Production

March 2019

2019.03.0: Monthly Production release began deployment on March 11

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Default sign on rule set to Deny in Client Access Policies for new Office 365 app instances

In ClientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. Access Policies for new Office 365 appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. instances, the Default sign on rule is now set to Deny access (formerly set to Allow). Additionally, we've provided a rule above the Default sign on rule that allows access to only web browsers and apps that support Modern Authentication. This change is designed to help customers implement more secure policies by default. Note: Existing O365 app instances are unaffected by this change. For more information, see Office 365 Client Access Policies.

Skip importing groups during Office 365 user provisioning

While provisioning Office 365 in Okta, you can choose to skip importing Office 365 user groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. and group memberships into Okta. This allows you to focus initially on user provisioning and take care of group assignments later in the deployment process. For more information, see Skip importing groups during Office 365 user provisioning.

Additional Custom Attributes for Webex integration

Our Webex integration is enhanced by adding support several new custom attributes. Okta imports these attributes that you can then map as additional custom properties. For more information see the Webex Provisioning Guide.

System Log enhancement

We’ve enhanced our System Log to take advantage of our new Network Zones feature. Admins can now hover over an IP address that's part of an event and navigate through the series of menus to add that IP address to either the gateway or proxy list of IP addresses.

SCIM App Wizard

Okta supports SCIM (System for Cross-domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https). Identity Management specification) provisioning for apps created with the Okta App Integration Wizard (AIW).

For more information about SCIM, see SCIM-Based Provisioning Integration. For instructions to enable SCIM for app-wizard apps, see The SCIM App Wizard.

View admin list by role

Super admins can now filter the list of admins by role and type for easier searching.

New macOS Device Trust Registration Task, version 1.2.0

This release includes the following:

  • Slack is added to the default app whitelist.

  • The System event in the System Log now reports the DeviceDisplayName attribute in the DebugContext:

  • Improvements to the logs that the Registration Task publishes to Jamf Pro during deployment.
  • Internal fixes and performance enhancements.

For version history, see Device Trust for macOS Registration Task Version History.

Social Identity Providers

This feature allows your end usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using chiclets to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. to self-register with your custom applications by first authenticating through their existing social identity accounts, such as Facebook, Google, Yahoo, or LinkedIn. For new usersIn Okta literature, we generally refer to "users" as the people who serve as Okta administrators. When we refer to "end users" we are generally referring to the people who the administrators serve. That is, those who use Okta chiclets to access their apps, but have no administrative control. of your custom application, Okta creates a Just In Time (JIT) Okta user profile based on attributes stored in their social profiles.

For more information see Identity Providers.

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. For details, see Using the LDAP Interface.

Enhanced Group Push for Litmos

Group Push now supports the ability to link to existing groups in Litmos. While this option is currently only available for some apps, we’ll periodically add this functionality to more provisioning-enabled apps. For details about this feature, see Using Group Push.

Schema Discovery for Litmos

The Litmos provisioning app now supports UD and Schema DiscoveryAbility to import additional attributes to Okta. For more information, see the Litmos Provisioning Guide.

Assign admin privileges to an Okta group

Super admins can now assign Okta admin privileges to Okta groups, making it easier to onboard large numbers of admins quickly. Everyone in the group receives the admin privileges assigned to the group. For details, see Assign admin privileges.

System Log events for YubiKey Seed

New System Log events have been added when a user uploads or revokes a YubiKey Seed successfully.

System Log events for Active Directory imports

A new System Log event appears when an Active Directory import is converted from an incremental to a full import.

A new System Log event appears when a full Active Directory import is required.

Admin role behavior changes

Admin roles assigned by adding a user to an Admin group can no longer be edited or customized for individual users. To edit or remove admin privileges from a user that were assigned by adding the user to an admin group, you must remove the user from the group. Additionally, if a user has individual admin privileges assigned to them as well as admin privileges they received due to being in an admin group, each admin privilege will be listed separately. The icons indicate whether the privilege was assigned individually or as a result of group membership. For details, see Admin assignment page overview and Assign admin privileges.

Use Expression Language (EL) to map AD attribute to Workplace by Facebook

Okta now uses EL to map manager from AD to the Workplace by Facebook app for all new apps. For more information about Workplace by Facebook provisioning, see the Workplace by Facebook Provisioning Guide.

CPC app operations throttling

To ensure execution of all customers’ provisioning operations in a timely manner, operations for CPC apps are now throttled on a per org basis.

Enhanced Okta Mobile Security Settings for Android and iOS

Applies to:

  • Okta Mobile 3.8.1+ for Android
  • Okta Mobile 5.22.0+ for iOS

From the admin console, you can configure the following security settings for devices running specific versions of Okta Mobile:

  • Specify the PIN length.
  • Allow/disallow use of a simple PIN (repeating/ascending/descending numeric sequences).
  • (Android only) Allow/disallow users taking screenshots, recording videos, or sharing their screen.

For details, see Okta Mobile Settings.

Generic OIDC

Generic OpenID Connect (OIDC) allows users to sign in to an Okta org using their credentials from their existing account at an OIDC Identity Provider (IdPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta.). A generic OIDC IdP can be a third-party IdP that supports OIDC, such as Salesforce or Yahoo or your own custom IdP. You can also configure federation between Okta orgs using OIDC as a replacement for SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IDP, and the SP.. For more information, see Generic OpenID Connect.

Generally Available Enhancements

Enhanced search for Group membership rules

You can now search for group rules by name, target groups, and expression conditions. For more information about Group membership rules, see Using group membership rules.

Change to Reset Password page

When Administrators navigate to Directory > People > Reset Password, the default view is now Locked Out users instead of All. This has been changed for performance reasons. For details, see Reset end user passwords.

Documentation links for Security Checklist

The Security Checklist on the admin console is updated to include documentation links for each setting. For more information about this feature, see Security Checklist.

Region codes updated for network zones

Network zones region codes are updated to adhere to the specifications of the ISO-3166 standard. This update includes changes to region names within Mexico, the Democratic Republic of the Congo, and Czech Republic. For more information about using country and region codes, see Networks.

Early Access Features

New Features

App condition for MFA enrollment policy

Admins can now use a new condition when setting a rule for an MFA enrollment policy. When this condition is configured, end-users are prompted for factor enrollment when accessing all of their applications or only for those selected by their org admin. For more information, see App Condition for MFA Enrollment Policy.

Review prompt on Okta Mobile for iOS

End-users using Okta Mobile on iOS are prompted to provide an App Store rating for the app. When they provide a rating in the app and click Submit, they are taken to the App Store page for the Okta Mobile app to provide more optional feedback about the app. They can click Not now to dismiss the option. For more information, see Review prompt on Okta Mobile (iOS only).

Schedule user imports

When you set up Provisioning to import users from an app or from a CSV directory to Okta, you can set up a schedule for imports at regular intervals on an hourly, daily, or weekly basis. If your app supports incremental imports, then you can set up both full and incremental import schedules. This integration applies to all non-AD and LDAP applications that support imports such as CSV directory, Workday, SuccessFactors, BambooHR, Salesforce, and so on. For more information, see Scheduling imports.

Okta On-Prem MFA Agent, version 1.4.0

This release replaces the JRE with the Amazon Corretto 8.0 version of OpenJDK JRE. For the agent version history, see Okta On-Prem MFA Agent Version History.

OIN Manager supports multiple application submissions

When submitting a new application integration for review by Okta, the OIN Manager now supports multiple concurrent application submissions (for new orgs only).

 

Early Access Enhancements

Custom domain certificate update

Custom domain setup can support up to 4096-bit certificates in the certificate chain. For more information about custom domains, see Configure a custom URL domain.

Custom domain HTTP to HTTPS redirect

Custom domain can redirect from HTTP to HTTPS. For more information about custom domains, see Configure a custom URL domain.

Fixes

General Fixes

OKTA-135037

Disabled users in the Roambi app were incorrectly imported into Okta.

OKTA-205616

The tooltip for username was missing on the Identifier-first login page when using IdP Discovery.

OKTA-205713

The Okta Interstitial page used an incorrect font on Windows OS.

OKTA-205734

The authentication process took more time than expected when the "Permit Automatic Push for Okta Verify Enrolled Users option for the RADIUS application was activated.

OKTA-207282

End-users could not see the Zip Code on the Personal Information page on the end-user dashboard despite having read-write permissions.

OKTA-207634

Customers were not properly redirected to the correct JIRA On-Prem instance after updating to JIRA On-Prem version 3.0.7.

OKTA-208446

Updates to the Okta Reporting Path were not saved on the first attempt and failed with errors when configuring API integration for the UltiPro app.

OKTA-209118

When configuring an OPP app with a SCIM connector, authentication headers were sometimes misconfigured.

OKTA-210624

For Desktop Device Trust flows, authentication failures reported in the System Log lacked sufficient detail.

OKTA-211769

When Single Line Prompt was enabled in the Radius app, login using a soft token generated duplicate events in the System Log.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

Applications

Application Updates

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • Zscaler 2.0 (OKTA-210280)

SAML for the following Okta Verified applications

  • Idiomatic (OKTA-210213)

  • Stack Overflow Enterprise (OKTA-211271)

SWA for the following Okta Verified applications

  • 1st Global: Identity Server (OKTA-203266)

  • Amazon Incentives (OKTA-205373)

  • ClickToTweet (OKTA-206100)

  • Cumberland (OKTA-202677)

  • ForeScout (OKTA-203181)

  • Fremont Bank (OKTA-205715)

  • GoodHabitz (OKTA-206150)

  • HR Certification Institute (OKTA-204048)

  • Johnson & Johnson (OKTA-207334)

  • LinkedIn Sales Navigator (OKTA-202984)

  • LivePerson LiveEngage (OKTA-206681)

  • Lutron (OKTA-206149)

  • PNC Retirement Directions Participant Login (OKTA-206676)

  • SagicoreLife: Agent Login (OKTA-202262)

  • SecurePay (OKTA-210232)

  • Supermetrics (OKTA-205909)

  • Template Two Page Plugin App (OKTA-207162)

  • Texas Mutual (OKTA-207028)

  • Zscaler 2.0 (OKTA-210280)

Weekly Updates

Closed2019.03.1: Update 1 started deployment on March 18

Fixes

General Fixes

OKTA-184126

Custom domains were incorrectly reserved before being verified.

OKTA-194918H

Password credentials for the Paychex Online app were not inserted into the Password field in Edge browsers.

OKTA-204814

Certain group membership rules to assign AD-mastered users to an Okta group did not remove the users from the group when they were deactivated in AD.

OKTA-207871

Editing certain existing custom SAML app configurations resulted in errors.

OKTA-209615

In some cases, the EA Feature Manager page on the Admin Console had mismatched or empty feature descriptions.

OKTA-211237H

The complex password generator was able to generate passwords in the format of an <html> tag.

OKTA-212828

Resetting Web Authentication from the end-user Settings page displayed errors even when the action was successful.

OKTA-212890

The Getting Started page on the Admin Console displayed errors for Internet Explorer 10 users.

OKTA-213551H

Push Group failed for the Zscaler 2.0 app and no Retry task was available in the admin console.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • NetSuite (OKTA-209499)

The following SWA apps were not working correctly and are now fixed

  • MileIq (OKTA-212466)

  • Ncontracts (OKTA-209463)

  • Ray Wenderlich (OKTA-212010)

  • Sequr (OKTA-212548)

  • Skillshare (OKTA-211690)

  • WorkFlowy (OKTA-212464)

  • WP Engine (OKTA-210832)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Casetabs (OKTA-212169)

  • Projector PSA (OKTA-212170)

  • Sqreen (OKTA-211580)

  • UWV Employer Portal (OKTA-209228)

SWA for the following Okta Verified applications

  • Arrowhead Auto: Producer Login (OKTA-203718)

  • Citi Investor Reporting For Structured Finance (OKTA-194263)

  • ClinPhone (OKTA-211579)

  • IDShield Plus (OKTA-207842)

  • Salt Lake Tribune (OKTA-203950)

  • Taleo Enterprise User Login (OKTA-211578)

  • Wright National Flood Insurance Company (OKTA-207916)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • Microsoft Office 365 (OKTA-199395)

February 2019

2019.02.0: Monthly Production release began deployment on February 19

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

PIV Support for MTLS

Authentication for PIV (Personal Identification Verification) now supports the MTLS protocol and may be used once you have whitelisted the following domain: *.mtls.okta.com. For more information about IP whitelisting and Okta domains, refer to Configuring Firewall Whitelisting.

Location-based network zones

Zones can now be defined based on geo-location. For more information on location zones, see Networks.

Remember Device setting enabled by default

As part of sign-on policy rules, admins can now enable by default the setting for end users to not be challenged on the same device again upon sign in. For more information on this feature, see Security Policies.

Support for converting contractors to full time employees in Workday

Added support for converting contractors to full time employees within Workday. For more information see Workday Provisioning Guide.

End-user plugin settings

End users can now configure Okta Plugin settings directly from the Your Apps menu in their browser. This feature lets end users customize the local behavior of the plugin, and helps end users and admins troubleshoot problems that may occur with the plugin. For details, see Configure the Okta browser plugin (end-user settings). This feature is GA for Preview orgs only.

Copy temporary password to clipboard

When resetting a password, admins can copy the temporary password directly to the clipboard by clicking the copy to clipboard icon.

Google Integration updated

Okta's Google social login integration has been updated to account for the deprecation of the Google+ API. More information can be found in our Knowledge Base.

Signature and Digest Algorithms for Template WS-Fed Applications

Template WS-Fed applications can now choose between SHA1 vs SHA256 options for their Signature and Digest Algorithms. In addition, all Template WS-Fed applications will have X.509 certificates signed with SHA256. For more information, see Configuring the Okta Template WS Federation Application.

Okta Plugin for Safari updated to 5.26.1

The Okta plugin for Safari browsers is updated to version 5.26.1. To meet Apple requirements, Okta built this version of the plugin as an App Extension to replace the legacy .safariextz architecture. This and future versions of the Okta Safari plugin will be available from the Mac App Store. For history, see Browser Plugin Version History

Generally Available Enhancements

Email notifications enabled by default

The setting for sending an email notification to end users who enroll in a new factor or request a factor reset is now enabled by default. For more information, see General Security.

EA Feature Manager feature list expanded

You can now enable Early Access features in the EA Feature Manager that may have other feature dependencies. If you select an EA feature that has a dependency on another feature, you must enable the required feature dependency before enabling your initial selection. For details, see Manage Early Access Features .

G Suite Provisioning Guide

Provisioning for G Suite now includes a link to the G Suite Provisioning Guide.

Closed

Early Access Features

New Features

Okta Active Directory agent, version 3.5.6

This release includes the following changes:

  • Back-end changes to improve how the agent refreshes its DNS entries and connects to servers during disaster recovery.

  • The MaxRetryLimitSleep parameter default is now 8 minutes.
  • A bug fix resolving group membership issues when a user is created by JIT.

For more information, see Okta Active Directory agent version history.

Okta LDAP agent, version 5.5.4

This release contains internal changes and bug fixes. For more information, see Okta Java LDAP agent version history.

Use Okta MFA for Azure AD Conditional Access and Windows Hello for Business Enrollment

  • Satisfy Azure AD Conditional Access MFA requirements for your federated Office 365 (O365) app instance.
  • Enroll end users into Windows Hello for Business.

For more information, see Use Okta MFA to satisfy Azure AD MFA requirements for Office 365.

MFA for ePCS

Okta provides multifactor authentication for the Electronic Prescribing for Controlled Substances (ePCS) system with its integration to Epic Hyperspace, which is the front-end software that launches ePCS. For more information, see Okta MFA for Electronic Prescribing for Controlled Substances (ePCS)

Automations

Automations enable you to quickly prepare and respond to situations that occur during the lifecycle of Okta-mastered end users. You can set up and schedule the following automations to perform actions upon the groups you select:

  • User inactivity
  • User password expiration

For more information, see Automations .

Prevent web browsers from saving sign-in credentials

You can prevent browsers such as Chrome from saving  an end user's sign-in credentials for Okta as well as for third-party apps accessed through the Okta Dashboard. For more information, see Prevent web browsers from saving sign-in credentials.

Mark Okta user profile attribute as sensitive

Okta now allows Super admins to mark an attribute in the Okta user profile as sensitive, which ensures that no one in Okta can view the information stored in that attribute field. You can also use sensitive attributes in SAML assertions to apps, allowing you to pass these sensitive attributes from the source app through Okta to an upstream app. For details, see Hide sensitive attributes.

Early Access Enhancements

Inline MFA Enrollment for RADIUS Apps

Admins can now either allow or prohibit end users to access resources protected by RADIUS to enroll in MFA while authenticating. For more information, see Configuring RADIUS applications in Okta.

Fixes

General Fixes

OKTA-145565

The response error message included a typo when an invalid 4-byte UTF-8 character (such as an emoji) was input into a text field

OKTA-201017

Sometimes when a Microsoft proxy was used, the proxy IP was displayed as the client IP in the System Log although the policies were enforced on the client IP.

OKTA-201572

End users had difficulty entering an SMS MFA code on the Okta sign-in page because a large portion of the Enter Code field was not clickable.

OKTA-201733

The Early Access feature that allows Okta-mastered users to move across OUs sometimes failed to update the organizational unit for Active Directory users whose account was pushed to Active Directory from Okta and whose AD username (CN) contained one of the following characters: ,\#+<>;"=

OKTA-203163

User profile updates for the Cornerstone app failed if the user already existed in Cornerstone.

OKTA-206191

In some cases group rules dependent on other group rules were not processed properly during user updates.

OKTA-206270

The Identity Provider list did not properly display the Authorize URI and Redirect URI fields.

OKTA-207402

Attempts to apply an app Sign On Policy Rule to users returned a spinning icon. This issue only occurred on Preview orgs.

OKTA-207554

The app Sign On Policy Rule that denied user access was not logged in the System Log’s application.policy.sign_on.deny_access event.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • CyberArk Password Vault Web Access (OKTA-206890)

The following SWA apps were not working correctly and are now fixed

  • BullsEye Telecom (OKTA-207387)

  • Easy Projects (OKTA-207086)

  • Google Data Studio (OKTA-207296)

  • Infor EAM (OKTA-206680)

  • Looker (OKTA-206856)

  • ThinkHR (OKTA-207312)

  • Visible Equity (OKTA-206845)

Applications

Application Updates

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Boostr (OKTA-203119)

  • Pavaso (OKTA-207100)

  • PitchBook (OKTA-206101)

  • Revivn (OKTA-206671)

  • Rockset (OKTA-207102)

SWA for the following Okta Verified application

  • Zywave Home (OKTA-193830)

Weekly Updates

Closed2019.02.1: Update 1 started deployment on February 25

Fixes

General Fixes

OKTA-197013

MFA Factor Reset email template failed to save with a validation error.

OKTA-199716

If the Self Service Registration form included Preferred Language and Country Code attributes, the Registration page did not load.

OKTA-200815

The Report Client IP setting of the RADIUS app did not affect the IP displayed in the Okta Verify Push notification received by the end-user.

OKTA-202390

The setting for Dropbox user deactivation type in the application's Provisioning tab was not saved.

OKTA-202836

The number of Adobe Experience Manager groups and roles displayed in Okta was limited to 2000.

OKTA-203199

CSV reports downloaded from the System Log were missing IPChain data.

OKTA-203815

Some Okta accounts were not reactivated properly after related Active Directory accounts were re-enabled.

OKTA-204577

Some admins without appropriate permissions were able to see the Import tab for Directory Integrations.

OKTA-204887

Downloading CSV reports for Current Assignments failed.

OKTA-205714

When a Routing Rule was used with Agentless Desktop SSO or on-premise IWA, and user match criterion was specified, the rule resulted in a failed login flow.

OKTA-208669

Litmos app provisioning failed for some clients using the Australian tenant of the app.

OKTA-209258

Evaluation of some EL expressions resulted in unintended errors.

OKTA-209844

If routing rules and IWA were both enabled, the User matches section for Routing Rules was erroneously visible.

App Integration Fixes

The following SAML apps were not working correctly and are now fixed

  • NetSuite (OKTA-208950)

  • SightPlan (OKTA-208109)

  • SightPlan (OKTA-208109)

  • Torii (OKTA-208155)

The following SWA apps were not working correctly and are now fixed

  • AccessNS (OKTA-207099)

  • Amazon JP (OKTA-206135)

  • Apple Developer (OKTA-208815)

  • BVS Performance Solutions (OKTA-201303)

  • EZ Texting (OKTA-207091)

  • IATA (OKTA-205105)

  • NCCI Field Call (OKTA-207098)

  • Shopify (OKTA-209070)

  • Site5 (OKTA-207092)

  • Tegile (OKTA-208801)

  • Virgin Pulse (OKTA-207089)

  • yodeck (OKTA-208800)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

New Integrations

New SCIM integrations

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • AMGtime (OKTA-208211)

  • Doppler (OKTA-208076)

  • EpicCareLink (OKTA-209500)

  • Flock (OKTA-208088)

  • Ontrack Workflow (OKTA-205379)

  • Qualified.io (OKTA-204346)

  • Squadcast (OKTA-208072)

  • Stormboard SAML (OKTA-208075)

  • Web Manuals (OKTA-206111)

Mobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • Jobvite (OKTA-205265)

  • Lattice (OKTA-203396)

  • Lattice (OKTA-203396)

SWA for the following Okta Verified applications

  • Access FileCloud (OKTA-202796)

  • Aquera (OKTA-207382)

  • AutoEntry (OKTA-201237)

  • BungalowNet (OKTA-201604)

  • Centralized Showing Service (OKTA-202381)

  • Qumulo Partner Portal (OKTA-202644)

  • Rocket Lawyer (OKTA-202052)

  • Sweetgreen (OKTA-201715)

  • SwipedOn (OKTA-203574)

  • Tempo (OKTA-200175)

  • Travelport: Rooms and More (OKTA-201895)

  • Uxpressia (OKTA-199602)

Closed2019.02.2: Update 2 started deployment on March 4

Fixes

General Fixes

OKTA-175415

Some users who enabled Yubikey as an MFA factor could not use it for sign in.

OKTA-186607

In some cases, AD-mastered users reactivated in Okta remained in the Password Reset status on the Okta Admin Console. 

OKTA-196329

The toggle button for switching between the Okta Developer Console and the Classic UI was mispositioned.

OKTA-205914

Profile changes were not synced to Active Directory or LDAP directories when they occurred at the same time that an app-mastered user was reactivated in the app.

OKTA-206305

Deleted users were sometimes incorrectly shown as Active instead of Inactive in the Okta Usage Report.

OKTA-206513

In some cases, the Okta Admin Console took a long time to load.

OKTA-206559

Sometimes IdP routing rules did not direct to the correct identity provider when the request contained an empty username query parameter.

OKTA-210021

For app sign on policies configured to gate app access when client IPs match specified network zones, the matched network zone did not appear in the Zone field of the System Log events.

App Integration Fixes

The following SAML apps were not working correctly and are now fixed

  • HostAnalytics (OKTA-208766)

  • IBM MaaS360 (OKTA-195086)

The following SWA apps were not working correctly and are now fixed

  • Appbot (OKTA-209897)

  • DHL Express (OKTA-209932)

  • IDrive (OKTA-209898)

  • Smallpdf (OKTA-209784)

  • WP Engine (OKTA-209535)

Applications

Application Updates

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

New Integrations

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Fulcrum (OKTA-210208)

  • HostAnalytics (OKTA-210227)

  • IDrive (OKTA-204347)

  • Modern Health (OKTA-210046)

  • PlainID (OKTA-210274)

SWA for the following Okta Verified applications

  • Adobe Experience Cloud (OKTA-204957)

  • Benson (OKTA-204945)

  • Bloomberg BNA (OKTA-205736)

  • Boston Properties (OKTA-204477)

  • Catalist (OKTA-204927)

  • Comerica Business Connect (OKTA-204380)

  • Florida Peninsula (OKTA-204778)

  • Genworth Mortgage Insurance (OKTA-202860)

  • Legrand Service Center (OKTA-204458)

  • NCR (OKTA-205586)

  • SoftMouse (OKTA-205528)

  • Title365 (OKTA-202822)

  • Wish (OKTA-205049)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • Figma (OKTA-203395)

January 2019

2019.01.0: Monthly Production release began deployment on January 14

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Email notifications for Factor Enrollment and Factor Reset

Admins can enable two new settings for email notifications that are sent to end users. When enabled, end users will receive an email confirmation if the end user or an admin enrolls in a new factor or resets an existing factor for their account. For more information on end user email notifications, see General Security.

Automatically send an email to locked-out end users

You can automatically send your users an email if their account becomes locked due to too many failed sign-in attempts. You can insert a link in the email to let users unlock their account. For details, see Configure lockout settings.

Group Push enhancements

Group Push now supports the ability to link to existing groups in the following application integrations:

  • Slack
  • Dropbox for Business
  • ServiceNow UD

You can centrally manage these apps in Okta. For details, see Enhanced Group Push.

Enhanced provisioning for Office 365

With additional enhancements to Microsoft Office 365 integration admins can now synchronize identities from on-premises to cloud-based Office 365, provision a user profile that is extended further to include over 100 attributes, as well as synchronize distribution groups, contacts, and resources such as conference rooms.

Admins can also manage user licenses and roles, independent of other provisioning flows. The new provisioning type for Office 365, License/Roles Management Only, allows admins to manage user license assignment and role delegation for existing Office 365 users and for users provisioned to Office 365 with third-party tools. For more details, see Okta Enhancements with Microsoft Office 365 Integration.

Modern authentication support

We have extended our Office 365 Sign On policies to include the ability to distinguish between web browser and modern authentication clients, giving you even more granularity in controlling how users are accessing corporate data. You access this functionality by creating a new App Sign On Rule.

Extended Client Access policy capability for apps

When you create App Sign on Policy rules, you can now specify platform types with greater granularity. For details, see Add Sign On policies for applications.  

Additional Custom Attributes for DocuSign integration

Our DocuSign integration is enhanced by adding support several new custom attributes. Okta imports these attributes that you can then map as additional custom properties. For details, see the DocuSign Provisioning Guide.

System Log save and reuse searches

After performing a System Log search, a Save button now appears next to the query. Click Save and you are prompted to name your search. Once saved, your named search appears on the main Reports page. You can reuse your saved search, modify it, or delete it. Note that saved searches can only be seen by the user who created them. A maximum of 20 searches can be saved at any time.

LDAP Interface, query performance improvement

LDAP Interface queries will no longer return the memberOf attribute unless requested specifically, or when all operational attributes are queried using “+”. This change brings performance improvement to searches that did not require this attribute. Improvements were also made to return additional operational attributes that were part of LDAP core schema. This list includes hasSubordinates, structuralObjectClass, entryDN, subschemaSubentry, and numSubordinates. Note that numSubordinates is not calculated for users and groups containers. For details, see Connecting to Okta using the LDAP Interface.

XFF Evaluation for Dynamic Zones and Behavior Detection

As part of Dynamic Zone and Behavior Detection evaluation, the client IP is now validated using the trusted proxies that have been configured for that org. In the admin System Log, this IP appears as the Client IP. For more information, see Dynamic Zone Evaluation.

New Windows Device Trust Registration Task, version 1.3.0

This release includes the following:

  • Improved support for organizations that route internet traffic through a proxy server.
  • Fixes an issue in which some Device Trust System Log events reported the Windows operating system version inaccurately on Windows desktops running Windows 8.1 or higher.

For version history, see Device Trust for Windows Desktop Registration Task Version History.

Support for Vietnamese language

Support for the Vietnamese language for the end user experience is now available to all customers. You can select the default language preference for your entire org, and your end users can select a different language preference for their own experience. For more information, see Configure the Display Language.

JIRA On-Prem Authenticator, version 3.0.7

This release includes enhanced SP-initiated SAML flow and support for spUsers and spGroups to handle JIRA only users. For version history, see JIRA Authenticator Version History.

Okta Browser Plugin, version 5.25.0

Okta Browser Plugin has been updated to version 5.25.0 for Chrome, Edge, Firefox, and Internet Explorer. This version contains security enhancements in addition to enhanced end-user settings. For version history, see Okta Plugin Version History. (Version history/browser ver history).

Enforce Device Trust for managed Windows computers

Okta Device Trust for Windows allows you to prevent unmanaged Windows computers from accessing enterprise services through browsers and native applications. For details, see Enforce Device Trust for managed Windows computers.

Generally Available Enhancements

EA Feature Manager

To provide more information about self-serviceable EA Features, links to help or developer documentation are now available for select features in the EA Feature Manager. For details, see Manage Early Access features.

New device notification enhancement

The setting for end users to receive a new device notification email when signing in to Okta from a new or unrecognized device is now enabled by default for all orgs. For more information about email notification settings, refer to New or Unknown Device Notification Emails.

Username passes to IdP when using identity-first IdP Discovery flow

When using an identifier-first IdP discovery flow and the user is redirected to the Identity Provider, such as SAML, Google, Microsoft, or Generic OIDC, the username value is passed on to the Identity Provider so the user does not have to type it in again.

API Token size increased for OAuth

We have increased the API token size when configuring OAuth 2.0 based authentication from 2 kB to 64 kB. For more information about OAuth, see OpenID Connect & OAuth 2.0 API.

Logos available for all Social Identity Providers

All social identity providers have the default logos shown below:

LDAP Interface, increased page size

The LDAP page size is increased from 200 to 1001, allowing LDAP clients to use a multiple page size of 1000. For details, see Connecting to Okta using the LDAP Interface.

Search range for group membership

The Okta LDAP Interface previously limited membership searches to the first 200 users for a group. This restriction has been removed and the LDAP Interface will iterate through all pages before returning membership response back to the client. This applies to LDAP searches that query uniquemember and ismemberOf attributes. For details, see Connecting to Okta using the LDAP Interface.

Closed

Temporary Passwords for Pending Users

Temporary passwords can now be created for users who are in the Pending user action state and cannot access their activation email. Creating a temporary password for a user in this way will activate the user and require them to change the password during their next successful sign-in attempt. For more information see Manage people.

Closed

IP Blacklist zone, increased Gateway IP limit

We have increased the number of Gateway IP addresses that can be used in an IP Blacklist zone from 150 to 1000. For details, see Networks.

IP Blacklist zones enhancement

Blacklist zones are no longer configurable in policies as they are evaluated before policy rules are evaluated. For more information about Network Zones, see Networks.

Early Access Features

New Features

Scoping admin privileges, AD and LDAP-mastered groups now supported

Super admins can now scopeA scope is an indication by the client that it wants to access some resource. Group and Help Desk admin privileges to AD and LDAP-mastered groups in addition to Okta-mastered groups. This EA Feature can be enabled in the Feature Manager. For details, see Assign Help Desk admin privileges.

Multi-forest support for Windows Device Trust enrollment

IWA web app version 1.12.2 supports cross-forest/cross-domain Windows device trust enrollment. Now an IWA web app running in one forest can detect and assess the trust posture of Windows desktop devices located in another trusted forest and then allow these devices to enroll in Windows Device Trust. For more about Windows Device Trust, see Enforce Okta Device Trust for managed Windows computers.

Okta collecting product feedback from end users

Admins can allow Okta to collect feedback from end users. If this feature is turned on, end users will see a prompt on their Okta dashboard requesting feedback about our products and services. You can opt out of Okta User Communication in Settings > Customization > General. For more information, see End User Communication.

Web Authentication for U2F as a Factor

Admins can enable the factor Web Authentication for U2F, where U2F keys are authenticated using the WebAuthn standard. For more information, see Web Authentication for U2F.

Okta SSO IWA Web App Agent, version 1.12.2

This EA release includes: Security fixes. Support for cross-forest/cross-domain Windows device trust enrollment. Now an IWA web app running in one forest can detect and assess the trust posture of Windows desktop devices located in another trusted forest and then allow these devices to enroll in Windows Device Trust. For details, see Okta SSO IWA Web App Agent Version History.

Fixes

General Fixes

OKTA-193300

In the admin System Log, the zone field was populated for all events that matched a sign-on policy even when the IP of the client request did not match any zones configured in the policy.

OKTA-193330

When the same user was API and App Admin, only OIDC apps were visible in the Universal Directory profile editor.

OKTA-194244

A misleading error message was displayed when the rate limit was exceeded while using the LDAP Interface to query LDAP.

OKTA-197762

Fixed inconsistent behavior with the Reset Password Link for LDAP users.

OKTA-199498

In some cases, Okta-mastered users were deactivated when their linked accounts in Active Directory were deactivated.

OKTA-200928

Logging on through Jira on-prem chiclet didn't error out properly if the end user didn't exist in the target app.

OKTA-203819H

Some orgs were unable to create the number of users that they were entitled to.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • ADP Portal (Admin) (OKTA-198299)

  • Bloomberg BNA (OKTA-202952)

  • Blue Cross Blue Shield North Carolina (OKTA-191585)

  • Coolblue (OKTA-203010)

  • Copper (OKTA-202311)

  • Dell EMC (OKTA-197625)

  • Egencia France (OKTA-202309)

  • Garveys (OKTA-202308)

  • Google AdWords (OKTA-200072)

  • Google Play Developer Console (OKTA-201061)

  • GT Nexus (OKTA-203008)

  • Monster Hiring (OKTA-202848)

  • Newton Software (OKTA-202111)

  • ONE by AOL Mobile (OKTA-201772)

  • SAP NetWeaver Application Server (OKTA-202310)

  • Tenable Support Portal (OKTA-201111)

  • The San Diego Union-Tribune (OKTA-202856)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

  • Effy: Freshservice Provisioning: For configuration information, see Effy: Freshservice Provisioning's Configuring SCIM with Okta.

SAML for the following Okta Verified applications

  • Oracle Cloud Infrastructure (OKTA-203179)

  • PerimeterX (OKTA-202317)

  • Visitly (OKTA-202988)

  • Workpath (OKTA-202894)

SWA for the following Okta Verified applications

  • AIMA (OKTA-197142)

  • BioDigital (OKTA-197194)

  • Cisco Registered Envelope Service (OKTA-197090)

  • DeKalb Physician Portal (OKTA-197193)

  • Financial News (OKTA-198739)

  • Fresh Direct (OKTA-197128)

  • My Eaton (OKTA-200770)

  • Ocado (OKTA-197129)

  • Private Advisors (OKTA-198720)

Weekly Updates

Closed2019.01.1: Update 1 started deployment on January 22

Fixes

General Fixes

OKTA-192916

Okta Expression Language for defining a custom UserName mapping was not supported when creating a new app.

OKTA-194089

Read-only admins and Application admins saw incorrect values for Max Unassignments for applications with provisioning enabled.

OKTA-197629

In SAML App Wizard apps, the error returned when the Relay State was too long, was unclear.

OKTA-200927

Some DelAuth users who had an incomplete profile setup were not able to complete the SAML forceAuthn flow.

OKTA-201827

Group Rules did not trigger for SecondEmail if the attribute was updated via self-service.

OKTA-203326

System Log processing experienced a lag when clearing large import queues because of firing a syslog event for each user in the import flow. Now a single syslog event is fired indicating the number of users cleared from the import queue.

OKTA-205267H

For some SP-initiated SAML Requests, it incorrectly included the <Subject> element in the AuthN request.

OKTA-205324H

Okta did not allow admins to delete a group push mapping if the mapping was in error status.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • ADP Portal (Admin) (OKTA-203745)

  • Avalara Partner Portal (OKTA-204049)

  • Barrons Online (OKTA-203796)

  • LA Times (OKTA-203390)

  • Netflix (OKTA-204051)

  • Shopify (OKTA-203516)

  • TigerText (OKTA-203393)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

New Integrations

SAML for the following Okta Verified applications

  • Cobalt (OKTA-204332)

  • Imagineer Clienteer (OKTA-203743)

SWA for the following Okta Verified applications

  • AnyImage (OKTA-200388)

  • Crowdstrike Falcon (OKTA-199903)

  • FIS Client Portal (OKTA-193928)

Closed2019.01.2: Update 2 started deployment on February 4

Fixes

General Fixes

OKTA-152340

Pushing after removing group memberships failed for CPC apps (For example, ServiceNow, Dropbox, Slack).

OKTA-167393

In Okta Verify, Push challenges that were approved by users from the notification center had to be approved again in the Okta Verify iOS app.

OKTA-184036

Re-creating a user via JIT did not assign AD group memberships if the User Must Change Password At Next Logon option was enabled on the AD user profile after the user was deleted from Okta. 

OKTA-189547

Translation to Japanese for the MFA prompt Do not challenge me on this device for the next 30 minutes was incorrect.

OKTA-192100

Multiple run-time exception errors caused the LDAP agent to fail.

OKTA-195065

Pushing groups for GSuite app failed with the error Unexpected character ( '<' (code 60)): expected a valid value.

OKTA-196483

When the default backoff setting for the AD and LDAP agents was 1 hour, it caused the agents to remain unavailable for the entire hour regardless of when the underlying issue was fixed.

OKTA-197083

Admin roles that were granted, scoped, or revoked through the Roles API did not appear in the System Log.

OKTA-197934

Provisioning for the Adobe Experience Manager SAML app failed when users had an underscore "_" in their login attribute.

OKTA-198025

The following role attributes can now be added in PagerDuty: admin, limited_user, observer, read_only_user, restricted_access, team_responder, user.

OKTA-198932

Template SAML 1.1 apps did not honor the configuration for response/assertion signing in IdP-initiated flows.

OKTA-199767

The Help link for Verifying IE Plugin Enablement led to an invalid page.

OKTA-201029

The MFA Factor Enrolled email was sent before enrollment was completed. 

OKTA-201591

The application condition for an IdP Discovery rule only allowed for 20 applications. 

OKTA-201763

The Update Now button on the Sign On tab was always present even when not needed.

OKTA-201789

When searching for users by string match, if the string contained a space (for example, users with multiple last names such as "Van Horne") Okta only tried matching against the full name.

OKTA-202346

Changing profile mappings between applying only at user creation and applying at both creation and update would sometimes fail to apply the change.

OKTA-202684

For custom SAML applications, if the admin changed the Name Id format to persistent, the metadata was not updated.

OKTA-203596

An Application Sign-On policy created to allow or deny access to rich clients using modern auth and running on iPad didn't work as expected.

OKTA-204275

Domain matching in IdP Discovery rules were incorrectly case-sensitive.

OKTA-204738

An Invalid Factor error was encountered when end users used a permitted U2F factor, but also had one or more disallowed devices registered.

OKTA-205371

The Language drop-down list box on the Settings page incorrectly contained the label Beta for some languages.

OKTA-205410

Customers with Network Zone locations with China region codes CN-11, or CN-(some number) could not see the name of the region correctly, nor could they edit the Network Zone.  

OKTA-205446H

For new enrollments, Voice Call MFA failed with Each code can only be used once. Please wait for a new code and try again.

OKTA-205703

The Current Assignments report was not filtering correctly when USER_LISTS_FOR_AUDITING was enabled.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • Bomgar (OKTA-196914)

The following SWA apps were not working correctly and are now fixed

  • ADP Screening and Selection Services (OKTA-202613)

  • Air Canada (OKTA-204326)

  • AnswerForce (OKTA-204331)

  • Backblaze (OKTA-205585)

  • BlackBerry Developers (OKTA-204370)

  • BlueJeans (OKTA-204960)

  • Booking (OKTA-204584)

  • Capital One (OKTA-204050)

  • Copper (OKTA-204325)

  • Crowdstrike Falcon (OKTA-205584)

  • CSCglobal (OKTA-204849)

  • Curalate (OKTA-206158)

  • Dell Boomi (OKTA-204328)

  • Eventbrite (OKTA-206655)

  • Evernote (OKTA-206169)

  • FACTs (OKTA-204599)

  • GatherContent (OKTA-205587)

  • Google AdWords (OKTA-206109)

  • Google Analytics (OKTA-205638)

  • GuideStar (OKTA-206168)

  • Hippo CMMS (OKTA-205390)

  • Infor EAM (OKTA-204329)

  • JobAdder (OKTA-202705)

  • LoopUp (OKTA-205012)

  • Maxemail (OKTA-206469)

  • My ADT (OKTA-206221)

  • MyCitrix (OKTA-205472)

  • NodePing (OKTA-205274)

  • Quantum Workplace (OKTA-204596)

  • Reputation.com Personal (OKTA-204737)

  • Shopify (OKTA-205380)

  • SimplyWell Member (OKTA-206545)

  • Trip Advisor (OKTA-205588)

  • USPS (OKTA-206184)

  • Virgin Mobile OneView (OKTA-206157)

  • WorkflowMAX (OKTA-206136)

  • WorkTerra (OKTA-206161)

Applications

New Integrations

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • CodeSignal (OKTA-204339)

  • Signagelive (OKTA-202831)

  • Simian (OKTA-204348)

  • Stampli (OKTA-203206)

  • Workspace (OKTA-205099)

SWA for the following Okta Verified applications

  • Ask the Fed (OKTA-197941)

  • Data Navigator (OKTA-197939)

  • Doctena (OKTA-198514)

  • Jack Henry & Associates Client Portal (OKTA-194264)

  • LexisNexis Bridger Insight XG (OKTA-196365)

  • Tech Data France (OKTA-192411)

Content

2018 Production Releases

Closed2018.12 December release and updates

December 2018

2018.12.0: Monthly Production release began deployment on December 10

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Push Notifications for the Okta RADIUS Agent

The Okta Radius Agent now includes functionality for end users to opt in to receive push notifications for MFA when enrolled with Okta Verify. For information on how to enable this setting, see Autopush for RADIUS.

Okta Windows Credential Provider agent, version 1.1.3

This release contains general bug fixes. For version history, see Okta MFA Credential Provider for Windows Version History .

Profile Editor supports linked objects

You can now add a custom attribute with a linked object data type to the Okta user profile. For details, see Add a linked object to an Okta user profile.

Add Notes to Okta-managed apps

You can now add App Notes to communicate with end users and other admins about apps. In addition to enhancing app deployment and usage, App Notes can also reduce help desk calls, provide troubleshooting assistance, and increase end-user self service.

App Notes facilitate the following types of communications:

  • Application notes to end users – Allows admins to present helpful information to end users, such as why they've been assigned the app, whom to contact for help, and links to additional information.

  • Application notes to admins – Allows admins to share administrative details about apps with other Super, App, Read-only, and Mobile admins.

For more information, see Add notes to an app.

Super admins can choose default email notifications for admins

Super admins have the ability to select which email notifications a specific type of admin receives by default. This allows you to manage the amount of email traffic the different admin roles receive. The new defaults will override existing admin email notifications default settings (see Email Notifications for default settings). This will exclude most admins from receiving most email notifications. For details, see Set default email notifications.

Generally Available Enhancements

Admin Console update

We have updated the release number displayed in the Admin Console to the YYYY.MM.U format that we are officially adopting with the December Monthly Release. For more information, see Release Notes.

Okta User Communication improvement

We have improved the Okta User Communication message in Settings > Customization to clarify the scope of end user communication.

Group Push enhancements

Group Push now supports the ability to link to existing groups in the following application integrations:

  • Smartsheet
  • Facebook at Work
  • Org2Org
  • Adobe CQ
  • JIRA, JIRA On-Prem
  • DocuSign

You can centrally manage these apps in Okta. For details, see Enhanced Group Push.

People page performance improvements

The A-to-Z links on the People page have been deprecated as part of efforts to improve the performance and responsiveness of the page in the Admin UI for large orgs. Screenshots:

Before:

After:

Reports enhancement

When generating reports, the earliest start date you can select is now 13 months prior to the current date. For more information about Reports, see Reports.

Early Access Features

New Features

Support for Salesforce Government Cloud

You can create instances of the Salesforce app that can integrate with Salesforce Government Cloud. For more details, see the Salesforce Provisioning Guide.

Okta Active Directory agent, version 3.5.5

This release includes:

  • A bug fix for errors when importing a group with more than 1,500 users.
  • Internal bug fixes

For version history details, see Okta Active Directory agent version history.

PIV Card authentication option added to identifier first Sign In page

A PIV Card authentication option is now provided on the identifier firstInstead of presenting both a Username and a Password field, "identifier first" sign in pages present only a Username field. As used in Okta IdP Routing Rule scenarios, "identifier first" sign in pages submit usernames to Okta for determining which IdP should be used to authenticate an end user. Sign In page when you configure a Smart Card Identity Provider and a corresponding IdP Routing Rule in the Okta Admin console. For more about Okta's support for PIV card authentication, see Add a Smart Card/PIV Card.

View admin list by role

Super admins can now filter the list of admins by role and type for easier searching.

Early Access Enhancements

ASN Support for Dynamic Zones

Admins can now enter ASNs (Autonomous System Numbers) when creating or editing a dynamic zone. For more information about using ASNs, see Dynamic Zones.

FIPS-mode encryption enhancement

We have updated the Okta Verify configuration UI label for the FIPS-Mode encryption setting. For more information, see Enabling FIPS-mode encryption.

Fixes

General Fixes

OKTA-185031

Recreating group push mappings for previously existing groups would cause group memberships to not be mastered by Okta.

OKTA-187881

An LDAP directory could not be assigned to an Okta group when Sync password was enabled and Create users was disabled.

OKTA-193192

Some end users were still prompted to authenticate with MFA despite successful enrollment with Okta Verify or Duo within the same session.

OKTA-194472

The API Access Management Admin role was not returned for the user when performing a GET on api/v1/users/${userId}/roles endpoint. 

OKTA-195092

When using browsers other than Internet Explorer, Agentless Desktop SSO was performing two authentication requests for each user, increasing the authentication time.

OKTA-196220

Push Groups functionality only worked for admins with Super Admin rights.

OKTA-197099

Provisioning operations for the Coupa app failed.

OKTA-197991

The MFA Usage Report listed Okta Verify with Push as an enrolled factor even if the factor was reset by an end user from their dashboard making it no longer enrolled. 

OKTA-198258

There was a minor grammatical error in the app approval admin notification message.

OKTA-198556

IdP Discovery rule with a Sharepoint On-Premise specific app instance condition was not routing properly on SP-initiated login flows.

OKTA-198797

After creating an ASN dynamic zone via the API, then viewing via the UI, the default proxy type was Unchecked instead of Any proxy

OKTA-201054H

SAML IdP flow broke down with a 404 error if the ACS URLACS Endpoint – Assertion Consumer Service URL – often referred to simply as the SP login URL. This is the endpoint provided by the SP where SAML responses are posted. The SP needs to provide this information to the IDP was in {{org}}/auth/saml20/{{IdP name}} format.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Alibaba Cloud (Aliyun) (OKTA-198076)
  • Anaplan (OKTA-198239)
  • Apple Business Manager (OKTA-198241)
  • Dell Boomi (OKTA-198237)
  • Egencia UK (OKTA-198487)
  • Linux Academy (OKTA-198691)
  • PacificSource InTouch (OKTA-197597)
  • Perfode (OKTA-198238)
  • Rival IQ (OKTA-190557)
  • Salesforce: Marketing Cloud (OKTA-197948)
  • Web Manuals (OKTA-199509)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Abstract (OKTA-192587)
  • BambooHR (OKTA-199943)
  • CloudBees (OKTA-191171)
  • SAP Concur Solutions (OKTA-198484)
  • Workable (OKTA-198491)

SWA for the following Okta Verified applications

  • Acronis Cloud (OKTA-189384)
  • Ameriflex Wealth Care Portal (OKTA-197201)
  • Autodesk BIM 360 (OKTA-194354)
  • buildpulse (OKTA-196661)
  • Business Insider PRIME (OKTA-196625)
  • Drift (OKTA-192116)
  • Forum: Business Online Banking (OKTA-195330)
  • HigherGear - (OKTA-196158)
  • HomeDepot Vendor Portal (OKTA-190428)
  • HP DaaS (OKTA-196207)
  • Insperity Premier (OKTA-191066)
  • Kayak (OKTA-74699)
  • TrendKite (OKTA-197199)
  • WealthEngine (OKTA-198240)
  • Zywave Home (OKTA-193830)

Weekly Updates

Closed2018.12.1: Update 1 started deployment on December 17

Fixes

General Fixes

OKTA-155477

AD-mastered users logging into Okta with a temporary password were not asked to create a new password.

OKTA-177142

Inbound delegated authentication failed in application when the application username and Okta username were different.

OKTA-182115

As a result of multiple redirects, URLs became too long when a SAML app was used in conjunction with IWA and multifactor authentication.

OKTA-188067

When adding a user to the source user group, if the target user group did not exist, group push mappings did not display an error.

OKTA-189754

The Sign On policy did not show a warning after reaching the limit of 20 rules per policy in the UI. The limit has now been increased to 50 before showing the warning.

OKTA-190684

The OpenID Connect Client ID Token settings form was missing a link to the reference documentation about the groups claim, also the the Sign On mode tab was missing a link to the profile mappings. 

OKTA-191321

In some cases, the LDAP search filter did not allow using "<" and ">" simultaneously. 

OKTA-191398

The System Log did not include hostname in the Debug Context for Windows events.

OKTA-195890

IdP Discovery routing rules with an application condition and without a user identifier condition were not routing to social IdPs.

OKTA-195916

Resetting the password for one account while a different user was signed into another account in the same browser generated a successful System Log event for the wrong account, and the UI showed a failure message although password reset was successful.

OKTA-196579

The WebEx app did not update sessionType attributes for users.

OKTA-199133

The System Log did not report enrollment failures that occurred when the relevant Device Trust setting was not enabled in the Okta Admin Console.

OKTA-200176

The Application Usage report returned a server error instead of a bad request message when an invalid date was entered to generate the report.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • IntraLinks (OKTA-198125)

The following SWA apps were not working correctly and are now fixed

  • Crunchbase (OKTA-198994)
  • Dashlane Business (OKTA-199046)
  • Shopify (OKTA-200163)
  • Thycotic Force (OKTA-198995)

Applications

New Integrations

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Expiration Reminder (OKTA-200470)
  • RecruitBot (OKTA-196618)

SWA for the following Okta Verified applications

  • Haivision Support (OKTA-191530)
  • ONE by AOL: Video (OKTA-196063)
Closed2018.12.2: Update 2 started deployment on January 7

Fixes

General Fixes

OKTA-71278

The Identity Providers list was missing the Action column header and had alignment issues.

OKTA-154988

Missing fields were not highlighted in the error message displayed when adding a new SAML identity provider.

OKTA-189636

Username changes in Okta for AD-Mastered users were not correctly pushed to the JIRA On-Prem app.

OKTA-190763

Users who had been locked out and then deactivated were still listed as locked out on the Reset Password and Unlock People pages, as well as on dashboard notifications.

OKTA-191917

When the Agentless Desktop SSO flow failed, the FromURI parameter was missing, causing a launched app not to load.

OKTA-193120

Incremental imports did not properly terminate users due to time zone differences.

OKTA-194696

Group membership updates that failed due to the Org2Org rate limit were not retried.

OKTA-197806

For orgs with the EA feature, Advanced Schema for Box enabled, assigning a group to Box sometimes failed.

OKTA-201633

The users/${userId}/factors/catalog endpoint returned email as a supported factor type although Email Authentication had not been enabled for the org in their MFA setting.

OKTA-201799

When searching for a group containing a space character, the text box selection to continue typing was lost and required users to click on the text box again to type next character.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Aha (OKTA-200921)

  • Amazon DE (OKTA-200178)

  • CarGurus (OKTA-201462)

  • Cintellate by SAI Global (OKTA-201461)

  • GFI Mail Essential Online (OKTA-199274)

  • GTA Travel (OKTA-200126)

  • Gusto (OKTA-199737)

  • Handshake (OKTA-201464)

  • HP Connected (OKTA-200425)

  • MyViverae by Viverae (OKTA-200739)

  • Papertrail (OKTA-199505)

  • Sauce Labs (OKTA-199066)

  • SeamlessWeb (OKTA-201041)

  • The San Diego Union-Tribune (OKTA-201415)

Applications

Application Updates

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

New Integrations

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Abacus (OKTA-201459)

  • Envoy Global (OKTA-201924)

  • Firstbird (OKTA-202087)

  • Five9 Plus Adapter for Salesforce (OKTA-198492)

  • Imagineer WebVision (OKTA-202327)

  • International Relocation Center (OKTA-200829)

  • iObeya (OKTA-198510)

  • SevenRooms (OKTA-199302)

  • Splash (OKTA-201453)

  • Wootric (OKTA-198958)

  • Zoom SAML (OKTA-200668)

SWA for the following Okta Verified applications

  • Anexia Engine (OKTA-197187)

  • Bloomberg (OKTA-198566)

  • CAPPS Enterprise Portal (OKTA-190371)

  • FHLBank of Dallas (OKTA-189796)

  • Information Management Network (OKTA-199265)

  • Morningstar UK (OKTA-199264)

  • NET-ENTERPRISES.FR (OKTA-190878)

  • PostNL Digital Postage Stamp (OKTA-198257)

  • Quip (OKTA-191534)

  • SonicWall Capture Security Center (OKTA-198693)

  • TxDMV webDEALER (OKTA-192030)

  • Vantiv IQ (OKTA-193087)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • LogicMonitor (OKTA-193723)

Closed2018.47 and 2018.48 Production release began deployment on December 3
ClosedGroup Push mappings status enhancement

When you delete a group, the Group Push mappings associated with the group are disabled and the mapping status will show as an error. You can then either deactivate or delete the mappings. For information about Group Push, see Using Group Push.

ClosedEnhanced IdP Discovery routing rule warnings

When you create a rule for an active Identity Provider, you can choose whether to activate the rule and apply it immediately, or else create it in an inactive state. Conversely, when you create a rule for an inactive Identity Provider, the rule cannot be activated and is automatically created in an inactive state. ClosedScreenshot:

When you deactivate an Identity Provider with active routing rules, Okta displays a warning that the rules will be deactivated. ClosedScreenshot:

For more information about Identity Providers, see Identity Providers.

ClosedNetwork zone country code for Kosovo

When configuring network zones, admins can now set Kosovo as a country using country code XK in order to ensure that IP addresses from Kosovo are more accurately defined. For more information about network zones, see Networks.

ClosedNew System Log event for invalid app-to-app mappings

If an app-to-app mapping includes an invalid expression, profile sync job creates a new System Log event to capture the failure, skips evaluating the expression, and processes the rest of the mapping. ClosedScreenshot

ClosedBambooHR integration update

The BambooHR integration now supports OpenID Connect (OIDC). For configuration information, see the BambooHR Provisioning Guide.

Closed2018.46 began deployment on November 26
ClosedOkta plugin, version 5.24.1 for Chrome

The Okta browser plugin for Chrome is updated to version 5.24.1. This version includes the following bug fix:

  • App icons did not load in Okta plugin for Google Chrome when the CDN was disabled.

For version history, see Okta Browser Plugin Version History.

Closed2018.45 began deployment on November 12
ClosedOkta plugin, version 5.24.0 for Chrome and Firefox

The Okta browser plugin for Chrome and Firefox browsers is updated to version 5.24.0. This version includes an update to end-user plugin settings (available in Early Access) and back-end product enhancements. For version history, see Okta Browser Plugin Version History.

ClosedNew RingCentral attribute

Job Title has been added to the list of RingCentral custom attributes that can be added via Schema Discovery. For more information about RingCentral provisioning, see the following provisioning guides:

ClosedCustom Okta attributes supported in the Microsoft SharePoint (On-Premises) app SAML assertion

For SharePoint (On-Premises) app, Expression Language evaluation for Application Attributes now supports sending any OKTA user attributes, including custom OKTA user attributes. For more information, see Adding the SharePoint (On-Premises) App in Okta.

ClosedShared SWA app accounts, password restriction

For SWA apps with an account sign in option set to Users share a single username and password set by administrator, only Super admins or App admins with permissions for that app can view the password.

ClosedClearing unconfirmed users

During standard imports, users are sometimes mistakenly imported from 3rd-party apps. The Clear Unconfirmed Users button allows admins to clear all unconfirmed users within an import queue. For more details, see Importing People.

Closed2018.44 began deployment on November 5
ClosedReport data start date

When generating reports, the earliest start date you can select is now 13 months prior to the current date. For details about Okta reports, see Reports.

ClosedNew Microsoft Office 365 chiclet

Okta has made a new chiclet, Microsoft Power BI, available for the Microsoft Office 365 app. You can enable it on the General tab of your org's Microsoft Office 365 app instance. For details, see Enable a Microsoft Office 365 Chiclet.

ClosedExtended Client Access policy capability for apps

When creating App Sign-On Policy rules to manage access to apps, you can now specify additional granularity for platform types. Office 365 Client Access policies will continue to provide additional granularity for clients (that is, Web vs EAS).

For details, see Add Sign-On policies for applications and Office 365 Client Access Policies.

Closed2018.42 began deployment on October 22
ClosedRegion codes for Network Zones

Region codes for China have been updated due to a recent change in the universal ISO standard. To prevent region codes from displaying incorrectly, update your network zone region codes accordingly. For more information, see Network Zones.

ClosedWarning added to unlinking groups UI

Unlinking between an Okta group and the pushed group in downstream applicationIn the context of Okta provisioning, a downstream app is one that is receiving data from Okta. cannot be reversed. A notification has been added to warn the admins that unlinking a group in this way cannot be undone. ClosedScreenshot

Closed2018.41 began deployment on October 15
ClosedUser Locked Out email changes

User Locked Out emails are sent to admins in batches and contain a list of all users who are locked out. The email shows users locked out since the previous email was sent. Previously each admin received one email for each locked out user in real time.

ClosedMultifactor Authentication single page UI

Administration for multifactor authentication is streamlined with a new single page design that improves navigation and usability for enabling and configuring authentication factors. For more information, see Multifactor Authentication. ClosedScreenshot:

ClosedImproved People page filter and Profile page details

We’ve added more detail to the user state labels on the People page. ClosedScreenshot:

And now provide the action required for users in a pending state on the User Profile page. ClosedScreenshot:

ClosedAssign users to multiple groups in one group rule

Users can be assigned to multiple groups in one group rule. It is no longer necessary to set up multiple rules for the same criteria to accommodate different groups. For details, see Using Group Membership Rules.

ClosedConfigure App Approval Workflow

This feature enables an administrator to configure a workflow for a self-service app that requires approval. It enables an end-user to request access to an app and an approver to approve or deny the request. For more information, see Access Request Workflow > Configure the App Approval Workflow.

ClosedPer-App Password Policy

The policy for randomly generated passwords for Password Sync can now be defined by Okta, on a per-app basis.

If Okta’s randomly generated password for Password Sync does not meet the password requirements of a specific app, Okta can, upon request, change that app’s password policy. This functionality is now available for all orgs.

ClosedUser sessions deleted after password reset

Okta now deletes all users' sessions after a successful password reset as part of the forgot password flow.

ClosedAdditional options for activation email lifetime

Admins can configure activation emails with lifetimes of 1, 2, or 4 hours. For more information on the General security options, see General Security. ClosedScreenshot

Closed2018.40 began deployment on October 8

There were no new features in this release. For new apps and bug fixes delivered in this release, select the appropriate tab.

Closed2018.39 began deployment on October 1

There were no new features in this release. For new apps and bug fixes delivered in this release, select the appropriate tab.

Closed2018.38 began deployment on September 24
ClosedAccess to the self-service menu for an org

Only a Super Admin can view the self-service menu (Applications > Self Service) for an organization. In the past, both org admins and super admins could access this menu. There is no change to the options on the menu. For more information on roles and permissions, see Administrators.

Closed2018.37 began deployment on September 17
ClosedUsername passed to target orgs

In an Identity Provider Discovery flow, the username entered as the identifier in the first screen is passed to other Okta orgs. End users do not need to re-enter a username when signing in to any other Okta org to which they are redirected. For more information, see Identity Provider Discovery.

ClosedSupport for Norwegian language as Beta

Support for the Norwegian (Bokmål) language for the end user experience is now available to all customers in Beta format. You can select the default language preference for your entire org, and your end users can select a different language preference for their own experience. For more information, see Configure the Display Language.

Closed2018.36 began deployment on September 10
ClosedAbility to download CSV report containing admin data

Super org admins can now download a CSV file containing a list of all admins and their permissions, using the Download CSV button on the Administrator page. For details, see Administrators. ClosedScreenshot

ClosedSupport for JWTs signed with private keys

Requests to the /token and /authorize endpoints will now accept JWTs signed with a private key. For more information, see the OIDC documentation for the token endpoint and the authorize endpoint.

ClosedAdmin email notifications default to off

These email notification types are off by default for admins in new orgs:

  • User Deprovision
  • App user import status
  • User lockouts

Each admin can individually opt in at Administrator > Settings > Account. Admins in existing orgs will be unaffected. For details, see Account Settings. This feature is available for new orgs only.

ClosedNew device notification email

When enabled, end users will receive a new device notification email when signing in to Okta from a new or unrecognized device. This feature is now generally available to all orgs. For more information about email notifications, refer to the New or Unknown Device Notification Emails section in General Security.

ClosedChanges to where an application username is configured

Okta is consolidating where app usernames are configured. Instead of being able to change the app username in the Profile Editor and the app’s Sign On tab, you will be able to edit the Okta to App username mappings only on the app’s Sign On tab.

Note: The following apps will not be changing their behavior: Active Directory, LDAP and SAML Identify Provider.

ClosedProfile Editor - Before

For the Okta to App flow, you can no longer override username mappings in the Profile Editor.

ClosedProfile Editor - After

Username mappings on the Sign On tab

The userName mapping in the app's Sign On tab will be the source of truth for the Okta to App flow. Updating the userName mapping on Create only or Create and Update will also be controlled from the app's Sign On tab. ClosedScreenshot:

ClosedSend admin emails as BCC

Super Admins and Org Admins can send all admin emails as BCC so that recipients' email addresses are hidden. For more information, see Global notifications options.ClosedScreenshot

ClosedManage the Okta loading animation for custom apps

You can now disable the default Okta loading animation (interstitial page) that appears when users are redirected to custom applications. End users are shown a blank interstitial page, instead. This allows you to present a more branded end-user experience. For more information, see Customizing the Interstitial page>. ClosedScreenshot:

ClosedAccess Request Workflow for App Self-Service

This feature streamlines the App Self-Service UI with the Access Request Workflow UI and allows admins to write a note to the end user about the app instance.  See Access Request Workflow and Self Service Registration for more details.  ClosedScreenshot

ClosedManage Apps at the Instance level

You can now assign Apps to App Admins at the instance level. This allows for more granular access control. For details, see Administrators.

ClosedCustomizable email alert template

We have added a new, customizable email template that alerts your end-users when someone connects to their Okta account from a new device. This feature protects against silent access to an end-user's account. For more about Okta email templates, see Email and SMS Options. This feature is Generally Available for new orgs only.

ClosedU2F Activation and Enrollment

The Multifactor Factor Types UI has been updated to include U2F activation and enrollment for end users. For more information about U2F enrollment, refer to the Factor Types Configuration section in Multifactor Authentication.

Closed2018.35 began deployment on September 4
ClosedUse Adaptive MFA with the VMware Horizon View, Pulse Connect Secure, BeyondTrust PowerBroker Password Safe, and Check Point apps

You can integrate Adaptive MFA with your VMware Horizon View , Pulse Connect Secure, BeyondTrust PowerBroker Password Safe, and Check Point clients. Follow these links for more information and complete setup instructions.

ClosedThe SSR form now supports enum data types

The Self Service Registration (SSR) form now supports enum data types of string, numbers, and integers. For more information, see Okta Self-Service Registration.

Closed2018.34 began deployment on August 27
ClosedDeactivation Emails improvement

Admins now receive an email listing all users deactivated during 30 minute periods instead of individual emails for each deactivation.

ClosedNew Microsoft Office 365 chiclet

Okta has made a new chiclet, Microsoft Forms, available for the Microsoft Office 365 app. You can enable it on the General tab of your org's Microsoft Office 365 app instance. For details, see Enable a Microsoft Office 365 Chiclet. ClosedScreenshot

Closed2018.33 began deployment on August 20
ClosedRadius agent, version 2.7.4

This version contains security enhancements. For version history information, see Okta RADIUS Server Agent Version History.

ClosedOkta On-prem MFA agent, version 1.3.8

This version contains security enhancements. For version history information, see Okta On-Prem MFA Agent Version History.

Closed2018.32 began deployment on August 13
ClosedSystem Log enhancement

The System Log now reports when requests are denied due to a blacklisted network zone. ClosedScreenshot:

For more details about the System Log, see Reports.

ClosedMFA System Log events

The Factor Type for MFA events is moved from the Actor's details to the Event's details in the System Log. ClosedScreenshot:

For more details about the System Log, see Reports.

ClosedNine supported languages

Okta has added the following nine supported languages for Email and SMS Customization: Czech, Greek, Hungarian, Indonesian, Malaysian, Polish, Romanian, Turkish, and Ukrainian. For more information, see Add Custom Email Templates for Multiple Languages.

ClosedBambooHR integration enhancement

BambooHR now retrieves additional attributes such as department and division for pre-start users.

For more information about BambooHR provisioning, see the BambooHR Provisioning Guide.

ClosedNew device notification emails

An enhancement to the device fingerprint feature has been made so that end users may receive a new device notification email when signing in via an embedded browser. Sign in via embedded browsers can take place in applications such as Microsoft Outlook on Mac OS or Windows and mobile apps. For more information about email notifications see New or Unknown Device Notification Emails.

ClosedAttribute mapping overrides

Admins can now recover the default values of mappings that had been overridden during individual app assignments. This feature also clearly displays default EL expressions, and simplifies overrides with Override and Reset buttons. For more information, see Attribute Mapping Overrides.

ClosedGoogle custom schemas

When enabled, Okta imports Google custom schemas which you can then map as additional custom properties. Note: In order to have permission to pull custom schema information from Google, Okta requires an additional OAuth scope. This requires you to reauthenticate your app instance in order use this functionality.

For more information about Google schema discovery, see the G Suite Provisioning Guide.

ClosedAdd custom attribute: enumerated list

When you create a custom attribute, you can enter a list of enum values. For example, you can create a Shirt size attribute with a list of values including: small, medium, large. For details, see Create Custom Attributes.

ClosedSupport for Salesforce Community and Portal

This feature allows you to create instances of the Salesforce.com app that can integrate with either a Salesforce Customer Portal or a Salesforce Customer Community. For more details, see the Salesforce Provisioning Guide.

ClosedCustom email domain

You can configure a custom domain so that email Okta sends to your end users appears to come from an address that you specify instead of the default Okta sender noreply@okta.com. This allows you to present a more branded experience to your end users. For details, see Configure a Custom Email Domain. ClosedScreenshot

User-added image

ClosedOkta Mobile Fingerprint/Touch ID and Face ID authentication

Okta Mobile supports fingerprint authentication on Android devices and Touch ID/Face ID authentication on iOS devices. For details, see Lock/Unlock the Okta Mobile App. ClosedExample Screenshot:

ClosedVoice Call as a Factor

Voice Call Factor authentication is now available as an MFA factor. With this feature enabled, end users will receive a phone call that audibly provides a 5 digit verification code to be entered upon login. This factor can be enabled either on its own or with other factors enabled. For more information about voice call as a factor, see Multifactor Authentication. ClosedScreenshot:

ClosedUser interface updates to Group member page

The Group member page (Directory > Groups) has the following enhancements:

  • The Manage People button is now the Add Members button.
  • The Search bar is relocated to the right side of the screen.
  • The managed column is now the Added By column to indicate who added the new group member.

Additionally, when searching for a user name, if the number of search results exceeds the page limit, you are prompted to refine your search.

ClosedBefore:

ClosedAfter:

ClosedEA Feature Manager

Super Admins have the ability to enable select Early Access (EA) features to which their organization is entitled. There is no need to contact Support to request access to these new features. EA features that require additional configuration will still require assistance from Support to be enabled. For details, see Manage Early Access features.

You can also track availability of EA features on the Product Roadmap available in the Okta Help Center.

Closed2018.30 and 2018.31 began deployment on August 6
ClosedApplication Usage report enhancement

In addition to filtering by application, Okta's Application Usage report has an option to include report data from All applications. If you select this option, the data is only available to download as a CSV file (in unaggregated format).

For more details, see Reports. ClosedScreenshot

ClosedGroup Push enhancements

Group Push now supports the ability to link to existing groups in Zendesk. You can centrally manage these apps in Okta. While this option is currently only available for certain apps, Okta will periodically add this functionality to more and more provisioning-enabled apps. This feature is now GA. For details, see Using Group Push.

ClosedSystem Log enhancement

The System Log now reports when a user has been imported, updated, and deleted through real time sync. ClosedScreenshot

ClosedThe OIN Manager

The OIN Manager is an Okta portal through which independent software vendor (ISVAn acronym for independent software vendors. Okta partners with various ISVs (usually producing enterprise applications) to integrate on-premises, in the cloud, or native-to-mobile devices with Okta.) partners can submit SSO and provisioning apps to Okta. Once approved, these integrations are included into the Okta Integration Network (OIN).

Closed2018.29 began deployment on July 23
ClosedAdaptive MFA available for Sophos VPN

You can integrate Adaptive MFA with your Sophos VPN clients. For more information, see Configure Sophos UTM to Interoperate with Okta via RADIUS.

ClosedGroup membership rules limit increase

We have increased the default number of group membership rules allowed per org from 100 to 2000. For details about Group rules, see About Groups.

ClosedIP whitelist download file available

If your server policy is set up to deny access to external IP addresses and websites, you must configure a whitelist to enable access as required. The IP whitelist information can be obtained programmatically and can be downloaded in JSON format here: IP whitelist file. To view the current IP ranges, download the .json file. To maintain a history, save successive versions of the file. For more information about Okta IP whitelisting, see Configuring Firewall Whitelisting.

ClosedReports update

Okta continues to optimize performance in generating reports with a focus on data reliability, quality and self service of report data delivery. To achieve this, certain reports are now delivered asynchronously as a CSV download. For more information about reports, see Reports. ClosedScreenshot:

ClosedActive Directory agent, version 3.4.13

This release includes the following changes:

  • The installer will not continue if it cannot use a TLS 1.2 connection to connect to the Okta service. For Windows 2008 R2 TLS 1.2 is disabled by default and needs to be enabled through the registry. For details, see TLS 1.2 registry edits.
  • Increased the minimum .NET version supported to 4.5.2. If the installer does not detect .NET 4.5.2 or higher, it will be installed.

For version history, see Active Directory Agent Version History.

Closed2018.28 began deployment on July 16
ClosedU2F as MFA Factor

U2F is available as an MFA factor. See Factor Types for more information about different MFA types, including U2F. ClosedScreenshot:

ClosedOkta plugin, version 5.19.0 for all supported browsers

The Okta browser plugin for the Chrome, Firefox, Internet Explorer, and Safari browsers was updated to version 5.19.0 in release 2018.24. This version provides support for the Okta Account Chooser. For version history, see Browser Plugin Version History.

ClosedSystem Log enhancement

The Okta System Log and Events APIs filter out any password information that customers might have included in query parameters. This filter is part of our on-going optimizations to scrub sensitive data from logs. Okta always recommends that customers use POST requests, and never use sensitive data in HTTP GET parameters. ClosedScreenshot:

Closed2018.26 and 2018.27 began deployment on July 9
ClosedMultiple attribute support

Setting multiple enum value attributes on the end user Profile Settings page is now supported. ClosedScreenshot:

ClosedRevised schema for Saleforce

New Salesforce app instances now come with a reduced set of base attributes:

  • username
  • firstName
  • lastName
  • email
  • profile

Attributes that used to be in the base schema are moved to custom:

  • title
  • communityNickname
  • mobilePhone
  • phone
  • street
  • city
  • state
  • postalCode
  • employeeNumber
  • companyName
  • division
  • department
  • managerId
  • role
  • salesforceGroups
  • featureLicenses
  • publicGroups

This change allows admins more fine-grained control over which attributes Okta will sync in the downstream SFDC instance.

For information about Salesforce provisioning, see Okta's Salesforce Provisioning Guide.

ClosedCustom expression support for Confluence attribute mapping

Okta supports custom expressions when mapping attributes from Okta to Confluence. For more information about Confluence provisioning, see the Confluence Provisioning Guide.

ClosedScreenshot:

ClosedGoogle schema discovery enhancement
  • Support for custom properties to push and import to/from Google.
  • Support for multi-value fields (arrays) for Google Schema Discovery.

For more information about Google schema discovery, see the G Suite Provisioning Guide.

Note: Boolean properties for multi-value fields are not supported by Okta Universal Directory. They are ignored during schema import and are not visible in the Profile Editor.

ClosedScreenshot:

ClosedMFA Factors - new confirmation dialog

A confirmation notification is now displayed after resetting or enrolling in a factor. ClosedScreenshot:

ClosedUse Adaptive MFA on an F5 BigIP APM

You can integrate Adaptive MFA with your F5 BigIP APM Edge clients. For complete installation and usage information, see Configure the F5 BigIP APM to Interoperate with Okta via RADIUS.

ClosedImproved messaging for authorization server changes

New message notifications appear when an Authorization Server is activated, deactivated, or deleted. ClosedScreenshot:

ClosedEmail address used in Request Access to Apps option no longer editable

To address a security vulnerability, end users' primary email address is now populated automatically in the Request Access to Apps dialog box and the Your email field is no longer editable. The dialog box displays when end users click Request an app in the footer of their Okta org. ClosedScreenshot:

Closed2018.25 began deployment on June 25
ClosedAll admins unsubscribed from Trust incidents and updates email

All admins are being unsubscribed from receiving email notifications for Known Issues and System Outages which is now renamed to Trust incidents and updates. To receive these notifications, go to Settings > Account > Email Notifications. For details, see Email Notifications.

ClosedAdmin Email Notifications name change

In Settings > Account, under Email Notifications, the Known Issues and System Outages option is renamed to Trust incidents and updates. All new Super admins will be subscribed by default. For details, see Email Notifications.

ClosedAdmin Email Notifications for deactivated users

Some admins can select whether they want to receive emails when a user is deactivated. The admin roles that have this option are: Super Admin, Org Admin, App Admin and Mobile Admin. For details, see Email Notifications.

ClosedSystem Log enhancement

The following events are added to System Log:

  • The feature for supporting multiple network zones is disabled for an org (IWA SSO only). ClosedScreenshot:

  • When synchronizing users with a directory, users will be skipped if they match default filter rules. ClosedScreenshot:

Closed2018.24 began deployment on June 18
ClosedScope Selector enhanced
The scope selector on the Token Preview tab of the Authorization Server page is now searchable by typing a few characters of a scope name. Previously, only up to 20 scopes were displayed.
ClosedDownloads page reorganization

The Okta Downloads page contains a new section, MFA Plugins and Agents that replaces the Okta On-Prem MFA Agents section. ClosedScreenshot

ClosedRemove the restriction on usernames in email address format

By default, Okta requires user names to be formatted as email addresses in Okta Universal Directory. Using the Format Restriction control in the Profile Editor, Administrators can remove the email format constraint from the Username attribute in Okta UD or replace it with a specific set of characters that are allowed. This provides additional control over the format for Okta usernames for all users in an Okta org. For more information see Relax email format requirement for Okta username.

ClosedSwitch between multiple Okta accounts using the Okta browser plugin

End users can now switch between multiple Okta accounts easily through the Okta browser plugin. This feature prompts signed-in end users to trust or reject subsequent Okta accounts the first time they access those accounts allowing them full control to choose seamlessly between accounts. For details, see Switch between multiple Okta accounts using the plugin. ClosedScreenshot

ClosedCRL download enhancements
Added functionality to reduce the frequency with which Certificate Revocation Lists (CRLs) for client supplied certificates are downloaded when using X509 based authentication and to improve the handling of cases where the CRL cannot be downloaded.
ClosedEnd-users can reset the Okta browser plugin

If there's a problem with the Okta browser plugin, an error message with a Refresh Plugin button now displays allowing end users to refresh the plugin cache. For more, see About the Okta Browser Plugin. ClosedScreenshot

Closed2018.23 began deployment on June 11
ClosedImproved organization of Okta email templates

The list of Okta-provided email templates is reorganized by template type. This makes it easier for admins to find and evaluate Okta-provided email templates in Settings > Email & SMS. For more information about Okta email templates, see Email and SMS. ClosedScreenshot:

ClosedUpdated error message

Error message text has been modified when assigning non-email formatted values for username attribute.

ClosedNew System Log event

The System Log contains an entry when a user cannot be unlocked automatically by the nightly batch job due to a read-only event. ClosedScreenshot:

ClosedMultiple network zones

Authentication whitelisting and blacklisting (explicitly permitting or denying access) based on network zones is now Generally Available (GA). Network zones are sets of IP address ranges. You can use this feature in policies, application sign on rules, and VPN notifications. This expands the use of Gateway IP Addresses. This feature is now GA for all orgs. For more information, see Network. ClosedScreenshot

ClosedCustom email templates in multiple languages

Custom email templates allow you to send custom Okta-generated email messages to end users in multiple languages. For details, see Add Custom Email Templates for Multiple Languages. ClosedScreenshot

ClosedRadius Agent, version 2.7.3

This version disables CDN during install and contains bug fixes. For history, see Okta RADIUS Server Agent Version History.

ClosedOn-Prem MFA agent, version 1.3.7

This version disables CDN during install. For history, see On-Prem MFA Agent Version History.

ClosedOkta Verify Auto-Push authentication

Okta Verify Auto-Push makes Multifactor Authentication (MFA) even easier. Now, when end users land on the MFA challenge page (with Okta Verify with Push enabled), the challenge is sent automatically with no need to click Send Push. To set up this feature, end users select Send Push Automatically on the authentication screen. For more information, see Okta Verify with Push Authentication. ClosedScreenshot

ClosedCloud access security broker for SAML apps

Support for a cloud access security broker (CASB) is available for all SAML apps. For more information, see the CASB Configuration Guide.

ClosedDynamic translation for custom email templates

When you customize an Okta-generated email template through the Add Translation dialog box, the text in the body of the template updates automatically into the language you select in the Language list. The Generally Available version of this feature includes updated labels and other minor UI improvements. For more about custom email templates, see Add Custom Email Templates for Multiple Languages. ClosedScreenshot

Closed2018.21 and 2018.22 began deployment on June 5
ClosedLitmos support for SHA2

The Litmos integration is updated to support SHA2 cryptographic hash algorithm which utilizes the new Litmos SAML endpoint splogin. If you are currently using the Litmos SAML integration, Okta highly recommends that you review the steps outlined in the migration section of the Litmos Configuration Guide and switch to SHA2 at your earliest convenience. ClosedScreenshot:

ClosedUse Adaptive MFA on a Fortinet appliance

You can extend Adaptive MFA to your Fortinet appliance. For complete installation and usage information, see Configure the Fortinet Appliance to Interoperate with Okta via RADIUS.

ClosedSystem Log events for new device notification emails

New device notification email events now appear in the System Log. ClosedScreenshot

ClosedU2F-compliant factor enrollment improvements

We've improved the user experience for U2F-compliant factor enrollment by making the following changes:

  • U2F instructions are updated to remove references to specific browsers such as Chrome and Firefox
  • Error messages now include more descriptive text

For more information, see MFA Factor Types. ClosedScreenshot:

Closed2018.20 began deployment on May 29

There were no new Production features in this release.

Closed2018.19 began deployment on May 14
ClosedUpdate (May 23, 2018): Rate Limit Notifications

Added the following enhancements to support Rate Limit notifications:

  • Notification banners within Okta for Super administrators when the Rate Limit warning and violation thresholds have been reached within the last 24 hours. ClosedScreenshot

  • Automatic email notifications to Super administrators when the Rate Limit warning and violation thresholds have been reached within the last 24 hours. ClosedScreenshot

  • An Email Notifications setting available in Settings > Account for the Super administrator to turn the email notification on or off. This setting is turned on by default. ClosedScreenshot

  • Syslog entries that track discrete rate limit events for warnings and violations, and that can be queried independently or jointly. This provides you with a full picture of organizational as well as individual client trends.

    For example, the following query shows both warnings and violations:

    eventType eq "system.org.rate_limit.warning" OR eventType eq "system.org.rate_limit.violation"

    Both the notification banner and the email notification contain a link to the query above. ClosedScreenshot

For more information, refer to Rate Limiting at Okta.

ClosedSimplified Convert Assignments screen

The Convert Assignments screen is populated only when there are assignments to convert. When there are no assignments to convert it presents a message. ClosedScreenshot.

ClosedAgent version and TLS 1.2 compliance status, and other Downloads page enhancements

The Downloads page includes the following changes:

  • The agent status is highlighted at the top of the page, indicating whether or not agents are up-to-date. ClosedScreenshot
  • Agent status information appears after the first agent of that type is configured.
  • For the AD, SSO IWA, On-Prem MFA, Provisioning, and LDAP agents, there is now a status message indicating whether the agent is up-to-date or a new version is available.
  • The Connected Agents table displays the host name, the version of the agent that is currently running, whether the agent is TLS 1.2 compliant. ClosedScreenshots
  • The AD Password Sync and RADIUS agents information includes a link to the System Log to view the agent version, if applicable.
  • The Admin Downloads section moved to the top of the page and similar agents are grouped (for example, all AD agents are together).
  • A link to a CSV file containing this information is added to the right-hand sidebar. ClosedScreenshot
ClosedID tokens enhancement

ID tokens can now be retrieved using a Refresh Token.

Closed2018.18 began deployment on May 7
ClosedIWA Token Processing: Redirect to custom error page now available for all existing orgs

If Okta fails to process an IWA token, you can now redirect end users to a custom error page. This option is useful if you embed Okta into your solution and want to control end-to-end branding to enhance end user experience. For more information, see Login Error Page.

Note: This feature is now Generally Available for all orgs.

ClosedScreenshot

ClosedRADIUS app for RADIUS users
Okta has developed a RADIUS App that allows for access control on multiple RADIUS configurations. This option also provides the ability to create policy and assign RADIUS authentication to groups of users. For details, see Okta RADIUS App
ClosedWorkday integration enhancement

You can deactivate Workday mastered users on their last day worked, even if the period of time between that day and the termination exceeds a specified Pre-Start interval. See the Workday Provisioning Guide for more information.

ClosedWorkday app enhancements

The Workday integration now connects to the latest Human Resources API (v29) and uses the Maintain Contact Information Workday API for email and telephone write back, a more secure web service that some customers prefer. Additionally Okta has improved the pre-start interval functionality by only processing new users being created and ignoring updates within the pre-start interval. There are also some performance enhancements when performing an import from Workday. See the Workday Configuration Guide for details.

This feature is Generally Available for new orgs only.

ClosedConfigure Advanced API Access for Office 365

You can configure Advanced API Access for Office 365 instances by using the admin consent option on the Sign On tab.

Admins needs to leave this checked to complete OAuth authentication flow with O365, which is required for signing into chicletsThe "buttons" that appear on an end user's Home page and represent each application they wish to access through Okta. Clicking the chiclet allows the end user to instantly sign in and authenticate themselves into their chosen app. such as Yammer, Teams, and CRM. For more information, see Admin Consent for Advanced API Access. ClosedScreenshot:

ClosedWorkday integration update

Okta has updated its Workday integration: Workday Real Time Sync (RTS) can now run concurrently with regular imports. Refer to Workday Provisioning Guide to learn more about Workday RTS.

Closed2018.16 and 2018.17 began deployment on May 1
ClosedOrg admin shown as Actor for Device Trust Registration Task revocation

If the org admin revokes the Device Trust certificate through the admin console, the Sys Log for Device Trust Certificate Revocation now identifies the admin. As before, if the certificate is implicitly revoked due to user deactivation, the Actor continues to be shown as Okta System. For details, see Revoke and remove Device Trust certificates. ClosedScreenshot:

ClosedCitrix NetScaler integration

The Citrix NetScaler Gateway now integrates with Okta via RADIUS, in addition to SAML and OAuth. For detailed information, see the Citrix Netscaler Gateway Radius Configuration Guide.

ClosedPassword reset available before activation

Password Reset is available for users who are not yet active. This is to enable users who may have lost their original activation email to request a password reset.

ClosedDouble quotation marks supported in email logins

Email addresses enclosed in double quotation marks are supported for Okta logins.

ClosedImproved page labels

The Account tab on the Customization page is renamed General. For details about options on this tab, see Customization. ClosedScreenshot:

ClosedNew documentation links for Windows Credential Provider and ADFS integration

Direct links to the documentation for the Okta Windows Credential Provider and the Active Directory Federation Services (ADFS) Plugin are available in the sidebar. ClosedScreenshots:

Closed2018.15 began deployment on April 16
ClosedNew AD Password Sync agent, version 1.3.6

This Generally Available agent update contains the following fixes:

  • Locate the correct user when searching for a SamAccountName that is duplicated in a forest
  • Include the User-Agent in the header of the request

For history, see AD Password Sync Agent Version History.

ClosedNew Okta Plugin 5.17.1 for Chrome

This release fixes an issue where the screen appeared blank. For version history see Browser Plugin Version History.

ClosedRetry available for text message for forgotten password

The Forgotten Password Text Message screen offers an option to resend the code to enter for SMS or call again for Voice call. For more information about password reset functionality, see End User Password Reset. ClosedScreenshot:

ClosedPagerDuty uses API v2

The PagerDuty app now implements v2 of the PagerDuty API. PagerDuty API v1 is going to be deprecated on April 24, 2018. The change of API should be transparent to customers. For more information, see https://v2.developer.pagerduty.com/. For more information about PagerDuty provisioning, see the PagerDuty Provisioning Guide.

ClosedNew OPP agent, version 1.2.3

This version provides internal fixes to the installer, including a fix which allows the installer to work behind a firewall.

For history, see On Premises Provisioning Agent and SDK Version History.

Closed2018.14 began deployment on April 9
ClosedOkta email templates have a new look and feel

These newly-designed email templates are applied to standard (uncustomized) email templates, as well as to customized templates that have been Reset to Default. Previously-customized email templates that have not been Reset to Default are unchanged.

ClosedBefore

ClosedAfter

ClosedConfigure the Okta browser plugin to work with a custom end user portal

You can configure the Okta browser plugin to behave on your custom end user portal exactly as it behaves in the Okta end user dashboard. For details, see Configure your custom end user portals to leverage the Okta browser plugin.

ClosedIWA Token Processing: Redirect to custom error page

If Okta fails to process an IWA token, you can now redirect end users to a custom error page. This option is useful if you embed Okta into your solution and want to control end-to-end branding to enhance end user experience. For more information, see Login Error Page.

Note: This feature is Generally Available for new orgs.

ClosedScreenshot

ClosedExempt specified URLs from login form inspection

You can now set the SkipUrls registry key to prevent the Okta Internet Explorer browser plugin from inspecting the pages of specified URLs for the presence of login and change password forms. This allows pages to load faster. For details, see Exempt specified URLs from login form inspection.

ClosedEmpty names replaced with the login name

When both first and last name attributes are empty, the login name is displayed in the following UI pages:

  • User Picker in App Approver picker
  • New Group
  • Convert individual user back to group in app
  • Exclusive user list in group rule
  • App User assignment
  • API token review
  • Yubikey UI
  • Spotlight search

First and last names can be null if they are removed in the Profile Editor or changed with the Users API.

ClosedIWA agent, version 1.11.5

This Generally Available release provides the following:

  • To improve the security of IWA integrations, we now default to the TLS 1.2 security protocol in orgs running .NET Framework 4.5 or later. Orgs running earlier versions of the .NET Framework continue to use TLS 1.0.
  • Fixed an issue that caused an error when accessing the Box desktop app with SSO.
  • Internal fixes to the installer.

For history, see IWA Agent Version History.

ClosedLDAP agent, version 5.4.6

This Generally Available release provides internal fixes to the installer. For history, see LDAP Agent Version History.

ClosedThe Okta plugin has been updated to version 5.17.0 for Chrome and Edge

This release provides performance and security enhancements. For version history, see Browser Plugin Version History.

ClosedContent of new device/browser email notifications improved

Email notifications sent to users after the detection of a new device or browser at login have improved messaging and now specify Unknown browser and Unknown OS instead of just Unknown.

Closed2018.13 began deployment on April 2
ClosedConfigure the Palo Alto Networks VPN to Interoperate with Okta

Okta and Palo Alto Networks interoperate through either RADIUS or SAML 2.0. For each Palo Alto gateway, you can assign one or more authentication providers. Each authentication profile maps to an authentication server, which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls. For more information, see Configure the Palo Alto Networks VPN to Interoperate with Okta via RADIUS.

ClosedSystem Log improvement – Client ID tracked

The Client ID field is now populated in the Client Section of the System Log. ClosedScreenshot:

ClosedSystem Log for the Hipchat and Confluence apps

System Log entries are now added for the Hipchat and Confluence apps. For details, see the Hipchat and Confluence sections in Provisioning Integration Error Events.

ClosedMicrosoft Office 365 app, the default for the Admin Consent

When setting up an Microsoft Office 365 app, the checkbox for Admin Consent on SSO tab is now unchecked by default. For more information on Admin Consent, see Admin Consent for Advanced API Access.

ClosedOkta Verify iPad icons updated

Updated app icons for Okta Verify are available for iPad users. ClosedScreenshot:

ClosedOkta ADFS Plugin, version 1.4.0

The Okta ADFS (Active Directory Federaton Services) Plugin version 1.4.0 is available. This version supports load balanced ADFS servers.

Closed2018.12 began deployment on March 26
ClosedImproved App Integration Wizard guidance for group attribute statements

The Learn More link in the Attributes Statements (optional) section of the SAML Settings page points to improved information. ClosedScreenshot:

ClosedSupport for AD Agent Installer proxy credentials

In environments where internet traffic is required to go through a proxy, the sign-in flow for the AD agent installer uses the proxy settings specified within the installer. If no proxy settings are specified, the machine defaults are used. Previously,admins had to open up a hole in their data center firewall during installation.

For more information about the AD agent see Okta Active Directory Agent.

ClosedCornerstone OnDemand Provisioning Guide available

An in-product link to the Provisioning Guide for Cornerstone app is added, replacing in-product help text.

ClosedNew IWA agent, version 1.10.4

This release provides the following:

To improve the security of IWA integrations, we now default to the TLS1.2 security protocol in orgs running .NET Framework 4.5 or later. Orgs running earlier versions of the .NET Framework continue to use TLS1.

For history, see SSO IWA Web App version history.

ClosedNew On-Prem MFA agent, version 1.3.4

This new version supports TLS 1.2.

For history, see On-Prem MFA Agent Version History.

Closed2018.11 began deployment on March 20
ClosedEnhanced Custom Email Templates UI

Labels and messages in the Custom Email Templates feature are updated to improve usability.

ClosedMicrosoft Office 365 admin consent flow improved

The Microsoft Office 365 (O365) admin consent flow is now optional and is selected by default on the Sign On tab for the O365 app. Admins needs to leave this checked to complete OAuth authentication flow with O365, which is required for signing into chiclets such as Yammer, Teams, and CRM. For more information, see Admin Consent for Advanced API Access. ClosedScreenshot:

ClosedImproved scopes descriptions

The default scopes included with OAuth Custom Authorization Servers have improved display names and descriptions.

ClosedRadius Agent version 2.7.1

This new version supports TLS 1.2. For history, see Okta RADIUS Server Agent Version History.

Closed2018.10 began deployment on March 12
ClosedSocial Login usability improvements - scopes picker

When configuring scopes for Identity Providers, whenever a comma, tab, or return is typed, scopes are tokenized. For example, typing "Profile, Email" in the Scopes field in the screenshot below, will result in two scopes, Profile and Email.

For more information, see User Consent for OAuth 2.0 and OpenID Connect Flows.

ClosedScreenshot:

ClosedOkta base attributes First Name, Last Name now optional

Okta has defined 31 default base attributes for all users in an org. These base attributes are generally fixed and cannot be modified or removed. There are now two exceptions: First Name and Last Name. These two attributes can now be marked as required or optional for Okta-mastered users only. For details, see Profile Editor.

ClosedNew parameter for authentication with Okta Verify with Auto-Push

An enhancement was made for our platform customers using the auto-push feature for Okta Verify. As a result, all product users will need to re-affirm their Okta Verify Auto-Push preference (check the Send Push Automatically checkbox) if it was checked previously. Following this, Okta Verify with Auto-Push will behave as it did originally. For more information about this new parameter, see https://developer.okta.com/docs/api/resources/authn.html#request-parameters-for-verify-push-factor.

ClosedThe Okta plugin for the IE browser has been updated to version 5.16.1.

This release provides the following:

  • Improved IE performance when Browser Help Object (BHO) logging is enabled
  • An option to opt out of cert pinning through the registry
  • Iimprovements and bug fixes

For version history, see Browser Plugin Version History.

ClosedSystem Log enhancements
  • System Log events are added for the ExactTarget, GitHub, Google, Gotomeeting, Rightscale, Roambi, Samanage, SendWordNow, ServiceNow2, ServiceNow, Smartsheet, SugarCRM, VeevaVault, WebEx, Yammer, and Zendesk provisioning integrations. Previously, the log events were only available using the Okta API. For details, see Provisioning Integration Error Events.
  • System Log events are added for the Huddle, Jive45, Litmos, Lotus Domino, MoveIt DMZ, Msbpos, NetSuite, Org2Org, PagerDuty, Postini provisioning integrations. For details, see Provisioning Integration Error Events.
ClosedExternal ID for the Zendesk app

We have added new external Id attribute to the Zendesk provisioning app. ClosedScreenshot:

ClosedCustomize email attribute in Netsuite

You can now customize the email SAML attribute for the Netsuite app to map to an email or username attribute.

ClosedCustom user management not supported for RADIUS apps

The Enable on-premises provisioning configuration option is removed from RADIUS apps, as it is not supported.

ClosedConfigure the Cisco ASA VPN to Interoperate with Okta

Okta and Cisco ASA interoperate through either RADIUS or SAML 2.0. For each Cisco ASA appliance, you can configure AAA Server groups which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls. For more information, see Configure the Cisco ASA VPN to Interoperate with Okta via RADIUS.

ClosedOkta Sign-in Widget 2.7.0

Version 2.7.0 of the Okta Sign-In Widget is available. New features include :

  • Voice call as an option for Unlock Account
  • Display of multiple MFA responses
  • Display a warning for beta registrations

For more information, see Okta Sign-In Widget.

ClosedThe Okta Integration Network (OIN)

The Okta Application Network (OAN) includes more than 5,000 pre-integrated business and consumer apps. As Okta expands beyond SSO and Provisioning, we are extending the network to include new integration types, and updating the catalog name to the Okta Integration Network (OIN). As part of this rebranding, we have changed the UI and documentation to reflect this change—managing and adding your apps and integrations remain the same.

The OIN now includes the following new integrations in addition to previous SSO and Provisioning options:

  • F5 BIG-IP APM
  • Sumo Logic Okta Activity Log Integration
  • ServiceNow - Okta Orchestration Activity Pack
  • Splunk Add-on for Okta
  • QRadar Device Support Module (DSM)

For details about these new integrations, search and click the Learn More button. ClosedScreenshot:

Note: This feature is now Generally Available for all orgs.

ClosedProfile Master and User Life Cycle Management enhancements

The flow of an end user's identity throughout the different stages of access is known as a user’s lifecycle. This release contains several enhancements to define the options that manage this cycle clearly.

  • Simplified Import settings: Using a profile master necessitates a clear distinction between new and imported end users to prevent conflicts. Feedback from our users prompted improvements with matching rules, auto-confirmation and auto-activation settings.
  • New lifecycle settings: When an end user is deactivated in a profile mastered app, admins can now set whether they are deactivated, suspended, or remain an active user in Okta.

See Profile Mastering and Life Cycle for more details.

Note: This feature is now Generally Available for all orgs.

ClosedAPI Access Management

Secure your APIs with API Access Management, Okta’s implementation of the OAuth 2.0 authorization framework. API Access Management uses the Okta Identity platform to enable powerful control over access to your APIs. API Access Management can be controlled by Okta admins as well as by a rich set of APIs for client, user, and policy management. For details on features available from the Admin console, see API Access Management.

ClosedUse scopes in Rules

We've improved the text and flow of the Add Rules dialog that is part of the Early Access API Management functionality. For details see, Create Rules for Each Access Policy.

ClosedAPI Access Management Admin

The API Access Management Admin role has the following permissions:

  • Create and edit Authorization Servers, Scopes, Claim, and access policies
  • Create and edit OAuth/OIDC Client apps
  • Assign users and groups to OAuth/OIDC client apps
  • View user profiles when assigning users/clients for token preview

For more information, see API Access Management.

ClosedAnimated transition

An animated transition page now appears when users click chiclets to log into apps:

Closed2018.09 began deployment on March 6.
ClosedSocial Login improvements

Integrating Social Login with Okta is improved with redesigned screens, prepopulated IdP username value, and expanded entry options for scopes. ClosedScreenshot:

ClosedSystem Log changes related to Authorization Servers

The following message changes apply to either the Okta Org Authorization Server or a Custom Authorization Server including default (which requires API Access Management), or both, as indicated in each section.

ClosedSimplified Failure Messages from [/authorize]

The existing messages app.oauth2.authorize_failure, app.oauth2.as.authorize_failure and app.oauth2.as.authorize.scope_denied_failure replace these messages:

  • app.oauth2.authorize.access_denied
  • app.oauth2.authorize.invalid_client_id
  • app.oauth2.authorize.invalid_cache_key
  • app.oauth2.authorize.no_existing_session
  • app.oauth2.authorize.login_failed
  • app.oauth2.authorize.mismatched_user_in_cache_and_session
  • app.oauth2.authorize.user_not_assigned
  • app.oauth2.authorize.scope_denied
  • app.oauth2.as.authorize.warn_failure
  • app.oauth2.as.authorize.scope_denied

Details about the nature of the failure are included, so no information has been lost with this simplification.

These System Log changes affect responses from requests that involve either the Okta Org Authorization Server or a Custom Authorization Server including default.

ClosedSimplified Failure Messages from [/token]

Instead of supplying two different messages for token grant failures on /token, the existing message app.oauth2.as.authorize.token.grant_failure replaces these messages:

  • app.oauth2.as.token.grant.warn_failure
  • app.oauth2.as.token.grant.scope_denied_failure

This System Log change affects responses from requests that involve a Custom Authorization Server including default.

ClosedSimplified Success Messages from [/token]

Instead of supplying a different message for ID token and access token generation, there's just one message for each. The ID token or access token minted is included in the message as it was previously.

  1. The existing message app.oauth2.authorize.implicit_success replaces:
    • app.oauth2.authorize.implicit.id_token_success
    • app.oauth2.authorize.implicit.access_token_success
  2. The existing message app.oauth2.as.authorize.implicit_success replaces:
    • app.oauth2.as.authorize.implicit.id_token_success
    • app.oauth2.as.authorize.implicit.access_token_success

The _success messages weren’t being written to the System Log previously, but are now.

These System Log changes affect responses from requests that involve either the Okta Org Authorization Server or a Custom Authorization Server including default.

ClosedSimplified Messages from [/token]

Instead of supplying a different message for ID token and access token generation, there's just one message for each. The ID token or access token minted is included in the message as it was previously.

  1. The existing message app.oauth2.authorize.implicit replaces:
    • app.oauth2.authorize.implicit.id_token
    • app.oauth2.authorize.implicit.access_token
  2. The existing message app.oauth2.as.authorize.implicit replaces:
    • app.oauth2.as.authorize.implicit.id_token
    • app.oauth2.as.authorize.implicit.access_token

These System Log changes affect responses from requests that involve either the Okta Org Authorization Server or a Custom Authorization Server, including default.

ClosedSystem Log for the GoodData app

System Log entries are now added for the GoodData app. For details, see the GoodData section in Provisioning Integration Error Events

ClosedUpdate second email address in Master User Profile

Admins can update the second email address on a master user profile when Attribute Mapping is enabled.

ClosedMultiple MFA requirements display improvements

The Okta Sign On screen display is improved to display all factors when multiple Multifactor Authentication factors are required.

ClosedCSV header size limits increased

The header size limit for CSV imports is increased from 1000 to 50,000 characters.

Closed2018.07 began deployment on February 26
ClosedSystem Log enhancements

The System Log tracks the following items:

ClosedImproved error tracking

Added validation to API token creation when the maximum character length is exceeded

Closed2018.06 began deployment on February 12
ClosedOpenID Connect scopes list available

When creating or updating a rule in the Custom Authorization Server's policy, there is a button to add all default OpenID Connect scopes to the rule condition quickly. ClosedScreenshot:

For more information, see Create Rules for Each Access Policy.

ClosedOAuth 2.0 Client Grant types reorganized

Grant types for OAuth 2.0 clients are reorganized for convenience on the General Settings page for an app and in the app creation screen in the developer console. For information on grant types, see App Wizard - Procedures. ClosedScreenshot:

ClosedUnlock an account by Voice Call

The Okta Sign In page supports unlocking an account with a Voice Call. ClosedScreenshot:

Closed2018.04 and 2018.05 began deployment on February 6
ClosedSystem Log Enhancements

  • The System Log tracks mass password expiry events. ClosedScreenshot:

  • The System Log tracks events when a user account is unlocked by an Admin, when the primary email for an account is updated, and when behaviors are detected.

    ClosedScreenshot:

    ClosedScreenshot:

    ClosedScreenshot:

ClosedPublish metadata for custom scopes

When defining custom scopes for an Authorization Server, you can choose whether the metadata for these scopes is included in the public metadata. For more information, see Create Scopes.

ClosedScreenshot:

ClosedScreenshot:

ClosedAuthorization Server Policy Rule improvements

Information and error messages are improved for the Access Token Lifetime and Refresh Token Lifetime setting in a policy rule. ClosedScreenshot:

ClosedOkta's Privacy Policy update

Okta’s Privacy Policy, available at https://okta.okta.com/privacy/, was updated on January 18, 2018 in order to comply with new, forthcoming requirements promulgated by Google, and to disclose more precisely the manner in which Okta interoperates with Google's G Suite after the OAuth authentication flow is successfully completed by the admin.

Closed2018.03 began deployment on January 22
ClosedPassword Policy Soft Lock

The password policy soft lock feature provides the option to lock Active Directory (AD) mastered users in Okta with password policies. To ensure that users are locked in Okta before they are locked out of their windows accounts, Admins must set a lockout count in Okta that is lower than the lockout count specified in the AD policy.

This feature does not change the current behavior for any organizations. Consequently, when this feature is enabled, the default invalid password lockout count for Active Directory password policies is reset to zero (0). Admins must specify a new lockout count to use this feature which s tracked in the System Log as a policy update event.

Some legacy customers might have non-zero values set in the invalid password lockout count in Okta. When these values are reset to zero with this feature, a System Log event is created to show the old and new values and inform Admins that the lockout is disabled.

For more information, see Group Password Policies.

Import Lockout Status from AD

Lockout status from AD is not imported automatically. To receive these imports, contact Okta Support. Any legacy users who already receive these imports will continue to receive them.

Rollout

This feature is becoming Generally Available and will be enabled in a phased manner across all cells. The feature will be enabled for the majority of customers in Preview and US Cell 1 by January 19th and for the remainder of customers in all other cells by February 2nd.

ClosedImproved workflow for creating OAuth 2.0 services

The button for creating OAuth 2.0 Services (Client Credentials apps) is moved from the applications list into the Add Application Wizard. For more information, see Add OAuth 2.0 Client Application. ClosedScreenshot:

ClosedImproved workflow for OAuth 2.0 token preview

During OAuth Token Preview, selections for response type are not visible when the grant type is not IMPLICIT. For more information on token preview, see Test Your Authorization Server Configuration.

ClosedSpecification for login initiated by available for all grant types

The General tab on the app instance screen for OAuth 2.0 clients now displays the Login initiated by dropdown for all grant types with App Only as the default. ClosedScreenshot:

ClosedSystem Log enhancements

System Log entries were enhanced to include events when users were unassigned from group membership. ClosedScreenshot:

ClosedAdmin Managed tabs improved

Admin Managed tabs are not created if there are no apps to display in the tab. For more information, see Manage dashboard tabs for end users.

Closed2018.01 and 2018.02 began deployment on January 16
ClosedCreate user and expire password

When admins create a new user they can choose whether to have that user create a password on first sign in or create a password for the user which must be changed on their next sign in. For details, see Add People.

ClosedUser and AppUser profile schemas

Added support to allow updates to User and AppUser profile schemas. See App User Schema API documentation for more information.

ClosedNetsuite Custom attribute support

The following User Profile properties have been added to our Netsuite integration:

location, class, notes, salutation, homePhone, officePhone, fax

To use these properties, you can either create a new app instance, or contact Okta Support to manually migrate the User Profile template. For more information about our Netsuite integration, see the Netsuite Provisioning Guide.

ClosedPlaceholder text used in default Sign In page settings

In Settings > Customization, fields in the Sign In page section now contain default placeholder text instead of default editable text. This enhancement makes it easier to distinguish fields that contain Okta's default text from fields that contain custom, admin-provided text. Placeholder text disappears when you enter custom text in the field. For more information, see Customize Sign In Page headings, links, labels, and placeholders.

ClosedAuthorization Server screen enhancements

Explanatory text on the Authorization Server are expanded, and also include a direct link to the Authentication Guide topic on the Developer site.

ClosedImproved error messages

Error messages for permission errors for the password reset dialog are more descriptive and user-friendly.

ClosedSHA-256 Signed Certificates for new SAML 2.0 apps

All new SAML 2.0 apps are bootstrapped with SHA-256 signed public certificates. Existing SAML 2.0 apps are unchanged.

ClosedUltiPro Integration Update

We have added email and phone writeback functionality for UltiPro international employees. For more information about UltiPro provisioning, see UltiPro User Import and Provisioning.

2018 Application Integrations and Updates

Closed2018.48 (combines 2018.47 and 2018.48)
ClosedApplication Update

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

ClosedNew Application Integrations
ClosedNew SCIM integration applications

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

ClosedSAML for the following Okta Verified applications

  • Freshdesk (OKTA-191125)

  • Numeracy (OKTA-197992)

  • Retool (OKTA-197113)

  • Saba (OKTA-193973)

ClosedSWA for the following Okta Verified applications

  • CALXA (OKTA-191701)

  • Dashlane Business (OKTA-188394)

  • FannieMae DUS Disclose (OKTA-193513)

  • Hillgate Travel (OKTA-191141)

  • Jack Henry and Associates (IPAY) (OKTA-194266)

  • Moody's (OKTA-193598)

  • MyToll (OKTA-190867)

  • Ncrunch (OKTA-190531)

  • Nmbrs (OKTA-188157)

  • PrintMail (OKTA-194265)

  • Retargeter (OKTA-191730)

Closed2018.46
ClosedApplication Update

We have updated our Zoom integration to support a new attribute, User Type. This allows customers to set the User Type per user being provisioned from Okta to Zoom to be either Basic, Pro, or Corp.

For users who have set up the Zoom integration and enabled Provisioning before November 8, 2018, follow the migration steps detailed in Zoom's Configuring Okta With Zoom if you want to use the new attribute.

ClosedNew Application Integrations
ClosedNew SCIM integration applications

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

ClosedSAML for the following Okta Verified applications

  • Cerner (OKTA-194709)

  • Coralgix (OKTA-195349)

  • Digify (OKTA-193483)

  • eLeaP (OKTA-194168)

  • Mimecast - Admin (OKTA-193270)

  • Mobile Locker (OKTA-194895)

  • SaaSLicense (OKTA-195120)

  • Synthetix (OKTA-189127)

ClosedSWA for the following Okta Verified application

  • Star Station (OKTA-187650)

ClosedMobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • Aha! (OKTA-189385)

  • CorpTrav (OKTA-191634)

  • SAP Jam (SuccessFactors) (OKTA-189112)

  • Speco Technologies (OKTA-195019)

Closed2018.45
ClosedNew Application Integrations
ClosedNew SCIM integration applications

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

ClosedSAML for the following Okta Verified applications

  • Abstract (OKTA-192943)

  • Clubhouse (OKTA-194685)

  • ExpenseNet (OKTA-194122)

ClosedSWA for the following Okta Verified application

  • Lead Apparel (OKTA-187687)

Closed2018.44
ClosedNew Application Integrations
ClosedNew SCIM integration applications

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

ClosedSAML for the following Okta Verified applications

  • Aha! (OKTA-193716)

  • Drift (OKTA-193719)

  • Halo Communications (OKTA-192603)

  • Socialbakers (OKTA-193252)

  • UltiPro (OKTA-193804)

ClosedSWA for the following Okta Verified applications

  • Abbvie (OKTA-189416)

  • Air Canada Travel Agency (OKTA-189703)

  • Asteron Life (OKTA-185986)

  • ChathamDirect (OKTA-189336)

  • Cloud Conformity (OKTA-189068)

  • Entoro Investor Login (OKTA-187239)

  • NoMachine: Workbench (OKTA-185837)

  • Plivo (OKTA-187847)

  • Sabre Vacations Travel Agency Login (OKTA-186555)

  • XactAnalysis (OKTA-188418)

Closed2018.42
ClosedApplication Updates
  • The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
ClosedNew Application Integrations
ClosedNew SCIM integration application

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

  • Federated Directory: For configuration information, see Federated Directory's Integrate with Okta.

ClosedSAML for the following Okta Verified applications
  • Pigeonhole Live (OKTA-191208)
  • Slab (OKTA-190334)
  • Sunlight (OKTA-190547)
  • Twic (OKTA-190548)
ClosedSWA for the following Okta Verified applications
  • Amazon IT (OKTA-186022)
  • AudaExpress (OKTA-187178)
  • Citizens Business Bank Online Banking (OKTA-187670)
  • Federal Mogul ePresentment for Corporation Statements & Invoices (OKTA-186329)
  • WooBoard (OKTA-187152)
ClosedMobile application for use with Okta Mobility Management (OMM) (Android and iOS)
  • Corporate Travel Management (OKTA-190328)
Closed2018.41
ClosedApplication Update

The Solarwinds SWA integration application has been enhanced to support custom login URL’s.

ClosedNew Application Integrations
ClosedNew SCIM integration applications

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access

ClosedSAML for the following Okta Verified applications

  • HubSpot (OKTA-190126)

  • Tines (OKTA-190101)

ClosedSWA for the following Okta Verified applications

  • Alamy (OKTA-189545)

  • Citrix Netscaler Gateway (OKTA-185234)

  • HiPay (OKTA-186563)

  • Invisalign (OKTA-186776)

  • LowesLink (OKTA-185180)

  • Meritain (OKTA-186927)

  • Mimecast - Admin (OKTA-185382)

  • Sabre Cruises (OKTA-186554)

Closed2018.40
ClosedApplication Update

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

ClosedNew Application Integrations
ClosedNew SCIM integration applications

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

ClosedSAML for the following Okta Verified applications
  • Carbon Black - PSC (OKTA-187929)
  • MyWorkDrive (OKTA-189557)
  • Seed (OKTA-188581)
ClosedSWA for the following Okta Verified applications

  • Air Canada: Corporate Rewards Agent Login (OKTA-185502)

  • CommInsure: Adviser (OKTA-185985)
  • OnePath Advisor (OKTA-185989)
  • Risk Control (OKTA-185533)
  • Scribble Maps (OKTA-185677)
ClosedMobile application for use with Okta Mobility Management (OMM) (Android and iOS)
  • HighGround (OKTA-184805)
Closed2018.39
ClosedNew Application Integrations
ClosedNew SCIM integration application

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

ClosedSAML for the following Okta Verified applications

  • Automox (OKTA-189108)

  • Instructure Bridge (OKTA-185486)

ClosedSWA for the following Okta Verified applications

  • ABD Insurance and Financial Services (OKTA-183836)

  • Deluxe-Strategic Sourcing (OKTA-186091)

  • GoCompare (OKTA-185231)

  • Google Discover (OKTA-184419)

  • New Voice Media (OKTA-184604)

  • Nitro Cloud (OKTA-186292)

  • Salesforce (force.com) (OKTA-184354)

  • Zlife (OKTA-185988)

Closed2018.38
ClosedNew Application Integrations
ClosedSAML for the following Okta Verified application

  • Figma (OKTA-186594)

ClosedSWA for the following Okta Verified applications

  • Boardvantage Meetx/Director (OKTA-183845)

  • McMaster-Carr (OKTA-185177)

  • MyWave Connect (OKTA-183859)

  • Orgill (OKTA-185331)

  • RapidAPI (OKTA-185363)

  • Smallpdf (OKTA-184134)

Closed2018.37
ClosedApplication Updates
  • The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
ClosedNew Application Integrations
ClosedNew SCIM integration application

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

ClosedSAML for the following Okta Verified applications

  • Avid Secure (OKTA-181718)

  • MyAcademy (OKTA-187155)

  • TopBox (OKTA-179620)

  • Workplace by Facebook (OKTA-185097)

ClosedSAML for the following Community Created application

  • Appsulate (OKTA-187156)

ClosedSWA for the following Okta Verified applications

  • Brandify (OKTA-183379)

  • G Adventures Sherpa Agency (OKTA-183941)

  • GAMMIS (OKTA-182914)

  • IBM Partner World (OKTA-182930)

  • MIBOR (OKTA-187007)

  • TechPortal (OKTA-182900)

  • Zerto: DRaaS Service Portal (OKTA-180711)

Closed2018.36
ClosedApplication Updates
  • The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
  • 15Five now supports the following Provisioning feature (in addition to the other provisioning features that it already supports):
    • Group Push

    Users who have set-up the 15Five integration and enabled Provisioning before August 27, 2018, must follow the steps detailed in the 15Five Configuration Guide if they want to use the new features.

ClosedNew Application Integrations
ClosedNew SCIM integration application

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

ClosedSAML for the following Okta Verified applications

  • Emburse (OKTA-185748)

  • TestingBot (OKTA-185998)

ClosedSWA for the following Okta Verified applications

  • Akamai Enterprise Application Access (OKTA-180151)

  • Creditntell (OKTA-180856)

  • Essendant Solutions Central (OKTA-181089)

  • Exact Online (OKTA-167861)

  • Pure Storage Partners (OKTA-180445)

  • Wombat Security Awareness (OKTA-182578)

ClosedMobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • Zendesk (OKTA-181154)

Closed2018.35
ClosedNew Application Integrations
ClosedNew SCIM integration application

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

ClosedSAML for the following Okta Verified applications

  • DailyPay (OKTA-184138)

  • Fastly SAML (OKTA-184539)

  • Mimeo (OKTA-184146)

  • ProMaster (by Inlogik) (OKTA-184149)

  • Recruiterbox (OKTA-184536)

  • StatusHub Hub SAML (OKTA-180233)

  • TeamViewer (OKTA-183668)

ClosedSWA for the following Okta Verified applications

  • EveryoneSocial (OKTA-181223)

  • Hermes Investment Management: EOS (OKTA-179402)

  • IRMLS Indiana Regional MLS - Safemls (OKTA-181470)

  • NatureBridge (OKTA-183752)

  • Polygon (OKTA-183237)

Closed2018.34
ClosedNew Application Integrations
ClosedNew SCIM integration application

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

ClosedSAML for the following Okta Verified application

  • Content Insights (OKTA-168880)

ClosedSWA for the following Okta Verified applications

  • Adobe Enterprise (OKTA-178641)

  • Amazon Video Partner (OKTA-177266)

  • MassMutual Not-for-Profit Workplace Retirement (OKTA-178022)

  • Nuance (OKTA-180548)

  • Primeiro Pay (OKTA-181176)

Closed2018.33
ClosedNew Application Integrations
ClosedSAML for the following Okta Verified applications
  • Dovetale (OKTA-183038)
  • People.ai (OKTA-180849)
  • Workteam (OKTA-182091)
ClosedSAML for the following Community Created application
  • Imprima iRoom (OKTA-181903)
ClosedSWA for the following Okta Verified applications
  • Apple Business Manager (OKTA-179326)
  • Centrelink (OKTA-180192)
  • Decision Lender (OKTA-179129)
  • Emburse (OKTA-183553)
  • Mobile Health Consumer, Inc.(OKTA-180025)
  • MY TELE2 FOR BUSINESS (OKTA-178240)
  • United Intranet (OKTA-179628)
Closed2018.32
ClosedApplication Updates

Fuze now supports the following Provisioning features (in addition to the other Provisioning features that it already supports):

  • Importing Users
  • Profile Mastering

Users who have set up the Fuze integration and enabled Provisioning before August 1, 2018, need to follow the migration steps detailed in the Fuze Configuration Guide if they want to use these new features.

ClosedNew Application Integrations
ClosedNew SCIM

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

  • Amazon Chime: For configuration information, see Amazon Chime's Connect to Okta SSO instructions.
ClosedSAML for the following Okta Verified applications
  • 4me (OKTA-180242)
  • SendSafely (OKTA-180234)
ClosedSWA for the following Okta Verified applications
  • AIA (OKTA-179070)
  • AirVantage (OKTA-177125)
  • Clearview (OKTA-179071)
  • Fiscal Unattended Portal (OKTA-178318)
  • Looker (OKTA-174927)
  • LucidPress (OKTA-177037)
  • Thycotic Force (OKTA-181148)
  • Vyond: GoAnimate (OKTA-177036)
ClosedMobile application for use with Okta Mobility Management (OMM) (Android and iOS)
  • LinkedIn Learning (OKTA-177771)
Closed2018.31 (combines app integrations from 2018.30 and 2018.31 releases)
ClosedApplication Updates

Namely now supports the following Provisioning features (this is in addition to the Profile Master feature that it already supports):

  • Create users
  • Update user attributes

For users that have set-up the Namely integration and enabled Provisioning before July 23, 2018, they have to follow the migration steps detailed in the Namely Configuration Guide if they want to use the new features.

ClosedNew Application Integrations
ClosedSAML for the following Okta Verified applications

  • Carbonite Endpoint Protection (OKTA-179619)

  • CipherCloud (OKTA-178258)

  • Omnilert (OKTA-178842)

ClosedSWA for the following Okta Verified applications

  • Air Canada Travel Agency (OKTA-176497)

  • Deep Social (OKTA-175548)

  • FastMail (OKTA-173347)

  • FPI Portfolio (OKTA-177374)

  • GTA Travel (OKTA-175171)

  • Health Wise Global (OKTA-175660)

  • IBM Partner World (OKTA-178902)

  • iTunes Podcasts Connect (OKTA-177007)

  • JumpCloud (OKTA-176802)

  • Pinnacle Financial Partners (OKTA-174891)

  • Profitstars (OKTA-179309)

  • Quick Base (OKTA-179540)

  • Revenue NSW (OKTA-179226)

  • SkyKick (OKTA-177199)

  • StiPP (OKTA-177420)

ClosedMobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • Dialpad (OKTA-174331)

  • SwiftKey (OKTA-177039)

Closed2018.29
ClosedApplication Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

ClosedNew Application Integrations
ClosedNew SCIM

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

ClosedSAML for the following Okta Verified applications

  • CloudSaver (OKTA-178376)

  • Fuel Cycle (OKTA-177763)

  • IMIchat (OKTA-172672)

  • Luminate Secure Access Cloud (OKTA-177980)

  • PitchBook (OKTA-178524)

  • Spoke (www.askspoke.com) (OKTA-176635)

  • Ultimo (OKTA-176636)

  • Symsys (OKTA-178538)

ClosedSWA for the following Okta Verified applications

  • FrameIO (OKTA-175531)

  • Grove (OKTA-176622)

  • GTA Travel (OKTA-175171)

  • My NS Business (OKTA-176453)

  • Track My Backflow (OKTA-175785)

  • Wire (OKTA-173345)

ClosedMobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • Microsoft Dynamics CRM Online (OKTA-175795)

Closed2018.28
ClosedApplication Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

ClosedNew Application Integrations
ClosedNew SCIM

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

ClosedSAML for the following Okta Verified applications

  • eFront (OKTA-176299)

  • Federated Directory (OKTA-177196)

  • Process Plan (OKTA-176823)

  • Torii (OKTA-176916)

Closed2018.27 (combines app integrations from 2018.26 and 2018.27 releases)
ClosedApplication Updates

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

ClosedNew Application Integrations
ClosedSAML for the following Okta Verified applications

  • Autotask Endpoint Backup (OKTA-175184)

  • Beneplace G3 (OKTA-173834)

  • Egress (OKTA-174618)

  • Forter (OKTA-174571)

  • getSayDo (OKTA-173822)

  • Mind Tools (OKTA-172557)

  • MockFlow (OKTA-170692)

  • ProsperWorks (OKTA-172832)

  • StatusHub (OKTA-174984)

  • Tiled (OKTA-173560)

ClosedSWA for the following Okta Verified applications

  • BeValuedUk (OKTA-175212)

  • Cylance Partner (OKTA-173385)

  • Explorer for ArcGIS (OKTA-166173)

  • MRI Software (OKTA-177190)

  • Symsys Selmore (OKTA-174360)

  • Telmediq (OKTA-177265)

Closed2018.25
ClosedApplication Updates

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

We removed support for provisioning for the imeetcentral app.

ClosedNew Application Integrations
ClosedSAML for the following Okta Verified applications

  • Nvoicepay (OKTA-172287)

  • Sigma (OKTA-174900)

  • TrackVia (OKTA-171562)

ClosedSWA for the following Okta Verified applications

  • Carrick Capital Partner (OKTA-173141)

  • Cisco (OKTA-173291)

Closed2018.24
ClosedApplication Updates

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

We support SHA2 for the following integration:

  • Litmos (OKTA-169369)

ClosedNew Application Integrations
ClosedSAML for the following Okta Verified applications

  • AppDynamics v4.5+ (with SAML Encryption) (OKTA-172601)

  • Mambu (OKTA-171083)

ClosedSWA for the following Okta Verified applications

  • Hippo CMMS (OKTA-173145)

  • TruQu (OKTA-172875)

Closed2018.23
ClosedApplication Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

ClosedNew Application Integrations
ClosedSAML for the following Okta Verified applications

  • Paladin (OKTA-172501)

  • Talkdesk (OKTA-170361)

ClosedSWA for the following Okta Verified applications

  • Cadence (OKTA-172519)

  • Guidewire Community (OKTA-171779)

  • Ipreo (OKTA-170892)

  • Mimecast Secure Messaging (OKTA-166261)

  • Portico Property Management (OKTA-171052)

  • Quadient Cloud (OKTA-166195)

  • SecureWorks (OKTA-172818)

  • WebAdvisor (OKTA-167409)

  • Wells Fargo (Commercial Electronic Office) (OKTA-172565)

ClosedMobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • Namely (OKTA-171365)

  • VMware Horizon View VDI (OKTA-171494)

ClosedMobile applications for use with Okta Mobility Management (OMM) (Android

  • Cadence (OKTA-171772)

Closed2018.22
ClosedApplication Updates

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

ClosedNew Application Integrations
ClosedSAML for the following Okta Verified applications

  • Built.io Flow (OKTA-170655)

  • Collective Health Employer Portal (OKTA-170658)

  • FOSSA (OKTA-170095)

  • Guru (OKTA-170656)

  • iDeals VDR (OKTA-166918)

  • Korbyt (OKTA-171463)

  • Marvelapp (OKTA-170657)

  • OpenEye Web Services (OKTA-167710)

ClosedSWA for the following Okta Verified applications

  • 1Password Business (OKTA-172516)

  • Amazon DE (OKTA-167431)

  • Benchmarking (OKTA-168838)

  • Dell Boomi (OKTA-171444)

  • DocsCorp Support (OKTA-168878)

  • Granite Group Advisors Education (OKTA-167734)

  • HP Channel Services Network (OKTA-170175)

  • HP Express Decision Portal (OKTA-166576)

  • IBM MaaS360 (OKTA-167146)

  • ITSupport247 (OKTA-167960)

  • Kronos: SaaShr Payroll (OKTA-169641)

  • LA Times (OKTA-166855)

  • Qlikid (OKTA-171593)

  • Rabobank Internetbankieren (OKTA-171384)

  • Rippe and Kingston LMS (OKTA-168601)

  • SAP Fiori Client (OKTA-170853)

  • ShowClix Organizer Login (OKTA-168649)

  • Spot.IM (OKTA-170306)

  • WebEx (Cisco) (OKTA-165568)

  • WorkFusion Forum (OKTA-168914)

  • xpenditure (OKTA-171605)

  • Yodeck (OKTA-170597)

ClosedMobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • G Suite (OKTA-170627)

  • Palo Alto Networks - GlobalProtect (OKTA-170860)

  • Zoho One (OKTA-171114)

ClosedMobile applications for use with Okta Mobility Management (OMM) (Android

  • Confluence On-Premise SAML (OKTA-168082)

Closed2018.20
ClosedApplication Updates

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

ClosedNew Application Integrations
ClosedSAML for the following Okta Verified applications

  • LaunchDarkly (OKTA-169378)

  • Saleshood (OKTA-169149)

ClosedSWA for the following Okta Verified applications

  • EOLIS (OKTA-166337)

  • HP Partner First Portal (OKTA-166039)

  • HSB Connect (OKTA-167254)

  • Pandora (OKTA-162880)

  • Samsara (OKTA-166084)

Closed2018.19
ClosedApplication Updates

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

The following partner-built provisioning integration app is now available in the OIN as partner-built Okta VerifiedEach integration found in the Okta Integration Network is either Okta Verified, Community Created, or Community Verified. Integrations can receive Okta Verification status in one of the following ways: 1) If the integration is Okta-built and is tested and verified by Okta. 2) If the integration is ISV-built (partner-built) and tested by Okta, then verified by a customer in production.:

ClosedNew Application Integrations
ClosedSAML for the following Okta Verified applications

  • BeyondTrust (OKTA-166383)

  • Fivetran (OKTA-168577)

  • SmartDraw (OKTA-168214)

ClosedSWA for the following Okta Verified applications

  • Collector (OKTA-168887)

  • Collector for ArcGIS (OKTA-166172)

  • ManageEngine ServiceDesk Plus (OKTA-164522)

  • Onfido (OKTA-168265)

  • Survey123 For ArcGIS (OKTA-166171)

ClosedMobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • G Suite (OKTA-165929)

  • SAP Fiori Client (OKTA-166524)

ClosedMobile application for use with Okta Mobility Management (OMM) (Android)

  • OrgWiki (OKTA-166365)

Closed2018.18
ClosedApplication Updates

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

ClosedNew Application Integrations
ClosedSAML for the following Okta Verified applications

  • Amazon Web Services Redshift (OKTA-165274)

  • Duo Admin Panel (encrypted assertions) (OKTA-167692)

  • Enplug (OKTA-166192)

  • Everlaw (OKTA-167870)

  • SecurityCompass (OKTA-164352)

  • Verkada (OKTA-167421)

  • Xton Access Manager (OKTA-167253)

  • Yodeck (OKTA-166898)

ClosedSWA for the following Okta Verified applications

  • Amadeus Selling Platform Connect (OKTA-164289)

  • Amazon JP (OKTA-165793)

  • Braze (OKTA-165681)

  • Cognito Forms (OKTA-165816)

  • Fiserv ServicePoint (OKTA-164827)

  • MasterControl (OKTA-164742)

  • Mercado Pago Chile (OKTA-164690)

  • MileIq (OKTA-166676)

  • Percipio (OKTA-164973)

  • Stampli (OKTA-166043)

  • StormWind Studios (OKTA-163355)

  • The Library (OKTA-165278)

  • Trafalgar (OKTA-164559)

ClosedMobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • Condeco Desk Booking v2 (OKTA-165976)

  • InFlight Mobile (OKTA-165974)

  • InVironMobile (OKTA-165975)

  • INX (OKTA-165973)

  • ProsperWorks (OKTA-165092)

Closed2018.17 (combines app integrations from 2018.16 and 2018.17 releases)
ClosedApplication Updates

The following partner-built provisioning integration apps are now available in the OIN as Okta Verified:

ClosedNew Application Integrations
ClosedSAML for the following Okta Verified applications

  • Braze (OKTA-164730)

  • EZRentOut (OKTA-165985)

  • Peakon (OKTA-164574)

  • Podbean (OKTA-165001)

  • ReadCube (OKTA-165511)

  • ScreenSteps (OKTA-166666)

  • Shareworks (OKTA-166193)

  • Visual Paradigm Online (OKTA-164575)

  • Ziflow (OKTA-165510)

ClosedSWA for the following Okta Verified applications

  • Columbia Bank: Columbia Connect Login (OKTA-164598)

  • DemandCaster (OKTA-162686)

  • eNett (OKTA-161969)

  • Helpshift (OKTA-164347)

  • Meditta Customer Portal (OKTA-164125)

  • Mood Mix (OKTA-163389)

  • MT Bank: Web InfoPLUS Login (OKTA-163923)

  • Registro.br (OKTA-163594)

  • The Alabama Department of Revenue Motor Vehicle Division (OKTA-164095)

ClosedMobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • Dialpad (OKTA-162928)

  • Sequr (OKTA-165140)

Closed2018.15
ClosedNew Application Integrations
ClosedSAML for the following Okta Verified applications

  • CGR Foundation (OKTA-163834)

  • SimpleLegal (OKTA-162488)

  • TradeShift (OKTA-163383)

ClosedSAML for the following Community Created application

  • ArcGIS Online (OKTA-163206)

ClosedSWA for the following Okta Verified applications

  • Alacriti: OrbiPay Payments (OKTA-162622)

  • Ascensus (OKTA-158493)

  • Bendigo Bank (OKTA-162125)

  • Boxed (OKTA-161706)

  • Colorado CDOT Maps (OKTA-162497)

  • Join Handshake (OKTA-162160)

  • Okta Ice: Gourmet Ice Cream (OKTA-163277)

Closed2018.14
ClosedApplication Updates

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

ClosedNew Application Integrations
ClosedSAML for the following Okta Verified applications

  • Givitas (OKTA-163560)

  • SSOGEN (OKTA-163382)

  • Zoom (OKTA-161971)

ClosedSAML for the following Community Created application

  • Appsulate (OKTA-162836)

ClosedSWA for the following Okta Verified applications

  • Aurilo (OKTA-160566)

  • CBS Helpdesk (OKTA-161425)

  • Creditsafe (OKTA-163255)

  • ESET: License Administrator (OKTA-157798)

  • FamilySearch (OKTA-160772)

  • MYOB Essentials (OKTA-160212)

  • Northpass (OKTA-161830)

  • StatusHub (OKTA-161879)

  • WEXOnline Client Login (OKTA-161332)

ClosedMobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • Impraise SAML (OKTA-163703)