The Okta browser plugin for Chrome is updated to version 5.24.1. This version includes the following bug fix:

• App icons did not load in Okta plugin for Google Chrome when the CDN was disabled.

For version history, see Okta Browser Plugin Version History.

The Okta browser plugin for Chrome and Firefox browsers is updated to version 5.24.0. This version includes an update to the end user plugin settings (available in Early Access) and back-end product enhancements. For version history, see Okta Browser Plugin Version History.

Job Title has been added to the list of RingCentral custom attributes that can be added via Schema Discovery. For more information about RingCentral provisioning, see the following provisioning guides:

• BT Cloud Phone
• RingCentral Office @Hand for AT&T
• RingCentral

For SharePoint (On-Premises) app, Expression Language evaluation for Application Attributes now supports sending any OKTA user attributes, including custom OKTA user attributes. For more information, see Adding the SharePoint (On-Premises) App in Okta.

For SWA apps with an account sign in option set to Users share a single username and password set by administrator, only Super admins or App admins with permissions for that app can view the password.

During standard imports, users are sometimes mistakenly imported from 3rd-party apps. The Clear Unconfirmed Users button allows admins to clear all unconfirmed users within an import queue. For more details, see Importing People.

When generating reports, the earliest start date you can select is now 13 months prior to the current date. For details about Okta reports, see Reports.

Okta has made a new chiclet, Microsoft Power BI, available for the Microsoft Office 365 app. You can enable it on the General tab of your org's Microsoft Office 365 app instance. For details, see Enable a Microsoft Office 365 Chiclet.

When creating App Sign-On Policy rules to manage access to apps, you can now specify additional granularity for platform types. Office 365 Client Access policies will continue to provide additional granularity for clients (that is, Web vs EAS).

For details, see Add Sign-On policies for applications and Office 365 Client Access Policies.

Only a Super Admin can view the self-service menu (Applications > Self Service) for an organization. In the past, both org admins and super admins could access this menu. There is no change to the options on the menu. For more information on roles and permissions, see Administrators.

In an Identity Provider Discovery flow, the username entered as the identifier in the first screen is passed to other Okta orgs. End users do not need to re-enter a username when signing in to any other Okta org to which they are redirected. For more information, see Identity Provider Discovery.

Support for the Norwegian (Bokmål) language for the end user experience is now available to all customers in Beta format. You can select the default language preference for your entire org, and your end users can select a different language preference for their own experience. For more information, see Configure the Display Language.

Super org admins can now download a CSV file containing a list of all admins and their permissions, using the Download CSV button on the Administrator page. For details, see Administrators. Screenshot

Requests to the /token and /authorize endpoints will now accept JWTs signed with a private key. For more information, see the OIDC documentation for the token endpoint and the authorize endpoint.

These email notification types are off by default for admins in new orgs:

• User Deprovision
• App user import status
• User lockouts

Each admin can individually opt in at Administrator > Settings > Account. Admins in existing orgs will be unaffected. For details, see Account Settings. This feature is available for new orgs only.

New device notification email

When enabled, end users will receive a new device notification email when signing in to Okta from a new or unrecognized device. This feature is now generally available to all orgs. For more information about email notifications, refer to the New or Unknown Device Notification Emails section in General Security.

Okta is consolidating where app usernames are configured. Instead of being able to change the app username in the Profile Editor and the app’s Sign On tab, you will be able to edit the Okta to App username mappings only on the app’s Sign On tab.

Note: The following apps will not be changing their behavior: Active Directory, LDAP and SAML Identify Provider.

Profile Editor - Before

For the Okta to App flow, you can no longer override username mappings in the Profile Editor.

Profile Editor - After

Username mappings on the Sign On tab

The userName mapping in the app's Sign On tab will be the source of truth for the Okta to App flow. Updating the userName mapping on Create only or Create and Update will also be controlled from the app's Sign On tab. Screenshot:

Super Admins and Org Admins can send all admin emails as BCC so that recipients' email addresses are hidden. For more information, see Global notifications options.Screenshot

You can now disable the default Okta loading animation (interstitial page) that appears when users are redirected to custom applications. End users are shown a blank interstitial page, instead. This allows you to present a more branded end user experience. For more information, see Customizing the Interstitial page>. Screenshot:

This feature streamlines the App Self-Service UI with the Access Request Workflow UI and allows admins to write a note to the end user about the app instance.  See Access Request Workflow and Self Service Registration for more details.  Screenshot

You can now assign Apps to App Admins at the instance level. This allows for more granular access control. For details, see Administrators.

We have added a new, customizable email template that alerts your end users when someone connects to their Okta account from a new device. This feature protects against silent access to an end user's account. For more about Okta email templates, see Email and SMS Options. This feature is Generally Available for new orgs only.

The Multifactor Factor Types UI has been updated to include U2F activation and enrollment for end users. For more information about U2F enrollment, refer to the Factor Types Configuration section in Multifactor Authentication.

You can integrate Adaptive MFA with your VMware Horizon View , Pulse Connect Secure, BeyondTrust PowerBroker Password Safe, and Check Point clients. Follow these links for more information and complete setup instructions.

The Self Service Registration (SSR) form now supports enum data types of string, numbers, and integers. For more information, see Okta Self-Service Registration.

Admins now receive an email listing all users deactivated during 30 minute periods instead of individual emails for each deactivation.

Okta has made a new chiclet, Microsoft Forms, available for the Microsoft Office 365 app. You can enable it on the General tab of your org's Microsoft Office 365 app instance. For details, see Enable a Microsoft Office 365 Chiclet. Screenshot

This version contains security enhancements. For version history information, see Okta RADIUS Server Agent Version History.

This version contains security enhancements. For version history information, see Okta On-Prem MFA Agent Version History.

The System Log now reports when requests are denied due to a blacklisted network zone. Screenshot:

For more details about the System Log, see Reports.

The Factor Type for MFA events is moved from the Actor's details to the Event's details in the System Log. Screenshot:

For more details about the System Log, see Reports.

Okta has added the following nine supported languages for Email and SMS Customization: Czech, Greek, Hungarian, Indonesian, Malaysian, Polish, Romanian, Turkish, and Ukrainian. For more information, see Add Custom Email Templates for Multiple Languages.

BambooHR now retrieves additional attributes such as department and division for pre-start users.

For more information about BambooHR provisioning, see the BambooHR Provisioning Guide.

An enhancement to the device fingerprint feature has been made so that end users may receive a new device notification email when signing in via an embedded browser. Sign in via embedded browsers can take place in applications such as Microsoft Outlook on Mac OS or Windows and mobile apps. For more information about email notifications see New or Unknown Device Notification Emails.

Admins can now recover the default values of mappings that had been overridden during individual app assignments. This feature also clearly displays default EL expressions, and simplifies overrides with Override and Reset buttons. For more information, see Attribute Mapping Overrides.

When enabled, Okta imports Google custom schemas which you can then map as additional custom properties. Note: In order to have permission to pull custom schema information from Google, Okta requires an additional OAuth scope. This requires you to reauthenticate your app instance in order use this functionality.

For more information about Google schema discovery, see the G Suite Provisioning Guide.

When you create a custom attribute, you can enter a list of enum values. For example, you can create a Shirt size attribute with a list of values including: small, medium, large. For details, see Create Custom Attributes.

This feature allows you to create instances of the Salesforce.com app that can integrate with either a Salesforce Customer Portal or a Salesforce Customer Community. For more details, see the Salesforce Provisioning Guide.

You can configure a custom domain so that email Okta sends to your end users appears to come from an address that you specify instead of the default Okta sender noreply@okta.com. This allows you to present a more branded experience to your end users. For details, see Configure a Custom Email Domain. Screenshot

Okta Mobile supports fingerprint authentication on Android devices and Touch ID/Face ID authentication on iOS devices. For details, see Lock/Unlock the Okta Mobile App. Example Screenshot:

Voice Call Factor authentication is now available as an MFA factor. With this feature enabled, end users will receive a phone call that audibly provides a 5 digit verification code to be entered upon login. This factor can be enabled either on its own or with other factors enabled. For more information about voice call as a factor, see Multifactor Authentication. Screenshot:

The Group member page (Directory > Groups) has the following enhancements:

• The Manage People button is now the Add Members button.
• The Search bar is relocated to the right side of the screen.
• The managed column is now the Added By column to indicate who added the new group member.

Additionally, when searching for a user name, if the number of search results exceeds the page limit, you are prompted to refine your search.

Before:

After:

Super Admins have the ability to enable select Early Access (EA) features to which their organization is entitled. There is no need to contact Support to request access to these new features. EA features that require additional configuration will still require assistance from Support to be enabled. For details, see Manage Early Access features.

You can also track availability of EA features on the Product Roadmap available in the Okta Help Center.

In addition to filtering by application, Okta's Application Usage report has an option to include report data from All applications. If you select this option, the data is only available to download as a CSV file (in unaggregated format).

For more details, see Reports. Screenshot

Group Push now supports the ability to link to existing groups in Zendesk. You can centrally manage these apps in Okta. While this option is currently only available for certain apps, Okta will periodically add this functionality to more and more provisioning-enabled apps. This feature is now GA. For details, see Using Group Push.

The System Log now reports when a user has been imported, updated, and deleted through real time sync. Screenshot

The OIN Manager is an Okta portal through which independent software vendor (ISVAn acronym for independent software vendors. Okta partners with various ISVs (usually producing enterprise applications) to integrate on-premises, in the cloud, or native-to-mobile devices with Okta.) partners can submit SSO and provisioning apps to Okta. Once approved, these integrations are included into the Okta Integration Network (OIN).

You can integrate Adaptive MFA with your Sophos VPN clients. For more information, see Configure Sophos UTM to Interoperate with Okta via RADIUS.

We have increased the default number of group membership rules allowed per org from 100 to 2000. For details about Group rules, see About Groups.

If your server policy is set up to deny access to external IP addresses and websites, you must configure a whitelist to enable access as required. The IP whitelist information can be obtained programmatically and can be downloaded in JSON format here: IP whitelist file. To view the current IP ranges, download the .json file. To maintain a history, save successive versions of the file. For more information about Okta IP whitelisting, see Configuring Firewall Whitelisting.

Okta continues to optimize performance in generating reports with a focus on data reliability, quality and self service of report data delivery. To achieve this, certain reports are now delivered asynchronously as a CSV download. For more information about reports, see Reports. Screenshot:

This release includes the following changes:

• The installer will not continue if it cannot use a TLS 1.2 connection to connect to the Okta service. For Windows 2008 R2 TLS 1.2 is disabled by default and needs to be enabled through the registry. For details, see TLS 1.2 registry edits.
• Increased the minimum .NET version supported to 4.5.2. If the installer does not detect .NET 4.5.2 or higher, it will be installed.

For version history, see Active Directory Agent Version History.

U2F is available as an MFA factor. See Factor Types for more information about different MFA types, including U2F. Screenshot:

The Okta browser plugin for the Chrome, Firefox, Internet Explorer, and Safari browsers was updated to version 5.19.0 in release 2018.24. This version provides support for the Okta Account Chooser. For version history, see Browser Plugin Version History.

The Okta System Log and Events APIs filter out any password information that customers might have included in query parameters. This filter is part of our on-going optimizations to scrub sensitive data from logs. Okta always recommends that customers use POST requests, and never use sensitive data in HTTP GET parameters. Screenshot:

Setting multiple enum value attributes on the end user Profile Settings page is now supported. Screenshot:

New Salesforce app instances now come with a reduced set of base attributes:

• username
• firstName
• lastName
• email
• profile

Attributes that used to be in the base schema are moved to custom:

• title
• communityNickname
• mobilePhone
• phone
• street
• city
• state
• postalCode
• employeeNumber
• companyName
• division
• department
• managerId
• role
• salesforceGroups
• featureLicenses
• publicGroups

This change allows admins more fine-grained control over which attributes Okta will sync in the downstream SFDC instance.

For information about Salesforce provisioning, see Okta's Salesforce Provisioning Guide.

Okta supports custom expressions when mapping attributes from Okta to Confluence. For more information about Confluence provisioning, see the Confluence Provisioning Guide.

Screenshot:

• Support for custom properties to push and import to/from Google.
• Support for multi-value fields (arrays) for Google Schema Discovery.

For more information about Google schema discovery, see the G Suite Provisioning Guide.

Note: Boolean properties for multi-value fields are not supported by Okta Universal Directory. They are ignored during schema import and are not visible in the Profile Editor.

Screenshot:

A confirmation notification is now displayed after resetting or enrolling in a factor. Screenshot:

You can integrate Adaptive MFA with your F5 BigIP APM Edge clients. For complete installation and usage information, see Configure the F5 BigIP APM to Interoperate with Okta via RADIUS.

New message notifications appear when an Authorization Server is activated, deactivated, or deleted. Screenshot:

To address a security vulnerability, end users' primary email address is now populated automatically in the Request Access to Apps dialog box and the Your email field is no longer editable. The dialog box displays when end users click Request an app in the footer of their Okta org. Screenshot:

All admins are being unsubscribed from receiving email notifications for Known Issues and System Outages which is now renamed to Trust incidents and updates. To receive these notifications, go to Settings > Account > Email Notifications. For details, see Email Notifications.

In Settings > Account, under Email Notifications, the Known Issues and System Outages option is renamed to Trust incidents and updates. All new Super admins will be subscribed by default. For details, see Email Notifications.

Some admins can select whether they want to receive emails when a user is deactivated. The admin roles that have this option are: Super Admin, Org Admin, App Admin and Mobile Admin. For details, see Email Notifications.

The following events are added to System Log:

• The feature for supporting multiple network zones is disabled for an org (IWA SSO only). Screenshot:

  

• When synchronizing users with a directory, users will be skipped if they match default filter rules. Screenshot:

  

The Okta Downloads page contains a new section, MFA Plugins and Agents that replaces the Okta On-Prem MFA Agents section. Screenshot

By default, Okta requires user names to be formatted as email addresses in Okta Universal Directory. Using the Format Restriction control in the Profile Editor, Administrators can remove the email format constraint from the Username attribute in Okta UD or replace it with a specific set of characters that are allowed. This provides additional control over the format for Okta usernames for all users in an Okta org. For more information see Relax email format requirement for Okta username.

End users can now switch between multiple Okta accounts easily through the Okta browser plugin. This feature prompts signed-in end users to trust or reject subsequent Okta accounts the first time they access those accounts allowing them full control to choose seamlessly between accounts. For details, see Switch between multiple Okta accounts using the plugin. Screenshot

If there's a problem with the Okta browser plugin, an error message with a Refresh Plugin button now displays allowing end users to refresh the plugin cache. For more, see About the Okta Browser Plugin. Screenshot

The list of Okta-provided email templates is reorganized by template type. This makes it easier for admins to find and evaluate Okta-provided email templates in Settings > Email & SMS. For more information about Okta email templates, see Email and SMS. Screenshot:

Error message text has been modified when assigning non-email formatted values for username attribute.

The System Log contains an entry when a user cannot be unlocked automatically by the nightly batch job due to a read-only event. Screenshot:

Authentication whitelisting and blacklisting (explicitly permitting or denying access) based on network zones is now Generally Available (GA). Network zones are sets of IP address ranges. You can use this feature in policies, application sign on rules, and VPN notifications. This expands the use of Gateway IP Addresses. This feature is now GA for all orgs. For more information, see Network. Screenshot

Custom email templates allow you to send custom Okta-generated email messages to end users in multiple languages. For details, see Add Custom Email Templates for Multiple Languages. Screenshot

This version disables CDN during install and contains bug fixes. For history, see Okta RADIUS Server Agent Version History.

This version disables CDN during install. For history, see On-Prem MFA Agent Version History.

Okta Verify Auto-Push makes Multifactor Authentication (MFA) even easier. Now, when end users land on the MFA challenge page (with Okta Verify with Push enabled), the challenge is sent automatically with no need to click Send Push. To set up this feature, end users select Send Push Automatically on the authentication screen. For more information, see Okta Verify with Push Authentication. Screenshot: 

Support for a cloud access security broker (CASB) is available for all SAML apps. For more information, see the CASB Configuration Guide.

When you customize an Okta-generated email template through the Add Translation dialog box, the text in the body of the template updates automatically into the language you select in the Language list. The Generally Available version of this feature includes updated labels and other minor UI improvements. For more about custom email templates, see Add Custom Email Templates for Multiple Languages. Screenshot

The Litmos integration is updated to support SHA2 cryptographic hash algorithm which utilizes the new Litmos SAML endpoint splogin. If you are currently using the Litmos SAML integration, Okta highly recommends that you review the steps outlined in the migration section of the Litmos Configuration Guide and switch to SHA2 at your earliest convenience. Screenshot:

You can extend Adaptive MFA to your Fortinet appliance. For complete installation and usage information, see Configure the Fortinet Appliance to Interoperate with Okta via RADIUS.

New device notification email events now appear in the System Log. Screenshot: 

We've improved the user experience for U2F-compliant factor enrollment by making the following changes:

• U2F instructions are updated to remove references to specific browsers such as Chrome and Firefox
• Error messages now include more descriptive text

For more information, see MFA Factor Types. Screenshot:

Added the following enhancements to support Rate Limit notifications:

• Notification banners within Okta for Super administrators when the Rate Limit warning and violation thresholds have been reached within the last 24 hours. Screenshot

  

• Automatic email notifications to Super administrators when the Rate Limit warning and violation thresholds have been reached within the last 24 hours. Screenshot

  

• An Email Notifications setting available in Settings > Account for the Super administrator to turn the email notification on or off. This setting is turned on by default. Screenshot

  

• Syslog entries that track discrete rate limit events for warnings and violations, and that can be queried independently or jointly. This provides you with a full picture of organizational as well as individual client trends.

  For example, the following query shows both warnings and violations:

  eventType eq "system.org.rate_limit.warning" OR eventType eq "system.org.rate_limit.violation"

  Both the notification banner and the email notification contain a link to the query above. Screenshot

  

For more information, refer to Rate Limiting at Okta.

The Convert Assignments screen is populated only when there are assignments to convert. When there are no assignments to convert it presents a message. Screenshot.

The Downloads page includes the following changes:

• The agent status is highlighted at the top of the page, indicating whether or not agents are up-to-date. Screenshot
• Agent status information appears after the first agent of that type is configured.
• For the AD, SSO IWA, On-Prem MFA, Provisioning, and LDAP agents, there is now a status message indicating whether the agent is up-to-date or a new version is available.
• The Connected Agents table displays the host name, the version of the agent that is currently running, whether the agent is TLS 1.2 compliant. Screenshots
• The AD Password Sync and RADIUS agents information includes a link to the System Log to view the agent version, if applicable.
• The Admin Downloads section moved to the top of the page and similar agents are grouped (for example, all AD agents are together).
• A link to a CSV file containing this information is added to the right-hand sidebar. Screenshot

ID tokens can now be retrieved using a Refresh Token.

If Okta fails to process an IWA token, you can now redirect end users to a custom error page. This option is useful if you embed Okta into your solution and want to control end-to-end branding to enhance end user experience. For more information, see Login Error Page.

Note: This feature is now Generally Available for all orgs.

Screenshot

You can deactivate Workday mastered users on their last day worked, even if the period of time between that day and the termination exceeds a specified Pre-Start interval. See the Workday Provisioning Guide for more information.

The Workday integration now connects to the latest Human Resources API (v29) and uses the Maintain Contact Information Workday API for email and telephone write back, a more secure web service that some customers prefer. Additionally Okta has improved the pre-start interval functionality by only processing new users being created and ignoring updates within the pre-start interval. There are also some performance enhancements when performing an import from Workday. See the Workday Configuration Guide for details.

This feature is Generally Available for new orgs only.

You can configure Advanced API Access for Office 365 instances by using the admin consent option on the Sign On tab.

Admins needs to leave this checked to complete OAuth authentication flow with O365, which is required for signing into chiclets such as Yammer, Teams, and CRM. For more information, see Admin Consent for Advanced API Access. Screenshot:

Okta has updated its Workday integration: Workday Real Time Sync (RTS) can now run concurrently with regular imports. Refer to Workday Provisioning Guide to learn more about Workday RTS.

If the org admin revokes the Device Trust certificate through the admin console, the Sys Log for Device Trust Certificate Revocation now identifies the admin. As before, if the certificate is implicitly revoked due to user deactivation, the Actor continues to be shown as Okta System. For details, see Revoke and remove Device Trust certificates. Screenshot:

The Citrix NetScaler Gateway now integrates with Okta via RADIUS, in addition to SAML and OAuth. For detailed information, see the Citrix Netscaler Gateway Radius Configuration Guide.

Password Reset is available for users who are not yet active. This is to enable users who may have lost their original activation email to request a password reset.

Email addresses enclosed in double quotation marks are supported for Okta logins.

The Account tab on the Customization page is renamed General. For details about options on this tab, see Customization. Screenshot:

Direct links to the documentation for the Okta Windows Credential Provider and the Active Directory Federation Services (ADFS) Plugin are available in the sidebar. Screenshots:

This Generally Available agent update contains the following fixes:

• Locate the correct user when searching for a SamAccountName that is duplicated in a forest
• Include the User-Agent in the header of the request

For history, see AD Password Sync Agent Version History.

This release fixes an issue where the screen appeared blank. For version history see Browser Plugin Version History.

The Forgotten Password Text Message screen offers an option to resend the code to enter for SMS or call again for Voice call. For more information about password reset functionality, see End User Password Reset. Screenshot:

The PagerDuty app now implements v2 of the PagerDuty API. PagerDuty API v1 is going to be deprecated on April 24, 2018. The change of API should be transparent to customers. For more information, see https://v2.developer.pagerduty.com/. For more information about PagerDuty provisioning, see the PagerDuty Provisioning Guide.

This version provides internal fixes to the installer, including a fix which allows the installer to work behind a firewall.

For history, see On Premises Provisioning Agent and SDK Version History.

These newly-designed email templates are applied to standard (uncustomized) email templates, as well as to customized templates that have been Reset to Default. Previously-customized email templates that have not been Reset to Default are unchanged.

Before

After

You can configure the Okta browser plugin to behave on your custom end user portal exactly as it behaves in the Okta end user dashboard. For details, see Configure your custom end user portals to leverage the Okta browser plugin.

If Okta fails to process an IWA token, you can now redirect end users to a custom error page. This option is useful if you embed Okta into your solution and want to control end-to-end branding to enhance end user experience. For more information, see Login Error Page.

Note: This feature is Generally Available for new orgs.

Screenshot

You can now set the SkipUrls registry key to prevent the Okta Internet Explorer browser plugin from inspecting the pages of specified URLs for the presence of login and change password forms. This allows pages to load faster. For details, see Exempt specified URLs from login form inspection.

When both first and last name attributes are empty, the login name is displayed in the following UI pages:

• User Picker in App Approver picker
• New Group
• Convert individual user back to group in app
• Exclusive user list in group rule
• App User assignment
• API token review
• Yubikey UI
• Spotlight search

First and last names can be null if they are removed in the Profile Editor or changed with the Users API.

This Generally Available release provides the following:

• To improve the security of IWA integrations, we now default to the TLS 1.2 security protocol in orgs running .NET Framework 4.5 or later. Orgs running earlier versions of the .NET Framework continue to use TLS 1.0.
• Fixed an issue that caused an error when accessing the Box desktop app with SSO.
• Internal fixes to the installer.

For history, see IWA Agent Version History.

This Generally Available release provides internal fixes to the installer. For history, see LDAP Agent Version History.

This release provides performance and security enhancements. For version history, see Browser Plugin Version History.

Email notifications sent to users after the detection of a new device or browser at login have improved messaging and now specify Unknown browser and Unknown OS instead of just Unknown.

Okta and Palo Alto Networks interoperate through either RADIUS or SAML 2.0. For each Palo Alto gateway, you can assign one or more authentication providers. Each authentication profile maps to an authentication server, which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls. For more information, see Configure the Palo Alto Networks VPN to Interoperate with Okta via RADIUS.

The Client ID field is now populated in the Client Section of the System Log. Screenshot:

System Log entries are now added for the Hipchat and Confluence apps. For details, see the Hipchat and Confluence sections in Provisioning Integration Error Events.

When setting up an Microsoft Office 365 app, the checkbox for Admin Consent on SSO tab is now unchecked by default. For more information on Admin Consent, see Admin Consent for Advanced API Access.

Updated app icons for Okta Verify are available for iPad users. Screenshot:

The Okta ADFS (Active Directory Federaton Services) Plugin version 1.4.0 is available. This version supports load balanced ADFS servers.

The Learn More link in the Attributes Statements (optional) section of the SAML Settings page points to improved information. Screenshot:

In environments where internet traffic is required to go through a proxy, the sign-in flow for the AD agent installer uses the proxy settings specified within the installer. If no proxy settings are specified, the machine defaults are used. Previously,admins had to open up a hole in their data center firewall during installation.

For more information about the AD agent see Okta Active Directory Agent.

An in-product link to the Provisioning Guide for Cornerstone app is added, replacing in-product help text.

This release provides the following:

To improve the security of IWA integrations, we now default to the TLS1.2 security protocol in orgs running .NET Framework 4.5 or later. Orgs running earlier versions of the .NET Framework continue to use TLS1.

For history, see SSO IWA Web App version history.

This new version supports TLS 1.2.

For history, see On-Prem MFA Agent Version History.

Labels and messages in the Custom Email Templates feature are updated to improve usability.

The Microsoft Office 365 (O365) admin consent flow is now optional and is selected by default on the Sign On tab for the O365 app. Admins needs to leave this checked to complete OAuth authentication flow with O365, which is required for signing into chiclets such as Yammer, Teams, and CRM. For more information, see Admin Consent for Advanced API Access. Screenshot:

The default scopes included with OAuth Custom Authorization Servers have improved display names and descriptions.

This new version supports TLS 1.2. For history, see Okta RADIUS Server Agent Version History.

When configuring scopes for Identity Providers, whenever a comma, tab, or return is typed, scopes are tokenized. For example, typing "Profile, Email" in the Scopes field in the screenshot below, will result in two scopes, Profile and Email.

For more information, see User Consent for OAuth 2.0 and OpenID Connect Flows.

Screenshot:

Okta has defined 31 default base attributes for all users in an org. These base attributes are generally fixed and cannot be modified or removed. There are now two exceptions: First Name and Last Name. These two attributes can now be marked as required or optional for Okta-mastered users only. For details, see Profile Editor.

An enhancement was made for our platform customers using the auto-push feature for Okta Verify. As a result, all product users will need to re-affirm their Okta Verify Auto-Push preference (check the Send Push Automatically checkbox) if it was checked previously. Following this, Okta Verify with Auto-Push will behave as it did originally. For more information about this new parameter, see https://developer.okta.com/docs/api/resources/authn.html#request-parameters-for-verify-push-factor.

This release provides the following:

• Improved IE performance when Browser Help Object (BHO) logging is enabled
• An option to opt out of cert pinning through the registry
• Iimprovements and bug fixes

For version history, see Browser Plugin Version History.

• System Log events are added for the ExactTarget, GitHub, Google, Gotomeeting, Rightscale, Roambi, Samanage, SendWordNow, ServiceNow2, ServiceNow, Smartsheet, SugarCRM, VeevaVault, WebEx, Yammer, and Zendesk provisioning integrations. Previously, the log events were only available using the Okta API. For details, see Provisioning Integration Error Events.
• System Log events are added for the Huddle, Jive45, Litmos, Lotus Domino, MoveIt DMZ, Msbpos, NetSuite, Org2Org, PagerDuty, Postini provisioning integrations. For details, see Provisioning Integration Error Events.

We have added new external Id attribute to the Zendesk provisioning app. Screenshot:

You can now customize the email SAML attribute for the Netsuite app to map to an email or username attribute.

The Enable on-premises provisioning configuration option is removed from RADIUS apps, as it is not supported.

Okta and Cisco ASA interoperate through either RADIUS or SAML 2.0. For each Cisco ASA appliance, you can configure AAA Server groups which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls. For more information, see Configure the Cisco ASA VPN to Interoperate with Okta via RADIUS.

Version 2.7.0 of the Okta Sign-In Widget is available. New features include :

• Voice call as an option for Unlock Account
• Display of multiple MFA responses
• Display a warning for beta registrations

For more information, see Okta Sign-In Widget.

The Okta Application Network (OAN) includes more than 5,000 pre-integrated business and consumer apps. As Okta expands beyond SSO and Provisioning, we are extending the network to include new integration types, and updating the catalog name to the Okta Integration Network (OIN). As part of this rebranding, we have changed the UI and documentation to reflect this change—managing and adding your apps and integrations remain the same.

The OIN now includes the following new integrations in addition to previous SSO and Provisioning options:

• F5 BIG-IP APM
• Sumo Logic Okta Activity Log Integration
• ServiceNow - Okta Orchestration Activity Pack
• Splunk Add-on for Okta
• QRadar Device Support Module (DSM)

For details about these new integrations, search and click the Learn More button. Screenshot:

Note: This feature is now Generally Available for all orgs.

The flow of an end user's identity throughout the different stages of access is known as a user’s lifecycle. This release contains several enhancements to define the options that manage this cycle clearly.

• Simplified Import settings: Using a profile master necessitates a clear distinction between new and imported end users to prevent conflicts. Feedback from our users prompted improvements with matching rules, auto-confirmation and auto-activation settings.
• New lifecycle settings: When an end user is deactivated in a profile mastered app, admins can now set whether they are deactivated, suspended, or remain an active user in Okta.

See Profile Mastering and Life Cycle for more details.

Note: This feature is now Generally Available for all orgs.

Secure your APIs with API Access Management, Okta’s implementation of the OAuth 2.0 authorization framework. API Access Management uses the Okta Identity platform to enable powerful control over access to your APIs. API Access Management can be controlled by Okta admins as well as by a rich set of APIs for client, user, and policy management. For details on features available from the Admin console, see API Access Management.

Use scopes in Rules

We've improved the text and flow of the Add Rules dialog that is part of the Early Access API Management functionality. For details see, Create Rules for Each Access Policy.

The API Access Management Admin role has the following permissions:

• Create and edit Authorization Servers, Scopes, Claim, and access policies
• Create and edit OAuth/OIDC Client apps
• Assign users and groups to OAuth/OIDC client apps
• View user profiles when assigning users/clients for token preview

For more information, see API Access Management.

An animated transition page now appears when users click chiclets to log into apps:

Integrating Social Login with Okta is improved with redesigned screens, prepopulated IdP username value, and expanded entry options for scopes. Screenshot:

The following message changes apply to either the Okta Org Authorization Server or a Custom Authorization Server including default (which requires API Access Management), or both, as indicated in each section.

Simplified Failure Messages from [/authorize]

The existing messages app.oauth2.authorize_failure, app.oauth2.as.authorize_failure and app.oauth2.as.authorize.scope_denied_failure replace these messages:

• app.oauth2.authorize.access_denied
• app.oauth2.authorize.invalid_client_id
• app.oauth2.authorize.invalid_cache_key
• app.oauth2.authorize.no_existing_session
• app.oauth2.authorize.login_failed
• app.oauth2.authorize.mismatched_user_in_cache_and_session
• app.oauth2.authorize.user_not_assigned
• app.oauth2.authorize.scope_denied
• app.oauth2.as.authorize.warn_failure
• app.oauth2.as.authorize.scope_denied

Details about the nature of the failure are included, so no information has been lost with this simplification.

These System Log changes affect responses from requests that involve either the Okta Org Authorization Server or a Custom Authorization Server including default.

Simplified Failure Messages from [/token]

Instead of supplying two different messages for token grant failures on /token, the existing message app.oauth2.as.authorize.token.grant_failure replaces these messages:

• app.oauth2.as.token.grant.warn_failure
• app.oauth2.as.token.grant.scope_denied_failure

This System Log change affects responses from requests that involve a Custom Authorization Server including default.

Simplified Success Messages from [/token]

Instead of supplying a different message for ID token and access token generation, there's just one message for each. The ID token or access token minted is included in the message as it was previously.

1. The existing message app.oauth2.authorize.implicit_success replaces:
   • app.oauth2.authorize.implicit.id_token_success
   • app.oauth2.authorize.implicit.access_token_success
2. The existing message app.oauth2.as.authorize.implicit_success replaces:
   • app.oauth2.as.authorize.implicit.id_token_success
   • app.oauth2.as.authorize.implicit.access_token_success

The _success messages weren’t being written to the System Log previously, but are now.

These System Log changes affect responses from requests that involve either the Okta Org Authorization Server or a Custom Authorization Server including default.

Simplified Messages from [/token]

Instead of supplying a different message for ID token and access token generation, there's just one message for each. The ID token or access token minted is included in the message as it was previously.

1. The existing message app.oauth2.authorize.implicit replaces:
   • app.oauth2.authorize.implicit.id_token
   • app.oauth2.authorize.implicit.access_token
2. The existing message app.oauth2.as.authorize.implicit replaces:
   • app.oauth2.as.authorize.implicit.id_token
   • app.oauth2.as.authorize.implicit.access_token

These System Log changes affect responses from requests that involve either the Okta Org Authorization Server or a Custom Authorization Server, including default.

System Log entries are now added for the GoodData app. For details, see the GoodData section in Provisioning Integration Error Events

Admins can update the second email address on a master user profile when Attribute Mapping is enabled.

The Okta Sign On screen display is improved to display all factors when multiple Multifactor Authentication factors are required.

The header size limit for CSV imports is increased from 1000 to 50,000 characters.

The System Log tracks the following items:

• User authentication via IDP. Screenshot:

  

• Country code for SMS and voices. Screenshot:

  

• System Log events are added for the Clarizen, CrashPlanPro, Docusign, and Egnyte provisioning integrations. For details, see Provisioning Integration Error Events.

Added validation to API token creation when the maximum character length is exceeded

When creating or updating a rule in the Custom Authorization Server's policy, there is a button to add all default OpenID Connect scopes to the rule condition quickly. Screenshot:

For more information, see Create Rules for Each Access Policy.

Grant types for OAuth 2.0 clients are reorganized for convenience on the General Settings page for an app and in the app creation screen in the developer console. For information on grant types, see App Wizard - Procedures. Screenshot:

The Okta Sign In page supports unlocking an account with a Voice Call. Screenshot:

• The System Log tracks mass password expiry events. Screenshot:

  

• The System Log tracks events when a user account is unlocked by an Admin, when the primary email for an account is updated, and when behaviors are detected.

  Screenshot:

  

  Screenshot:

  

  Screenshot:

  

When defining custom scopes for an Authorization Server, you can choose whether the metadata for these scopes is included in the public metadata. For more information, see Create Scopes.

Screenshot:

Screenshot:

Information and error messages are improved for the Access Token Lifetime and Refresh Token Lifetime setting in a policy rule. Screenshot:

Okta’s Privacy Policy, available at https://okta.okta.com/privacy/, was updated on January 18, 2018 in order to comply with new, forthcoming requirements promulgated by Google, and to disclose more precisely the manner in which Okta interoperates with Google's G Suite after the OAuth authentication flow is successfully completed by the admin.

The password policy soft lock feature provides the option to lock Active Directory (AD) mastered users in Okta with password policies. To ensure that users are locked in Okta before they are locked out of their windows accounts, Admins must set a lockout count in Okta that is lower than the lockout count specified in the AD policy.

This feature does not change the current behavior for any organizations. Consequently, when this feature is enabled, the default invalid password lockout count for Active Directory password policies is reset to zero (0). Admins must specify a new lockout count to use this feature which s tracked in the System Log as a policy update event.

Some legacy customers might have non-zero values set in the invalid password lockout count in Okta. When these values are reset to zero with this feature, a System Log event is created to show the old and new values and inform Admins that the lockout is disabled.

For more information, see Group Password Policies.

Import Lockout Status from AD

Lockout status from AD is not imported automatically. To receive these imports, contact Okta Support. Any legacy users who already receive these imports will continue to receive them.

Rollout

This feature is becoming Generally Available and will be enabled in a phased manner across all cells. The feature will be enabled for the majority of customers in Preview and US Cell 1 by January 19th and for the remainder of customers in all other cells by February 2nd.

The button for creating OAuth 2.0 Services (Client Credentials apps) is moved from the applications list into the Add Application Wizard. For more information, see Add OAuth 2.0 Client Application. Screenshot:

During OAuth Token Preview, selections for response type are not visible when the grant type is not IMPLICIT. For more information on token preview, see Test Your Authorization Server Configuration.

The General tab on the app instance screen for OAuth 2.0 clients now displays the Login initiated by dropdown for all grant types with App Only as the default. Screenshot:

System Log entries were enhanced to include events when users were unassigned from group membership. Screenshot:

Admin Managed tabs are not created if there are no apps to display in the tab. For more information, see Manage dashboard tabs for end users.

When admins create a new user they can choose whether to have that user create a password on first sign in or create a password for the user which must be changed on their next sign in. For details, see Add People.

Added support to allow updates to User and AppUser profile schemas. See App User Schema API documentation for more information.

The following User Profile properties have been added to our Netsuite integration:

location, class, notes, salutation, homePhone, officePhone, fax

To use these properties, you can either create a new app instance, or contact Okta Support to manually migrate the User Profile template. For more information about our Netsuite integration, see the Netsuite Provisioning Guide.

In Settings > Customization, fields in the Sign In page section now contain default placeholder text instead of default editable text. This enhancement makes it easier to distinguish fields that contain Okta's default text from fields that contain custom, admin-provided text. Placeholder text disappears when you enter custom text in the field. For more information, see Customize Sign In Page headings, links, labels, and placeholders.

Explanatory text on the Authorization Server are expanded, and also include a direct link to the Authentication Guide topic on the Developer site.

Error messages for permission errors for the password reset dialog are more descriptive and user-friendly.

All new SAML 2.0 apps are bootstrapped with SHA-256 signed public certificates. Existing SAML 2.0 apps are unchanged.

We have added email and phone writeback functionality for UltiPro international employees. For more information about UltiPro provisioning, see UltiPro User Import and Provisioning.

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

• Pivotal Tracker: For configuration information, see Tracker SCIM Documentation.

We have updated our Zoom integration to support a new attribute, User Type. This allows customers to set the User Type per user being provisioned from Okta to Zoom to be either Basic, Pro, or Corp.

For users who have set up the Zoom integration and enabled Provisioning before November 8, 2018, follow the migration steps detailed in Zoom's Configuring Okta With Zoom if you want to use the new attribute.

• The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
  • Figma: For configuration information, Figma's Configure Okta Provisioning.

The Solarwinds SWA integration application has been enhanced to support custom login URL’s.

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

• Zinc: For configuration information, see Zinc’s Setting up AD Sync with OKTA.