May 2020

2020.05.0: Monthly Production release began deployment on May 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Application Lifecycle Event Hook

Application Lifecycle events are now available for use as Event Hooks. See Event Types for a list of Events that can be used with Event Hooks.

Assign users to multiple groups in one group rule

Users can be assigned to multiple groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. in one group rule. It is no longer necessary to set up multiple rules for the same criteria to accommodate different groups. See Group rules. This feature is now available for more orgs.

Rate limit behavior for SAML sign-ins

When Just-In-Time provisioning is enabled and the number of users attempting to sign in using SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. or a Social Identity Provider exceeds rate limits, Okta displays a message that it will automatically retry the JIT request after waiting a few seconds.

Disable Import Groups per app

Admins have the option to choose whether groups are included in imports from apps. This new option is available when setting up provisioning for an appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in..

This feature should be used with care as disabling group imports will have the result of deleting all groups from the app you are configuring. As such, we provide a warning prior to disabling group imports:

Note that you will be unable to disable group imports for an app if the following conditions exist:

  • App Assignments based on Group exist
  • Group policy rules exist
  • Group Push mappings exist

In these cases, an error is displayed.

Enhancement: MFA phone-number enrollment restricted

End usersEnd users are people in your org without administrative control. They can authenticate into apps from the icons on their My Applications home page, but they are provisioned, deprovisioned, assigned, and managed by admins. are now prevented from enrolling premium numbers for SMS and phone multifactor authentication. Premiums numbers are those reserved for various services. In the U.S., they include numbers that begin with a zero or use area codes 900, 911, and 411. Internationally, the following phone-number types are restricted: Audiotext, Carrier selection, National rate, Premium rate, Shared cost, Satellite, and Short Code.

eDirectory LDAP support

Okta now supports eDirectory LDAP integrations with the upgrade to the LDAP agent version 5.6.2 or later. See eDirectory LDAP integration reference.

OUD LDAP Support

Okta now supports Oracle Unified Directory (OUD) LDAP integrations. See Oracle Unified Directory LDAP integration reference.

App-level safeguard

To guard against an unusual number of app un-assignments during user import, the admin can set the safeguard to orgThe Okta container that represents a real-world organization.-level, app-level, or both. See Import safeguards.

This feature will be gradually made available to all orgs.

Generally Available Enhancements

New HealthInsight recommendation and updates

HealthInsight now recommends enabling Okta Verify for MFA. The existing recommendation to enable strong MFA factors now also recommends disabling weaker factors. See HealthInsight.

Copy and paste groups for admin permissions

You can now copy and paste group assignments when creating admin permissions. See Grant admin privileges.

Early Access Features

New Features

Okta RADIUS Server agent, version 2.11.0

This version includes support for EAP-TTLS. See Okta RADIUS Server Agent Version History.

End-user profile reauthentication

The Customization section has a new setting that allows an admin to set the reauthentication time when an end user edits their profile. See Reauthentication Settings.


Enhancements to the new Okta End-User Dashboard

The new Okta End-User Dashboard now includes the following enhancements:

  • The Add Apps button has been removed.
  • Apps can be configured to launch automatically after users sign in to Okta.
  • Searches place more relevant options at the top of the search results.
  • Sections can be collapsed or expanded.


General Fixes


GitHub import into Okta only updated a subset of users.


The filter on the Directory > Profile Editor > Apps page didn't work for Org2Org and Bookmark apps.


Email templates that contain invalid or unknown expressions didn't display the right error message and were still saved.


Application group assignment windows didn't resize correctly when input was added.


In some cases, when a large number of groups were assigned to an application, assigning users to these groups took longer than usual.


Users couldn't use the arrow keys to navigate through app search results on the new Okta End-User Dashboard.


End users using the new Okta End-User Dashboard were incorrectly prompted to install or upgrade the Okta Browser Plugin even if it was IT-managed.


CSV files generated in the System Log sometimes incorrectly included carriage returns.


Search results were incorrectly sorted when searching for an app on the new Okta End-User Dashboard.


When Factor Sequencing was enabled and the authentication policy contained a method set to Password / Any IDPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta., the sign-in window froze when users reset their password.


Some users became stuck in an authentication loop when trying to access an app from the new Okta End-User Dashboard.


Some admins received errors when trying to approve app requests from end users made through the new Okta End-User Dashboard.


The Smart card sign-in button was visible without a Smart Card Identity Provider configured within the customer org.


Some identity providers didn't show up in the Device Identity Provider list when configuring Device Trust.


Users were prevented from disabling both app-level and org-level roadblocks.


The Email as an MFA Factor feature was not made available for some orgs when it was released earlier. We are re-releasing it in 2020.05.0.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 1Password Business (OKTA-291540)

  • 2020 Spaces (OKTA-293863)

  • Airship (OKTA-292749)

  • (OKTA-292940)

  • CalPERS (OKTA-294342)

  • Cisco Webes (OKTA-292505)

  • IBM Cloud (OKTA-293426)

  • Sauce Labs (OKTA-292506)

  • Thomson Reuters MyAccount (OKTA-291630)

  • Twitter (OKTA-287886)

  • WP Engine (OKTA-293338)


New Integrations

New SCIM Integration Applications

The following partner-built provisioningThis term is obsolete. See "Okta Verified". integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • ACALL (OKTA-292094)

  • BigChange (OKTA-294316)

  • Freshworks (OKTA-290904)

  • Kintaba (OKTA-291174)

  • Lingotek (OKTA-292197)

  • Mapbox (OKTA-294374)

  • Odo (OKTA-294315)

  • Prezi (OKTA-293858)

  • Seculio (OKTA-293141)

  • Statusbrew (OKTA-292827)

SWA for the following Okta Verified application

  • Spreadshirt (OKTA-291601)

OIDC for the following Okta Verified application

  • FiveToNine: For configuration information, see FiveToNine documentation (note you need appropriate permissions to view this doc).

Weekly Updates

April 2020

2020.04.0: Monthly Production release began deployment on April 13

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

OAuth authentication for Workplace by Facebook

Workplace by Facebook now uses OAuth authentication instead of the custom Facebook authentication method that was used before.

Note: Existing customers have been migrated to use the new authentication method; new customers will only be able to use the new authentication method (OAuth).

Third-party admin role

Some organizations have a business need to to set up administrator roles in Okta for individuals who perform admin functions but are not direct employees of the organization. By introducing the concept of a third-party admin in Okta, we are able to treat these admins differently than the typical Okta admins who interact directly with the Okta Admin Console. See Third-party admins.

OAuth for Okta

With OAuth for Okta, you are able to interact with Okta APIs using scoped OAuth 2.0 access tokens. Each access token enables the bearer to perform specific actions on specific Okta endpoints, with that ability controlled by scopes that the access token contains. See OAuth for Okta guide.

Note that at this time, OAuth for Okta works only with the APIs listed in the Scopes & supported endpoints section of our developer docs. We are actively working towards supporting additional APIs. Our goal is to cover all Okta public API endpoints.

Dynamic SAML attribute statements for OIN apps

The Dynamic SAML feature allows admins to add and preview dynamic attribute statements to the SAML Assertion for existing OIN apps. For information how to use the SAML Attribute Statements, see Define Attribute Statements.

Email as a factor for MFA

Email is now an accepted factor for multifactor authentication for convenience and to expedite migration from legacy identity platforms. After setup, your end users receive a code in an email message to use during Okta sign in. For details on setting up this factor, see Multifactor Authentication .

New developer on-boarding experience

An updated developer on-boarding experience has been rolled out for new development orgs. New signups will be asked a series of questions about their goals and the initial on-boarding tasks will be tailored to match these requirements.

Generally Available Enhancements

Improvements to App Search results

When searching for an integration, the App Catalog results now display the protocol and capabilities alongside the app name, rather than the associated categories. To expand the results, click See All Results.

HealthInsight recommendation for SAML-based apps

A new HealthInsight recommendation now notifies an admin of all existing SAML-based apps that aren't using SAML authentication. See Enable SAML or OIDC authentication for supported apps.

Admin CSV file name updated

The naming format for Administrator CSV files has been updated to contain the report type and the org ID.

Admin role descriptions added

Admin role descriptions have been added to the Add Administrator and Edit Administrator dialog boxes. See Grant admin privileges.

Google Push Group enhancement

Google Push Group functionality remains available even when the ability to import groups has been disabled. See Using Group Push

Enhanced UI for network zones

The network zones UI has been enhanced to improve readability and flow for IP, location, and ASN data. See Network Security.

New device behavior detection enhancement

The behavior detection of new devices has been updated to re-evaluate certain scenarios where a device fingerprint is missing when users sign in. See Security Behavior Detection.

Additional validation to curtail abuse

For free and paid developer orgs, we have added additional validation to the org name and some user profile fields to curtail abuse.

Early Access Features

New Features

Okta RADIUS Server agent, version 2.10.1

This version includes support for Linux, including .rpm and .deb installers. See Okta RADIUS Server Agent Version History.

LDAP agent, version 5.6.4

This version of the agent contains internal improvements. See Okta Java LDAP agent version history.


General Fixes


When editing an administrator's roles, toggling the Super Administrator check box on and off sometimes caused the UI to mistakenly issue a warning that no roles were selected.


New SAML apps had an active SAML assertion Inline Hook assigned to them automatically.

OKTA-267840, OKTA-274937, OKTA-279424, OKTA-279458

Several UI elements contained minor translation errors (Dutch, Korean, French, and Portugese).


In some cases, a SAML assertion incorrectly included extra Attribute Statements.


The Update application username field under the Provisioning settings tab didn't render correctly when profile mastering was enabled.


The Admin CSV file didn't have the Third-Party Admin column for orgs that have enabled the third-party admin assignment settings.

OKTA-282208, OKTA-286053

Modifying the settings in the Profile and Lifecycle Mastering section of the new import and provisioning settings experience for Active Directory sometimes failed.


Error messages concerning SAML Inline Hooks sometimes didn't populate in the System Log.


Sometimes when Application Entitlement Policy and Import Sync Callback feature flags were enabled, AD-imported attributes were not updated by mapping.


The App Catalog page sometimes did not render properly when the resolution was 1024x768 or lower.


Okta internal logging didn't handle valid special characters in the log field, resulting in issues.


When Federation Broker Mode was enabled for a SAML app using encryption, attempts to SSO into that app failed with a 400 Bad Request error.


Search results for users with invalid profile data due to a schema change incorrectly resulted in a 500 error instead of a 409 conflict error.


Add Section and Edit Section Name buttons didn't function properly in the new Okta End-User Dashboard in Internet Explorer 11 and Edge. Dragging application icons functionality didn't work in Internet Explorer 11.


Some UI elements were missing from the app settings sidebar in the new Okta End-User Dashboard in Internet Explorer 11 and Edge.


The Install the plugin button didn't display consistently in Internet Explorer 11 and Edge.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Assure Sign (OKTA-284353)

  • AvaTax Admin Console (OKTA-285170)

  • Chase Mastercard (OKTA-284914)

  • Citi Credit Cards (OKTA-285965)

  • Citi Velocity (OKTA-286149)

  • Custom Report Sharing (OKTA-284638)

  • ezeep (OKTA-286381)

  • GoNoodle (OKTA-286382)

  • Meraki Dashboard (OKTA-286379)

  • Monster Hiring (OKTA-285556)

  • MyLexia (OKTA-286148)

  • Pinterest (OKTA-285778)

  • PremiumBeat (OKTA-284402)

  • Sagitta Propel Insurance (OKTA-285845)

  • Secureworks (OKTA-285995)

  • Service Channel (OKTA-286147)

  • Standout M (OKTA-284911)

  • TapInfluence (OKTA-286380)

  • TeamPassword (OKTA-286378)

  • The Business of Fashion (OKTA-280914)

  • Zapier (OKTA-284033)


New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • BlogIn (OKTA-284052)

  • DiversityEduLLC (OKTA-284062)

  • Doppler (OKTA-283629)

  • Inspire (OKTA-283636)

  • Lola (OKTA-284376)

  • MyRIACompliance (OKTA-279290)

  • Paylocity Web Pay (OKTA-285418)

  • Psono Password Manager (EE) (OKTA-284898)

  • SurveyGizmo (OKTA-282980)

  • TelemetryTV (OKTA-284380)

SAML for the following Community Created application

  • The Respond Analyst (OKTA-278325)

SWA for the following Okta Verified application

  • Membee (OKTA-268688)

Weekly Updates

March 2020

2020.03.0: Monthly Production release began deployment on March 9

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Changes to admin permissions

Super admins can no longer edit their own role assignment. The Edit and Delete actions are removed from their profile row on the Administrators page. See Super admin role.

Pagination is now available when listing Authorization Servers

Pagination is now available for lists of authorization servers. See API Access Management.

Custom Email events added to the System Log

Updates to custom email templates are now tracked in the System Log.

Email verification added as optional enrollment factor

If admins configure email verification as an optional MFA factor, end users can select email as a factor during MFA enrollment. To complete enrollment, end users enter the code sent to their primary email address. The verification UI is redesigned.

Sign-in attempt behavior evaluation is logged when there is no client information

Sign-in attempt behavior evaluation is logged in the debugContext object of the user.session.start and policy.evaluate.sign_on events even when client information is missing for all behaviors.

Active Directory improvements

To assist orgs with more than 10,000 Organizational Units (OUs), improvements were made to the User OUs connected to Okta and Group OUs connected to Okta fields on the Active Directory Settings page.

Mobile tab available for mobile-capable apps

The Mobile tab available in the Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users. See Enable access to managed mobile apps.

Deleted admin users

When a user who has an admin role and privileges assigned to them is deleted, their admin privileges are revoked. The deleted user is removed from the Administrators page and CSV download list of administrators. For information about Admin roles, see Administrators.

Generally Available Enhancements

Salesforce integration supports pushing null values

The Salesforce integration supports pushing null values to user profile updates. To enable this functionality, select the Allow Pushing Null Values option on the Provisioning tab.

Veeva Vault integration update

The Veeva Vault integration has a new check box on the Provisioning tab that allows admins to choose whether to use Email instead of Username.

Spotlight search bar changes

The spotlight search bar is no longer visible to Report Admins because they do not have search permissions.

Accessibility enhancement for Okta Sign-in Widget

The Username and Password form fields on the Sign-In page now include the aria-required property. This property is not visible to end users, but indicates to screen readers that these fields are required.

Profile Editor improvements

The Profile Editor page has been improved to simplify navigation and clarify functionality.

Early Access Features

New Features

Okta Verify support for risk-based authentication

Okta Verify with Push now supports risk-based authentication. With this feature, admins can assess the level of risk when an end user signs in to their org and attempts to authenticate with Okta Verify. See Enable risk-based authentication for Okta Verify with Push.

New Group Membership Admin role

The new Group Membership Admin role grants permission to view all users in an org and manage the membership of groups. See Group membership admin role.


General Fixes


App admins were able to modify all profiles in the Profile Editor even when the admin was limited to only administer certain apps.


The Okta Admin Console displayed options to delete or deactivate app instances that can't be deleted or deactivated.


When the App Catalog feature was enabled, app admins with required permissions received a blank page when they clicked the Add Application button.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Blanchard Exchange (OKTA-278301)

  • ConnectWise Automate (OKTA-278300)

  • Playbook (OKTA-279423)


New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Halogen (OKTA-280008)

  • OneDesk (OKTA-276015)

  • Parabol (OKTA-278665)

SWA for the following Okta Verified application

  • Altair Eyewear (OKTA-277992)

Weekly Updates