLs for deleted users incorrectly included stack trace information with the 404 error.

OKTA-390301

Radius authentication with Duo sometimes failed if Single-line MFA prompts were disabled.

OKTA-391166

The link from the OIN Manager to the OIDC concepts document was broken.

Applications

Application Updates

The catalog descriptions for many OIN app integrations have been updated to improve accuracy and show available capabilities.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

OIDC for the following Okta Verified applications

Weekly Updates

Generally Available

Okta Sign-In Widget, version 5.6.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-215049

When an OpenID Connect application was created using a deactivated application's name, a Duplicate Client Name error appeared.

OKTA-374204

End users were incorrectly redirected to the sign-out page if they reset their password through SMS and clicked the Back to Sign In link on the Code Verification page.

OKTA-380326

When an application was edited, the Initiate login URI field was erroneously auto-populated with a default value.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • ADP Vantage HCM (OKTA-390470)

  • ISACA (OKTA-391074)

  • ServiceNow (OKTA-390773)

  • Ticketmaster Account Manager (OKTA-390224)

  • United Health Care Member Login (OKTA-390993)

  • Xandr (AppNexus) (OKTA-390469)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Assembly (OKTA-387208)

  • Calendly (OKTA-390432)

  • Crosschq (OKTA-392449)

  • Ground Truth Intelligence (OKTA-385029)

  • ICI App (OKTA-391167)

  • Kaonavi (OKTA-389262)

  • Listrak (OKTA-386611)

  • MaestroQA-Enterprise (OKTA-393110)

  • Malt (OKTA-389581)

  • Officebooking (OKTA-389582)

  • QueryPie (OKTA-388315)

  • Webcasts.com Admin (OKTA-391005)

OIDC for the following Okta Verified applications

Generally Available

Okta Sign-In Widget, version 5.6.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-362581

End users who attempted to sign in to the new Okta End-User Dashboard while access was prevented were not redirected to the proper error page.

OKTA-369101

Admins couldn't save login mappings for some OIDC Identity Providers.

OKTA-376269

When some users updated their recovery question, the password import inline hook was erroneously triggered.

OKTA-379913

Admins couldn't use the Tab key to advance to the next text field in the Test Delegated Authentication modal.

OKTA-383803

Creating new users in Coupa through Okta provisioning failed with a password length error even though the Sync password option was not selected.

OKTA-386927

The Light Agent role was not available to the users assigned to the Zendesk app.

OKTA-387820

The Current Assignment report in Application Access Audit sometimes failed to load and returned a 500 error.

OKTA-389874

The Client Credentials Flow could not implement a custom claim named scope.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 1Password Business (OKTA-392758)

  • Concur - ProTrav (OKTA-394860)

  • Cradlepoint NetCloud (OKTA-392389)

  • Lifeworks (OKTA-395025)

  • SAP Concur Solutions (OKTA-395184)

  • The Washington Post (OKTA-393397)

Applications

Application Updates

The following SWA integrations are deprecated from the OIN:

  • Mindtickle - Admin

  • Lead Apparel

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Acronis Cyber Cloud (OKTA-393653)

  • Emerge (OKTA-393802)

OIDC for the following Okta Verified applications

Generally Available

Sign-In Widget, version 5.6.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Content security policy enforcement on end-user pages

Content security policy is now enforced for end-user pages. Content Security Policy headers provide an additional layer of security that helps to detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. We already had a policy enforced in our admin pages from last year and in report-only mode for end-user pages. We plan that future iterations of our Content Security Policy enforcement for end-user pages will become stricter than this first release.

This feature will be gradually made available to all orgs.

Fixes

General Fixes

OKTA-330390

On the Onboarding tasks page, the Create an app integration task wasn’t marked Complete after an OIDC or OIN app was added.

OKTA-363972

The RelayState value sent from Jira on-prem to Okta was invalid.

OKTA-378981

SAML requests and responses weren't logged in the System Log as distinct event fields and lacked detail about the SAML assertion.

OKTA-385091

Attempts to push blank values from Okta to any custom app attributes in Google Workspace failed.

OKTA-386112

Imports of more than 2,000 users from Adobe Experience Manager sometimes failed.

OKTA-390477

Suspended users were automatically unlocked but appeared as suspended in the Admin Console.

OKTA-393682

Automatic provisioning of users to Google Workspace sometimes failed with a java.io.IOException error.

OKTA-396391

Some Internet Explorer users received a ScriptError alert when signing in to apps.

OKTA-398081

If the users and groups in an app-level policy were deleted, the Admin Console incorrectly showed the policy as applied to all users and groups.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Airbnb (OKTA-395954)

  • Boxed (OKTA-396919)

  • CultureIQ (OKTA-396932)

  • Eden (OKTA-395029)

  • Fortune (OKTA-395031)

  • Gong (OKTA-394257)

  • Granite Rock Reports (OKTA-393958)

  • LivePerson Expert (OKTA-390448)

  • Moffi (OKTA-395032)

  • MURAL (OKTA-395023)

  • Notion (OKTA-395035)

  • Odoo (OKTA-394706)

  • Traackr (OKTA-396931)

Applications

Application Updates

The following SWA integrations are deprecated from the OIN:

  • EverFi NEXT

  • AppNexus (replaced by Xandr)

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

  • Sisense for Cloud Data Teams: For configuration information, see Sisense SCIM documentation.

SAML for the following Okta Verified applications

  • iHASCO Training Suite (OKTA-396044)

  • Mursion (OKTA-394726)

  • PoliteMail (OKTA-393990)

  • Soveren (OKTA-389257)

  • Writer.com (OKTA-393658)

SWA for the following Okta Verified applications

  • IDEE MFA (OKTA-393819)

  • Xandr (OKTA-394701)

OIDC for the following Okta Verified applications

April 2021

2021.04.0: Monthly Production release began deployment on April 12

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta Sign-In Widget, version 5.5.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta Active Directory agent, version 3.6.1

This version of the agent contains:

  • Improved query performance for customers with a large number of organizational units.

  • Security enhancements.

  • Improved logging functionality to assist with issue resolution.

  • Managed service account support for the Okta Active Directory agent.

  • Bug fixes.

See Okta Active Directory agent version history.

New operators available in Advanced Filters for System Log

Admins can now filter using new Advanced Filters operators:

  • ends with

  • not equal

  • is present (value exists)

  • greater than

  • greater than or equal to

  • less than

  • less than or equal to

Additionally, admins can now use the not equal, ends with, and is present operators in the System Log search bar. These operators provide greater flexibility when filtering System Log events. See System Log filters and search.

Admin Experience Redesign

With the Admin Experience Redesign feature, the Okta Admin Console now has:

  • A modern look and feel with improved responsiveness for the new navigation side bar.

  • A redesigned Okta Admin Dashboard that displays more practical insights for admins.

  • An Agents page in the Okta Admin Dashboard that shows the status and version of every Okta agent that is connected to customers' on-premises servers.

This improves the accessibility of the product, improves admin productivity, and helps admins to be more proactive with security issues. See Admin Experience Redesign.

Okta Applications

Okta admins can now create app-based sign-on policies for the Okta Dashboard, Okta Admin Console, and Okta Browser Plugin.

Previously, sign-on policies couldn't be configured for these first party applications. With this release, policy based on context such as user location, device, behavior, risk level, group membership, and more is included. This gives admins more flexibility and granular control over sign-on requirements for these first party apps. For example, different MFA requirements might apply to the Okta Admin Console for different groups of people.

See Enable the new Okta End-User Experience.

Okta End-User Dashboard redesign

Generally Available Enhancements

TLS certificate update for okta.com

The TLS certificate for okta.com will be updated beginning on May 6th, 2021, US Pacific Time. The updated certificate will be signed with a new trust chain and Root Certificate Authority (CA) trust anchor. The Root CA will change from the DigiCert High Assurance EV Root CA to the DigiCert Global Root CA. To avoid negative impact and service outages, customers who have a limited or non-standard set of certificates in their trust stores must take action prior to May 6th, 2021. See FAQs.

Email notification settings

Email notification settings for New sign-on, MFA enrolled, and MFA reset are no longer enabled by default for new orgs. This change prevents new orgs from unintentionally sending email notifications to end users. See General Security.

NetSuite integration enhancement

Okta can now import the supervisor/manager ID for an employee from NetSuite, removing the dependency on Active Directory.

OIN Manager supports variable SAML ACS URLs

SAML app integrations that support multiple ACS URLs can now use app instance property variables to create non-static single sign-on URLs in their submissions.

Okta ThreatInsight free trial

Orgs that use free trial editions now see a limited functionality notification in the Okta ThreatInsight Settings section of the Security > General page. See General Security.

End users on new dashboard can request apps

End users can now request an app through the link in the footer of the new Okta End-User Dashboard. To turn this setting on, go to the Okta Admin Console > Applications > Self Service and enable Allow users to email "Technical Contact" to request an app.

Early Access Features

New Features

Customize Okta domains

The ability to customize your Okta domain has now been rolled out to all orgs. With this feature, you can customize your Okta organization by replacing the Okta domain name with your own domain name. This allows you to create a seamless branded experience for your users so that all URLs look like your application. See Custom Domain API.

Enhancements

Group Push enhancements

Group Push now supports the ability to link to existing groups in NetSuite. You can centrally manage these apps in Okta. This is important because it allows you to set up and push Okta groups into NetSuite instead of recreating them in NetSuite. See About Group Push.

Fixes

General Fixes

OKTA-336939

For some orgs, the user activation page didn't display logos correctly if it was accessed through the redirect link in the User Activation email.

OKTA-337030, OKTA-375978, OKTA-378809, OKTA-379613, OKTA-380069, OKTA-380636, OKTA-381076, OKTA-381639

Some orgs that have the Admin Redesign Experience feature enabled had the following issues:

  • Scrolling functionality didn’t work as expected on some pages.

  • The Okta Admin Dashboard reached the rate limit threshold rapidly, causing a failure to load data in the Admin Dashboard widgets.

  • The spotlight search input field had extra padding.

  • Some pages had layout issues.

  • Some dialog boxes had unwanted scrollbars.

  • Some conditions in group rules were unreadable.

  • Group icons weren't display properly on the Group Assignment page.

OKTA-362647

Self-Service Registration incorrectly appeared in the Directory menu for group admins. This feature is available to super admins only.

OKTA-363849

The 12-hour timestamp on the Import Monitoring Dashboard didn’t display AM or PM.

OKTA-369992

The Report Suspicious Activity page didn’t display the geolocation and the IP address of the suspicious request.

OKTA-373689H

Sometimes the public OAuth metadata API responses did not include a Vary: Origin header, resulting in some browsers incorrectly caching the response across Origins.

OKTA-373957

Some iPhone and iPad users using Okta Mobile couldn’t sign in to Microsoft Teams.

OKTA-375702

The Okta Workflows app erroneously counted towards an org's app limit.

OKTA-375878

The Import Safeguard help documentation link on the Directories page was broken.

OKTA-376041

Some pop-up messages during the OAuth validation process incorrectly had scrollbars.

OKTA-376281

During creation of a new SPA app integration, the App Integration Wizard incorrectly enabled the Allow Access Token option under the Implicit grant type by default.

OKTA-376795

Registration Inline Hook sometimes failed during the self-service registration process.

OKTA-378045H

The Applications page in Developer orgs didn't have clear instructions about how to create more custom apps by upgrading to an Enterprise plan.

OKTA-378989

For some orgs, SAML inline hooks didn’t work as expected.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • AlertLogic (OKTA-380563)

  • Blacklane Car Service (OKTA-380186)

  • Bookmark App (OKTA-377640)

  • DHL Express (OKTA-380565)

  • Fortune (OKTA-380576)

  • ImpactOffice (OKTA-380575)

  • Music Vine (OKTA-380580)

  • mySE: My Schneider Electric (OKTA-375671)

  • Tumblr (OKTA-380562)

  • WordFly (OKTA-380953)

The following SAML app was not working correctly and is now fixed

  • Mimecast Personal Portal v3 (OKTA-381518)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Altitude Networks (OKTA-369534)

  • Cerby (OKTA-381104)

  • LogMeOnce (OKTA-376650)

  • Millie (OKTA-378822)

  • Sketchboard (OKTA-377849)

  • Starred (OKTA-379901)

  • Vulcan Cyber (OKTA-366907)

Weekly Updates

April 19

Generally Available Features

Okta Sign-In Widget, version 5.5.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Generally Available Enhancements

Password Health Report enhancement

Date columns in the Password Health Report are now in ISO 8601 format to improve readability.

Increased authorization code lifetime

The OAuth authorization code lifetime is increased from 1 to 5 minutes.

Fixes

General Fixes

OKTA-360669

Errors on the App Sign On Policy page were displayed at the top of the page rather than near the respective fields.

OKTA-360937

In some cases, Okta didn't import all users from ServiceNow.

OKTA-362325

Attributes with the number data type were reported to have been updated after CSV Directory imports even if nothing had changed.

OKTA-362647

Self-Service Registration, a super admin feature, incorrectly appeared in the Directory menu for group admins.

OKTA-375536

Developer org admins were incorrectly redirected to the user app page instead of the Admin Dashboard.

OKTA-375698

In some cases, the OAuth access token for Salesforce expired daily, which caused issues with provisioning.

OKTA-377265

In some cases, admins received a 500 error while creating a new user with JIT provisioning.

OKTA-380356

The Trusted Origin field in the new App Integration Wizard appeared even if the user didn't have the permission to manage the field.

OKTA-380892

Some help documentation links in the Agentless Desktop SSO and Silent Activation section didn't work.

OKTA-382214

In some cases, Group Administrators were incorrectly displayed as User Administrators in the Email Notification dropdown on the Account Settings page.

OKTA-382433

The text in the App Embed Link section of the Custom SAML App page was misaligned.

OKTA-385342

The new App Integration Wizard showed an error when creating an API Services app due to incorrect response type validation.

OKTA-388027

The Email Change Confirmed Notification configuration (part of Email & SMS Customization) didn’t have an option to specify whether admins only, or admins and end users received the notification.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Carta (OKTA-380324)

Applications

Updates

  • The Nature.com SWA integration is deprecated from the OIN.

    Use the Nature Research SAML app instead.

New Integrations

SAML for the following Okta Verified applications

  • Productive.io (OKTA-377469)

  • TigerConnect (OKTA-382369)

OIDC for the following Okta Verified application

May 03

Generally Available

Okta Sign-In Widget, version 5.5.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-355894

The Recently Used tab on the Okta End-User Dashboard wasn't translated for all languages.

OKTA-361861

During a full import, profile updates occurred in Workday even if no attributes were changed for the user in Okta.

OKTA-369527

AD-sourced users received misleading error messages when they attempted to reset their passwords while the AD agent was down.

OKTA-371158

Some LDAP-sourced users' temporary passwords became their main passwords after they used them to sign in.

OKTA-373409

Some AD-sourced users were redirected to the default Okta org when they clicked the activation link in their welcome email.

OKTA-373578

Some Dynamic Network zones didn't block traffic as configured.

OKTA-375317

Some users received errors when they authenticated to Okta from ADFS with a custom domain.

OKTA-376991

After reactivation, some users weren't properly reassigned their applications.

OKTA-377853, OKTA-379764

International phone numbers were incorrectly parsed during profile updates in Workday.

OKTA-378405

Pushing AD-imported groups from one Okta instance to another failed.

OKTA-379707

The ThreatSuspected field in the System Log wasn’t consistently updated.

OKTA-380165

Previously scheduled Workday imports were still shown on the Import Monitoring dashboard after provisioning was disabled.

OKTA-381764

Some admins couldn't save settings for Incremental Import Schedule when they integrated a new CSV Directory.

OKTA-382686

The Upload CSV button wasn't clearly visible on the Application Import page of the new Okta Admin Console.

OKTA-382711

Syntax highlights were not correct in the Okta Admin Console code editors for the Custom Sign-In Widget and the Custom Error pages.

OKTA-383630

Preview and test emails in the Okta Admin Console didn’t render customization variables in the email subject field.

OKTA-383632

After a custom domain was configured, the test email dialog in the Okta Admin Console displayed the default email sender details as Okta <noreply@okta.com>.

OKTA-383647

Admins received timeout errors when they deactivated AD-sourced users through imports from Active Directory.

OKTA-384306

Icons in the Okta API Scopes tab were misaligned for OAuth apps.

OKTA-385297

Text on the Sign On tab was misaligned for some apps.

OKTA-389502H

In some cases when the new Okta End-User Dashboard was enabled, Okta incorrectly made hourly token renewal requests that caused user sessions to be active longer than configured.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Accertify (OKTA-388719)

  • Adobe (OKTA-385008)

  • ADP IPayStatements (OKTA-389106)

  • Apollo (OKTA-382989)

  • Beeline TMS (OKTA-383007)

  • Calendly (OKTA-382474)

  • Citi Credit Cards (OKTA-385007)

  • Cradlepoint NetCloud (OKTA-388566)

  • Delta Dental (OKTA-379327)

  • Dow Jones Private Equity and Venture (OKTA-388720)

  • Federal Procurement Data System (OKTA-382991)

  • Grammarly (OKTA-388717)

  • Jitterbit (OKTA-385006)

  • KeyBank (OKTA-385011)

  • LastPass Sync (OKTA-386955)

  • Milestone XProtect Smart Client (OKTA-386601)

  • MongoDB Cloud (OKTA-385010)

  • Portal Nutanix (OKTA-386598)

  • Shatswell MacLeod (OKTA-386604)

  • WEX Health Cloud (OKTA-385013)

  • WorkFlowy (OKTA-386597)

  • XpertHR (OKTA-382990)

  • ZeeMaps (OKTA-388718)

Applications

Application Updates

  • Our Dynamic Signal integration has been updated as follows:

    • The existing Dynamic Signal integration is deprecated and renamed Dynamic Signal (Deprecated).

    • A new Dynamic Signal integration is now available, without provisioning functionality.

  • The following SWA integrations are deprecated from the OIN:

    • Crazy Egg

    • Dow Jones Private Equity and Venture

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

  • Cato Networks Provisioning: For configuration information, see Cato Networking documentation here. Note that this documentation is only available for Cato authenticated users.

SAML for the following Okta Verified applications

  • brandworkz (OKTA-380978)

  • Dooly (OKTA-384467)

  • Feroot (OKTA-387002)

  • Folia (OKTA-369123)

  • Jobcan (OKTA-383754)

  • JoVE (OKTA-386197)

  • LINE WORKS (OKTA-387869)

  • MPulse 9 (OKTA-379463)

  • Open Practice Solutions (OKTA-379650)

  • Planisware Enterprise (OKTA-382573)

  • Propel PRM (OKTA-385027)

  • QReserve (OKTA-383759)

  • Thrive LXP (OKTA-385858)

  • Webcasts Admin (OKTA-382549)

SWA for the following Okta Verified applications

  • Atlanta Fine Homes (OKTA-383598)

  • Walkthechat (OKTA-385436)

  • WSRB (OKTA-385426)

OIDC for the following Okta Verified applications

  • Mantra: For configuration information, see Okta SSO.

March 2021

2021.03.0: Monthly Production release began deployment on March 8

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

LDAP agent, version 5.7.2

This version of the agent contains:

  • Support for Lightweight Directory Access Protocol (LDAP) group password policies

  • Internal improvements and security fixes

  • Bug fixes

To view the agent version history, see Okta LDAP Agent version history.

RADIUS Agent, version 2.15.1

RADIUS agent version 2.15.1 GA contains all updates release since version 2.7.4 EA, including:

  • Support for EAP-GTC and EAP-TTLS to improve security and extend support network access vendors, such as Netmotion Mobility.

  • Support for TLS 1.2, which is required for all connections to Okta.

  • Support for internet proxies.

  • A simplified installer, which no longer requires shared secrets and ports.

And has been tested on new Linux operating systems:

  • CentOS 7.6.

  • Ubuntu 20.04.1 LTS.

  • Red Hat Enterprise Linux release 8.3.

  • Windows Server 2016.

  • Windows Server 2019.

In summary, the new agent provides admins with an easier installation, configuration, and run-time experience, and we recommend it for all Okta RADIUS customers.

See Okta RADIUS Server Agent Version History.

Okta Sign-In Widget, version 5.4.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

New number challenge options in Okta Verify admin settings

New Okta Verify settings in the Admin Console now allow admins to control when users receive a number challenge. Number challenge is an existing Okta Verify feature in eligible orgs that helps Android and iOS users enrolled in Okta Verify with Push avoid accepting fraudulent push notifications when they try to access a protected app. Completing the challenge ensures that the sign-in attempt came from the user and not from an unauthorized person. Admins can now choose to never challenge users, challenge with all push notifications, or challenge only for high-risk sign-in attempts. See Enable Number Challenge with Okta Verify with Push.

Option to switch between Admin Experience Redesign and the old experience

Super admins can now switch between Admin Experience Redesign and the old experience by using the option provided on the Okta Admin Dashboard. This gives admins time to adapt to the new user experience, which is on by default, and the option to revert to the old experience if required.

OIN Catalog enhancements

The OIN catalog adds several customer identity categories, highlights key app integrations, and now shows relevant Okta Workflow connectors and templates. Administrators can click Add integration to add a specific app integration directly to their org. These improvements make it easier for administrators and application developers to learn about Okta’s customer identity integrations. They can browse for relevant integrations like social identity providers and identity proofing solutions and add these integrations to their Okta org.

This feature will be gradually made available to all orgs.

Deleted schema property scrubber

All existing data associated with a schema property is now removed when a schema property is deleted. To prevent data corruption, the property cannot be recreated until the existing data is fully removed. Previous data is no longer restored when recreating a deleted schema property with the same definition. This new functionality prevents the corruption of profile data and the associated Elastic search issues. See Add or remove custom directory schema attributes.

This feature will be gradually made available to all orgs.

OIDC App tab improvements

The following improvements have been made to the OIDC App tab:

  • The default tab is now General instead of Assignments.

  • Client Credentials moved to the top of the page.

  • Downloaded sample apps now have pre-populated environment variables.

See Create an OIDC app integration using AIW.

This feature is available for all new Production orgs.

LDAP self-service password reset

End users can now perform a self-service reset of their LDAP password using SMS (Short Message Service). Without compromising security, this functionality simplifies the password reset process and removes the need to involve IT Help Desk for credential management. Using SMS for password resets reduces the Help Desk workload and support costs. See Manage self-service password reset.

Improved auto-complete functionality

To improve the accuracy and speed of user searches, the auto-complete functionality on the Okta Admin Console administrator pages is updated.

Generally Available Enhancements

Improvements to the OIN Manager submission QA process

The Okta Operations team now conducts a final internal QA test for app integration submissions in the OIN Manager Portal and sends an email when the final review is complete. If the review is successful, your submission is automatically published in the OIN. These changes streamline the QA and approval process for OIN app integrations.

OIN Manager additional fields

The OIN Manager portal now accepts encrypted SAML assertion certificates. Also, fields are added to clarify OIDC configuration requirements and to confirm that SCIM app integrations are prepared properly for submission. See Configure protocol-specific settings. These changes simplify the ISV submission process, reducing unnecessary communications with the Okta Operations team.

Early Access Features

New Features

Custom help links on the Sign-In Widget

Admins can now customize the help links on the MFA verification page of the Sign-In Widget. This allows admins to link their end users to a custom app or page for factor resets. See Customize text on your sign-in page.

Application SAML Certificates

Separate SAML signing certificates are now assigned when admins create new SAML applications or configure SAML-enabled OIN apps. Okta previously created SAML certificates that were scoped to an entire org. With this feature, SAML certificates are issued and scoped at the application level to provide more fine-grained control and a more secure solution overall. See Create a SAML integration using AIW.

SAML 2.0 Assertion grant flow

You can use the SAML 2.0 Assertion flow to request an access token when you want to use an existing trust relationship without a direct user approval step at the authorization server. The flow enables a client app to reuse an authorization by supplying a valid, signed SAML assertion to the authorization server in exchange for an access token. This flow is often used in migration scenarios from legacy Identity Providers that don't support OAuth. See Create Rules for Each Access Policy.

Fixes

General Fixes

OKTA-209671

Updating a user address field with a string that was too long returned a 500 error response instead of a 400 error with appropriate details.

OKTA-335776

In rare cases when an admin re-typed their password in the Office 365 Admin Password field and then clicked Fetch and Select on the Sign On tab, the Fetch and Select command failed with an error.

OKTA-336326

Sometimes, when the Office 365 Provisioning option was selected to Licenses/Roles Management Only, roles and licenses assigned to Office 365 users in Okta didn't sync in Microsoft.

OKTA-346766

Text on some AD Import pages in the new Okta Admin Console was misaligned.

OKTA-352294

Workday incremental imports sometimes failed with a NullPointerException error.

OKTA-359091

Expanding Admin Tasks on the Admin Dashboard changed the index value of the tasks.

OKTA-367327

When IDP as Factor was enabled, some users received the Invalid Token error on stale sign-in pages.

OKTA-367834

The QR code image in the Setup Okta Verify flow didn't include alt text, which caused screen readers to not recognize the image.

OKTA-367844

The SCIM provisioning feature was not enabled for the Lifecycle Management SKUs included with API products.

OKTA-367999

Some end users were stuck in an authentication loop when trying to sign in to Okta.

OKTA-370037

Text on some pages in the new Okta Admin Console was misaligned.

OKTA-371599

Text on the LDAP tab of the Delegated Authentication page was not rendered properly.

OKTA-372049

Text on the Sign On tab of the App Settings page was misaligned.

OKTA-372436

An issue with ThreatInsight was resolved for some organizations who upgraded a free trial edition to Production.

OKTA-372678

Sometimes the sign-in page didn't refresh if the token was expired.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Aflac (OKTA-372087)

  • Alarm (OKTA-372091)

  • CBRE (Employee Login - The Navigator) (OKTA-370216)

  • Frontier Communications (OKTA-370218)

  • GoCompare (OKTA-370219)

  • MX Merchant (OKTA-370217)

  • MxToolbox (OKTA-370503)

  • Premium Audit Advisory Service (PAAS) (OKTA-368399)

  • Rippe and Kingston LMS (OKTA-372081)

  • ShopAtHome (OKTA-372067)

  • The Economist (OKTA-372207)

  • Visage MobilityCentral (OKTA-372095)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Banyan Command Center (OKTA-370640)

  • Five9 Plus Adapter for Microsoft Dynamics CRM (OKTA-367992)

  • Noticeable (OKTA-370631)

SWA for the following Okta Verified application

  • Clarizen One (OKTA-371928)

OIDC for the following Okta Verified application

Weekly Updates

March 15

Fixes

General Fixes

OKTA-337155

Sometimes, if a refresh token flow contained an invalid refresh token, the hash was not logged in the System Log.

OKTA-340754

In some cases, users couldn't be assigned to or removed from a group from their Okta Profile.

OKTA-347379

The Okta Browser Plugin incorrectly suggested a new password for the ServiceNow app.

OKTA-362310

The Dutch translation for password requirements on the password reset screen was incorrect.

OKTA-369737

Search boxes on some pages under Security had a CSS issue.

OKTA-370192

Some admins couldn't create users for Box if the default input value for the parent folder path was left empty in Okta.

OKTA-370944

In some cases, after a user deletion legitimately failed, admins were unable to delete other users.

OKTA-378843H

Invalid token requests resulted in a 500 error.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Benchmarking (OKTA-375324)

  • Forbes (OKTA-372724)

  • Fusion MortgagebotLOS (OKTA-373862)

  • Google Workspace (OKTA-374871)

  • Hawaiian Airlines (OKTA-375320)

  • Papertrail (OKTA-375327)

  • Pingdom (OKTA-375323)

  • Schwab Advisors (OKTA-358544)

  • Taboola (OKTA-371937)

  • WorkdayCommunity (OKTA-374314)

  • Zapier (OKTA-374811)

  • Zoom (OKTA-372449)

Applications

Application Updates

Our OrgWiki integration has been updated as follows:

  • The existing OrgWiki integration is renamed OrgWiki (Deprecated).

  • Customers should now use the OrgWiki (SCIM) integration in our catalog.

New Integrations

SAML for the following Okta Verified applications

  • Admin By Request (OKTA-372458)

  • Fortanix Self Defending Key Management Service (OKTA-373374)

  • Taskize Connect (OKTA-369898)

March 22

Generally Available Features

Okta Sign-In Widget, version 5.4.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-297743

Apps weren't highlighted automatically if they matched a user’s search terms in the App Catalog.

OKTA-319109

In orgs with the Admin Experience Redesign feature enabled, the Imports Paused task was missing from the Dashboard page in the Okta Admin Console.

OKTA-345217

Some user interface elements on sign-on policy pages for apps were formatted incorrectly.

OKTA-355148

LDAP-sourced users received a 500 error error while attempting a self service password reset that violated common password patterns.

OKTA-362677

In orgs with the Admin Experience Redesign feature enabled, when admins clicked Workflow > Workflow console, the page didn't open in a new browser tab.

OKTA-368354H

Some Adobe Experience Manager imports failed.

OKTA-370306

The side navigation in the Okta Admin Console didn't scroll automatically to a selected item.

OKTA-371058

In some cases, users experienced performance issues on the Okta End-User Dashboard and had to refresh the page manually.

OKTA-372440

The Add Section button was missing from the new Okta End-User Dashboard app list when embedded in an iframe.

OKTA-373004

The Upload button for Encryption Certificates was missing from the Sign-On settings tab in the Okta Admin Console.

OKTA-373729

In some cases, importing users from Active Directory to Okta failed and app assignment didn't complete if a single user failed to import.

OKTA-373944

In orgs with the Admin Experience Redesign feature enabled, admins who didn't have search permissions could see the search box in a deactivated state.

OKTA-375432

In some cases, the onboarding checklist for new developer orgs wasn't populated correctly upon registration.

OKTA-375541

Some app sign-on policy pages had display issues.

OKTA-375953

Smart Card authentication failed if an org had multiple Smart Card Identity Providers (IdPs) configured.

OKTA-375998

The Help documentation link on the Active Directory introductory page redirected users to the wrong documentation page.

OKTA-376620

The error message shown to end users when the login page had an expired token was unclear.

OKTA-379196

End users that belonged to environments without the new Okta End-User Dashboard self-service feature enabled were presented with a blank page after signing onto a custom domain.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Domo (OKTA-373343)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • JustCall (OKTA-375104)

  • Rent Dynamics (OKTA-373350)

  • Roadster (OKTA-359604)

  • Vonage (OKTA-373104)

March 29

EA Enhancement

Dashboard and Browser Plugin apps available in Admin Console

Admins of the orgs that have enabled the new Okta End User Dashboard and First Party Applications can now see the Okta Dashboard and Okta Browser Plugin apps in Okta Admin Console > Applications. They can also set up sign-on policies for these apps. See Enable the new Okta End-User Experience. This feature will be gradually made available to all orgs.

Fixes

General Fixes

OKTA-333391, OKTA-362811, OKTA-372138, OKTA-372662, OKTA-372959, OKTA-375504, OKTA-375682, OKTA-375977, OKTA-376890, OKTA-376908, OKTA-376985, OKTA-376988, OKTA-377189

Orgs with the Admin Experience Redesign feature enabled had the following issues on some pages:

  • Text or UI elements were misaligned or didn’t wrap correctly.
  • Drop-downs didn’t work properly.
  • Old UI elements replaced the new ones.
  • Font or font color was inconsistent.
  • The scroll functionality didn’t work properly.

OKTA-354628

The RADIUS app didn't have a configuration option to permit MFA-only configuration to allow access-challenge responses.

OKTA-372692

If multiple users matching a UPN or SAM Account Name existed, the authentication process failed even if only one of those users was assigned the RADIUS app.

OKTA-373288

In rare cases, during multifactor authentication (MFA) enrollment with SMS as a factor, users could have multiple unverified phone numbers and weren't able to verify any of them.

OKTA-373963

Group memberships were still being synced to an app even when API integration for the app was disabled.

OKTA-377201

After the local numbers were changed to 10 digits, users in Ivory Coast enrolling in SMS and Voice Call authentication received a warning about the phone numbers not being valid, and they had to retry the same number to complete the enrollment.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Azure Manage (OKTA-377470)

  • Baystate Benefits - Employee (OKTA-377235)

  • Brainerd Dispatch (OKTA-377232)

  • Chase Bank - Personal (OKTA-377215)

  • Domo (OKTA-377226)

  • GuideStar (OKTA-377224)

  • IBM Blueworks Live (OKTA-377219)

  • IntraLinks (OKTA-377496)

  • Iola (OKTA-377217)

  • Jack Henry & Associates Client Portal (OKTA-377212)

  • Lucidchart (OKTA-376367)

  • SAP Concur Solutions (OKTA-375460)

  • Skykick (OKTA-377845)

  • Staples (OKTA-377474)

  • Texas Mutual (OKTA-355698)

  • The Information (OKTA-372438)

  • TSheets QuickBooks (OKTA-372937)

Applications

Application Updates

  • The Fastly application is now private and is renamed Fastly (Deprecated)

  • The Signal Sciences application is now private is renamed Signal Sciences (Deprecated)

  • The Fastly SAML is renamed Fastly and is updated with SWA Sign On mode.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • EVA Voice Biometrics (OKTA-379067)

  • FortiSASE SIA (OKTA-379066)

  • GitHub Enterprise Managed User (OKTA-379065)

  • IDrive360 (OKTA-378511)

  • Lucid (OKTA-377238)

  • SecureFlag (OKTA-377229)

February 2021

2021.02.0: Monthly Production release began deployment on February 8

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Option to activate and deactivate rate limit warning and violation notifications for all orgs

All admins now receive the warning and violation notifications for rate limits. Additionally, you have the option to activate and deactivate the notification from the Admin Console.

Additional events available for use as Event Hooks

The following event types are now available for use as an Event Hook:

  • The user.account.lock event makes admins aware of accounts that are locked because of suspicious activity or due to multiple incorrect sign-in attempts. Admins can also use this Event Hook to take action against affected accounts.
  • The user.account.unlock event makes admins aware of accounts that are no longer locked. Admins can also notify users of appropriate next steps to prevent future account locking.

  • The group.lifecycle.create event notifies admins when new Okta groups are created. The group.lifecycle.delete event notifies admins when new Okta groups are deleted. Admins can use Event Hooks based on these events to initiate automated custom flows.

  • The system.org.rate.limit.warning event notifies admins when their org is approaching an org-wide rate limit. The system.org.rate.limit.violation event notifies admins when their org has exceeded an org-wide rate limit. Admins can use Event Hooks based on these events to trigger a real-time alert to a downstream system, such as PagerDuty.

  • The system.import.group.create event helps admins to automate IT processes, such as providing members of the imported group with access to applications.
  • The system.import.group.delete event helps admins use these events to trigger actions in downstream systems, such as an Okta Workflows Flow that creates a Slack notification.

  • The user.mfa.factor.suspend and user.mfa.factor.unsuspend events notify your service when enrolled MFA factors are suspended or unsuspended. This typically occurs when a registered device associated with the factor is suspended or unsuspended either through the Okta Admin Console or the Okta API.

New System Log events for MFA factor activity and for importing users through CSV

The following System Log event types are now available:

  • The system.mfa.factor.activate event indicates that the MFA factor is activated.

  • The system.mfa.factor.deactivate event indicates that the MFA factor is deactivated.

These events help admins collect metrics for MFA factor activity and track user action for activating and deactivating an MFA factor. These events are triggered when an MFA factor is activated and when it is deactivated.

  • The system.import.user_csv.start event indicates that the process to import users from CSV is started.

  • The system.import.user_csv.complete event indicates that the process to import users from CSV is completed.

These events help admins track user activity of batch importing users through CSV. These events are triggered when the process to import users from CSV is started and when it is completed.

Support for Safari user interaction requirement for WebAuthn flows

Okta now supports Safari's user interaction security requirement for WebAuthn flows. When accessing resources protected by an Okta WebAuthn MFA policy, end users now must tap Verify before they're challenged to provide biometrics or a security key.

General Availability of Workflows

Okta Workflows is now Generally Available for additional customers in the APAC cell.

Okta Workflows is an interface-driven, no-code platform for business process automation that provides integration with some of the most widely used third-party APIs in the industry, including Box, Slack, Salesforce, and Google Workspace. See Okta Workflows.

Deployment is taking place over the course of several days to entitled orgs with the following SKUs:

  • IT Products - Advanced Lifecycle Management

  • Legacy SKU: IT Products - Lifecycle Management, Unlimited

  • Legacy SKU: IT Products - Lifecycle Management, Unlimited OIN Apps

  • Legacy SKU: IT Products - Lifecycle Management, 10 OIN Apps

To access Workflows, select the Workflow > Workflows console menu option from the Okta Admin Console.

Limit group stats when searching for user groups during admin assignment

In search results, groups with more than 10,000 users or apps now appear with a count of 10,000. This speeds up results when super admins search for groups to assign admin privileges. The actual totals are not impacted and can be viewed on the group's page.

New System Log delAuthTimeout and LDAP delAuth values

The following values now appear in the System Log:

  • The delAuthTimeout value identifies the authentication timeout value. The delegated authentication timeout value is the time in milliseconds that Okta waits for delegated authentication responses. Knowing this value can help identify when timeout values are too high and consuming system resources unnecessarily. See System Log.

  • The Ldap delAuth value identifies the delegated authentication type. The values returned are LDAP or AD. Knowing this value can help you identify and resolve delegated authentication issues. See Delegated authentication.

Generally Available Enhancements

Admins only receive rate limit warning and violation notifications for org events

All admins are notified for rate limit warning and violations for their orgs in the Admin Console and by email. These notifications are for org-wide events and not for client and operations-based events. This reduces unnecessary email notifications.

Updates to the text in rate limit warning and violation notifications

The text in the rate limit warning and violations notification in the Admin Console and email has been updated to make it more user-friendly. Now, the email notification also contains a link to the Rate limit overview document to boost your understanding of rate limits. See Rate limits.

Link to Okta agent support policies

The Downloads page in the Admin Console now has a direct link to the latest Okta agent support policies. See Okta agent support policies.

Enhancement to the OIDC app creation message

After an OIDC application is created, the Application created successfully notification is frequently missed because it only appears briefly after an app is saved. The message now appears after the UI redirects to the new application's main page.

Okta Workflows URL verification in Event Hooks

Admins can now enter a Workflow API Endpoint URL as an Event Hook URL without the need for verification. This helps admins easily configure a Workflow to be triggered from an Event Hook for multiple events or for events not yet available in Workflows.

See Event Hooks.

Enhancements to policy scheduled execution System Log events

The policy.scheduled.execute event has been updated. When triggered by Okta Automations, this event now displays the number of user lifecycle state changes for deactivations, deletions, and suspensions in the SuccessfulDeactivations, SuccessfulDeletions, and SuccessfulSuspensions fields under the DebugContext object. This event is useful for admins to measure the number of user accounts that have been affected by Okta Automations.

New color scheme for the map view in System Log

The mapview in the System Log now has a new color scheme that increases visibility and clarity.

Early Access Features

New Features

Event Hook preview

Event Hook preview lets admins easily test and troubleshoot their Event Hooks, as well as send sample requests without manually triggering an actual event. This means admins can preview the payload of a specific Event Hook type and make sure that it's what they need to move forward before a full deployment to production. See Event Hook Preview.

Wildcards for OAuth redirect subdomains

Developers can now use the Apps API to set multiple redirect URI subdomains with a single parameter using the asterisk * wildcard. This feature provides convenience and flexibility in cases where subdomains vary by only a few characters. For example: https://subdomain*.example.com/oidc/redirect may be used to represent subdomain1, subdomain2, and subdomain3.

Enhanced Admin Console search

Admins can now search for end user email addresses in the Spotlight Search field in the Admin Console. You can also view the user's status in the search results when you search by username and email address. This robust global search helps you find what you need in the Admin Console quickly, thereby, saving time and increasing productivity. See Admin Console search.

RADIUS Agent, version 2.15.0

This version includes all changes released since the EA version 2.7.4. When configuring RADIUS apps, admins seek ways to constantly enhance network security and expand the server OS coverage. To meet these goals, the RADIUS agent version 2.15.10 now supports:

New network access authentication protocols:

  • PEAP-EAP-GTC

  • EAP-TTLS

New Linux operating systems:

  • Red Hat Enterprise Linux release 8.0

  • CentOS 7.6

  • Ubuntu 18.04.4

With the latest updates, admins gain more flexibility in deployment use cases. For example, the Okta RADIUS agent now interoperates with Netmotion Mobility using EAP-GTC.

RADIUS agent version 2.15.10 also includes support for TLS 1.2, which is required for all connections to Okta, and a simplified installer, which supports proxies and no longer requires shared secrets and ports. The new agent provides admins with an easier installation, configuration, and run-time experience. See Okta RADIUS Server Agent Version History.

Fixes

General Fixes

OKTA-336933

Some Office 365 users were deprovisioned with an incorrect localization error.

OKTA-347240

During account creation, if a user's input violated the length constraints, the error message didn't include the value of the length constraint.

OKTA-348024

SuccessFactor users weren't deactivated by timezone.

OKTA-351180

SAML Preview returned the 400 Bad Request error if the SAML sign-on mode for an app was configured with Single Logout.

OKTA-353734

Some users who had successfully authenticated received a sign-in failed error when they attempted to sign in to an app that wasn't assigned to them.

OKTA-355854

The Okta Admin Dashboard wasn't properly aligned in Internet Explorer 11.

OKTA-358580

Admins couldn't approve or deny app access requests in the new Okta End-User Dashboard.

OKTA-358736

Resend SMS factor sometimes resulted in a 400 error upon app sign-in.

OKTA-359104

Some base attributes were missing from the User Profile.

OKTA-359189

The Preview banner in Preview orgs wasn't properly displayed.

OKTA-361024

The new Okta End-User Dashboard didn't show all company-managed apps or the Show More button.

OKTA-361741

In an IdP-initiated flow, end users were prompted to verify the IdP factor when they accessed an app even if they'd verified a factor when they signed in to the Okta End-User Dashboard.

OKTA-362034

In some browsers, extra scroll bars appeared on the Okta Admin Dashboard.

OKTA-362764

The Tasks card on the Okta Admin Dashboard didn't load properly in Internet Explorer 11.

OKTA-363398

The Help documentation link under Customization > New End User Experience was broken.

OKTA-364583

In the SmartSheet provisioning profile, when admins tried to change the Group Priority setting to Combine values across groups for the variable smartsheet.userPermissions, the error message: Not allowed to modify property userPermissions from the base schema was returned.

OKTA-366948H

Some imports from AD were delayed, especially when large number of import jobs were being run.

OKTA-367152H

In some cases, MS Office authentication did not prompt for MFA and failed.

Applications

  • The Okta SAML Toolkit is deprecated and removed from the Okta Downloads page.

  • Google Apps is rebranded as Google Workspace. We have updated the OIN Application and associated documentation.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • TravelPerk (OKTA-362457)

Weekly Updates

February 16

Fixes

General Fixes

OKTA-348508

During Okta to Box provisioning, if the Create personal Box folder when new user account is provisioned option was selected, the admin was sometimes added to the folder with the user.

OKTA-350375

Some profiles were not updated when Active Directory (AD) attributes were pushed to custom attributes in Okta.

OKTA-358884

During CSV import, attempts to add and update User Profile attributes failed.

OKTA-359569

During password reset, an incorrect error message was reported if security requirements were not met.

OKTA-360989

Admins couldn't enable the Okta Browser Plugin toolbar for specific groups.

OKTA-361726

In the new Okta Admin Console, the Overview section of the Admin Dashboard didn't reflect the correct last-updated date for reports.

OKTA-362107

A non-functioning Learn More link was displayed under Status in the Agents panel.

OKTA-363845

In the new Okta Admin Console, the number of apps displayed on the dashboard was different from the number of actual apps.

OKTA-365531

The Russian translation for the Show More button in the App Catalog was inaccurate.

OKTA-366755

In Internet Explorer 11, the left navigation menu was missing from the new Okta Admin Dashboard.

OKTA-367191

The word Authenticator was not translated on the new Okta End-User Dashboard or in the security enrollment flow.

OKTA-367776

When using a browser other than Safari to access resources protected by an Okta WebAuthn MFA policy, end users were required to tap Verify before they were challenged to provide biometrics or a security key.

OKTA-370361H

Admins sometimes encountered errors when attempting to update O365 app settings or with provisioning related operations to AAD.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 123RF (OKTA-365452)

  • Avery (OKTA-361758)

  • Chrome River (OKTA-364083)

  • CSI - WatchDOG Elite (OKTA-362468)

  • Exclusive Resorts (OKTA-364063)

  • mySE: My Schneider Electric (OKTA-364080)

  • Nationwide Evictions (OKTA-367116)

  • Notion (OKTA-366913)

  • Skrill (OKTA-366912)

  • SmartyStreets (OKTA-361757)

  • vAuto (OKTA-361755)

  • Visionplanner (OKTA-360707)

  • Wayfair (OKTA-366424)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • A Cloud Guru (OKTA-361798)

  • Genesys Cloud (OKTA-362719)

  • Onfido (OKTA-365910)

  • Strings (OKTA-364012)

  • zkipster (OKTA-364003)

February 22

Fixes

General Fixes

OKTA-344871

Although the Add Rule button on the Groups page appeared inactive, in some cases users accessed the Add Rule dialog box after clicking the button.

OKTA-345647

3-byte characters weren't readable in the Okta Password Health report.

OKTA-347025

Group admins could view all Okta tenant users and not just the ones in their group.

OKTA-354798

Sometimes, sign-in attempts with Just-In-Time provisioning using LDAP failed with an UNKNOWN_USER error when delegated authentication was enabled.

OKTA-356023

Importing users from SAP Litmos to Okta failed in some cases.

OKTA-358253

The Okta End-User Dashboard didn't display localized content when the web browser's default language was set to Indonesian.

OKTA-360983

Password requirement error messages shown during self-service registration weren't consistent.

OKTA-361189

In the new Okta Admin Console, the My Settings link erroneously redirected to the organization's Settings page instead of the end-user Settings page.

OKTA-364406

When creating a new app integration as part of the developer onboarding experience, users were redirected to the deprecated Okta Developer Console App Integration Wizard, instead of the App Integration Wizard in the Okta Admin Console.

OKTA-365037

Sometimes, Just-In-Time provisioning or Real Time Sync wasn't triggered during Active Directory delegated authentication.

OKTA-365205/OKTA-366761

Some pages in the new Okta Admin Console didn't display properly in Internet Explorer 11.

OKTA-365925

Sometimes, admins received a 500 Internal Server Error when they deleted a user.

OKTA-367666

When creating a new SAML 2.0 app integration, the Attribute Statement heading in the wizard wasn't grouped with the corresponding input fields.

OKTA-367941

On the Create OpenID Connect App Integration page in the Okta Admin Console, the yellow bar was missing from the side note.

OKTA-368138

In the new Okta Admin Console, removed app instances were identified as agent down on the Dashboard > Agents page.

OKTA-368828

In the new Okta Admin Console, selected child pages were sometimes not highlighted in the left navigation menu.

OKTA-370995

The Admin Console search didn't deliver expected search results when customers searched by the full name of the user. As part of this fix, the ability to search by email address and to view the user's status has been rolled back and is now only available as Early Access.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Arena Solutions (OKTA-366918)

  • CoderPad (OKTA-368916)

  • IBM Blueworks Live (OKTA-366917)

  • NewEgg (OKTA-366340)

  • UserVoice (OKTA-366920)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Cybereason (OKTA-364009)

  • EmployerD Payroll and HR Solutions (OKTA-356069)

  • Exium (OKTA-367104)

  • HyperStore (OKTA-365050)

  • Samdesk (OKTA-367358)

SWA for the following Okta Verified applications

  • Beyond Identity (OKTA-354040)

  • Secret Double Octopus (OKTA-353300)

  • Silverfort (OKTA-352875)

  • Trusona (OKTA-352871)

  • Truu (OKTA-352866)

March 1

Fixes

General Fixes

OKTA-332375

Sometimes, admins received a generic 500 error for agentless Desktop Single Sign-On failures caused by request timeout.

OKTA-341050

Some banners in the new Okta Admin Console had inconsistent style.

OKTA-344854

The Sign-In Widget pages were missing language attributes required by screen readers.

OKTA-358773

For deactivated users, apps were still displayed in the Assigned Applications list although they had been unassigned.

OKTA-358826

In the new Okta Admin Console, after opening and closing the spotlight search window with the keyboard shortcut Control + Space, the window no longer opened when admins clicked the Search field or icon.

OKTA-363680/OKTA-371218

Sometimes, a user that was removed from a group wasn't unassigned from the apps assigned to that group, and was instead left with individual assignment.

OKTA-365542

In the new Okta End-User Dashboard, the check box for Lightweight Directory Access Protocol (LDAP) delegated authentication settings was misaligned.

OKTA-365604

Although the See Password and Update Credential settings shouldn't be available for bookmark apps, these settings were still displayed in the Okta End-User Dashboard.

OKTA-370942

Sometimes, a deactivated Office 365 app instance in Okta couldn't be deleted if the username and password for the app instance failed authentication in Microsoft.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Google Workspace (OKTA-368883)

  • Onfido (OKTA-368220)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Claim Leader (OKTA-369552)

  • FAX.PLUS (OKTA-370972)

  • Gamesight (OKTA-360548)

  • IBMid (OKTA-367991)

  • MyCarSpot (OKTA-355697)

  • Osano (OKTA-368805)

  • Sigma on AWS (OKTA-369098)

  • SmartHR (OKTA-368788)

  • Tanda (OKTA-352713)

  • Very Good Security (OKTA-369127)

  • Whil (OKTA-370655)

January 2021

2021.01.0: Monthly Production release began deployment on January 11

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

New phone rate limits

Users who attempt Voice and SMS enrollment can now be rate limited. Voice and SMS enrollment rate-limit events are now logged in the System Log. See Rate Limits.

WebAuthn feature validation updates with Trusted Origins API

The WebAuthn feature now supports trusted cross-origin and cross-Relying Party Identifier (RP ID) validation when using the Trusted Origins API. Trusted Origins are configured in the Okta Trusted Origins framework either through the Admin UI or the API. These Trusted Origins, configured with the CORS scope, now support orgs using WebAuthn for sign-in pages hosted at Trusted Origins distinct from the org's Okta URL (that is, different from the org's Okta or custom domain URL).

User authentication with MFA can be used as an Event Hook

The user.authentication.auth_via_mfa event type is now available for use as an event hook. See Event Types for a list of events that can be used with event hooks.

Browser Plugin notification expiration

Notifications for new features in the Okta Browser Plugin now expire after three months. See Okta Browser Plugin: Version history.

Okta Provisioning agent, version 2.0.2

This release of the Okta Provisioning agent includes vulnerability and security fixes. See Okta Provisioning agent and SDK version history.

Okta Workflows is Generally Available

Okta Workflows is an interface-driven, no-code platform for business process automation that provides integration with some of the most widely used third-party APIs in the industry, including Box, Slack, Salesforce, and G Suite Admin. See Okta Workflows.

Deployment is taking place over the course of several days to entitled orgs with the following SKUs:

  • IT Products - Advanced Lifecycle Management

  • Legacy SKU: IT Products - Lifecycle Management, Unlimited

  • Legacy SKU: IT Products - Lifecycle Management, Unlimited OIN Apps

  • Legacy SKU: IT Products - Lifecycle Management, 10 OIN Apps

APAC and HIPAA cells are excluded.

To access Workflows, select the Workflow > Workflows Console menu option from the Okta Admin Console.

Reports delivered by email

Admins can now receive the following reports by email:

  • Okta Usage Report

  • Okta Password Health Report

  • Current Assignments Report

  • MFA Usage Reports

See Reports.

Workday Field Overrides support

The Workday integration now uses Field Overrides reports to fetch custom profile data information instead of custom reports. Field Overrides is a faster report type than custom reports, so using this method is much more efficient. Existing custom report configurations will work, but new app instances will not have these configuration options. See Workday Provisioning.

Import Monitoring dashboard

The Import Monitoring dashboard is now available and displays user attribute imports for a seven day period. You can use the dashboard to view import progress, status, details, and logs. See View the Import Monitoring dashboard.

Technical admin configuration

Admins can now disable UI prompts that allow for end-users to contact technical admins and report issues. This is enabled by default for existing orgs, and disabled for new orgs.

Email address change notifications

Email change confirmation notification emails can now be sent to admins or admins and users. By default, email change confirmation notification emails are sent to admin users only. These notifications not only make admins and users aware of email address changes, they can also act as an early warning of suspicious activity. See Customize an email template. This feature will be gradually made available to all orgs.

Generally Available Enhancements

Group Membership System Log enhancement

The Add user to group membership and Remove user from group membership events have been updated. When triggered by group rules, these events now display the group rule ID in the TriggeredByGroupRuleId field under the Debug Context object.

Extra Verification UI enhancement for end users

The Extra Verification section under End-User Dashboard Settings is now displayed in the right column.

Inclusive language updates

As part of the Okta inclusive language initiative, the following is changed:

  • Application provisioning documentation and UI elements have been updated with inclusive language.

  • Allow list has replaced whitelist, block list has replaced blacklist, and source has replaced master.

  • Instances of profile masters, profile master, and profile mastering on the Okta Admin Console Profile Masters page have been updated to profile source and profile sourcing. The administrator documentation has been updated to reflect this change.

Risk Scoring settings

When enabled, Risk Scoring settings now appear in the Okta sign-on policy rule. See © 2021 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners..

Early Access Features

New Features

Workplace by Facebook Push AD Manager functionality

Admins can choose to disable Push AD Manager functionality using this self-service Early Access feature. This enables admins to control the manager attribute using Okta Expression Language syntax to avoid being dependent on AD for the field. See Workplace by Facebook.

LDAP agent, new version 5.7.1

This version of the agent contains:

  • Internal improvements

  • Security fixes

To view the agent version history, see Okta LDAP Agent version history.

Manage admin email notification subscriptions using API endpoints

Admins can manage email subscriptions using the Admin Email Subscription API endpoints.

  • Super admins can configure default subscription settings by admin type.

  • All admins can manage their own admin email notification subscriptions.

Enhancements

Skip to Content improvements

End users can now click Skip to Content on the new Okta End-User Dashboard to navigate directly to the Add Apps page.

Options relocation

The Recent Activity tab, End-User preferences, Admin View, and Sign Out options are now displayed in the user drop down menu on the Okta End-User Dashboard.

Fixes

General Fixes

OKTA-329862

Indonesian translations and templates were displayed in English.

OKTA-330432

The Okta Browser Plugin continued to recommend strong passwords for apps after the setting was disabled.

OKTA-345311

The sign-in page auto refresh sometimes didn't work when factor sequencing was used.

OKTA-347526

Information text in Settings > Update Credentials was incorrect for bookmarked apps.

OKTA-352737

Self-Service Registration with inline hooks failed for some orgs.

OKTA-354151

Some users were unable to enroll in Okta Verify through TOTP and PUSH methods in some orgs.

OKTA-354967

When defined for an MFA Enrollment policy, the App Condition was not enforced when a user signed in to an application.

OKTA-355035

Security methods for Safari web authentication did not allow for biometric authentication.

OKTA-355482

When super admins edited a group admin role in Security > Administrators, only the first 10 groups were displayed.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Adobe Sign Provisioning (OKTA-352597)

  • FIS E-ACCESS (OKTA-346510)

  • Google Analytics (OKTA-348673)

  • Nationwide Financial (OKTA-355417)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Culture Connect (OKTA-354618)

  • hCaptcha (OKTA-352403)

  • LinkedIn Talent Solutions (OKTA-343875)

  • Process Bolt (OKTA-353096)

SWA for the following Okta Verified applications

  • Adweek (OKTA-350720)

  • Amazon Payee Central (OKTA-347803)

  • CenturyLink (OKTA-350562)

  • TechCrunch (OKTA-343939)

  • Vue Mastery (OKTA-342948)

OIDC for the following Okta Verified applications

Weekly Updates

January 19

Fixes

General Fixes

OKTA-336092

The import of user accounts from Adobe Experience Manager to Okta failed if there were duplicate entries in the database.

OKTA-336966

The password requirements presented to LDAP-sourced users during password reset didn’t match the password policy definition.

OKTA-337515

In some cases, the link to activate an account through self-service registration led to an empty page.

OKTA-340836

When admins enabled password change notification, end users going through self-service registration erroneously received a password change notification in addition to the account activation email.

OKTA-341729

In some cases, when a role was deleted from the Amazon Web Services (AWS) console, refreshing the app data in Okta removed group assignments causing users to lose access to AWS.

OKTA-343739

Some users received notifications for new app assignments although no new apps had been assigned to them.

OKTA-346826

In the SmartSheet provisioning profile, when admins tried to change the Group Priority setting to Combine values across groups for the variable smartsheet.userPermissions, the error message: Not allowed to modify property userPermissions from the base schema was returned.

OKTA-354279

In some orgs, after account activation, Active Directory users were redirected to a blank page instead of the Okta End-User Dashboard.

OKTA-355574

Some generic or anonymized WebAuthn factors were inaccurately labeled YubiKey.

OKTA-358425

When evaluating risk using device token as a signal, some new users signing in to Okta were incorrectly marked as high risk.

OKTA-359363

Reactivated users from AD did not maintain their group memberships after import.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Cisco Webex Meetings (OKTA-356220)

Applications

Integration Updates

The Tableau Online SAML app has been updated to add support for Single Logout (SLO). Customers who previously added the integration should refer to the SAML Setup Instructions to enable this new feature.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Communifire (OKTA-353568)

  • LabLog (OKTA-356012)

  • Ybug (OKTA-356075)

SWA for the following Okta Verified applications

  • eClinical Works (OKTA-349360)

  • SiteLink myHub (OKTA-354952)

February 1

Fixes

General Fixes

OKTA-303059

API calls to Workday sometimes removed the secondary email of a user when attempting to update the user information.

OKTA-324780

Failed Lightweight Directory Access Protocol (LDAP) sign-in attempts were logged as failed Active Directory (AD) sign-in events in the System Log.

OKTA-333518

Using SAML-based Device Trust with VMware for Identity Provider (IdP) initiated flows threw a 404 error for some users.

OKTA-334383

After entering an invalid username in the Okta Sign-In Widget, users sometimes received a 404 error after refreshing the browser.

OKTA-351888

When editing a user profile, the value of a custom attribute defaulted to the first value, rather than blank (null).

OKTA-353590

If end users accessed Okta by using a Sign-In Widget in Internet Explorer, their origin header wasn't logged in the System Log.

OKTA-354271

Removing a permission set in Salesforce sometimes caused provisioning failures in Okta even though that permission set was no longer selected for the Salesforce app assignment.

OKTA-354309

The EmailEncodingKey attribute in Okta orgs was sometimes incorrectly reported to Salesforce.

OKTA-355368

Profile sourcing and attribute-level sourcing functionality was erroneously not available for Universal Directory SKUs.

OKTA-356087

Send SMS button text was not displayed correctly if the text was too long for certain languages.

OKTA-357656

When using Agentless Desktop Single Sign-on (ADSSO), admins sometimes received scripting errors.

OKTA-358469

The client IP was sometimes missing from user.authentication and policy.evaluate_sign_on events.

OKTA-358970

The logo on the user activation page didn't display correctly if it included a redirect to an application.

OKTA-359173

Inactive users were sometimes erroneously displayed in the Current Assignments report.

OKTA-362398

If the username was different from the email address, Okta Password Health reports were sent erroneously to the username instead of the user's primary email.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • ADP Workforce Now (Employee) (OKTA-361462)

  • Angus (OKTA-360602)

  • Cisco Partner (OKTA-359699)

  • MessageBird (NL) (OKTA-361828)

  • Parallels (OKTA-360298)

  • RIMS (OKTA-360587)

  • Sylvania (OKTA-360624)

  • The Economist (OKTA-360588)

  • Xero (OKTA-361732)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Airbase (OKTA-356338)

  • Kandji (OKTA-360958)

  • Pactflow (OKTA-355531)

  • Partnerize (OKTA-345643)

  • Pave Total Comp (OKTA-359579)

  • Pilgrim SmartSolve (OKTA-359054)

  • Sapling (OKTA-358186)

  • Sociabble (OKTA-355695)

  • Tax1099 (OKTA-355507)

  • ThankYouKindly (OKTA-354613)

  • WhosOffice (OKTA-355012)

  • Yonyx Interactive Guides (OKTA-355527)

December 2020

2020.12.0: Monthly Production release began deployment on December 9

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Admin Privilege events can be used as Event Hooks

Admin Privilege events are now available for use as Event Hooks. See Event Types for a list of events that can be used with event hooks.

Application Access Request Workflow Event Hooks

Application Access Request Workflow events are now available for use as an external Event Hook. Admins can use Application Access Request Workflow events to designate approvers for app access requests. See Event Types for a list of Events that can be used with Event Hooks.

The map view is again available in the System Log

The System Log map view, which was temporarily removed, is again available.

System Log events

  • The system.custom_error.update event indicates that the Custom Error page has been updated.

  • The system.custom_signin.update event indicates that the Custom Sign-In page has been updated.

  • The system.custom_url_domain.initiate event indicates that the Custom URL Domain setup has been initiated.

  • The system.custom_url_domain.cert_upload event indicates that a Custom URL Domain HTTPS certificate has been uploaded.

  • The system.custom_url_domain.verify event indicates that the Custom URL Domain has been verified in the DNS.

Recommendation text added to SSO IWA Agents section of the Downloads page

On the Okta Admin Console Downloads page, text has been added to the SSO IWA Agents section recommending that Agentless Desktop Single Sign-on (ADSSO) should be used to implement Desktop Single Sign-on (DSSO). This text has been added to highlight that ADSSO has a simplified configuration process and requires less maintenance. See Configure agentless Desktop Single Sign-on

Additional PIV IDP user profile mapping values

In Okta user profiles, three new attributes are available:

  • idpuser.subjectAltNameUuid
  • idpuser.subjectKeyIdentifier
  • idpuser.sha1PublicKeyHash

These attributes are available to newly created Personal Identity Verification (PIV) identity providers and to identity providers that were marked inactive and then reactivated.

Okta SSO IWA Web App agent, version 1.13.2

This release of the Okta SSO IWA Web App agent includes security enhancements and internal fixes. See Okta SSO IWA Web App version history.

Jira Authenticator, version 3.1.5

This release contains bug fixes and logging improvements. See Okta Jira Authenticator Version History.

Confluence Authenticator, version 3.1.5

This release contains bug fixes and logging improvements. See Okta Confluence Authenticator Version History.

State tokens in the Agentless DSSO authentication flow

An authentication state token has been added to the Agentless DSSO workflow to allow orgs to relay information such as fromUri. This change lets orgs shorten URLs and avoid HTTP 414 URI Too Long status code errors. See Configure agentless Desktop Single Sign-on.

SAML account linking

Admins can now enable or disable automatic account linking between SAML identity providers and Okta. They can also restrict the linking based on whether the end user is a member of any of the specified groups. See Identity Providers.

Generally Available Enhancements

Inclusive language updates

As part of the Okta inclusive language initiative, the following is changed:

Usability enhancements for OIDC app wizard

The OIDC app integration wizard interface has been updated with usability improvements and clarified help text. See Create an OIDC app integration using AIW.

Sign-in Widget and accessibility improvements

Main landmarks and skip links have been added to the Sign-in Widget. Accessibility improvements for OAuth and Admin Consent pages include focus on input fields and Don’t Allow buttons. See Configure a custom Okta-hosted sign-in page.

Contact your administrator link removed

The Client/Device certificate error page no longer contains an email link to contact your administrator.

BambooHR integration enhancement

The following org properties have been added to the BambooHR application integration:

  • Timezone aware pre-hires: This enables users' Lifecycle Management based on their Timezone/Location. If it is disabled, Okta manages users' lifecycles according to UTC timezone.

  • Preferred timezone: This option allows admins to set the main location timezone the same as in the BambooHR instance (BambooHR Settings > General Settings > Timezone). This is available only when the Timezone aware pre-hires option is enabled.

See Configure Provisioning for BambooHR.

UltiPro integration enhancement

In new instances of UltiPro, app user profile templates now contain a required EepPersonID field for external IDs. See UltiPro.

Group Password Policy enhancement

The Group Password Policies enhancement is now available for all Production orgs. By using Group Password Policies and associated rules, admins can configure and enforce password settings and set account recovery options for groups. See © 2021 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners..

Early Access Features

New Features

Service Principal Name functionality improvement

New Service Principal Name (SPN) functionality allows Agentless Desktop Single Sign-on (ADSSO) authentication to continue without interruption when an SPN is updated. A service account and an SPN are required for ADSSO Kerberos authentication. With this change, you can now update the SPN frequently as an additional security precaution. See Create a service account and configure a Service Principal Name.

One Time Use Refresh Token

One Time Use Refresh Token, also called Refresh Token Rotation, helps a public client to securely rotate refresh tokens after each use. A new refresh token is returned each time the client makes a request to exchange a refresh token for a new access token. See Refresh Token Rotation.

Okta Provisioning agent, version 2.0.1

This release of the Okta Provisioning agent includes vulnerability fixes and incremental import support for adding and updating user attributes. See Okta Provisioning agent and SDK version history.

Okta Provisioning agent incremental imports

The option to incrementally import user data is now available for the Okta Provisioning agent. Incremental imports reduce the time required for synchronization by only downloading user information that has changed since the last successful import. See Okta Provisioning Agent incremental import.

Fixes

General Fixes

OKTA-325406

The Italian translation in the MFA Factor Enrolled email template was inaccurate.

OKTA-328882

The Japanese translation during the password reset process was inaccurate.

OKTA-329447

In the Integration settings of the LDAP Provisioning tab, the User Attribute help link was broken.

OKTA-335816

The password requirement message displayed to some users during the self-registration process was misleading.

OKTA-337663

The Hungarian translation during the sign-in process was inaccurate.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • GetFeedback (OKTA-348946)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Adra by Trintech (OKTA-348038)

  • Authomize (OKTA-347099)

  • Axomo (OKTA-341694)

  • DefenseStorm (OKTA-345662)

  • Forcepoint Private Access (OKTA-338537)

  • IntelligenceBank (OKTA-347415)

  • KHA Online - SDS (OKTA-347435)

  • Rootly (OKTA-348648)

  • Smarklook (OKTA-346263)

  • TenForce (OKTA-338549)

  • Toggl Plan (OKTA-347528)

  • Upmarket (OKTA-344925)

  • Very Good Security (OKTA-348624)

  • WIREWAX (OKTA-347407)

Weekly Updates

December 21

Fixes

General Fixes

OKTA-303280

The ThumbnailPhoto attribute for Office 365 was hidden or uneditable, which prevented admins from making changes to Office 365 profile mapping.

OKTA-330732

The Japanese translation for password policy messages was inaccurate.

OKTA-333711

An incorrect error was returned when an admin tried to delete an app sign-on policy rule that was already deleted.

OKTA-338458

Routing rules were not honored for end users who attempted to access their orgs using an iPad.

OKTA-347185

End users couldn't sign in with Personal Identity Verification (PIV) cards when they were in a Password Expired state.

OKTA-351052

Language used in OIDC app creation was outdated.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Advanced MD (OKTA-351889)

  • Deloitte Connect (OKTA-349765)

  • RUN Powered by ADP (OKTA-351720)

  • Sigma Aldrich (OKTA-351026)

  • TSheets QuickBooks (OKTA-350027)

  • UMR (OKTA-351440)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Alchemer (OKTA-338554)

  • Bullseye TDP (OKTA-350352)

  • SQLDBM (OKTA-348943)

SWA for the following Okta Verified application

  • HomeStreet Bank Business (OKTA-343128)

OIDC for the following Okta Verified application

January 4

Fixes

General Fixes

OKTA-312643

The Okta LDAP agent couldn't set the correct account enable/disable values for IBM LDAP accounts.

OKTA-334346

When admins attempted to approve Self Service app requests from users on the new Okta End-User Dashboard, they were unable to select values for the user assignment.

OKTA-338621

When a user with a CamelCase Okta username was provisioned to Google Workspace, their username was converted to lowercase and they were unassigned during the next import into Okta.

OKTA-340092

The System Log still used Daylight Savings Time for the America: Sao Paulo time zone.

OKTA-342401

If a Workday mobile phone number wasn't mapped to Okta, it was removed from Workday during the Okta to Workday updates.

OKTA-342757

New contingent users from Workday weren't imported and the existing users weren't updated during incremental imports.

OKTA-346242

On the new Okta End-User Dashboard, end users could make an app request even when Self Service was disabled.

OKTA-347247

Self-Service Registration form fields didn't apply minimum length requirements.

OKTA-348756

Pushing new user profiles to Google Workspace failed with an Invalid User error.

OKTA-349883

The first password wasn't included in the password history when an account was created through Self-Service Registration.

OKTA-351779

Some full imports from Active Directory and LDAP failed with a This choice creates a conflict error.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Adobe Stock (OKTA-353598)

  • Express Scripts (OKTA-353604)

  • Visionplanner (OKTA-353502)

  • WebTimeClock (OKTA-353608)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified application

  • GRAVTY (OKTA-349790)

SWA for the following Okta Verified applications

  • Bitrix24 (OKTA-354066)

  • Particle (OKTA-345520)

OIDC for the following Okta Verified application

November 2020

2020.11.0: Monthly Production release began deployment on November 9

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta Browser Plugin, version 5.42.0

This version includes the following:

  • Sign-in pages are opened in a new tab only after a user installs the plugin manually, and are not opened if the plugin is installed through a group policy for Chrome, Firefox, Legacy Edge, and Chromium Edge.
  • Performance improvements.

You can download the plugin for Internet Explorer from the Okta End-User Dashboard, or for other web browsers, install through their respective stores. See Okta Browser Plugin: Version history.

OIN Manager - add app instance properties

In the OIN Manager portal, new functionality in OIDC, SAML, and SCIM submission steps allow ISVs to create custom per-tenant URLs and URIs for app integration submissions. See Configure protocol-specific settings.

Tor Anonymizer recommendation

Admins can see a new HealthInsight recommendation to view failed sign-in rates from IPs categorized as Tor Anonymizer Proxies. Okta recommends using Dynamic Zones to blacklist IPs that are categorized as Tor anonymizer proxies. See and HealthInsight.

Vendor-specific attributes

RADIUS agents now support vendor specific attributes. With this feature, admins can use optional settings to configure vendor specific attributes to include group membership. Note that no agent update is required for this feature. See Configure group response in the following topics:

Client-based rate limiting

Client-based rate limiting for the OAuth API /authorize endpoint is now available in Preview. It provides granular isolation between requests made to the /authorize endpoint by using a combination of the Client ID, user's IP address, and the Okta device identifier. This isolates rogue OAuth clients and bad actors, ensuring valid users and applications don't run into rate-limit violations. The client-based rate-limiting framework can exist in one of three modes set in the Admin console. See Account settings.

Salesforce REST OAuth

Admins can now upgrade to the latest version of our Salesforce integration. OAuth authentication will be now used for Provisioning and Imports. See Configure OAuth and REST integration.This feature is currently available for new orgs only.

User Consent for OAuth 2.0 Flows in API Access Management

A consent represents a user’s explicit permission to allow an application to access resources protected by scopes. As part of an OAuth 2.0 or OpenID Connect authentication flow, you can prompt the user with a popup window to approve your app's access to specified resources.

Consent grants are different from tokens because a consent can outlast a token, and there can be multiple tokens with varying sets of scopes derived from a single consent. When an application comes back and needs to get a new access token, it may not need to prompt the user for consent if they have already consented to the specified scopes. Consent grants remain valid until the user manually revokes them, or until the user, application, authorization server or scope is deactivated or deleted.

See User Consent for OAuth 2.0 and OpenID Connect Flows.

Generally Available Enhancements

Inclusive language updates

The OIN Catalog has been updated with inclusive terminology. Attribute Sourcing has replaced Attribute Mastering.

Changes in rate limit utilization notifications

All Customer Identity org super admins now get a detailed notification in the Okta Admin Console and an email when their org’s rate limit utilization meets the following criteria:

  • Crosses the threshold (60% for API products and 90% for Workforce products)
  • Reaches 100%

These warnings help super admins take preventative action and avoid service disruptions. See Account settings.

Group Password Policy enhancement

The Group Password Policies enhancement is now available for all new production orgs.

By using Group Password Policies and associated rules, admins can configure and enforce password settings and set account recovery options for groups. See © 2021 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners.. This feature was already released to a subset of orgs, we are now releasing it to all new Production orgs.

ThreatInsight security enhancements

ThreatInsight enhancements improve detection of credential-based attacks from malicious IPs. See About Okta ThreatInsight.

Early Access Features

New Features

Okta SSO IWA Web App agent, version 1.13.1

This release of the Okta SSO IWA Web App agent includes security enhancements and internal fixes. See Okta SSO IWA Web App version history.

Fixes

General Fixes

OKTA-293251

In some cases, reactivated AD users signing in to Okta were presented an empty Welcome screen although no user actions were required.

OKTA-297744

On the new Okta End-User Dashboard, wide logos were cut off.

OKTA-313490

In Okta End-User Dashboard > Settings > Personal Information, some editable fields extended past their border if they contained too many characters.

OKTA-321737

In some cases, admins didn't receive the Import Summary Notification Emails from Workday when an import was completed.

OKTA-321999

In some cases, users signing into Okta through email MFA received an error message despite entering the correct passcode.

OKTA-323345

The email template for password change notifications didn't allow certain expressions used in other email templates.

OKTA-323919

Admins could exclude the mandatory email field from the self-service registration form.

OKTA-326781, OKTA-329842

Admins were stuck when attempting to load Group Rules in Directory > Groups > Group Rules for certain expressions.

OKTA-328856

The Okta Browser Plugin didn’t inject credentials into sign-in pages for Org2Org SWA apps added to dashboards.

OKTA-330549

Disabled users were imported erroneously from Confluence to Okta during provisioning.

OKTA-330615

Invalid error objects returned through a Registration Inline Hook caused the client to see a 500 error rather than a 400.

OKTA-334126

Scheduled imports failed when CSV Directory Incremental Imports was enabled.

OKTA-334163

In some cases, admins erroneously received a rate limit error when viewing Access Policies through Security > API > Authorization Servers > Access policies > Select the policy.

OKTA-334255

Enrollment and reset emails were still sent to secondary email addresses even if the admin had disabled secondary email addresses.

OKTA-334929

Due to differences in the way the new RADIUS app handles username attributes, authentication failed for some users depending on whether their username had a UPN or sAMAccountName format.

OKTA-335890

Some SWA apps in the OIN App catalog were categorized incorrectly.

OKTA-337462

In some cases, custom app names for Wizard apps weren't globally unique and caused collision issues with apps from other cells.

OKTA-338863

Admins were unable to add IP addresses to the BlockedIpZone list from the System Log.

OKTA-342006

In some cases, the footer on the new Okta End-User Dashboard didn't maintain its position at the bottom of the page.

OKTA-343802H

In the Okta Admin Console, the message displayed when a rate limit was reached was incorrect.

OKTA-345672H

The new Okta End-User Dashboard was enabled for some end users even though it was disabled by the admin. The dashboard now displays the correct version depending on whether the new dashboard is enabled or not.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 1Password Business (OKTA-340768)

  • ADP Portal (OKTA-339374)

  • ADP TotalSource (OKTA-339601)

  • CBT Nuggets (OKTA-340787)

  • Citrix Right Signature (OKTA-336890)

  • ECP (OKTA-340794)

  • FCO (OKTA-340785)

  • ISSUU (OKTA-340784)

  • Legrand Service Center (OKTA-340769)

  • Miro (OKTA-338110)

  • Sainsburys (OKTA-340792)

  • Schwab Advisors (OKTA-337947)

  • SEMrush (OKTA-340786)

  • SmartyStreets (OKTA-340781)

  • SunTrust SunView Treasury Manager (OKTA-338770)

  • vAuto (OKTA-340782)

  • Zurich Adviser Portal (OKTA-340770)

The following SAML app was not working correctly and is now fixed

  • Sentry (OKTA-332821)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • AlertEnterprise Guardian Access (OKTA-331898)

  • Cirrus Federation Bridge (OKTA-331296)

  • ERP Maestro 2.0 (OKTA-328139)

  • Helper Helper (OKTA-338542)

  • Nature Research (OKTA-337029)

  • Qualified (OKTA-336983)

  • Raketa (OKTA-336302)

  • Streams (OKTA-334367)

SWA for the following Okta Verified applications

  • Adyen (OKTA-337639)

  • BNP Paribas (OKTA-331531)

  • Freshbooks (OKTA-337319)

  • Schneider Electric (OKTA-330814)

OIDC for the following Okta Verified applications

Weekly Updates

November 16

Fixes

General Fixes

OKTA-322372

Users were prompted to set up a Password Recovery Question every time they signed in to Okta when Self-Service Password Reset was enabled.

OKTA-325372

Single sign-on events for OIDC apps with Federation Broker Mode enabled didn't appear in the System Log.

OKTA-328845

In the Directories tab of the Okta Admin Console, existing app assignment settings for Groups couldn't be modified.

OKTA-328900

Some attributes sourced from NetSuite weren't imported into Okta.

OKTA-329029

Bookmark apps that were added by users didn't have See Password and Update Credentials options in the Settings tab.

OKTA-330495

Disabling the app conditions for MFA enrollment policies removed all app conditions from existing factor enrollment policies.

OKTA-334118

Some reactivated G Suite users were mistakenly deactivated in Okta.

OKTA-335769

Some POST requests to the /users endpoint incorrectly triggered Inline Hooks, which resulted in higher latency.

OKTA-336865

In some cases, redirects to the Okta Admin Console resulted in a 404 error.

OKTA-339228

In some cases, app membership changes made by Group Membership Admins weren't pushed to the app.

OKTA-346079H

In some cases, inbound federation to preview failed for Generic OIDC Idps.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • ADP Workforce Now (Admin) (OKTA-341914)

  • ADP Workforce Now (Employee) (OKTA-336993)

  • Barracuda Networks (OKTA-341592)

  • CareFirst (OKTA-341601)

  • CVS Caremark (OKTA-343161)

  • Earth Class Mail (OKTA-340804)

  • Fiserv - Client Workstation (OKTA-341610)

  • Grammarly (OKTA-341608)

  • Informatica (OKTA-341605)

  • Justifacts (OKTA-341595)

  • LexisNexis Insurance Solutions (OKTA-341583)

  • Optimal Blue (OKTA-343800)

  • Safari Online Learning (OKTA-340799)

  • ShipStation (OKTA-342680)

  • Staples (OKTA-343167)

  • Trustwave (OKTA-340797)

Applications

Application Updates

The following apps have been deprecated from the OIN catalog:

  • Kato: Kato ceased to exist as of August 2015.
  • Datasite: A new Datasite integration has been published to the OIN. The previous integration has been deprecated (renamed to Datasite Deprecated) and can no longer be added by customers. If you are using the now-deprecated Datasite app, there is no impact on you. We recommend moving to the new app to take advantage of new updates to the app we may add to it in future.

New Integrations

SAML for the following Okta Verified applications

  • Airbnb for Work (OKTA-329468)

  • Axway - AMPLIFY Platform (OKTA-335106)

  • Baker Hill NextGen (OKTA-336078)

  • Lumity 2.0 (OKTA-342160)

  • Stratafax (OKTA-339889)

OIDC for the following Okta Verified application

November 30

Fixes

General Fixes

OKTA-293294, OKTA-293296

Some screen readers didn't read the elements on the new Okta End-User Dashboard correctly when tabbing over the sections or apps.

OKTA-302414

Profile mappings were not applied downstream for users after they were added to or removed from a group.

OKTA-316898

System Log messages for self-service account password reset events were misleading.

OKTA-324892

The Assignment tab on an app page was misaligned for some admins who filtered by Groups.

OKTA-325820

When an app that requires VPN was moved to a different section of the new Okta End-User Dashboard, the VPN dialog box didn't appear.

OKTA-327550

Re-authenticating API integration credentials for provisioning-enabled apps reset the app username format.

OKTA-330846

The report name was missing from reports delivered by email.

OKTA-336058

In some cases, the password reset workflow for end users failed if admins disabled the requirement for a security question.

OKTA-337304

Aliases in Office 365 were incorrectly removed when users were assigned to the app in Okta through Licenses/Roles Management Only provisioning.

OKTA-337563

Job requests to refresh app data for the Adobe Experience Manager timed out in Preview orgs.

OKTA-338055

Salesforce integration caches were not cleared if an admin authenticated using different credentials.

OKTA-343777

Enrolling in Okta Verify with SMS push sometimes failed.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Adobe (OKTA-344942)

  • Adobe Admin Console (OKTA-345276)

  • Alaska Airlines (OKTA-344936)

  • American Express Online by Concur (OKTA-343173)

  • Autotask (OKTA-345338)

  • Backblaze (OKTA-343168)

  • Chatham Direct (OKTA-343202)

  • Citizens Bank accessOPTIMA (OKTA-343176)

  • Conservice (OKTA-343192)

  • DoorDash (OKTA-343177)

  • FullStory (OKTA-343704)

  • HelloSign (OKTA-342994)

  • International Air Transport Association (IATA) (OKTA-343209)

  • Linode (OKTA-343086)

  • Nice inContact Workforce Management (OKTA-343175)

  • One America (OKTA-344616)

  • Rakuten Advertising (OKTA-345250)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Datasite (OKTA-333536)

  • Hover, Inc. (OKTA-343149)

  • Mosio (OKTA-343051)

  • TVU Service (OKTA-344929)

  • uStudio (OKTA-342622)

OIDC for the following Okta Verified applications

December 7

Fixes

General Fixes

OKTA-311308

Admins couldn't configure LDAP instances unless usernames were formatted as email addresses.

OKTA-324213

Options to configure an inline hook for an AD instance were missing for some admins.

OKTA-325684

Some group admins received errors when they navigated to Directory > People.

OKTA-328593

After the Office 365 app was enabled, Outlook didn't appear on some end users' dashboards.

OKTA-333901

When base attributes were set as read-only, some attributes were missing from the user profile.

OKTA-336862

Admins who selected an LDAP instance with no connected agents were directed to the Agents tab instead of the Provisioning tab.

OKTA-337494

Some AD-managed users were incorrectly displayed as having admin roles.

OKTA-339859

When API Integration was enabled, some ServiceNow imports didn't import all active users.

OKTA-343355

The 3-number challenge that is part of the Okta Verify risk-based authentication feature appeared on end user mobile devices in LDAPi environments even though the feature isn't supported in those environments.

OKTA-344772

When an end user made two SMS or voice MFA enrollment requests, the second request was only sent to the backup provider if it was made within one minute of the first.

OKTA-347213

Email notifications sent through the report workflow incorrectly listed the report expiration as 30 days later, instead of 7.

OKTA-347218

The map view in the System Log still appeared even after the functionality was unavailable.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • ADP Workforce Now (Employee) (OKTA-343365)

  • Airtasker (OKTA-348075)

  • Akamai (OKTA-344943)

  • BSA E-Filing (OKTA-346870)

  • Dell Boomi (OKTA-348090)

  • Hartford Retirement (OKTA-346843)

  • Innovative (OKTA-348491)

  • Nextiva NextOS 3.0 (OKTA-346866)

Applications

Application Update

The Cloudvisor.io integration has now been deprecated from the OIN as Cloudvisor is now rebranded as Zesty. Use Zesty.co SAML app instead.

New Integrations

New SCIM integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Animaker (OKTA-344080)

  • Clockwork Recruiting (OKTA-346859)

  • CrisisGo (OKTA-335097)

  • EureQa (OKTA-348851)

  • Immuta (OKTA-343150)

  • Lawvu (OKTA-336365)

  • Mooncamp (OKTA-344916)

  • Palo Alto Networks - Prisma Access (OKTA-343825)

  • Zesty.co (OKTA-340116)

SWA for the following Okta Verified applications

  • CitiDirect BE (OKTA-340862)

  • Inside Mortgage Finance (OKTA-335129)

  • NewRez Correspondent (OKTA-339224)

  • ProofPoint Community (OKTA-340034)

OIDC for the following Okta Verified applications

October 2020

2020.10.0: Monthly Production release began deployment on October 12

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Inclusive language and terminology

Okta is focused on the adoption of inclusive language and communication. Some long-standing industry terminology and expressions have been updated in this release and will continue to be made in future releases. Click the Feedback button on any Okta Help page to share your suggestions on the use of inclusive language.

The following inclusive language changes have been made:

  • Allow list has replaced whitelist
  • Block list has replaced blacklist

See About Network Zones.

The following topics have begun to adopt the new inclusive language:

The network zones user interface has been updated with inclusive terminology:

  • Add IP Zone
  • Add Dynamic Zone

The OIN Manager user interface has been updated with inclusive terminology:

  • Profile Sourcing has replaced Profile Mastering

API Access Management enables scope as a claim

Admins can now name a claim scope in API Access Management custom authorization servers. Admins can also use the EL expression access.scope in custom claims to return an array of granted scope strings. See API Access Management.

OIN Manager - enable profile sourcing

For developer orgs, the Profile Sourcing option (previously Profile Mastering) for SCIM apps must be enabled by Okta developer support. If you're an ISV and need this functionality temporarily activated when you're testing and submitting a SCIM app integration, see Submission support.

Changes to removing personal app instances

When an end user adds an app from the OIN catalog that is not self-service within their org, a personal instance of the app integration is created. Previously, if the end user removed the app integration from their dashboard, then the app instance was kept but marked as deactivated in the System Log. Now, when the user removes the app integration, the personal instance is removed and it is marked as deleted in the System Log. See Common SSO Tasks for End Users.

On-Premise Jira versions confirmed for OKTA Jira Authenticator

The Okta JIRA authenticator has been certified to work with new On-Prem Jira versions. See Okta Jira Authenticator Version History .

Default sign on rule set to Deny in Client Access Policies for new Office 365 app instances

In Client Access Policies for new Office 365 app instances, the Default sign on rule is now set to Deny access (formerly set to Allow). Additionally, we've provided a rule above the Default sign on rule that allows access to only web browsers and apps that support Modern Authentication. This change is designed to help customers implement more secure policies by default. Note: Existing O365 app instances are unaffected by this change. For more information, see Get started with Office 365 sign on policies.

Self-Service improved plugin onboarding experience

The improved Okta Browser Plugin onboarding experience for new end users is now available on all web browsers except Safari. After installing the plugin, new end users will be automatically directed to the sign in page or will have their dashboard refreshed, and will be shown an introduction banner on their dashboard. See Install the Okta Browser Plugin.

Provision out of sync users

If you enable provisioning for an app that already has users assigned to it, Okta can sync these users so they now have provisioning capabilities. See Provisioning.

Email address change notification templates

Email address change notification templates are now available. These templates notify users of an email address change and let them confirm the change. See Customize an email template.

Password requirements formatting

When setting a password, requirements are now shown in a list format rather than a sentence format.

Generally Available Enhancements

Okta LDAP agent log enhancement

To help identify and correct latency issues between Okta and on-premises Okta LDAP agents, a delAuthTimeTotal field has been added to the Login Events section of the Okta LDAP agent log. This field displays the time in milliseconds taken to complete a delegated authentication request between Okta and the Okta LDAP agent. See Locate the Okta LDAP agent log.

Sign-In page auto refresh

In some cases, if end users don’t sign in on the Sign-In page and leave it idle until the authentication session expires, the Sign-In page now refreshes automatically to establish a new session.

NetMotion Mobility

The NetMotion Mobility (RADIUS) app is now available on the OIN. It supports the EAP-GTC protocol with RADIUS agent version 2.12.0 or later. See Configure NetMotion Mobility to interoperate with Okta via RADIUS.

OIN Manager - submission process improvements

The final processing step has been removed from the OIN app integrations submission process. Submitted app integrations that pass quality assurance (QA) testing by the OIN Operations team don't require further ISV input and are now automatically approved and published to the OIN.

OIN Manager - update submission email text

The email text sent to ISVs during the quality assurance (QA) portion of the OIN submission process has been clarified to make the information easier to understand.

Early Access Features

New Features

Okta Active Directory agent, version 3.6.0

This release includes performance improvements, security enhancements, and bug fixes. See Okta Active Directory agent version history.

On-Prem MFA agent, version 1.4.4

This version includes hardening around certain security vulnerabilities and includes a new version of the Log4J library.

Note: The new Log4J library stores properties in log4j2.xml. Before upgrading, save a copy of C:\Program Files (x86)\Okta\Okta On-Prem MFA Agent\current\user\config\rsa-securid\log4j.properties and enter any changes into the new configuration file. See On-Prem MFA Agent Version History.

RADIUS agent, version 2.14

This version includes hardening around certain security vulnerabilities and includes support for the PEAP-EAP-GTC protocol. See Okta RADIUS Server Agent Version History.

ADFS plugin, version 1.7.8

This version includes bug fixes and hardening around certain security vulnerabilities. See Okta ADFS Plugin Version History.

MFA Credential Provider for Windows, version 1.3.1

This version includes hardening around certain security vulnerabilities. See Okta MFA Credential Provider for Windows Version History .

Custom IdP factor authentication with OIDC support

Custom IdP factor authentication now supports OpenID Connect. See Custom IdP Factor Authentication .

Optional Display Preferences for new Okta End-User Dashboard

Users can now set Display Preferences on the new Okta End-User Dashboard. They can enable or disable the Recently Used section and organize their dashboard as a grid or a list. See The new Okta end-user experience.

Fixes

General Fixes

OKTA-277851

In some cases, removing tasks from the Okta Admin Dashboard failed.

OKTA-283085

When searching for apps on the new Okta End-User Dashboard, app logos included in the search results were too large.

OKTA-314990

In some cases, a user's DisplayName appeared as their user ID in the System Log.

OKTA-315076

For certain app admin operations, rate-limit error messages in the System Log erroneously suggested that admins retry failed operations manually instead of waiting for the operations to be rescheduled.

OKTA-315286

After selecting certain attributes in Advanced RADIUS settings, the On-Prem MFA agent returned the proxy IP instead of the IP address of the RSA agent.

OKTA-315638

Grammarly and Dragon extensions on Chrome caused issues for users who attempted to sign in to apps that required Okta MFA.

OKTA-321996

Users deactivated in Okta weren't deactivated correctly in the Salesforce app.

OKTA-322115

If an account was deleted while the user was in an active session, Okta presented an error instead of redirecting the user to the Sign-in page.

OKTA-322925

Certain custom attributes that were updated in Okta weren't subsequently updated in LDAP.

OKTA-325636

Admin privileges couldn't be removed from users who had an invalid email address.

OKTA-327165

When updating a security question for password recovery, end users could use the non-domain part of their email as an answer.

OKTA-327188

Some Japanese translations on the Sign-In page weren't displayed correctly.

OKTA-329289

Some email templates in Italian were inaccurately translated.

OKTA-329756

In some cases, the Pending email address change email sent to end users didn't include dynamic content.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Acronis Cloud (OKTA-333972)

  • Cisco Partner Login (OKTA-334409)

  • Flipboard (OKTA-332426)

  • Flock (helloflock.com) (OKTA-333132)

  • The Hartford EBC (OKTA-332871)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

New RADIUS integration

SAML for the following Okta Verified applications

  • CodeSignal (OKTA-333537)

  • Lexion (submitted via ISV Portal). SLA: 22/Sep/20 (OKTA-331539)

  • Mindtickle (OKTA-331529)

  • TerraTrue (OKTA-331899)

  • TransPerfect GlobalLink Dashboard (OKTA-331544)

  • Trotto Go Links (OKTA-330216)

  • WorkSafe (OKTA-334374)

Weekly Updates

October 19

Fixes

General Fixes

OKTA-296041

When searching for apps on the new Okta End-User Dashboard, all search results remained even after an app was selected.

OKTA-316869

The ShareFile app couldn't send the user.username attribute as NameID in SAML assertions.

OKTA-324814

The NetSuite app didn't display updated instance type URLs in the API integration drop down.

OKTA-330424

The Norwegian translation for the Send SMS Code MFA prompt was unclear.

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Beautiful.ai (OKTA-333538)

  • Brightflag (OKTA-325633)

  • Gamma Data Leak Prevention (OKTA-335554)

  • Gremlin (OKTA-333666)

  • Learnerbly (OKTA-332872)

  • Profit.co (OKTA-321220)

  • Pudding (OKTA-333992)

  • RemotePC (OKTA-335105)

SWA for the following Okta Verified application

  • Pacific Western Bank - Business eBanking (OKTA-330791)

October 26

Fixes

General Fixes

OKTA-309244

Although users successfully signed in to a RADIUS app using Okta Verify, the System Log recorded a failed email factor event.

OKTA-322108

When self-service registration was enabled, adding a required attribute to a non-default User Type profile threw an error.

OKTA-324298

The tool tips on the Email and SMS Customization page were missing instructions on how to edit the email template.

OKTA-325353

The error message displayed when revoking the last individually assigned Super Admin was unclear.

OKTA-328337

In some cases, the new Okta End-User Dashboard wasn't translated properly.

OKTA-328953

Approval Action and Message requests were missing from the Request History section of the new Okta End-User Dashboard.

OKTA-329123

When updating user profile mappings for Okta-to-Slack provisioning, an internal server error was thrown in some cases.

OKTA-330017

In an org with self service registration enabled, a user pushed to an Active Directory group was sent two activation emails instead of one.

OKTA-332039

Okta returned a 500 Internal Server error when the LDAP agent was disconnected and users attempted to sign into Okta with an incorrect password.

OKTA-332891

One-time MFA Usage reports contained outdated information about user status and their enrolled MFA factors.

OKTA-336169

No warnings were displayed when disabling a custom URL domain.

OKTA-337002

In developer orgs, users who were trying to reset their password were sent an email that didn't contain a password reset link.

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Funnel.io (OKTA-335549)

  • Query.AI (OKTA-325342)

SWA for the following Okta Verified application

  • Moffi (OKTA-331031)

September 2020

2020.09.0: Monthly Production release began deployment on September 08

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

New features for SuccessFactors integration

The following new features have been added to the SuccessFactors integration:

  • Time zone based pre-hires and deactivations: Admins can deactivate SuccessFactors users and import pre-hires into Okta based on the time zone of their location.
  • Incremental imports: Incremental imports improve performance by importing only users who were created, updated, or deleted since the last import.

See Learn about SAP SuccessFactors Employee Central data provisioning.

Modern authentication support

We have extended our Office 365 Sign On policies to include the ability to distinguish between web browser and modern authentication clients, giving you even more granularity in controlling how users are accessing corporate data. You access this functionality by creating a new App Sign On Rule. See Rule Configuration.

Inline Hook preview

The Inline Hook preview feature lets admins preview and validate Inline Hook requests before making them active. See Preview an Inline Hook .

Improved new device behavior detection

Stronger signals are now used for the detection of new devices. Devices with web browsers that don't store cookies are treated as new and trusted applications must send a unique identifier for each device as a device token. See Security Behavior Detection.

This feature is currently available for new orgs only.

Okta mastered attribute updates

Okta mastered attributes are now updated in a master app user profile when an org disables email customization.

Base attributes added to user profiles

When users access the Okta End-User Dashboard, all default base attributes are now added to their user profile.

Identity Provider Discovery

Using Identity Provider Discovery and routing rules, Okta directs users to different identity providers based on certain criteria. These criteria include location, device, the app being accessed, the user's domain, and specific user attributes. See Identity Provider Discovery. This feature will be gradually made available to all orgs.

Early Access Features

New Features

New Recent Activity page on the new Okta end-user dashboard

The Recent Activity page provides end users with a summary of recent sign-in and security events for their Okta account. End users can also report suspicious activity to their Okta admin by clicking I don’t recognize this. See Recent Activity.

Fixes

General Fixes

OKTA-276604

Filtering groups that were pushed by group also displayed groups that were pushed by name.

OKTA-312642

On the Activate User page, Search by Group didn't work if the search term included the vertical bar sign |.

OKTA-319877

In some cases, creating a custom SAML or SWA app using a bearer token failed.

OKTA-323045

Okta Workflows didn’t restrict application assignment to super admins.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Autotask (OKTA-318506)

  • ccLink Provider Portal (OKTA-324140)

  • Chubb Personal Insurance (OKTA-323264)

  • Earth Class Mail (OKTA-322840)

  • Jobvite (OKTA-318586)

Applications

Application Updates

  • The Zoom SCIM app schema is updated. See Configuring Zoom with Okta for more information.
  • Provisioning support has been removed from the BigMachines and GoToMeeting apps due to their low customer usage, lack of standards based integration, and high supportability cost.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Australian Access Federation (OKTA-317867)

  • Estateably (OKTA-324912)

  • Hopin (OKTA-324248)

  • Signal AI (OKTA-322928)

  • SocialHP (OKTA-322572)

  • Thematic (OKTA-322576)

OIDC for the following Okta Verified applications

Weekly Updates

September 14

Fixes

General Fixes

OKTA-307089

When attempting to reset a user's password using the password reset link, admins received a 500 Internal Server error rather than the correct error message if the user's email address was invalid.

OKTA-318040

The voice call used for MFA with Twilio as the call provider wasn't translated in Simplified Chinese, Traditional Chinese, and Portuguese.

OKTA-321794

App Admins who were granted permissions through the group assignment API could see all apps in the OIN catalog when adding an app even though they didn't have the permissions to create them.

OKTA-324295

Inline hooks that should have updated multiple user attributes only updated one.

OKTA-326226

The Origin header value was missing from the System Log event for the user.session.start debug context.

OKTA-326955

When a geographical network zone that included Okta routers was added to an IP blacklist zone, all requests to the org were blocked.

OKTA-326962

The On-Prem MFA agent was inconsistent with other agents in how often it conducted system health checks.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • ADP Portal (Employee) (OKTA-325832)

  • Bananatag (OKTA-324700)

  • ClearCompany (OKTA-323156)

  • Ecogent (OKTA-324473)

  • Figma (OKTA-324979)

  • Fullstory (OKTA-324977)

  • LucidPress (OKTA-322083)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Cloudvisor.io (OKTA-322418)

  • Indition (OKTA-321249)

  • KeySix (OKTA-322969)

  • Zenefits (OKTA-322575)

SWA for the following Okta Verified applications

  • BeyondID (OKTA-312394)

  • Tecnis (OKTA-309904)

OIDC for the following Okta Verified application

September 21

Fixes

General Fixes

OKTA-190533

Events were missing from the System Log when Identity Providers were added, updated, activated, deactivated, or deleted.

OKTA-284904

Some groups didn’t render properly under Directory > Groups after a group rule was deleted.

OKTA-328123

Importing users from SuccessFactors failed with a Java exception error.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • SAP Litmos (OKTA-328160)

Applications

Application Update

  • The AlertMedia SCIM app guide link has been updated.
  • The Zepl OIDC app has been updated to include the Initiate Login URI value.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Encoding (OKTA-296011)
  • MediaPlatform (OKTA-328133)
  • ProWriters Cyber IQ (OKTA-328138)
  • Pubble (OKTA-322567)
  • SparkPost (OKTA-326370)
  • Vote.gov (OKTA-327834)

OIDC for the following Okta Verified applications

September 28

Fixes

General Fixes

OKTA-290250

The directNumber value wasn't correctly imported from RingCentral.

OKTA-309276

On the Add Apps page of the new Okta End-User Dashboard, the placeholder text in the search field was misleading.

OKTA-309423

On the Okta End-User Dashboard, app notes weren’t visible for bookmark apps that were assigned through self-service.

OKTA-318189

When using the LDAP interface to view user objects with empty middle names, additional spaces were present in the Common Name (CN) field even though they weren't present in the CN that was returned with an API call.

OKTA-320453

Updating a routing rule failed when a network zone was deleted before removing it from the routing rule.

OKTA-322271

On the new Okta End-User Dashboard, users could auto-launch SWA apps configured with the setting Administrator sets username, user sets password without being prompted to update their credentials.

OKTA-328536

For some orgs that stopped setting up a custom URL domain partway through the process, completing the setup later failed.

OKTA-329650

On the new Okta End-User Dashboard, some app card logos were oversized.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Alexa (OKTA-330529)

  • Jobvite (OKTA-328688)
  • TransUnion (OKTA-328858)

Applications

Application Update

  • The Internap Portal app is deprecated. This app is rebranded as INAP.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Estateably (OKTA-324912)
  • Optymyze (OKTA-326879)
  • Query.ai (OKTA-325342)

SWA for the following Okta Verified applications

  • Clarity (OKTA-301636)
  • Horizon (OKTA-330251)
  • TSheets (OKTA-322853)

OIDC for the following Okta Verified applications

  • Chargifi: For configuration information, see Chargifi documentation here (you need a Chargifi account to access this documentation).

  • WarehouseTWO: For configuration information, see How to Enable Okta Login.

October 5

Fixes

General Fixes

OKTA-306373

Imports from UltiPro got stuck in the Queued status.

OKTA-309646

When adding an Access Policy to an Authorization Server, using scrollbars to navigate caused search criteria to be lost and scrollbars to disappear.

OKTA-310688

Searching groups by name on the Push Groups tab returned duplicate search results.

OKTA-315564

An internal server error was thrown and the System Log didn't record an event when sending a self-service account unlock or password reset email failed due to an invalid email recipient. A System Log event is now added to notify the admin.

OKTA-320265H

When a custom unique attribute from the Okta user profile was added to self-service registration, in certain instances user imports and creation failed.

OKTA-324204

Selecting Request Integration in the Okta Bookmark App Settings pane had no effect.

OKTA-325469

New users provisioned from Okta to DocuSign couldn’t send documents despite having correct permissions.

OKTA-325492

Reactivated users couldn’t access apps that were assigned their group while they were inactive.

OKTA-332102

User activations were logged erroneously as user.account.privilege.revoke in the System Log.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Kingsley Associates Portal (OKTA-331176)

  • MessageBird (NL) (OKTA-330524)

  • PaloAlto Networks Support (OKTA-329881)

  • Pond5 (OKTA-330614)

  • The Washington Post (OKTA-330607)

  • Trello (OKTA-330012)

  • Upwork (OKTA-331969)

  • Wells Fargo (Commercial Electronic Office) (OKTA-330311)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

  • Sparkpost: For configuration information, see SCIM User Provisioning Through Okta.

  • Gong: For configuration information, see Gong documentation here (you need a Gong account to access this documentation).

SAML for the following Okta Verified applications

  • WorkSafe (OKTA-331532)
  • Teubora (OKTA-330214)

  • Flock (helloflock.com) (OKTA-328135)

OIDC for the following Okta Verified application

August 2020

2020.08.0: Monthly Production release began deployment on August 10

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

G Suite Role Management support

Admins can manage G Suite admin roles directly from the Okta Assignments tab during user create, update, or delete operations. See Google Workspace Provisioning.

Note: Customers need to contact Okta Support to migrate their Universal Directory profile template to enable this feature.

Delete OIN draft submissions

Draft submissions of app integrations in the OIN Manager portal can now be deleted. See Update your published integration.

Configurable email OTP lifetime

Admins can now set the expiration of one-time passcodes in email messages up to 30 minutes when email is enabled for multifactor authentication. See © 2021 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners. in MFA.

Okta IWA Web agent Just-In-Time operation failures

When using Agentless Desktop Single Sign-on (DSSO) or the Okta IWA Web agent, Just-In-Time (JIT) operations fail when users are disconnected from Active Directory (AD) and the Profile & Life cycle Mastering settings don’t allow user reactivation. This behavior is expected, and consistent with JIT operations in non-IWA AD environments. See Install and configure the Okta IWA Web agent for Desktop Single Sign-on.

Group push for Active Directory

You can now use group push on the Okta Admin Console to copy groups and their members to Active Directory. See Push groups from Okta to Active Directory.

Custom TOTP Factor for MFA

Admins can now enable a custom MFA factor based on the Time-based One-time Password (TOTP) algorithm. See .

Apple as an Identity Provider

Adding Apple as an Identity Provider allows users to sign in to your app using their Apple ID. See Add an external Identity Provider.

PIV Card authentication option added to identifier first Sign In page

A PIV Card authentication option is now provided on the identifier first Sign In page when you configure a Smart Card Identity Provider and a corresponding IdP Routing Rule in the Okta Admin console. See Identity Providers.

Multiple Smart Card/PIV Card Identity Providers

Our Multiple Certificate Chain Support for PIV Auth feature allows you to leverage multiple Smart Card/PIV Card IdPs, each with different certificate chains, to allow access to a single Okta org. The correct IdP will be automatically selected based on matching the user's chosen certificate to a configured certificate chain. See Identity Providers.

End-user profile reauthentication

The Customization section has a new setting that allows an admin to set the re-authentication time when an end user edits their profile. See Configure general customization settings.

MFA for reactivated accounts

End users are now prompted for MFA before landing on the Welcome page if their accounts were reactivated and already enrolled in one or more MFA factors. This feature is currently available for new orgs only.

Extended Client Access policy capability for apps

When creating App Sign-On Policy rules to manage access to apps, admins can now specify additional granularity for platform types. Office 365 Client Access policies will continue to provide additional granularity for clients (that is, Web vs EAS). See Add Sign-On policies for applications and Office 365 Client Access Policies.

App condition for MFA enrollment policy

Admins can now use a new condition when setting a rule for an MFA enrollment policy. When this condition is configured, end users are prompted for factor enrollment when accessing all of their applications or only for those selected by their org admin. See App condition for MFA enrollment policies.

Generally Available Enhancements

System Log enhancement

When a System Log event contains more than two targets, they're now displayed in an expandable list.

Workday time zone-based user deactivation support check box

The feature that allows Workday users to be deactivated based on their local time zone is now enabled using a check box on the Workday Provisioning page. See Workday.

Improved AWS Provisioning

When a customer has an AWS instance that was configured to use the Amazon AWS IAM role as the Sign On mode, and removes an optional child account from that instance, they're warned in the UI that their role provisioning will be removed and an event is generated in the System Log.

Add Administrator Group update

To prevent permission overrides, existing admin groups can only be granted new roles through the Edit option. The Add Administrator Group feature is available for new admin groups only. See Assign administrator permissions.

OIN Manager improvements

The OIDC tab in the OIN Manager portal has been updated with new fields - a configuration guide link, additional URI tenant customization questions, and a sign-in flow option question. The improvements also include minor fixes to the UI text on the SAML tab. See Configure protocol-specific settings.

OIN Manager automated emails for discarded submissions

The OIN Manager sends an automated email to an ISV when an app integration submission is moved back to a draft state due to inaction by the ISV.

Early Access Features

New Features

LDAP agent, version 5.7.0

This version of the agent contains:

  • Support for LDAP group password policies
  • Bug fixes

See Okta LDAP Agent version history.

MFA for Windows Credential Provider, version 1.3.0

MFA for Windows Credential Provider version 1.3.0 is now available, adding support for Windows Server 2019. See Okta MFA Credential Provider for Windows Version History .

Allow or deny custom clients in Office 365 sign on policy

Admins can filter specific clients in an Office 365 app sign-on rule to allow or deny them access to Office 365 resources. This filter can be used to deny access to untrusted clients or to only allow trusted clients. See Allow or deny custom clients in Office 365 sign on policy.

Fixes

General Fixes

OKTA-267328

Group members in a BambooHR-mastered group weren't correctly reflected into Okta after the group import.

OKTA-300889

The Remember me check box on the Sign On page didn't respond to the space key when using Firefox, Internet Explorer, or Edge.

OKTA-300957

The German translation of password policy requirements wasn't accurate.

OKTA-301352

Some Turkish characters in email templates didn't render correctly.

OKTA-303517

A user could be created without providing values for required custom arrays.

OKTA-310089

When the API Access Management feature was enabled, end users signing in to an OIDC app using Agentless Desktop SSO weren't correctly redirected to the app.

OKTA-313852

The position of the app logo was mis-aligned on the Add Application page.

OKTA-320854H

When existing apps that were incorrectly labeled as new were selected, errors occurred.

OKTA-321489H

L10N_ERROR[connector-agents] errors erroneously appeared in the UI in some Security > Multifactor sections.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Cloud Guru (OKTA-315734)

  • Google AdWords (OKTA-312421)

  • Vision Planner (OKTA-316019)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Coursera (OKTA-315355)

  • MediaValet (OKTA-313684)

  • Security Studio (OKTA-313793)

OIDC for the following Okta Verified application

Weekly Updates

August 17

Fixes

General Fixes

OKTA-265994

When, in the General tab of the Salesforce app, User Profile and Type was selected as Standard Salesforce, additional import options appeared erroneously on the Salesforce to Okta Provisioning tab.

OKTA-293366

The Profile Editor displayed incorrect length constraint instructions for usernames formats.

OKTA-301252

The Okta Browser Plugin didn't generate System Log events when users accessed an app through an SP-initiated flow.

OKTA-301760

In some cases, provisioning errors occurred in Box when selecting Group Push via User Attributes.

OKTA-304562

App admin assignments for groups weren't applied properly to RADIUS apps.

OKTA-305132

SMS messages in Chinese, Portuguese, and Dutch didn't support translation.

OKTA-310687

Groups created through Group Push erroneously showed up multiple times in the group list.

OKTA-310750

System Log events weren't logged when modifying Advanced RADIUS settings in the Sign On tab of the app.

OKTA-312588

Inbound federation for some orgs failed because metadata elements of the SAML specification were missing.

OKTA-316684

Admins couldn't create service clients without the API Access Management feature.

OKTA-317457

The User Search by first and last name on the People page didn't work as expected for all search keyword counts.

OKTA-318384

In some cases, deactivating users in Workday failed for scheduled imports.

OKTA-320235

The error message displayed when creating an admin group that already had existing admin roles was ambiguous.

OKTA-321665H

Provisioning to Office 365 using User Sync or Universal Sync failed in some cases.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Adobe Sign Provisioning (OKTA-315230)

  • American Express - Work (OKTA-318244)

  • CenPOS (OKTA-320689)

  • Formstack (OKTA-318620)

  • PaloAlto Networks Support (OKTA-312790)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Ally (OKTA-317614)

  • BirdEye (OKTA-314483)

  • Cequence Security (OKTA-315329)

  • Closing Folders (OKTA-315330)

  • Datasite (OKTA-313781)

  • Documo (OKTA-318832)

  • Dundas BI (OKTA-319258)

  • Ermetic (OKTA-318858)

  • Evergreen (OKTA-318831)

  • Five9 Plus Adapter for ServiceNow (OKTA-314639)

  • Jira SAML SSO by miniOrange (OKTA-304222)

  • Netskope Admin Console (OKTA-320867)

  • OwnBackup (OKTA-298672)

  • Qase (OKTA-317609)

  • Rstudio Server Pro (OKTA-312993)

  • SecureW2 (OKTA-313771)

  • TransPerfect (OKTA-303677)

  • Tribeloo (OKTA-319293)

  • Userflow (OKTA-318828)

  • Workable (OKTA-315969)

SWA for the following Okta Verified applications

  • Chubb Personal Insurance (OKTA-317081)

  • Nutanix Partner Login (OKTA-315291)

  • TerraTrue (OKTA-319285)

OIDC for the following Okta Verified application

August 24

Fixes

General Fixes

OKTA-285972

Users encountered scrolling problems when dragging and dropping apps on the new Okta End-User Dashboard.

OKTA-313812

Help Desk and Read Only admins received false successful MFA reset confirmations for users they didn’t manage.

OKTA-318437

In orgs with Factor Sequencing enabled, customers always had password as one of the factor types in their ID token's amr claim, regardless of which factor was actually used.

OKTA-319515

On the Okta End-User Dashboard, some managed apps were listed more than once.

OKTA-320675

For some orgs with both Passwordless Authentication and Improved New Device Behavior Detection enabled, Okta treated all authentication attempts as though they came from new devices.

OKTA-325206H

Deleted Custom Domains also deleted OIDC client secrets.

OKTA-3253931H

Help Desk admins could not reset passwords.

App Integration Fixes

The following SAML apps were not working correctly and are now fixed

  • Netskope Admin Console (OKTA-322294)

  • RStudio Connect (OKTA-320865)

  • TeamzSkill (OKTA-321223)

The following SWA apps were not working correctly and are now fixed

  • Google AdWords (OKTA-319559)

  • New Relic by Account (OKTA-319755)

  • ShipStation (OKTA-319715)

Applications

Application Update

monday.com now supports the following Provisioning features (this is in addition to the other provisioning features that it already supports):

  • Group Push
  • Update User Attributes
  • Password Sync

For configuration information, see Provisioning Configuration - Okta.

New Integrations

New SCIM Integration application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Databox (OKTA-321227)

  • ENTOUCH (OKTA-321208)

  • Ramp (OKTA-312623)

  • Terraform Cloud (OKTA-315643)

OIDC for the following Okta Verified applications

August 31

Fixes

General Fixes

OKTA-294233

In some orgs configured with a custom URL domain, the password reset link provided in the custom email template redirected users to the Sign In page instead of the reset password flow.

OKTA-306130

The error message admins received when trying to add a second password inline hook was misleading.

OKTA-309244

Successfully authenticating into a Radius app using Okta Verify logged a failure event in the System Log.

OKTA-318932

Okta Confluence Authenticator dependencies caused problems with 3rd party Confluence Plug-ins using the javax.inject library. To obtain this fix, upgrade to the latest Okta Confluence Authenticator, version 3.1.4, see Okta Confluence Authenticator Version History.

OKTA-323151

App notes on the Okta End-User Dashboard were misaligned.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Cisco Meraki Dashboard SAML (OKTA-322785)

  • Jobvite (OKTA-318586)

  • LucidChart (OKTA-320576)

Applications

New Integrations

SAML for the following Okta Verified applications

  • CloudSign (OKTA-316737)

  • MyCompliance (OKTA-318059)

SWA for the following Okta Verified application

  • Internap (OKTA-321035)

OIDC for the following Okta Verified applications

July 2020

2020.07.0: Monthly Production release began deployment on July 13

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

LDAP agent, version 5.6.6

This release provides the same functionality as release 5.6.5. Some default settings have been updated. See Okta LDAP Agent version history.

Reduced LDAP Interface inactive connection time out

The time out for inactive LDAP Interface connections that don't receive LDAP operations has been reduced from 120 seconds to 30 seconds, and they are now disconnected after 30 seconds of inactivity. Connections that receive an LDAP bind operation time out after 120 seconds.

Warning message added to the Import Settings page

A warning message now appears on the Active Directory Import Settings page to warn users that changing the user and group organizational unit settings can result in the deprovisioning of users.

App integration logos

The maximum size for an app integration logo has been increased from 100 KB to 1 MB. For best results, use a PNG file with a minimum resolution of 420 x 120 pixels, with landscape orientation, and with a transparent background.

Terms of Service acceptance required

Terms of Service acceptance is required from the first super admin to initiate access to OCC (Okta Cloud Connect), Developer, and Free Trial editions of Okta.

New Group Membership Admin role

The new Group Membership Admin role grants permission to view all users in an org and manage the membership of groups. See The Group Membership Admin role.

Dynamic authentication context for SAML apps

Admins can configure a custom attribute statement for SAML assertions to send user's authentication context to SAML apps during the app authentication process. The app uses this information to limit access to certain app-specific behaviors and calculate the risk profile for the signed-in user. See Pass Dynamic Authentication Context to SAML Apps.

Prevent web browsers from saving sign-in credentials

You can prevent browsers such as Chrome from saving  an end user's sign-in credentials for Okta as well as for third-party apps accessed through the Okta Dashboard. See Prevent web browsers from saving sign-in credentials.

ASN Support for Dynamic Zones

Admins can now enter ASNs (Autonomous System Numbers) when creating or editing a dynamic zone. See Dynamic Zones.

DocuSign support update

DocuSign now supports workers who have an Activation Sent status in DocuSign.

Schema Discovery for Cornerstone On Demand

The Cornerstone On Demand provisioning app now supports Universal Directory and Schema Discovery. See the Cornerstone On Demand Provisioning Guide.

Profile Mastering and Push can be enabled together

Admins can enable both Profile Master and Push for an app. This allows all Okta-to-App mappings to push, regardless of whether Active Directory is the Profile Master.

OIN Manager supports multiple application submissions

When submitting a new application integration for review by Okta, the OIN Manager now supports multiple concurrent application submissions:

 

Risk Scoring sign-on policy rule

Admins can now set a risk level as part of a sign-on policy rule. Setting a risk level helps determine potential security risks that are associated with an end user when they attempt to sign in to their org. This feature will be gradually made available to all orgs.

see Risk Scoring.

Generally Available Enhancements

Okta Browser Plugin enhancements

The following improvements have been added to the Okta Browser Plugin:

  • The plugin icon displays a green exclamation point (!) to alert users of new plugin features that have been added.
  • The plugin settings highlights new opt-in features when they are made available.
  • In Firefox, the Close tab button, shown to users after granting privacy-related permissions for the Okta Browser Plugin, is removed due to browser limitations.
  • In Chrome, when the Offer to Save Passwords setting is controlled by a group policy, the popover setting to prevent the browser from prompting to save passwords is hidden from end-users.

Inline Hook links to Overview page

In the Okta Admin Console > Inline Hooks page, clicking an Inline Hook now directly opens the Overview page. See Inline Hooks.

File size and file hash information for Okta Active Directory and LDAP agents

File size and file hash information is now provided for the Okta Active Directory and Okta LDAP agents on the Okta Admin Console > Downloads page.

Early Access Features

New Features

New RADIUS agent, version 2.13

This version includes security enhancements, a buffer overrun fix, and a dialog title change to the RADIUS Agent installer. See Okta RADIUS Server Agent Version History.

Litmos supports Advanced Custom Attributes

The Litmos provisioning app now supports Advanced Custom Attributes. See Litmos Provisioning Guide.

Fixes

General Fixes

OKTA-290791

Users who switched to a new app section in the Okta Browser Plugin weren't redirected to the top of that section.

OKTA-292056

The percentage listed in messages on the Okta Admin Dashboard occasionally contained an extra percentage symbol.

OKTA-292816

Group membership roles on the Assignments tab didn't reflect the actual membership roles of users in the Confluence app.

OKTA-296301

Users configuring voice call as an MFA factor were redirected to a wrong page if they refreshed the page during the setup.

OKTA-302908

Admins received a 404 error when opening the Rules tab on the Groups page in a new tab.

OKTA-304503

Users repeatedly received prompts to reinstall or update the Okta Browser Plugin regardless of its version and were given false warnings that the plugin was infected or unsafe.

OKTA-304770

The publisher for the Okta Browser Plugin for Internet Explorer was incorrectly listed as Internal Okta CA instead of Okta, Inc. in Internet Explorer > Tools > Manage add-ons.

OKTA-306546

The incorrect plugin version number was displayed for the Okta Browser Plugin in Internet Explorer > Tools > Manage add-ons.