Production

January 2020

2020.01.0: Monthly Production release began deployment on January 13

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta Browser Plugin version 5.36.1 for Chromium-based Microsoft Edge and Mozilla Firefox

This version includes the following:

For version history, see Okta Browser Plugin: Version History

New System Log events for OIDC scope grants

System Log events are now triggered when an administrator grants consent for OpenID Connect scopes.

Rogue Accounts Report End of Life (EOL)

The Rogue Accounts Report feature has been removed due to low usage, high cost of maintenance, and the availability of custom solutions. For example, admins can retrieve similar data by using the List Users Assigned to Application API to see users who were assigned to an appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. in Okta, and then using custom code to generate a list of users assigned in the app itself. For more information, see this Support Article.

Federate multiple Office 365 domains in a single app instance

You can automatically federate multiple Microsoft Office 365 domains within a single Office 365 app instance in Okta. This eliminates the need to configure a separate Office 365 app instance for each Office 365 domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https).. For more information, see Federate multiple Office 365 domains in a single app instance.

Support for Salesforce Government Cloud

You can create instances of the Salesforce app that can integrate with Salesforce Government Cloud. For more details, see the Salesforce Provisioning Guide.

Box integration enhancement

The Box integration is enabled for Universal DirectoryUniversal Directory enables you to store an unlimited amount of users and attributes from applications and sources like AD or HR systems. Any type of attributes are supported including linked-objects, sensitive attributes, and pre-defines lists. All of it accessible by all apps in our OIN catalog, over LDAP or via API. and is enhanced by the following additional properties in the User Profile:

See the Box Provisioning Guide for more information.

Resumable Import

Resumable Import is a performance enhancement that prevents imports from starting over in the event of a deployment or infrastructure issue. Instead, the import automatically pauses and continues from the most recently completed step. For information on importing users, see Import users from an app.

HealthInsight

HealthInsight audits an organization’s security settings and suggests recommended tasks to improve an orgThe Okta container that represents a real-world organization.'s security posture. Security tasks and recommendations are intended for admins who manage employee security within their organization.

HealthInsight may now be accessed directly from the Admin Console dashboard.

Fore more information, see HealthInsight.

App Catalog Search Improvements

The enhanced Okta Integration Network (OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs.) App Catalog now features:

  • A new incremental search and an improved search results preview
  • Expanded search capabilities to check app integration names, descriptions, or categories
  • Fuzzy search logic to match partial hits and name variations
  • Tiles highlight the protocols supported by the app integration

This feature will be gradually made available to all orgs.

Generally Available Enhancements

UI Enhancements for HealthInsight

The HealthInsight card on the Admin Console dashboard and HealthInsight actions have been updated for improved usability. For more information about HealthInsight, see HealthInsight.

Additional context in MFA authentication in some apps

We have added an additional target element containing application information to MFA events triggered by authentication to Epic Hyperspace EPCS (MFA) and Microsoft RDP (MFA) apps.

Improved text in single line challenge for RADIUS MFA

The text displayed during the a single line MFA challenge via RADIUS authentication has been improved to fixed grammatical errors.

Notification when adding a user to an Admin group

Admins now see a notification that admin privileges will be granted when adding a user to a group with Admin privileges.

Updated Privacy Policy

Okta has updated its Privacy Policy. See https://okta.com/privacy-policy/ to review the latest version.

Condition update for MFA Enrollment policy rules

The name of the setting for the Any Application condition has been updated to specify app support for MFA Enrollment. For more information, see App Condition for MFA Enrollment Policy.

UI enhancements for profile and attribute selection

The appearance of profile and attribute selection elements is updated to be more consistent with other Okta select elements.

Toggle on/off the end user onboarding screen

In the Settings > Appearance settings in the Admin Console, admins can control whether or not new end usersEnd users are people in your org without administrative control. They can authenticate into apps from the icons on their My Applications home page, but they are provisioned, deprovisioned, assigned, and managed by admins. see the onboarding screen upon their first sign in to the Okta End User dashboard.

Early Access Features

New Feature

Deactivated admin users

When a user who has an admin role and privileges assigned to them is deactivated, their admin privileges are revoked. The deactivated user is removed from the Administrators page and CSV download list of administrators. For information about Admin roles, see Administrators. This feature is available from our Self Service Feature Manager, for more information, see Manage Early Access and Beta features .

Fixes

General Fixes

OKTA-243820

The word Password was incorrectly translated in Dutch.

OKTA-246764

French translation for the Self-Service Unlock when Account is not Locked email template was not intuitive.

OKTA-253397

Microsoft RDP (MFA) prompts did not display the official Okta logo.

OKTA-257479

After an application was selected from the Okta Safari plugin toolbar menu, the selection window did not close as expected.

OKTA-259962

Searching for an app in App Administration Assignment did not display exact matches.

OKTA-262560

Fido 2.0 (Webauth) set as a secondary factor on Factor Sequencing failed on the user sign-in with the error We found some errors. Please review the form and make corrections.

OKTA-262649

In Okta Device Trust with VMware Workspace ONE implementations, app sign-on policy denied access on Android 10 even if the device was trusted.

OKTA-266237

App Admins who were configured to only see a subset of apps in the catalog were able to see all apps.

OKTA-267712

When creating a SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. integration using the AIW, the instructions contained the outdated acronym OAN instead of the current OIN (Okta Integration Network) acronym.

OKTA-268637

For orgs that had opted into the New Import and ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. Settings Experience for Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. EA feature, placeholder text was displayed instead of the correct text in the warning dialogue when the Profile and Lifecycle Mastering checkbox under Active Directory provisioning settings was checked and the Update Users checkbox was previously enabled.

OKTA-268720

The Settings tab for app provisioning failed to render in Internet Explorer 11.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Aha (OKTA-266200)

  • American Express Work Reconciliation (OKTA-266198)

  • Apple ID (OKTA-264195)

  • Aveda (OKTA-266196)

  • Blackbaudhost Citrix (OKTA-266199)

  • Bloomfire (OKTA-266193)

  • Brex (OKTA-266241)

  • Cisco WebEx Meeting Center (OKTA-262750)

  • Citrix RightSignature (OKTA-268537)

  • DoorDash (OKTA-268780)

  • Firefox (OKTA-266201)

  • FullContact Developer Portal (OKTA-268538)

  • Google Analytics (OKTA-266914)

  • Impraise (OKTA-268534)

  • MKB Brandstof (OKTA-267534)

  • Nest (OKTA-267942)

  • NewEgg Business (OKTA-268840)

  • OnePath Advisor (OKTA-266925)

  • Principal Financial Personal (OKTA-268782)

  • RescueTime (OKTA-266197)

  • Rhino3d (OKTA-268531)

  • Seek (AU) - Employer (OKTA-266703)

  • Shipwire (OKTA-266919)

  • Site24x7 (OKTA-268622)

  • Vindicia (OKTA-266192)

  • Wombat Security Awareness (OKTA-268532)

The following SAML app was not working correctly and is now fixed

  • Datadog (OKTA-267430)

Applications

Application Updates

  • Zoom provisioning application now supports updating user email addresses.
  • Citrix NetScaler Gateway has changed its name to Citrix Gateway.

New Integrations

New SCIM Integration Application

The following partner-built provisioningThis term is obsolete. See "Okta Verified". integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • AppOmni (OKTA-266642)

  • Appsian Security Platform for PeopleSoft (Encrypted) (OKTA-265400)

  • Clinical Maestro (OKTA-264130)

  • Cmd (OKTA-266400)

  • Freshworks (OKTA-262038)

  • Grammarly (OKTA-266950)

  • Kisi Physical Security (OKTA-265701)

  • LoanBuddy (OKTA-266952)

  • Mode Analytics (OKTA-260404)

  • Reducer (OKTA-265134)

  • TeamzSkill (OKTA-265665)

SWA for the following Okta Verified application

  • Miniter (OKTA-262048)

Weekly Updates

Closed2020.01.1: Update 1 started deployment on January 21

Fixes

General Fixes

OKTA-172858

Help Desk and User admins could see the System Log page although it did not contain any events.

OKTA-260178

Group rules that included a custom attribute based on a class name resulted in an Error in evaluating expression error.

OKTA-262628

A non-descriptive validation error was displayed when providing a non-unique value for a unique attribute during self-service registration. The error message now shows an appropriate message.

OKTA-265119

Profile Updates and User Deprovisioning did not run sequentially, which sometimes resulted in errors.

OKTA-265977

New users who tried to create an account received a 400 error when federating into applications such as Office 365.

OKTA-266061

The warning for Custom SMS stated that custom messages were limited to 160 characters instead of 159 characters.

OKTA-267419

For orgs with the latest App Catalog Search enabled, admins using Internet Explorer 11 who searched for an app to add were not redirected correctly to add applications.

OKTA-269174

The Chromium Edge Plugin store link was missing from the Downloads page in the Admin Console.

OKTA-270440H

Signing in from status.okta.com hung on the interstitial page.

OKTA-270581H

Attempts to access the HealthInsight section returned a 500 error.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • Salesforce Marketing Cloud (OKTA-231271)

The following SWA apps were not working correctly and are now fixed

  • Guardian Insurance (OKTA-256039)

  • ARIN (OKTA-267889)

  • WealthEngine (OKTA-269191)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

December 2019

2019.12.0: Monthly Production release began deployment on December 16

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

 

Okta Browser Plugin version 5.35.0 for Safari and Internet Explorer

This version includes the following:

  • Bug fixes for custom URL domain support for the plugin
  • Okta privacy link
  • Back-end enhancements

For version history, see Okta Browser Plugin: Version History.

Okta Confluence Authenticator, version 3.1.2

This release contains a fix for OpenSaml initialization in OSGi environment and an update to OpenSaml library version 3.2.0. For version history, see Okta Confluence Authenticator Version History

Okta SAML Toolkit for Java, version 3.1.2

This release contains a fix for OpenSaml initialization in OSGi environment and an update to OpenSaml library version 3.2.0. For version history, see Okta SAML Toolkit for Java Version History

SAML or SCIM applications created in certain developer cells can now submit to ISV portal

Developers in the OK7 developer cell who create and test SAML or SCIMSystem for Cross-domain Identity Management (SCIM) is an open standard that allows for the automation of user provisioning. It was created in 2011 as it became clear that the technology of the future would be cloud-based. SCIM communicates user identity data between identity providers (such as companies with multiple individual users) and service providers requiring user identity information (such as enterprise SaaS apps). In short, SCIM makes user data more secure and simplifies the user experience by automating the user identity lifecycle management process. applications using the App Wizard can now submit directly to the ISVAn acronym for independent software vendors. Okta partners with various ISVs (usually producing enterprise applications) to integrate on-premises, in the cloud, or native-to-mobile devices with Okta. portal at oinmanager.okta.com.

Increased timeout for Okta Sign In page

The initial timeout duration has been extended on the Okta Sign-In page.

ACS Limit Increased

The maximum number of Assertion Consumer Service (ACS) URLs for a SAML app is increased to 100.

LDAP Password Push

Okta now supports Password Push for LDAPLightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection oriented transfer services.. This allows each user's LDAP password to be synced to their Okta password. Any subsequent password changes users make are pushed to their user profile in LDAP. In addition to simplifying password management for orgs using LDAP, organizations using both Active Directory (AD) and LDAP can now synchronize their user passwords from AD through Okta to LDAP. For details, see the Provisioning section in Install and Configure the Okta Java LDAP Agent.

Suspicious Activity Reporting

End users can now report unrecognized activity to their org admins when they receive an account activity email notification. This feature is now available through the EA feature manager. See Suspicious Activity Reporting.

Group rules triggered by user reactivations

Group rules are now triggered when a user is reactivated. See Group rules for more information.

Multifactor Authentication for admins

MFA for Admins allows Super admins to enable mandatory multifactor authentication for all administrators accessing admin functionality. For details see Authentication.

Beta features available in Feature Manager

You can now enroll your Preview org in Open Betas in the Feature Manager. When you enroll in a Beta feature, you receive an email with further details. For details, see Manage Early Access and Beta features .

SAML Inline Hook

The SAML Inline Hook enables you to customize the authentication flow by allowing you to add attributes or modify existing attributes in outbound SAML assertions. For details, see our SAML Inline Hook page.

Admin Getting Started tasks

The new Admin Getting Started page helps super admins begin configuring their new Okta org.

For more information, see Get Started with Okta.

Token Inline Hook

The Token Inline Hook enables you to integrate your own custom functionality into the process of minting OAuth 2.0 and OpenID Connect tokens. For details, see our Token Inline Hook page.

SCIM Template Apps include ISV portal link

Any apps created from the SCIM app templates display a banner that directs developers to use the ISV portal at oinmanager.okta.com to submit their SCIM app to the OIN.

SAML App Wizard change for software developers

During the creation of a SAML app with the App Wizard, software vendors receive a link to the ISV portal at oinmanager.okta.com to submit their app to the OIN. If the software vendors elect not to submit through the App Wizard, a banner appears on their app configuration page with the link to the ISV portal.

OIN Manager supports multiple application submissions

When submitting a new application integration for review by Okta, the OIN Manager now supports multiple concurrent application submissions:

 

Custom URL domain support for the Okta Browser Plugin

This support enables the Okta Browser Plugin to work on the configured custom URL domain. See Configure custom URL domain.

Improved People page filter and Profile page details

We’ve added more detail to the user state labels on the People page.

And now provide the action required for users in a pending state on the User Profile page.

Generally Available Enhancements

OAuth Consent UX Enhancements

  • The OAuth Consent end-user dialog has been modified to improve the user experience.
  • For OAuth Scopes created for a new Authorization Server, the default values for Display Name and Description are updated to be more informative.

Select group UI enhancement

The appearance of Select Group elements are enhanced throughout the UI to be more visually intuitive and consistent with other Okta select elements:

Application Settings enhancements

  • When you create a new application in the dashboard, it will be created with a default Post Logout Redirect URI (previously this field existed but defaulted to blank).
  • When you create a new application of type Single Page Application (SPA), it will default to using Authorization Code with PKCE instead of defaulting to Implicit Flow.
  • The Post Logout Redirect URI only impacts users using our /logout API call (not using any of our SDKs), and it is a list of possible values just like the (Login) Redirect URI.

Event hooks support for MFA factor events

Event hooks are now enabled for MFA factor life-cycle events such as activating or resetting a factor.

Windows Mobile and Blackberry options removed

The option in the Okta Sign In Widget and in the End User Settings to enroll in Okta Verify or Google Authenticator using Windows Mobile or Blackberry devices is now removed.

Sorting functionality added for inline hooks and event hooks

Admins can now sort inline hooks by Status, Type, or Name, and event hooks by Verification, Status, or Name. For more information, see Inline hooks and Event Hooks.

Authentication Server display name enhancement

The Authorization Server scopeA scope is an indication by the client that it wants to access some resource. display name for new entries is now limited to 40 characters.

Use of admin information

Additional legal text regarding use of admin information is added to Settings > Account >Admin email notifications.

Email notification when org licensing changes

Super admins will now receive an email when their org is converted from a free trial and licensed based on a new active contract.

Addition of status text to status icons

The On-Prem MFA and RSA SecureID Agents status icons relied on color to provide status. Status is now also represented by text for improved accessibility.

Workplace by Facebook domain update

When setting up a Workplace by Facebook app, you now have the option to switch from the default org.facebook.com domain to the org.workplace.com domain.

Device fingerprinting for custom org URLs

Custom org URLs now support device fingerprinting for improved accuracy of new sign-in notifications and new device detection.

New device behavior detection

New device behavior detection is improved to provide better accuracy with new devices.

New warning modal for provisioning to apps

Admins who enable Profile MasterA profile master is an application (usually a directory service such as Active Directory, or human capital management system such as Workday) that acts as a source of truth for user profile attributes. A user can only be mastered by a single application or directory at any one time. For more details, see the Profile Master page. When users are mastered by attribute, we call this attribute-level mastery (ALM). ALM delivers finer grain control over how profiles are mastered by allowing admins to specify different profile masters for individual attributes. Profile mastering only applies to Okta user profiles, not app user profiles. For more details, see Attribute Level Mastering. and Push for the same app are now warned of the potential for overwritten attributes and the risk of lost data. For more information, see Profile mastering.

Early Access Features

This release does not have any Early Access features.

Fixes

General Fixes

OKTA-250443

When using Factor Sequencing, the Custom Password label did not appear in the Password field on the Sign-In page.

OKTA-251904

Okta did not update null/blank profile attributes into RingCentral.

OKTA-256102

Country Code prefix for Kosovo was set to +undefined when enrolling SMS as a factor.

OKTA-259414

In some cases, Reapply mapping was displayed incorrectly when editing app users with an app user property that was sourced from two different groups.

OKTA-260360H

Social Login created a race condition with Self Service Registration.

OKTA-261676

LDAPi searches using a filter containing entryDN=* failed with result code 80.

OKTA-263016

For customers who opted into the New Import and Provisioning Settings Experience for Active Directory Early Access feature, if an admin entered an invalid custom expression into the AD username format field on the AD Settings page, clicking Save caused infinite loading of the page without saving the settings.

OKTA-263017

Customers who opted into the New Import and Provisioning Settings Experience for Active Directory Early Access feature could not see the UI control for previewing the result of the custom expression underneath the AD username format field when custom was chosen in the drop down.

OKTA-263915

Additional customizations applied to the ADFS site were not displayed when users accessed the ADFS second factor challenge page.

OKTA-264334

In some cases, customers importing users from Workday (as a Master) got an undefined error when executing profile matching.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Ingram Micro (OKTA-260621)

Applications

Application Updates

Provisioning support has been removed from the following apps due to low customer usage, lack of standards based integration, and high supportability cost:

  • Veeva
  • Replicon
  • Roambi Business
  • Gooddata
  • Rightscale

New Integrations

New SCIM integration applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Appsian Security Platform for PeopleSoft (OKTA-258107)

  • Cincopa (OKTA-260900)

  • Cisco Webex (OKTA-263286)

  • Firmex VDR (OKTA-262869)

  • Juro (OKTA-258096)

  • TripActions (OKTA-263057)

  • Wochit Studio (OKTA-263299)

Weekly Updates

Closed2019.12.1: Update 1 started deployment on January 6

Fixes

General Fixes

OKTA-252780

When a super admin canceled edits made to the email settings for an admin type, the edits were not actually canceled.

OKTA-260752

Dynamic SAML attributes appeared in read-only mode with the name, type, and value. Attributes now show only the name and value.

OKTA-261688

When adding Dynamic Attributes to a new SAML 2.0 app instance with long names or values, the text did not wrap correctly on the screen.

OKTA-261738

When creating a new SAML 2.0 app instance, the Attribute fields were auto-expanded, however the Expand button indicated that they were collapsed.

OKTA-262950

Okta Verify Push could be enabled even when Okta Verify was an inactive factor.

OKTA-264060

UNIQUE_PROPERTIES_UI caused delays and 500 errors for Postman DELETE USER API.

OKTA-264158

When OUAn acronym of Organizational Unit. Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units. It is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority._PICKER_V2_IN_AD_SETTINGS and AD_GROUP_PUSH were enabled, the organizational unit tree in the Push Groups tab on the AD Settings page rendered without formatting and check boxes.

OKTA-267811H

When AAD Graph API was enabled, role assignment and imports from Office365 sometimes failed.

App Integration Fixes

The following SAML apps were not working correctly and are now fixed

  • GaggleAMP (OKTA-265520)

  • NetFortris HUD Web (OKTA-264119)

  • Open Air (OKTA-252147)

The following SWA apps were not working correctly and are now fixed

  • AmericanFunds Retirement Solutions (OKTA-264261)

  • BioWorld (OKTA-265878)

  • BridgeBank Business eBanking (OKTA-263159)

  • eBay (OKTA-265287)

  • Kamer van Koophandel (OKTA-265639)

  • Mimecast (OKTA-263189)

  • Netskope (OKTA-265465)

  • Principal Advisor (OKTA-263869)

  • The Daily Beast (OKTA-266188)

  • WebRoot Anywhere (OKTA-264805)

The following Mobile apps were not working correctly and are now fixed

  • NetSuite (OKTA-263316)

  • SAP Cloud for Customer (OKTA-263312)

Applications

New Integrations

The following partner-built provisioning integration apps are now Generally Available in the OIN as Okta VerifiedEach integration in the Okta Integration Network has one of the following status designations: Okta Verified, Community Created, or Community Verified. Integrations receive Okta Verified status: 1) if the integration is Okta-built, and is then tested and verified by Okta; or 2) if the integration is ISV-built (partner-built), and is then tested and verified by Okta.:

SAML for the following Okta Verified application

  • Blocks Edit (OKTA-264267)

SWA for the following Okta Verified applications

  • AuctionAccess (OKTA-263763)

  • Hunter Communications (OKTA-264917)

  • HYPR (OKTA-264057)

  • MKB Brandstof (OKTA-262883)

  • Savannah Morning News (OKTA-265411)

  • The Daily Beast (OKTA-264753)

Mobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • Adobe Experience Manager (OKTA-263294)

  • FieldGlass SAML (OKTA-263295)

November 2019

2019.11.0: Monthly Production release began deployment on November 11

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Agentless Desktop SSO migration

Customers who enabled Agentless Desktop SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones. using the registry key configuration method must migrate to the KerberosKerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. alias supported configuration. Contact Support to enable ENG_ADSSO_MIGRATION_READINESS_CHECK which allows you to check your readiness prior to migrating.

For a list of complete migration steps refer to Migrate your Agentless Desktop Single Sign-on configuration.

New System Log events for Okta user groups

System Log events have been added to indicate when Okta user groups are successfully created or deleted.

Sign-in widget for end-user factor enrollment

The sign-in widget is now displayed if an end user enrolls in a factor manually or resets a factor from the End User Dashboard settings. This feature is being released to Production orgs gradually over the month of November.

Minor visual changes to the Feature Manager

The Feature Manager user interface has been updated with minor changes including:

  • The Early Access auto-enroll option is now at the bottom of the Early Access section.
  • When a feature is auto-enabled in EA, the date of enrollment is listed beside the toggle switch.

Agentless Desktop SSO

Agentless desktop SSO and Silent Activation now support Kerberos alias authentication for customers implementing these features for the first time. See Configure Agentless Desktop Single Sign-on - new implementations and Office 365 Silent Activation: New Implementations. This feature is Generally Available in Production for new orgs only.

Automations

Automations enable you to quickly prepare and respond to situations that occur during the lifecycle of end users who are assigned to an Okta group. You can set up two types of Automations and perform actions such as changing user lifecycle states and notifying users:

  • Recurring Automations to check for conditions such as user inactivity and password expiration
  • One-time Automations to bulk suspend and notify users belonging to a particular group irrespective of their activity

For more information, see Automations .

Required update for Microsoft Dynamics CRM, admin consent needed

We have updated the landing URL for the Microsoft Dynamics 365 app to use OAuth and to be accessible globally. The updated app resolves the issue where end-users outside the USA could not access Dynamics 365 and were redirected to an error page.

You need to provide or renew Admin consent within the Okta Office 365 app instance to continue using Dynamics 365 app in your Okta org.

See Provide Microsoft admin consent for Okta.

Security Behavior Detection

To provide additional security without overburdening your end users, you can configure a Sign On policy for your organization to require additional authentication for behaviors defined as higher risk based on variance from individual users' prior sign ins. Admins can configure the system so that individual end users are only prompted for an additional MFA factor when there is a change in behavior that the admin defines. For more information, see Security Behavior Detection.

Generally Available Enhancements

Admin roles for groups

Admin roles can now only be granted to groups with less than 5000 members.

For more information, see Assign admin privileges.

Admin settings for end-user suspicious activity reporting

In account settings, admins now have the option to exclude themselves or other admins from receiving user-reported notifications about suspicious account activity.

For more information, see Suspicious Activity Reporting.

WebAuthn UI enhancement

The description and icon for the WebAuthn factor have been updated both in the Admin Console and Sign-in Widget.

For more information, see Web Authentication (FIDO2) .

Early Access Features

New Features

Workday Field Overrides

As part of our new Workday connector, Field Overrides are an alternate way to pull custom attribute information from Workday that replaces the existing custom report facility.

For more information, see Workday Field Overrides.

OAuth for Okta

With OAuth for Okta, you are able to interact with Okta APIs using scoped OAuth 2.0 access tokens. Each access token enables the bearer to perform specific actions on specific Okta endpoints, with that ability controlled by scopes that the access token contains.

For more information, see OAuth for Okta guide.

Okta RADIUS Service Agent Update, version 2.9.5

The Okta RADIUS Server Agent version 2.9.5 is updated to run under the LocalService account, which has lower privileges than LocalSystem. The service has also been configured with a write-restricted token to further restrict access.

For more information, see Okta RADIUS Server Agent Version History.

Okta MFA Credential Provider for Windows, version 1.2.2

The Okta MFA Credential Provider version 1.2.2 includes bug fixes and adds self-service password reset.

For more information, see Okta MFA Credential Provider for Windows Version History .

Admin settings for selecting identity providers

Admins now have the option to configure a sign-on policy based on a specific identity provider.

For more information, see Adding Rules in Security Policies.

Disable Import Groups per app

Admins have the option to choose whether groups are included in imports from apps. This new option is available when setting up provisioning for an app.

This feature should be used with care as disabling group imports will have the result of deleting all groups from the app you are configuring. As such, we provide a warning prior to disabling group imports:

Note that you will be unable to disable group imports for an app if the following conditions exist:

  • App Assignments based on Group exist
  • Group policy rules exist
  • Group Push mappings exist

In these cases, an error is displayed.

Fixes

General Fixes

OKTA-212852

Group rules were not applied to reactivated users.

OKTA-221328

With Routing Rules enabled, users saw the message This is the first time you are connecting to [an application] from this browser even though they had logged in before.

OKTA-240039

With Routing Rules enabled, users saw the message This is the first time you are connecting to [an application] from this browser even though they had logged in before.

OKTA-241929

Custom TOTP factors were not supported as part of the authentication flow in Factor Sequencing.

OKTA-249465

On some web browsers, switching between Okta Verify and WebAuthn caused an error.

OKTA-254641

Changes to Max Import Unassignment settings were not logged in the System Log.

OKTA-254723

WebAuthn factor types were incorrectly named as Windows Hello in the MFA Usage Report.

OKTA-255688

The Reset via Email button on a custom sign-in page was visible and active even when that option was disabled for custom URL domains.

OKTA-257032

The Agentless Desktop SSO flow failed to authenticate users accessing custom-domain URLs.

OKTA-257269

In some cases, end users registering for Okta Verify were enrolled in One-Time Password but not in Push.

OKTA-257277

Some admins with MFA for Admin configured entered an infinite page-loading loop when signing into the Admin Console.

OKTA-257315

The HealthInsight page did not load properly for certain Okta orgs.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Adobe Stock (OKTA-257769)

  • GoToWebinar (OKTA-255869)

  • Grammarly (OKTA-258776)

  • Instacart (OKTA-258045)

  • Sainsburys Groceries (OKTA-258041)

  • Twenty20 Stock (OKTA-257496)

  • Twilio (OKTA-258047)

Applications

Application Updates

Provisioning support has been removed from the following apps due to low customer usage, lack of standards based integration, and high supportability cost:

  • OutSystems
  • ExactTarget
  • RightnowCX
  • SugarCRM

New Integrations

SAML for the following Okta Verified application

  • GainsightPX (OKTA-253926)

SWA for the following Okta Verified applications

  • Ontario MC EDT (OKTA-244471)

  • ParcelQuest (OKTA-249541)

  • WatchGuard Evidence Library (OKTA-244478)

Weekly Updates

Closed2019.11.1: Update 1 started deployment on November 18

Fixes

General Fixes

OKTA-162537

The Testing IWA Web App help link on the Delegated Authentication page was broken.

OKTA-218841

End users did not receive proper credential update exceptions when there was an issue with their change password flow.

OKTA-235243

Group Push stopped on the first failure received by O365 and did not display any warnings in the System Log to indicate the issue.

OKTA-236583H

The error message for when a user was locked out did not respect the Group Password Policy settings.

OKTA-244438

In some cases a user could not be unassigned from a SCIM app if the SCIM Server had a slow response time.

OKTA-250498

Super admins were able to select the Rate limit warning and violation email notification when the feature was not enabled for their org.

OKTA-251844

Users were unable to sign in due to a 400 error that was caused by the following conditions: using Internet Explorer, using an SPAn acronym for service provider. Generally, an SP is a company, usually providing organizations with communications, storage, processing, and a host of other services. Within Okta, it is any website that accepts SAML responses as a way of signing in users, and has the ability to redirect a user to an IdP (e.g., Okta) to begin the authentication process.-initiation SAML sign on, IDPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta. Discovery was enabled, IWA and an MFA prompt were configured.

OKTA-257469

Due to hard validation, attempts to use group functions between profile-mastered appuser to Okta user mapping resulted in validation errors.

OKTA-260343

The Firefox plugin could not be downloaded from the Mozilla Add-ons store. The Firefox plugin version 5.34.0 is now available from the Admin Console, Settings > Downloads menu.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • BombBomb (OKTA-258406)

  • Mimecast Personal Portal v2 (OKTA-258584)

  • MyGeotab (OKTA-258044)

  • Veeva Vault (OKTA-258852)

  • WebEx Premium (OKTA-258040)

  • WP Engine (OKTA-259045)

Applications

New Integrations

The following partner-built provisioning integration apps are now Generally Available in the OIN as Okta Verified:

SAML for the following Okta Verified applications

  • Concur Travel and Expense (OKTA-254835)

  • JazzHR (OKTA-246402)

  • NetFortris HUB Web (OKTA-250307)

  • Netskope User Enrollment (OKTA-253910)

  • Portnox CLEAR (OKTA-253896)

  • Portnox CLEAR Self-onboarding (OKTA-253895)

  • Udemy for Business (OKTA-258121)

  • Vant SSO Proxy (OKTA-257483)

  • YouAttest (OKTA-259546)

SWA for the following Okta Verified applications

  • Dealerpull (OKTA-248564)

  • Encompass TPO Connect (OKTA-241362)

  • Global Database InvestmentMetrics (OKTA-245640)

  • Global Database InvestmentMetrics (OKTA-245640)

  • Informa (OKTA-245651)

  • Instacart Canada (OKTA-248835)

  • k-eCommerce (OKTA-256824)

  • Safeco Agent (OKTA-247347)

  • Southwest Traveler (OKTA-244178)

  • Stetson Insurance Funding Agent Login (OKTA-247772)

  • Street Smart by CycloMedia (OKTA-247460)

  • Transus (OKTA-247849)

Mobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • Jive (OKTA-245483)

  • ShareFile (OKTA-260468)

Mobile application for use with Okta Mobility Management (OMM) (Android iOS)

  • Jive Communications (OKTA-245485)

Closed2019.11.2: Update 2 started deployment on December 2

Fixes

General Fixes

OKTA-247115

Some links in Suspicious Activity Reporting events did not work as expected.

OKTA-260013

The MFA Usage Report did not display some MFA factors when it was generated for all users.

OKTA-262346H

Some provisioning operations for some orgs failed with 409 errors.

OKTA-262644H

For some orgs, the Upload Logo button (Settings > Appearance) did not work.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Acronis Cloud (OKTA-261592)

  • Dell Boomi (OKTA-260860)

  • eOriginal (OKTA-260858)

  • HotSchedules (OKTA-259809)

  • Lola (OKTA-259813)

  • Nationwide Eviction (OKTA-261405)

  • Percolate (OKTA-259811)

  • U.Chicago Dist. Ctr. (OKTA-259812)

Applications

New Integrations

The following partner-built provisioning integration app is now Generally Available in the OIN as Okta Verified:

SAML for the following Okta Verified applications

  • PrinterLogic SaaS (OKTA-257046)

  • PTO Exchange (OKTA-259997)

SWA for the following Okta Verified applications

  • Bannockburn Global Forex (OKTA-252379)

  • Booking Admin (OKTA-257151)

  • Brex (OKTA-254738)

  • Crown Mark (OKTA-255472)

  • Dealer Daily Toyota (OKTA-253563)

  • Empower (OKTA-248283)

  • Firemax - G5 (OKTA-249415)

  • Health Assured UK (OKTA-258033)

  • Rileys eStore (OKTA-248900)

  • RUN Powered by ADP (OKTA-251863)

  • SafetySync (OKTA-248899)

  • State of California Department of Motor Vehicles (OKTA-256771)

  • Untangle (OKTA-250112)

  • Wipster (OKTA-248068)

  • WordFly (OKTA-251885)

Closed2019.11.3: Update 3 started deployment on December 9

Fixes

General Fixes

OKTA-244018

Signing out from Okta from within the password re-authentication screen caused a new Okta Sign In page to appear within the existing Okta UI.

OKTA-246083

When configured to add apps on the fly, the Okta Browser Plugin did not always offer to save credentials for some apps.

OKTA-249009

Attempts to Push Groups from Okta to ShareFile failed and produced an error.

OKTA-252921

The wrong attribute values were mapped from Okta to PagerDuty if the values limited_user or team_responder were selected in the app assignment for a user.

OKTA-253183

When an admin attempted to modify an existing admin’s role by unchecking all roles, then clicked Update Administrator, a non-user-friendly error message was returned instead of the message At least one role must be selected.

OKTA-256370

CSV imports failed when there were unique custom properties in the user profile and imported users had non-empty values set for the unique properties.

OKTA-257508

A 500 error rather than a user-friendly error was returned when an invalid factor was used during the credential authentication flow.

OKTA-257703

An application.provision.user.sync event was generated with a successful outcome before provisioning was attempted.

OKTA-258832

Imports from Confluence 7.0 failed with the error No such operation getUser.

OKTA-259741

Additional MFA factors were not enforced for Okta Mobile if an org created a sign-on policy using Okta as IDP as the priority one rule that defined additional MFA factors.

OKTA-261115

In some cases, the My Applications button was not visible on the admin console.

OKTA-262419

Not all Yubikey device names were displayed after they were enrolled for WebAuthn.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • Cisco Webex Teams (OKTA-259313)

The following SWA apps were not working correctly and are now fixed

  • Adobe Reseller Console (OKTA-263079)

  • AlertLogic (OKTA-261300)

  • Apple Store (OKTA-262873)

  • Avalara CertCapture (OKTA-262331)

  • BioWorld (OKTA-262957)

  • CallTower (OKTA-262327)

  • Experian (OKTA-262329)

  • General Motors GlobalConnect (OKTA-262328)

  • Inspired eLearning (OKTA-262335)

  • Kamer van Koophandel (OKTA-262334)

  • Percipio (OKTA-262330)

  • Southwest Traveler (OKTA-262925)

  • WeWork (OKTA-261968)

  • Work Number Commercial Verifier (OKTA-261507)

Applications

New Integrations

The following partner-built provisioning integration apps are now Generally Available in the OIN as Okta Verified:

  • Clearwage: For configuration information, see the Clearwage Provisioning and SSO Configuration guide.
  • Vant SSO Proxy: Note: The configuration guide for this app is not public. The ISV will provide the internal link to this documentation to the engineers who will be using this integration directly.
  • Book4time: For configuration information, see Book4time SCIM Setup Guide.

SAML for the following Okta Verified applications

  • KindLink (OKTA-259556)

  • Mitel Connect (OKTA-262010)

  • NetFortris HUD (OKTA-261151)

  • Netskope User Enrollment (OKTA-261565)

  • TeamzSkill (OKTA-262037)

  • Visit.org (OKTA-261400)

SWA for the following Okta Verified applications

  • Amazon ES (OKTA-259282)

  • Applied Epic Assuredpartners (OKTA-256238)

  • ASIC - Registered Agents (OKTA-260407)

  • Averon (OKTA-260126)

  • ConnectWise Automate (OKTA-252945)

  • Double Dutch Event (OKTA-256694)

  • Nx2me Clinician Portal (OKTA-259247)

  • OneNote (OKTA-259831)

  • RFPIO (OKTA-259502)

  • SALTO KEYS (OKTA-260440)

  • The Hartford Customer Service Center (OKTA-257302)

  • USA Today (OKTA-261633)

  • Welltower Portal (OKTA-254521)

  • WestJet Biz (OKTA-261389)

ClosedDecember 2019

December 2019

2019.12.0: Monthly Production release began deployment on December 16

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

 

Okta Browser Plugin version 5.35.0 for Safari and Internet Explorer

This version includes the following:

  • Bug fixes for custom URL domain support for the plugin
  • Okta privacy link
  • Back-end enhancements

For version history, see Okta Browser Plugin: Version History.

Okta Confluence Authenticator, version 3.1.2

This release contains a fix for OpenSaml initialization in OSGi environment and an update to OpenSaml library version 3.2.0. For version history, see Okta Confluence Authenticator Version History

Okta SAML Toolkit for Java, version 3.1.2

This release contains a fix for OpenSaml initialization in OSGi environment and an update to OpenSaml library version 3.2.0. For version history, see Okta SAML Toolkit for Java Version History

SAML or SCIM applications created in certain developer cells can now submit to ISV portal

Developers in the OK7 developer cell who create and test SAML or SCIM applications using the App Wizard can now submit directly to the ISV portal at oinmanager.okta.com.

Increased timeout for Okta Sign In page

The initial timeout duration has been extended on the Okta Sign-In page.

ACS Limit Increased

The maximum number of Assertion Consumer Service (ACS) URLs for a SAML app is increased to 100.

LDAP Password Push

Okta now supports Password Push for LDAP. This allows each user's LDAP password to be synced to their Okta password. Any subsequent password changes users make are pushed to their user profile in LDAP. In addition to simplifying password management for orgs using LDAP, organizations using both Active Directory (AD) and LDAP can now synchronize their user passwords from AD through Okta to LDAP. For details, see the Provisioning section in Install and Configure the Okta Java LDAP Agent.

Suspicious Activity Reporting

End users can now report unrecognized activity to their org admins when they receive an account activity email notification. This feature is now available through the EA feature manager. See Suspicious Activity Reporting.

Group rules triggered by user reactivations

Group rules are now triggered when a user is reactivated. See Group rules for more information.

Multifactor Authentication for admins

MFA for Admins allows Super admins to enable mandatory multifactor authentication for all administrators accessing admin functionality. For details see Authentication.

Beta features available in Feature Manager

You can now enroll your Preview org in Open Betas in the Feature Manager. When you enroll in a Beta feature, you receive an email with further details. For details, see Manage Early Access and Beta features .

SAML Inline Hook

The SAML Inline Hook enables you to customize the authentication flow by allowing you to add attributes or modify existing attributes in outbound SAML assertions. For details, see our SAML Inline Hook page.

Admin Getting Started tasks

The new Admin Getting Started page helps super admins begin configuring their new Okta org.

For more information, see Get Started with Okta.

Token Inline Hook

The Token Inline Hook enables you to integrate your own custom functionality into the process of minting OAuth 2.0 and OpenID Connect tokens. For details, see our Token Inline Hook page.

System Log events for successful Office 365 logins

A new System Log event is added when an end user successfully signs in to Office 365 using any of the Office 365 app chiclets on the dashboard.

SCIM Template Apps include ISV portal link

Any apps created from the SCIM app templates display a banner that directs developers to use the ISV portal at oinmanager.okta.com to submit their SCIM app to the OIN.

SAML App Wizard change for software developers

During the creation of a SAML app with the App Wizard, software vendors receive a link to the ISV portal at oinmanager.okta.com to submit their app to the OIN. If the software vendors elect not to submit through the App Wizard, a banner appears on their app configuration page with the link to the ISV portal.

OIN Manager supports multiple application submissions

When submitting a new application integration for review by Okta, the OIN Manager now supports multiple concurrent application submissions:

 

Custom URL domain support for the Okta Browser Plugin

This support enables the Okta Browser Plugin to work on the configured custom URL domain. See Configure custom URL domain.

Improved People page filter and Profile page details

We’ve added more detail to the user state labels on the People page.

And now provide the action required for users in a pending state on the User Profile page.

Generally Available Enhancements

OAuth Consent UX Enhancements

  • The OAuth Consent end-user dialog has been modified to improve the user experience.
  • For OAuth Scopes created for a new Authorization Server, the default values for Display Name and Description are updated to be more informative.

Select group UI enhancement

The appearance of Select Group elements are enhanced throughout the UI to be more visually intuitive and consistent with other Okta select elements:

Application Settings enhancements

  • When you create a new application in the dashboard, it will be created with a default Post Logout Redirect URI (previously this field existed but defaulted to blank).
  • When you create a new application of type Single Page Application (SPA), it will default to using Authorization Code with PKCE instead of defaulting to Implicit Flow.
  • The Post Logout Redirect URI only impacts users using our /logout API call (not using any of our SDKs), and it is a list of possible values just like the (Login) Redirect URI.

Event hooks support for MFA factor events

Event hooks are now enabled for MFA factor life-cycle events such as activating or resetting a factor.

Windows Mobile and Blackberry options removed

The option in the Okta Sign In Widget and in the End User Settings to enroll in Okta Verify or Google Authenticator using Windows Mobile or Blackberry devices is now removed.

Sorting functionality added for inline hooks and event hooks

Admins can now sort inline hooks by Status, Type, or Name, and event hooks by Verification, Status, or Name. For more information, see Inline hooks and Event Hooks.

Authentication Server display name enhancement

The Authorization Server scope display name for new entries is now limited to 40 characters.

Use of admin information

Additional legal text regarding use of admin information is added to Settings > Account >Admin email notifications.

Email notification when org licensing changes

Super admins will now receive an email when their org is converted from a free trial and licensed based on a new active contract.

Addition of status text to status icons

The On-Prem MFA and RSA SecureID Agents status icons relied on color to provide status. Status is now also represented by text for improved accessibility.

Workplace by Facebook domain update

When setting up a Workplace by Facebook app, you now have the option to switch from the default org.facebook.com domain to the org.workplace.com domain.

Device fingerprinting for custom org URLs

Custom org URLs now support device fingerprinting for improved accuracy of new sign-in notifications and new device detection.

New device behavior detection

New device behavior detection is improved to provide better accuracy with new devices.

New warning modal for provisioning to apps

Admins who enable Profile Master and Push for the same app are now warned of the potential for overwritten attributes and the risk of lost data. For more information, see Profile mastering.

Early Access Features

This release does not have any Early Access features.

Fixes

General Fixes

OKTA-250443

When using Factor Sequencing, the Custom Password label did not appear in the Password field on the Sign-In page.

OKTA-251904

Okta did not update null/blank profile attributes into RingCentral.

OKTA-253324

In some cases, an incorrect System Log event of INVALID_OKTA_MOBILE_ID was logged even when OMM Device Trust was not enabled.

OKTA-256102

Country Code prefix for Kosovo was set to +undefined when enrolling SMS as a factor.

OKTA-259414

In some cases, Reapply mapping was displayed incorrectly when editing app users with an app user property that was sourced from two different groups.

OKTA-260360H

Social Login created a race condition with Self Service Registration.

OKTA-261676

LDAPi searches using a filter containing entryDN=* failed with result code 80.

OKTA-263016

For customers who opted into the New Import and Provisioning Settings Experience for Active Directory Early Access feature, if an admin entered an invalid custom expression into the AD username format field on the AD Settings page, clicking Save caused infinite loading of the page without saving the settings.

OKTA-263017

Customers who opted into the New Import and Provisioning Settings Experience for Active Directory Early Access feature could not see the UI control for previewing the result of the custom expression underneath the AD username format field when custom was chosen in the drop down.

OKTA-263915

Additional customizations applied to the ADFS site were not displayed when users accessed the ADFS second factor challenge page.

OKTA-264334

In some cases, customers importing users from Workday (as a Master) got an undefined error when executing profile matching.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Ingram Micro (OKTA-260621)

Applications

Application Updates

Provisioning support has been removed from the following apps due to low customer usage, lack of standards based integration, and high supportability cost:

  • Veeva
  • Replicon
  • Roambi Business
  • Gooddata
  • Rightscale

New Integrations

New SCIM integration applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Appsian Security Platform for PeopleSoft (OKTA-258107)

  • Cincopa (OKTA-260900)

  • Cisco Webex (OKTA-263286)

  • Firmex VDR (OKTA-262869)

  • Juro (OKTA-258096)

  • TripActions (OKTA-263057)

  • Wochit Studio (OKTA-263299)

Weekly Updates

Closed2019.12.1: Update 1 started deployment on January 6

Fixes

General Fixes

OKTA-252780

When a super admin canceled edits made to the email settings for an admin type, the edits were not actually canceled.

OKTA-260752

Dynamic SAML attributes appeared in read-only mode with the name, type, and value. Attributes now show only the name and value.

OKTA-261688

When adding Dynamic Attributes to a new SAML 2.0 app instance with long names or values, the text did not wrap correctly on the screen.

OKTA-261738

When creating a new SAML 2.0 app instance, the Attribute fields were auto-expanded, however the Expand button indicated that they were collapsed.

OKTA-262950

Okta Verify Push could be enabled even when Okta Verify was an inactive factor.

OKTA-264060

UNIQUE_PROPERTIES_UI caused delays and 500 errors for Postman DELETE USER API.

OKTA-264158

When OU_PICKER_V2_IN_AD_SETTINGS and AD_GROUP_PUSH were enabled, the organizational unit tree in the Push Groups tab on the AD Settings page rendered without formatting and check boxes.

OKTA-267811H

When AAD Graph API was enabled, role assignment and imports from Office365 sometimes failed.

App Integration Fixes

The following SAML apps were not working correctly and are now fixed

  • GaggleAMP (OKTA-265520)

  • NetFortris HUD Web (OKTA-264119)

  • Open Air (OKTA-252147)

The following SWA apps were not working correctly and are now fixed

  • AmericanFunds Retirement Solutions (OKTA-264261)

  • BioWorld (OKTA-265878)

  • BridgeBank Business eBanking (OKTA-263159)

  • eBay (OKTA-265287)

  • Kamer van Koophandel (OKTA-265639)

  • Mimecast (OKTA-263189)

  • Netskope (OKTA-265465)

  • Principal Advisor (OKTA-263869)

  • The Daily Beast (OKTA-266188)

  • WebRoot Anywhere (OKTA-264805)

The following Mobile apps were not working correctly and are now fixed

  • NetSuite (OKTA-263316)

  • SAP Cloud for Customer (OKTA-263312)

Applications

New Integrations

The following partner-built provisioning integration apps are now Generally Available in the OIN as Okta Verified:

SAML for the following Okta Verified application

  • Blocks Edit (OKTA-264267)

SWA for the following Okta Verified applications

  • AuctionAccess (OKTA-263763)

  • Hunter Communications (OKTA-264917)

  • HYPR (OKTA-264057)

  • MKB Brandstof (OKTA-262883)

  • Savannah Morning News (OKTA-265411)

  • The Daily Beast (OKTA-264753)

Mobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • Adobe Experience Manager (OKTA-263294)

  • FieldGlass SAML (OKTA-263295)

ClosedNovember 2019

November 2019

2019.11.0: Monthly Production release began deployment on November 11

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Agentless Desktop SSO migration

Customers who enabled Agentless Desktop SSO using the registry key configuration method must migrate to the Kerberos alias supported configuration. Contact Support to enable ENG_ADSSO_MIGRATION_READINESS_CHECK which allows you to check your readiness prior to migrating.

For a list of complete migration steps refer to Migrate your Agentless Desktop Single Sign-on configuration.

New System Log events for Okta user groups

System Log events have been added to indicate when Okta user groups are successfully created or deleted.

Sign-in widget for end-user factor enrollment

The sign-in widget is now displayed if an end user enrolls in a factor manually or resets a factor from the End User Dashboard settings. This feature is being released to Production orgs gradually over the month of November.

Minor visual changes to the Feature Manager

The Feature Manager user interface has been updated with minor changes including:

  • The Early Access auto-enroll option is now at the bottom of the Early Access section.
  • When a feature is auto-enabled in EA, the date of enrollment is listed beside the toggle switch.

Agentless Desktop SSO

Agentless desktop SSO and Silent Activation now support Kerberos alias authentication for customers implementing these features for the first time. See Configure Agentless Desktop Single Sign-on - new implementations and Office 365 Silent Activation: New Implementations. This feature is Generally Available in Production for new orgs only.

Web Authentication for MFA

Admins can enable Web Authentication as a factor as defined by WebAuthn standards. Web Authentication supports both security key authentication such as YubiKey devices and platform authenticators. For more information, see Web Authentication (FIDO2) .

Automations

Automations enable you to quickly prepare and respond to situations that occur during the lifecycle of end users who are assigned to an Okta group. You can set up two types of Automations and perform actions such as changing user lifecycle states and notifying users:

  • Recurring Automations to check for conditions such as user inactivity and password expiration
  • One-time Automations to bulk suspend and notify users belonging to a particular group irrespective of their activity

For more information, see Automations .

Required update for Microsoft Dynamics CRM, admin consent needed

We have updated the landing URL for the Microsoft Dynamics 365 app to use OAuth and to be accessible globally. The updated app resolves the issue where end-users outside the USA could not access Dynamics 365 and were redirected to an error page.

You need to provide or renew Admin consent within the Okta Office 365 app instance to continue using Dynamics 365 app in your Okta org.

See Provide Microsoft admin consent for Okta.

Security Behavior Detection

To provide additional security without overburdening your end users, you can configure a Sign On policy for your organization to require additional authentication for behaviors defined as higher risk based on variance from individual users' prior sign ins. Admins can configure the system so that individual end users are only prompted for an additional MFA factor when there is a change in behavior that the admin defines. For more information, see Security Behavior Detection.

Generally Available Enhancements

Admin roles for groups

Admin roles can now only be granted to groups with less than 5000 members.

For more information, see Assign admin privileges.

Admin settings for end-user suspicious activity reporting

In account settings, admins now have the option to exclude themselves or other admins from receiving user-reported notifications about suspicious account activity.

For more information, see Suspicious Activity Reporting.

WebAuthn UI enhancement

The description and icon for the WebAuthn factor have been updated both in the Admin Console and Sign-in Widget.

For more information, see Web Authentication (FIDO2) .

Early Access Features

New Features

Workday Field Overrides

As part of our new Workday connector, Field Overrides are an alternate way to pull custom attribute information from Workday that replaces the existing custom report facility.

For more information, see Workday Field Overrides.

OAuth for Okta

With OAuth for Okta, you are able to interact with Okta APIs using scoped OAuth 2.0 access tokens. Each access token enables the bearer to perform specific actions on specific Okta endpoints, with that ability controlled by scopes that the access token contains.

For more information, see OAuth for Okta guide.

Okta RADIUS Service Agent Update, version 2.9.5

The Okta RADIUS Server Agent version 2.9.5 is updated to run under the LocalService account, which has lower privileges than LocalSystem. The service has also been configured with a write-restricted token to further restrict access.

For more information, see Okta RADIUS Server Agent Version History.

Okta MFA Credential Provider for Windows, version 1.2.2

The Okta MFA Credential Provider version 1.2.2 includes bug fixes and adds self-service password reset.

For more information, see Okta MFA Credential Provider for Windows Version History .

Admin settings for selecting identity providers

Admins now have the option to configure a sign-on policy based on a specific identity provider.

For more information, see Adding Rules in Security Policies.

Disable Import Groups per app

Admins have the option to choose whether groups are included in imports from apps. This new option is available when setting up provisioning for an app.

This feature should be used with care as disabling group imports will have the result of deleting all groups from the app you are configuring. As such, we provide a warning prior to disabling group imports:

Note that you will be unable to disable group imports for an app if the following conditions exist:

  • App Assignments based on Group exist
  • Group policy rules exist
  • Group Push mappings exist

In these cases, an error is displayed.

Fixes

General Fixes

OKTA-212852

Group rules were not applied to reactivated users.

OKTA-221328

With Routing Rules enabled, users saw the message This is the first time you are connecting to [an application] from this browser even though they had logged in before.

OKTA-240039

With Routing Rules enabled, users saw the message This is the first time you are connecting to [an application] from this browser even though they had logged in before.

OKTA-241929

Custom TOTP factors were not supported as part of the authentication flow in Factor Sequencing.

OKTA-249465

On some web browsers, switching between Okta Verify and WebAuthn caused an error.

OKTA-254641

Changes to Max Import Unassignment settings were not logged in the System Log.

OKTA-254723

WebAuthn factor types were incorrectly named as Windows Hello in the MFA Usage Report.

OKTA-255688

The Reset via Email button on a custom sign-in page was visible and active even when that option was disabled for custom URL domains.

OKTA-257032

The Agentless Desktop SSO flow failed to authenticate users accessing custom-domain URLs.

OKTA-257269

In some cases, end users registering for Okta Verify were enrolled in One-Time Password but not in Push.

OKTA-257277

Some admins with MFA for Admin configured entered an infinite page-loading loop when signing into the Admin Console.

OKTA-257315

The HealthInsight page did not load properly for certain Okta orgs.

OKTA-56159

Re-authentication defined in sign-on policies only supported SAML-based apps and did not support SWA.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Adobe Stock (OKTA-257769)

  • GoToWebinar (OKTA-255869)

  • Grammarly (OKTA-258776)

  • Instacart (OKTA-258045)

  • Sainsburys Groceries (OKTA-258041)

  • Twenty20 Stock (OKTA-257496)

  • Twilio (OKTA-258047)

Applications

Application Updates

Provisioning support has been removed from the following apps due to low customer usage, lack of standards based integration, and high supportability cost:

  • OutSystems
  • ExactTarget
  • RightnowCX
  • SugarCRM

New Integrations

SAML for the following Okta Verified application

  • GainsightPX (OKTA-253926)

SWA for the following Okta Verified applications

  • Ontario MC EDT (OKTA-244471)

  • ParcelQuest (OKTA-249541)

  • WatchGuard Evidence Library (OKTA-244478)

Weekly Updates

Closed2019.11.1: Update 1 started deployment on November 18

Fixes

General Fixes

OKTA-162537

The Testing IWA Web App help link on the Delegated Authentication page was broken.

OKTA-218841

End users did not receive proper credential update exceptions when there was an issue with their change password flow.

OKTA-235243

Group Push stopped on the first failure received by O365 and did not display any warnings in the System Log to indicate the issue.

OKTA-236583H

The error message for when a user was locked out did not respect the Group Password Policy settings.

OKTA-244438

In some cases a user could not be unassigned from a SCIM app if the SCIM Server had a slow response time.

OKTA-250498

Super admins were able to select the Rate limit warning and violation email notification when the feature was not enabled for their org.

OKTA-251844

Users were unable to sign in due to a 400 error that was caused by the following conditions: using Internet Explorer, using an SP-initiation SAML sign on, IDP Discovery was enabled, IWA and an MFA prompt were configured.

OKTA-257469

Due to hard validation, attempts to use group functions between profile-mastered appuser to Okta user mapping resulted in validation errors.

OKTA-260343

The Firefox plugin could not be downloaded from the Mozilla Add-ons store. The Firefox plugin version 5.34.0 is now available from the Admin Console, Settings > Downloads menu.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • BombBomb (OKTA-258406)

  • Mimecast Personal Portal v2 (OKTA-258584)

  • MyGeotab (OKTA-258044)

  • Veeva Vault (OKTA-258852)

  • WebEx Premium (OKTA-258040)

  • WP Engine (OKTA-259045)

Applications

New Integrations

The following partner-built provisioning integration apps are now Generally Available in the OIN as Okta Verified:

SAML for the following Okta Verified applications

  • Concur Travel and Expense (OKTA-254835)

  • JazzHR (OKTA-246402)

  • NetFortris HUB Web (OKTA-250307)

  • Netskope User Enrollment (OKTA-253910)

  • Portnox CLEAR (OKTA-253896)

  • Portnox CLEAR Self-onboarding (OKTA-253895)

  • Udemy for Business (OKTA-258121)

  • Vant SSO Proxy (OKTA-257483)

  • YouAttest (OKTA-259546)

SWA for the following Okta Verified applications

  • Dealerpull (OKTA-248564)

  • Encompass TPO Connect (OKTA-241362)

  • Global Database InvestmentMetrics (OKTA-245640)

  • Global Database InvestmentMetrics (OKTA-245640)

  • Informa (OKTA-245651)

  • Instacart Canada (OKTA-248835)

  • k-eCommerce (OKTA-256824)

  • Safeco Agent (OKTA-247347)

  • Southwest Traveler (OKTA-244178)

  • Stetson Insurance Funding Agent Login (OKTA-247772)

  • Street Smart by CycloMedia (OKTA-247460)

  • Transus (OKTA-247849)

Mobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • Jive (OKTA-245483)

  • ShareFile (OKTA-260468)

Mobile application for use with Okta Mobility Management (OMM) (Android iOS)

  • Jive Communications (OKTA-245485)

Closed2019.11.2: Update 2 started deployment on December 2

Fixes

General Fixes

OKTA-247115

Some links in Suspicious Activity Reporting events did not work as expected.

OKTA-260013

The MFA Usage Report did not display some MFA factors when it was generated for all users.

OKTA-262346H

Some provisioning operations for some orgs failed with 409 errors.

OKTA-262644H

For some orgs, the Upload Logo button (Settings > Appearance) did not work.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Acronis Cloud (OKTA-261592)

  • Dell Boomi (OKTA-260860)

  • eOriginal (OKTA-260858)

  • HotSchedules (OKTA-259809)

  • Lola (OKTA-259813)

  • Nationwide Eviction (OKTA-261405)

  • Percolate (OKTA-259811)

  • U.Chicago Dist. Ctr. (OKTA-259812)

Applications

New Integrations

The following partner-built provisioning integration app is now Generally Available in the OIN as Okta Verified:

SAML for the following Okta Verified applications

  • PrinterLogic SaaS (OKTA-257046)

  • PTO Exchange (OKTA-259997)

SWA for the following Okta Verified applications

  • Bannockburn Global Forex (OKTA-252379)

  • Booking Admin (OKTA-257151)

  • Brex (OKTA-254738)

  • Crown Mark (OKTA-255472)

  • Dealer Daily Toyota (OKTA-253563)

  • Empower (OKTA-248283)

  • Firemax - G5 (OKTA-249415)

  • Health Assured UK (OKTA-258033)

  • Rileys eStore (OKTA-248900)

  • RUN Powered by ADP (OKTA-251863)

  • SafetySync (OKTA-248899)

  • State of California Department of Motor Vehicles (OKTA-256771)

  • Untangle (OKTA-250112)

  • Wipster (OKTA-248068)

  • WordFly (OKTA-251885)

Closed2019.11.3: Update 3 started deployment on December 9

Fixes

General Fixes

OKTA-244018

Signing out from Okta from within the password re-authentication screen caused a new Okta Sign In page to appear within the existing Okta UI.

OKTA-246083

When configured to add apps on the fly, the Okta Browser Plugin did not always offer to save credentials for some apps.

OKTA-249009

Attempts to Push Groups from Okta to ShareFile failed and produced an error.

OKTA-252921

The wrong attribute values were mapped from Okta to PagerDuty if the values limited_user or team_responder were selected in the app assignment for a user.

OKTA-253183

When an admin attempted to modify an existing admin’s role by unchecking all roles, then clicked Update Administrator, a non-user-friendly error message was returned instead of the message At least one role must be selected.

OKTA-256370

CSV imports failed when there were unique custom properties in the user profile and imported users had non-empty values set for the unique properties.

OKTA-257508

A 500 error rather than a user-friendly error was returned when an invalid factor was used during the credential authentication flow.

OKTA-257703

An application.provision.user.sync event was generated with a successful outcome before provisioning was attempted.

OKTA-258832

Imports from Confluence 7.0 failed with the error No such operation getUser.

OKTA-259741

Additional MFA factors were not enforced for Okta Mobile if an org created a sign-on policy using Okta as IDP as the priority one rule that defined additional MFA factors.

OKTA-261115

In some cases, the My Applications button was not visible on the admin console.

OKTA-262419

Not all Yubikey device names were displayed after they were enrolled for WebAuthn.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • Cisco Webex Teams (OKTA-259313)

The following SWA apps were not working correctly and are now fixed

  • Adobe Reseller Console (OKTA-263079)

  • AlertLogic (OKTA-261300)

  • Apple Store (OKTA-262873)

  • Avalara CertCapture (OKTA-262331)

  • BioWorld (OKTA-262957)

  • CallTower (OKTA-262327)

  • Experian (OKTA-262329)

  • General Motors GlobalConnect (OKTA-262328)

  • Inspired eLearning (OKTA-262335)

  • Kamer van Koophandel (OKTA-262334)

  • Percipio (OKTA-262330)

  • Southwest Traveler (OKTA-262925)

  • WeWork (OKTA-261968)

  • Work Number Commercial Verifier (OKTA-261507)

Applications

New Integrations

The following partner-built provisioning integration apps are now Generally Available in the OIN as Okta Verified:

  • Clearwage: For configuration information, see the Clearwage Provisioning and SSO Configuration guide.
  • Vant SSO Proxy: Note: The configuration guide for this app is not public. The ISV will provide the internal link to this documentation to the engineers who will be using this integration directly.
  • Book4time: For configuration information, see Book4time SCIM Setup Guide.

SAML for the following Okta Verified applications

  • KindLink (OKTA-259556)

  • Mitel Connect (OKTA-262010)

  • NetFortris HUD (OKTA-261151)

  • Netskope User Enrollment (OKTA-261565)

  • TeamzSkill (OKTA-262037)

  • Visit.org (OKTA-261400)

SWA for the following Okta Verified applications

  • Amazon ES (OKTA-259282)

  • Applied Epic Assuredpartners (OKTA-256238)

  • ASIC - Registered Agents (OKTA-260407)

  • Averon (OKTA-260126)

  • ConnectWise Automate (OKTA-252945)

  • Double Dutch Event (OKTA-256694)

  • Nx2me Clinician Portal (OKTA-259247)

  • OneNote (OKTA-259831)

  • RFPIO (OKTA-259502)

  • SALTO KEYS (OKTA-260440)

  • The Hartford Customer Service Center (OKTA-257302)

  • USA Today (OKTA-261633)

  • Welltower Portal (OKTA-254521)

  • WestJet Biz (OKTA-261389)

ClosedOctober 2019

October 2019

2019.10.0: Monthly Production release began deployment on October 14

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Reports calendar selections limited to past 3 months

The calendar date range for a report displays the past three months only. This matches the maximum date range for report data.

Tokens transform events no longer available

Token transform System Log [events]() will no longer fire for SAML and Token inline hooks. They are retained in Inline Hook events.

See API event types.

Device Trust applies to apps in Okta Mobile for iOS

Any Device Trust policies configured in your environment are now also enforced when iOS device users access resources through Okta Mobile. This functionality is enabled by default. To change it, go to Security > General > Okta Mobile.

See Okta Mobile Settings.

Okta Browser Plugin version 5.33.0 for all browsers

This version includes the following:

  • Security warning and anti-phishing whitelist
  • Reflection of real-time app and profile changes in the end user dashboard
  • Custom URL domain support for the plugin (available in Preview orgs)
  • New look (available in beta)
  • Back-end enhancements

See Okta Browser Plugin: Version History.

OPP agent, version 1.3.4

This version of the OPP agent:

  • Improves networking utilities and recovery speed after a DR event
  • Improves log correlation between the agent and Okta
  • Fixes a bug that read special characters from a CSV incorrectly

See On Premises Provisioning Agent and SDK Version History.

Active Directory agent, version 3.5.9

This release of the AD agent fixes an issue where meta data about Active Directory domains was not updated in Okta during imports from AD. In some cases this prevented features which rely on this meta data, for example Agentless Desktop SSO, from working correctly or being configured for the first time.

See Okta Active Directory agent version history.

JIRA Authenticator Toolkit, version 3.1.2

This release includes the following bug fix: JIRA service failed to start after upgrading the JIRA Authenticator from 3.0.7 to 3.1.1.

See Okta Jira Authenticator Version History.

Okta Browser Plugin reflects real-time app and profile changes in the end user dashboard

The Okta Browser Plugin now reflects the real-time state of the end user dashboard, eliminating the need to refresh the dashboard for the plugin to reflect the latest app and profile changes. This feature is available on Okta Browser Plugin version 5.29.0 or higher. For more information, see Okta Browser Plugin.

App condition for MFA enrollment policy

Admins can now use a new condition when setting a rule for an MFA enrollment policy. When this condition is configured, end users are prompted for factor enrollment when accessing all of their applications or only for those selected by their org admin. For more information, see App Condition for MFA Enrollment Policy.

Add event hooks from the Admin Console

Admins can now add event hooks from the Admin Console. Event hooks send outbound calls from Okta that trigger asynchronous process flows in admins' own software. For more details, see Event Hooks.

LDAP Admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. For details see Reset user passwords.

Generally Available Enhancements

Adobe CQ Enhancement

You can specify whether to ignore inactive users or not during imports to/from Adobe CQ.

Group Admin behavior change

When a group admin with permissions to manage a single group adds a new user to the org, the group name is automatically populated.

New System Log event for email challenge

The new event now includes more debugData information to indicate whether an email challenge was answered (redeemed) using the same browser from which it was initiated.

Scope Naming Restriction

OAuth Scopes may not start with the okta. prefix. See Create scopes.

Early Access Features

New Features

User Type support in Okta user profiles

Universal Directory now supports custom user types. You can customize the attributes in up to 9 user types.

See About custom user types in Universal Directory.

Fixes

General Fixes

OKTA-220377

When assigning users to Microsoft Office 365, a Profile push error message was displayed. Users could still sign in and their profiles were updated correctly.

OKTA-221078, OKTA-231642

When Okta MFA for Azure AD Conditional Access was enabled, admins were unable to configure Microsoft Office 365 using the I want to configure WS-Federation myself using PowerShell option.

OKTA-233578

Deactivated users were imported from Adobe CQ.

OKTA-235187

In OAuth 2.0/OIDCOpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, an authorization framework. The standard is controlled by the OpenID Foundation. /authorize request, the Okta Sign-In Widget incorrectly rendered the login_hint parameter, substituting + with a space.

OKTA-236849

Users were unable to sign in to the GoAnywhere SWA app automatically and had to enter their credentials manually.

OKTA-237085

Admins could not add an IP to a Network Zone in the System Log if there were more than 20 Network Zones. Only the first 15 zones were displayed.

OKTA-240197

The group icon for the Namely app was incorrectly displayed on the Directory > Groups page.

OKTA-240375

MFA factor enrollment policies were not enforced when Factor Sequencing was enabled.

OKTA-243056

When admins removed a user from a group with more than one # character in the group name, the confirmation message ignored all text preceding the last #. This resulted in an incorrect confirmation message.

OKTA-244957

Users were able to sign in to the NorthWest Evaluation Association MAP app only when using Sign in with 1 click.

OKTA-245114

Imports failed in Preview instances of the WebEx (Cisco) app.

OKTA-246107

In SP-initiated flows for the AnyBill app, the Okta plugin did not route the user to the correct URL.

OKTA-247915

Admins were allowed to subscribe to email notifications for which they did not have permission.

OKTA-248760

When admins entered a username to test if a new LDAP configuration was valid, the Next button did not work.

OKTA-250256

In some cases, the group attribute for Template WS-Fed apps was evaluated incorrectly.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Chicago Tribune (OKTA-248424)

  • CrowdStrike Support Portal (OKTA-250779)

  • Cube19 (OKTA-253339)

  • MailGun (OKTA-250727)

  • Nice inContact Workforce Management (OKTA-250421)

  • Template 2 Page Plugin (OKTA-249755)

Applications

Application Updates

  • Provisioning support removed for Huddle and Connected Data apps - Provisioning support has been removed from the Huddle and Connected Data apps due to its low customer usage, lack of standards based integration, and high supportability cost.

New Integrations

SAML for the following Okta Verified applications

  • Compusense (OKTA-252571)

  • Moesif API Analytics (OKTA-251060)

Weekly Updates

Closed2019.10.1: Update 1 started deployment on October 21

Fixes

General Fixes

OKTA-235246

Org2Org setup created a new appUser instead of restoring the original user after encountering an Error while Reactivating user message.

OKTA-247437

Report admins did not have access to the Proxy IP Usage Report.

OKTA-249412

403 return status in API caused spinning icon in UI when Mobile admins tried to view the Security Health Check page.

OKTA-249465

Users encountered an error if they switched between WebAuthn and other factors when signing in to Okta in a web browser.

OKTA-250499

Telangana was missing as a region for India in Network Zones.

OKTA-252845

Immediately after enabling WebAuthn, users saw Windows Hello in a stale window when resetting an enrollment factor.

OKTA-253687

Back to Settings link incorrectly appeared in the OIDC sign-in flow.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 2145 Parkplace (OKTA-250451)

  • Adobe Creative (OKTA-254693)

  • Adobe Enterprise (OKTA-254514)

  • Cisco Webex Meetings (OKTA-253433)

  • Dealer Daily Lexus (OKTA-253658)

  • Google Analytics (OKTA-253582)

  • My T-Mobile (OKTA-251610)

  • Paycor (OKTA-253575)

  • SSQ Financial Group (OKTA-253421)

Applications

New Integrations

SAML for the following Okta Verified applications

  • CyberArk Password Vault Web Access (OKTA-251875)

  • DataRails (OKTA-251850)

  • Elevio (OKTA-253738)

  • SimpliGov (OKTA-249789)

  • Visibly (OKTA-253409)

  • VMWare Workspace ONE (OKTA-252568)

SWA for the following Okta Verified application

  • Adobe Admin Console (OKTA-254510)

Closed2019.10.2: Update 2 started deployment on November 4

Fixes

General Fixes

OKTA-208239

Duplicate notifications were displayed in the Profile Editor after a new attribute was added.

OKTA-218100

Security email notifications sometimes displayed extra commas.

OKTA-231286

Editing AD instances sometimes resulted in a provisioning error in Office 365 instances.

OKTA-237415

Activation emails were sent to end users despite being configured otherwise.

OKTA-237944

When saving a user's updated profile details from the Profile page, a manual refresh was required.

OKTA-244162

The MFA Factor Reset email displayed the TOTP factor with an error.

OKTA-244298

The Import from Active Directory tab did not describe what type of import will remove AD groups in Okta if the groups have been deleted in the AD.

OKTA-244986

Behavior Detection logs showed UNKNOWN for user's first sign-in, but showed POSITIVE for sign-in after resetting the behavior profile.

OKTA-247912

If the IdP routing rule contained a user identifier condition and an application condition, some users were routed incorrectly.

OKTA-249204

For orgs that allow non-email usernames, users with an ID me were not able to sign in due to an API conflict. This ID is no longer allowed, but existing users with that ID are unaffected.

OKTA-254883

Duo factor activation events were not generated.

OKTA-255088

The Early Access Self-Service link for User Types incorrectly pointed to the Beta doc rather than the EA release topic in online help.

OKTA-255517

In the Security > General page, the Learn More link next to the Report Suspicious Activity selection pointed to the wrong page in the online help.

OKTA-255582

In Preview orgs, users who removed Okta Verify through their Settings page remained enrolled in the factor.

OKTA-255940

After access to Okta Support was enabled, impersonation could be disabled or enabled in the impersonated session.

OKTA-256720

Import settings for Salesforce were unintentionally reset and lost.

OKTA-256724

Users who signed in via IWA after their password was reset with the Temporary Password option were prompted to change their password twice.

OKTA-257203

Resetting all factors for a user resulted in an error.

OKTA-257353

Auth schema inline hooks could not be renamed.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Adobe Fonts (OKTA-254976)

  • Adobe Licensing Website (OKTA-254315)

  • Amazon UK (OKTA-255211)

  • Eden (OKTA-221449)

  • Entelo (OKTA-253476)

  • GoToMeeting (OKTA-255995)

  • iTunes Connect (OKTA-257282)

  • Jive (OKTA-256518)

  • JumpCloud (OKTA-254291)

  • Knoll (OKTA-257055)

  • Kyriba (OKTA-255894)

  • MIBOR (OKTA-257057)

  • My Jive (OKTA-256680)

  • Nexus System Connect (OKTA-254290)

  • The Wall Street Journal (OKTA-255220)

  • Threads Culture (OKTA-256355)

  • U.S. Bank (OKTA-254309)

  • WP Engine (OKTA-257193)

  • YouCanBook.me (OKTA-257284)

  • Zoominfo (OKTA-243203)

Applications

 

Application Updates

  • Netskope now supports the following Provisioning features (this is in addition to the other provisioning features it already supports):

    • Group Push

    Users who have previously set up the Netskope integration and enabled Provisioning need to follow the migration steps detailed in the Netskope Configuration Guide if they want to use the new feature.

  • OfficeSpace Software now supports the following Provisioning features (this is in addition to the other provisioning features it already supports):
    • Importing users
    • Profile/Attribute Level Mastering
    • Schema updates

    Users who have previously set-up the OfficeSpace Software integration and enabled Provisioning need to follow the migration steps detailed in the OfficeSpace Software Configuration Guide if they want to use the new features

New Integrations

The following partner-built provisioning integration apps are now Generally Available in the OIN as Okta Verified:

SAML for the following Okta Verified applications

  • Accrualify (OKTA-256378)

  • Ambient.ai (OKTA-254752)

SWA for the following Okta Verified applications

  • E-Link (OKTA-249632)

  • EagleBank (OKTA-242296)

  • TECtok (OKTA-245077)

  • Time Clock Plus Manager (OKTA-244676)

ClosedSeptember 2019

September 2019

2019.09.0: Monthly Production release began deployment on September 9

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Customizable email template for LDAP users

The LDAP Forgot Password Denied email template can now be customized for LDAP users who have requested a password reset but must have their password reset by an admin. See Email customization .

New System Log event for event hooks

Event hook eligible System Log events now display the event hook ID in the Debug Context object under the TargetEventHookId field.

For a list of event hook eligible System Log events, filter our Event Types Catalog by the event-hook tag.

Okta Browser Plugin, version 5.32.0 for all browsers

This version includes the following:

  • Custom URL domain support for the plugin (available through the EA Feature Manager)
  • Back-end enhancements

See Okta Browser Plugin: Version History.

End of support for Okta Mobile Connect on iOS 13 and iPad OS 13

Okta Mobile Connect will not function on iPhones and iPads that upgrade to iOS 13 and iPad OS 13, respectively, because version 13 introduces changes that affect the way an Apple API handles external requests to open Okta Mobile. See Okta Mobile Connect.

User enrollment of multiple Web Authentication factors

End users now have the option to enroll in more than one instance of a WebAuthn-based factor, which can be set up either from the sign-in widget or from the end user dashboard settings. See Web Authentication (FIDO2) .

Active Directory, honor AD password policy

If an AD-mastered user has forgotten their password the AD password policy is honored when the user resets their password.

Support for LDAP provisioning

With the addition of the following Provisioning Features, Okta's LDAP integrations now closely match the functionality already available to Okta Active Directory (AD) integrations.

  • Create Users

  • Update and deactivate LDAP accounts

  • DN customization

  • Profile Masters

For more information, see Provisioning Features.

Admin report CSV changes

The Administrator report containing information about all admins, their roles, and permissions will now be generated asynchronously. Super admins can generate the report by clicking Request Report and they will receive an email with a download link when the report is ready. For details, see The Super admin role .

Inline Hooks

Admins can now add Inline Hooks from the admin console. Inline Hooks enable admins to integrate custom functionality into Okta process flows. For more information, see Inline hooks.

Configure Okta Device Trust for Native Apps and Safari on MDM managed iOS devices

Okta Device Trust for MDM managed iOS devices allows you to prevent unmanaged iOS devices from accessing enterprise services through browsers and native applications:

Note: This feature requires Okta Mobile 5.12 for iOS (or later), available in the App Store beginning February 1st.

For details, see Configure Okta Device Trust for Native Apps and Safari on MDM managed devices.

ThreatInsight Threat Detection

Admins can now configure ThreatInsight — a new feature that detects credential-based attacks from malicious IP addresses. ThreatInsight events can be displayed in the admin system log and also be blocked once this feature is configured. For more information, see ThreatInsight.

Apps supporting incremental imports

Workday joins Active Directory and LDAP in the ability to run immediate, incremental imports. Okta strives to add this functionality to more and more provisioning-enabled apps.  This feature is currently only available for Preview orgs.

Note: To use this functionality, your org must also have the Workday Incremental Imports (ENG_PROV_WORKDAY_INCREMENTAL_IMPORTS) Early Access feature enabled.

Early Access Features

New Features

Quick Access tab on the Okta Browser Plugin available through EA feature manager

Quick Access tab on the Okta Browser Plugin is now available through the EA feature manager. See Allow end-users to quickly access apps.

MFA for Oracle Access Manager

With Okta MFA for Oracle Access Manager (OAM), customers can use OAM as their Identity Provider (IdP) to applications and also use Okta for MFA to provide a strong method of authentication for applications. For more information, see MFA for Oracle Access Manager.

New Windows Device Registration Task, version 1.4.0

This release includes the following:

Okta On-Prem MFA agent, version 1.4.1

This release of the agent contains security enhancements. See On-Prem MFA Agent Version History.

Factor Sequencing

Admins can now provide end users with the option to sign in to their org using various MFA factors as the primary method of authentication in place of using a standard password. See Factor Sequencing.

Fixes

General Fixes

OKTA-192270

The translations were missing for the API AM User Consent buttons.

OKTA-230781

On the Push Groups to Active Directory > Push Groups by Name page, clicking Show more incorrectly redirected the admin to the People page.

OKTA-232406

The Self-Service Create Account Registration form did not clear a failed password validation status even after the password was updated to meet complexity requirements.

OKTA-237684

The last MFA factor used was not remembered for some orgs that use app-level MFA rules and a custom URL domain for sign-in attempts initiated by a Service Provider.

OKTA-237864

The Active Directory Settings page was slow or unresponsive for directories with more than 10,000 Organizational Units (OUs). To obtain the fix for this bug, contact Support.

OKTA-238146

When Factor Sequencing was enabled and a user clicked Sign Out from the sign-in widget, the browser page had to be refreshed manually for the user to sign in again.

OKTA-240089

Some authentication error messages for the custom IdP factor were not displayed by the sign-in widget.

OKTA-242345

Some sign-on policies and rules for IWA were not applied when a user signed in.

OKTA-246020

An extra character > appeared in the Admin navigation header.

OKTA-246246H

The temporary password was not displayed in developer account activation emails.

OKTA-247093

Web Authentication factor names were not displayed correctly under Extra Verification in end user settings.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Active Campaign (OKTA-245468)

  • Aegify (OKTA-245093)

  • BSPlink (OKTA-239934)

  • Check Point (OKTA-244812)

  • CultureIQ (OKTA-245092)

  • DesignCrowd (OKTA-245635)

  • Google Play Developer Console (OKTA-241992)

  • Hippo CMMS (OKTA-246930)

  • Key Bank (OKTA-245091)

  • MyFax (OKTA-244628)

  • OnePath Advisor (OKTA-243552)

  • ProjectManager.com (OKTA-244279)

  • Shutterfly (OKTA-245801)

  • Wells Fargo Funding (OKTA-244825)

Applications

Application Updates

To reflect Webex name changes we have updated our documentation as follows:

  • Webex (Cisco) is renamed to Cisco Webex Meetings

New Integrations

SAML for the following Okta Verified applications

  • 15five (OKTA-245730)

  • Centrify Privilege Access Service (OKTA-244805)

  • COMPASS by Bespoke Metrics (OKTA-246403)

  • Gateway Software Solutions (OKTA-231714)

  • Good2Give (OKTA-244842)

  • Legal Diary (OKTA-231714)

  • Wellness360 (OKTA-242402)

SWA for the following Okta Verified application

  • United Capital (OKTA-240147)

Weekly Updates

Closed2019.09.1: Update 1 started deployment on September 16

Fixes

General Fixes

OKTA-239075

After having their passwords reset by an admin, AD-mastered users who changed their AD password and then used Delegated Authentication to sign in to Okta encountered an unnecessary password reset page during the IWA Desktop SSO sign-in flow.

OKTA-239805

It was possible to remove the last individually assigned super admin from an org.

OKTA-243796

The Import Now button did not appear for newly created OPP app instances.

OKTA-244073

Jira service failed to start after upgrading the Jira Authenticator from 3.0.7 to 3.1.1.

Note: To receive this bug fix, download the latest Jira Authenticator 3.1.2.

OKTA-248184

Suspicious Activity emails sent to admins erroneously included information about actions taken as a result of the suspicious activity.

OKTA-248458

When an org admin toggled the WebAuthn factor feature, non-Windows users with their browsers open to the sign-in page erroneously saw the Windows Hello factor.

OKTA-249451H

Sending an Okta Verify push, then while waiting for the end user's response, switching to WebAuthn as a factor resulted in an error.

Applications

New Integrations

SAML for the following Okta Verified applications

  • Airbrake (OKTA-247505)

  • Parley Pro (OKTA-239461)

Closed2019.09.2: Update 2 started deployment on September 23

Fixes

General Fixes

OKTA-221735

The Docusign app did not display the Permission profile values correctly.

OKTA-230033

Admins were allowed to attempt to assign a U2F factor to a user even when it was disallowed by policy.

OKTA-238336

Provisioning more than 3600 requests from Okta to Salesforce caused both user creation and user updates to fail.

OKTA-240371

During an SP-initiated app sign in to a custom domain, the behavior of the Remember Device check box was inconsistent for App-level and Org-level MFA.

OKTA-240769

WebEx was not provisioning the correct email attribute value.

OKTA-241439

User profile mappings did not generate errors when Expression Language group functions were used inside an App to Okta mapping.

OKTA-241761

A new NetSuite domain name was missing from the list of NetSuite options.

OKTA-241916

There was a typo in one of the Feature Manager Early Access features.

OKTA-244297

After having their passwords reset by an admin, AD-mastered users who changed their AD password and then signed in to Okta encountered an unnecessary password reset page during the IWA Desktop SSO sign-in flow.

To obtain the fix for this bug, contact Support.

OKTA-244537

Users were able to re-enroll in a previously enrolled WebAuthn authenticator.

OKTA-245768

While it was still pending verification, WebAuthn appeared on the end user's Settings page as an enrolled factor.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • Workday (OKTA-245265)

The following SWA apps were not working correctly and are now fixed

  • Air Canada Travel Agency (OKTA-246673)

  • Alerus Retirement (OKTA-248084)

  • Alerus: Account Access (OKTA-246929)

  • BigBlueOnline (OKTA-248218)

  • Duo Security (OKTA-247829)

  • HackerRank For Work (OKTA-247487)

  • Mimecast (OKTA-246444)

  • OneSignal (OKTA-247482)

  • ProofHub (OKTA-247818)

  • Sun Life Financial (OKTA-246462)

  • SyncHR (OKTA-247514)

  • The Hartford At Work (OKTA-247955)

  • Wistia (OKTA-246913)

  • Zuman (OKTA-247537)

Applications

New Integrations

SAML for the following Okta Verified applications

SWA for the following Okta Verified applications

  • ContentSquare (OKTA-244251)

  • Wells Fargo - Personal (OKTA-244153)

  • WhiteHat Customer Portal (OKTA-243554)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • Clarizen (OKTA-248809)

  • Doxis4 (OKTA-244112)

  • MobileIron Cloud (OKTA-248803)

  • xMatters (OKTA-248805)

  • Zscaler Private Access (OKTA-248807)

Mobile application for use with Okta Mobility Management (OMM) (Android)

  • Igloo (OKTA-248490)

  • Syncplicity (OKTA-248487)

Closed2019.09.3: Update 3 started deployment on September 30

Fixes

General Fixes

OKTA-230273

Clicking the name of an Organizational Unit rather than selecting its check box in Group OUs connected to Okta caused the corresponding Organizational Unit in User OUs connected to Okta to be selected.

OKTA-235285

When signing in to an app, users were prompted to enroll in email authentication instead of specific apps that were included as part of the App Condition for Enrollment policy.

OKTA-239833

Clarizen provisioning configured for a sandbox environment failed.

OKTA-245037

The Custom Email Templates preview CSS appeared to be different from the actual email.

OKTA-246931

Okta groups of type APP_GROUP failed to be marked as deleted using Group API when the original App Group was already marked as DELETED.

OKTA-247199

WebAuthn did not work with custom domains.

OKTA-248625

After upgrading from U2F to WebAuthn and then disabling WebAuthn, U2F users did not see a U2F option on the enrollment page.

OKTA-249385

Admins could add the same property name with different cases into the appUser profile for Generic OIDC IdP.

OKTA-250615

Users for orgs without a group-based Okta MFA enrollment policy could not enroll WebAuthn factors from the end user Settings page.

OKTA-250722

The custom sign-in page call-out displayed the wrong version number as the latest version of the Okta Sign-in Widget.

OKTA-251211H

Metadata about Active Directory domains was not updated in Okta during imports from AD. In some cases this prevented features which rely on this metadata, for example Agentless Desktop SSO, from working correctly or being configured for the first time.

To obtain this fix, download the Okta Active Directory agent, version 3.5.9.

OKTA-251828H

App icons on the Okta End-User Dashboard took longer to load in Chrome 77 when hardware acceleration was on.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • ADP Employee Self Service Portal (OKTA-247820)

  • Evernote (OKTA-247819)

  • Microsoft Office 365 (OKTA-239332)

  • Milestone XProtect Smart Client (OKTA-248227)

  • MobileIron Cloud (OKTA-247821)

  • MyFax (OKTA-244628)

  • OnceHub (OKTA-249321)

  • Universal Production Music (OKTA-249121)

  • Wells Fargo (Commercial Electronic Office) (OKTA-249085)

  • Work Number Commercial Verifier (OKTA-248228)

Applications

New Integrations

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • OpsRamp (OKTA-247509)

  • RSA SAML Test Service Provider (OKTA-246422)

  • SevenRooms (OKTA-248528)

  • SpotMe (OKTA-248481)

  • ValenceDocs (OKTA-244909)

Mobile applications for use with Okta Mobility Management (OMM) (Android and iOS)

  • ADP (OKTA-248495)

  • Cvent (OKTA-248498)

  • SolarWinds Service Desk (OKTA-249028)

  • Wordpress by MiniOrange (OKTA-249020)

Mobile applications for use with Okta Mobility Management (OMM) (Android)

  • Atlassian Confluence Server (OKTA-248497)

  • Benevity (OKTA-248496)

Closed2019.09.4: Update 4 started deployment on October 7

Fixes

General Fixes

OKTA-219847

Provisioning tasks for G Suite failed to complete when the daily limit for API calls was reached.

OKTA-221627

The honorificSuffix and honorificPrefix were mapped incorrectly between Okta and AD.

OKTA-241281

Samanage import failed with an Error while download schema enum values: null error.

OKTA-245525

Okta to App profile mappings could not be saved after provisioning settings were enabled for an application.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Apptio (OKTA-249495)

  • BAML Works (OKTA-250531)

  • ESRI Customer Care Portal (OKTA-249497)

  • Lucidchart (OKTA-239922)

  • LucidChart (OKTA-239922)

  • Mailchimp (OKTA-250518)

  • Nice inContact (OKTA-245717)

  • Trustwave (OKTA-249499)

Applications

New Integrations

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Clutch (OKTA-247508)

  • Cyberator (OKTA-250305)

  • PurelyHR (OKTA-250517)

  • Scout CMS (OKTA-251113)

  • Smart360 (OKTA-248575)

ClosedAugust 2019

August 2019

2019.08.0: Monthly Production release began deployment on August 12

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

System Log event for Agentless Desktop SSO authentication error

A new System Log event (User not found during agentless DSSO Auth) appears when there is an Agentless DSSO authentication error due to one of the following reasons:

  • The UPN is not in a valid format multiple users match
  • The search criteria no users match the search criteria

Okta Active Directory agent, version 3.5.8

This release of the Okta AD agent implements a check on the AD agent service startup. The check overrides the value of the connectionLimit parameter if it is misconfigured. If the value is acceptable but not optimal, a warning message that describes the recommended value is logged. For details about the recommended values, see AD agent configuration variable definitions. For agent version history, see Okta Active Directory agent version history.

Install Plugin button on the end-user dashboard on Firefox goes to Firefox Add-ons

In the Firefox browser, the Install Plugin button on the end-user dashboard now redirects to Firefox Add-ons, where users can download the latest version of Okta Browser Plugin.

LDAP settings, user interface changes

The LDAP settings user interface is updated. It is now more consistent with how other application settings are configured. For details, see Manage LDAP provisioning, import, and integration settings.

Remove Duo from end user settings

Duo may now be removed from end user settings so that end user enrollment takes place only at sign-in, based on the configured MFA enrollment policy. For more information, see Duo Security for MFA.

Admin console search

Admins can now use a quick search for the names of end users or apps. However you only see search results based on what you have admin permission to view. When the search results are presented, if the name or app you are seeking is listed, you can click on the item and be taken to the corresponding user page or application page. For details, see Admin console search.

Scoping admin privileges, AD and LDAP-mastered groups now supported

Super admins can now scope Group and Help Desk admin privileges to AD and LDAP-mastered groups in addition to Okta-mastered groups. This EA Feature can be enabled in the Feature Manager. For details, see Assign Help Desk admin privileges.

LinkedIn IdP Creation Re-Enabled

Creation of LinkedIn Identity Providers has been re-enabled in all Preview Orgs. For more information, see Set up a LinkedIn app.

Incremental import support for LDAP users

LDAP users can now take advantage of incremental imports, eliminating the need for full imports every time. Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import. For details, see Install and Configure the Okta Java LDAP Agent.

Reauthentication prompts

All prompts for reauthentication now use the Sign In widget rather than the Classic UI.

IWA Desktop SSO, behavior change

If you turn off IWA DSSO, the IWA Routing Rule will be switched to Inactive. The next Routing Rule will be used to direct your users to the appropriate sign in. When you turn IWA DSSO on again, you must also switch the IWA Routing Rule to Active again. For details, see Step 5: Configure Routing Rules in Install and configure the Okta IWA Web agent for Desktop SSO.

Generally Available Enhancements

Devices menu is changing to the OMM menu

The Devices menu and other OMM-specific areas of Admin Console have been renamed to OMM or Okta Mobility Management. This was done to:

  • Clarify that items in the menu and associated product areas are relevant only for orgs that have configured Okta Mobility Management.
  • Free-up the label Devices for future use.

Active Directory, first and last name optional

You can now mark the first and last name attributes as optional for AD-mastered users. This allows you to import users with one or both of these blank fields. For details, see Make first and last name optional in Active Directory.

New prompt during WebAuthn enrollment

A new prompt during WebAuthn enrollment that asks the user if they want to Allow Okta to see authenticator data. Fore details, see Web Authentication (FIDO2) .

Closed

Early Access Features

New Features

Custom TOTP Factor

Admins can now enable a custom MFA factor based on the TOTP algorithm. For more information, see Custom TOTP Factor.

Custom Factor Authentication

Custom Factor Authentication allows admins to enable an Identity Provider factor using SAML authentication. For more information, see Custom IdP Factor Authentication.

Integrate Okta Device Trust with VMware Workspace ONE for iOS and Android devices

The Okta + VMware integration is a SAML-based solution that combines the power of Okta Contextual Access Management with device signals from VMware Workspace ONE to deliver a secure and seamless end-user experience. For details, see Integrate Okta Device Trust with VMware Workspace ONE for iOS and Android devices.

Risk Scoring sign-on policy rule

Admins can now set a risk level as part of a sign-on policy rule. Setting a risk level helps determine potential security risks that are associated with an end user when they attempt to sign in to their org. For more information, see Risk Scoring.

On Premises Provisioning agent, version 1.3.3

This release changes from Oracle JRE to Amazon Corretto JRE 8.202.08.2. The OPP Agent now supports CSV Directory imports from a CSV file with a byte order mark. Additionally, imports will now fail if the OPP Agent attempts to send a message that is too large for Okta. For agent version history, see On Premises Provisioning Agent and SDK Version History.

Fixes

General Fixes

OKTA-194153

SCIM App template URI requests were using + instead of %20 (space), making them RFC non-compliant.

OKTA-207634

In some cases, there were redirect issues after upgrading to JIRA On-Prem version 3.0.7.

OKTA-228380

MFA-required users with , in their passwords did not automatically go through the proper PUSH flow.

OKTA-229541

To preserve cross-site functionality in light of upcoming updates to Chrome (https://www.chromestatus.com/feature/5088147346030592), Okta has added the SameSite=None attribute to all relevant cookies.

OKTA-239067

The Get Okta Mobile on the App Store page was corrupted when attempting to add a new account to native Outlook app.

OKTA-239419

Agentless DSSO failed when the Routing Rules feature was enabled because no IdP rule was created.

OKTA-240083

When Agentless DSSO failed and there was no OnPrem IWA agent, users were redirected to a default login page (an example default login page URL custom.com/login/default) instead of the customer’s login page (an example URL custom.com) configured by the customer under Identify Provider Settings.

OKTA-240115

Attempts to change Group Roles through the public API failed and incorrect events were logged in the System Log.

OKTA-240523

If Prompt for factor was cleared for an existing rule, Factor mode and Factor Lifetime were erroneously displayed when the rule was expanded.

OKTA-240669

No customer-facing error messages were displayed when admins tried to save a customized email template with a subject that exceeded the 128-character limit.

OKTA-71860

An incorrect error message was shown when the body of a customized email template exceeded the maximum number of characters.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • AnyBill (OKTA-240273)

  • FCO (OKTA-241250)

  • Indianapolis Business Journal (OKTA-241433)

  • Knoll (OKTA-240954)

  • Nextiva VOIP (OKTA-240856)

  • Sfax (OKTA-241251)

  • Twilio (OKTA-241252)

  • Webex Premium (OKTA-241571)

  • WORK NUMBER Social Service Verifier (OKTA-241573)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Arxspan (OKTA-240204)

  • DataGrail (OKTA-239290)

  • Getabstract (OKTA-239289)

  • HackEDU (OKTA-237775)

  • ITProTV (OKTA-238934)

  • RStudio Connect (OKTA-241802)

  • Zoom (OKTA-143049)

SWA for the following Okta Verified applications

  • One Net Receptionist (OKTA-234416)

  • Thrift Savings Plan (OKTA-233571)

  • Vendor Invoicing Portal (OKTA-233570)

Mobile applications for use with Okta Mobility Management (iOS)

  • Adobe Fill & Sign - Doc Filler (OKTA-235517)

  • Adobe Scan (OKTA-235515)

  • Adobe Scan: Mobile PDF Scanner (OKTA-235514)

Weekly Updates

Closed2019.08.1: Update 1 started deployment on August 19

Fixes

General Fixes

OKTA-229898

If the Service account username field was left blank on the Desktop SSO settings page when configuring Agentless Desktop SSO settings for Active Directory, the error message incorrectly used the term SPN instead of Service account username.

OKTA-237827

In Feature Manager, when an Open Beta had a dependency on a Closed Beta, the Contact Support link was missing from the Open Beta description.

OKTA-237924

Some LDAPi search requests using group membership filters timed out.

OKTA-241759

When an end user canceled their enrollment in an Identity Provider factor, they were not returned to the Okta enrollment screen automatically.

OKTA-242944

When admins enabled a Beta feature, the confirmation email they received contained incorrect Beta feature names.

OKTA-244013H

The attribute for userId in the SAML assertion was interpreted as Okta userid instead of the value sent.

OKTA-244527H

Some users could not login to their Okta org using samAccountname.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • IBM MaaS360 (OKTA-232700)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Lab Horizon (OKTA-240597)

  • Motus (OKTA-240602)

  • Purchasing Platform (OKTA-231720)

  • Target Solutions (OKTA-241682)

SAML for the following Community Created application

  • Area 1 Horizon (OKTA-241845)

Closed2019.08.2: Update 2 started deployment on August 26

Fixes

General Fixes

OKTA-240654

When admins customized the sign-in page, tool tip fields appeared when there should be none.

OKTA-241861

When editing the On-Prem Desktop SSO form on the Security > Delegated Authentication page, the Cancel button at the top of the form was not displayed.

OKTA-179828

Admins could deactivate a SAML Identity Provider when it was still active as an Idp Factor.

OKTA-223737

For some users, the ACTIVATE MY ACCOUNT button did not render correctly in the Activate your developer account email.

OKTA-226475

In the BambooHR app, users were imported one day before their actual start dates.

OKTA-236983

When factor sequencing feature was enabled, the Add button was displayed even when all authentication options had been added.

OKTA-239014

AD-mastered users were not able to update their primary phone number on the Settings page when the attribute was Okta-mastered and with READ-WRITE permissions.

OKTA-242976

When factor sequencing feature was enabled, for orgs that require Okta Verify with push notifications, users that were enrolled for Okta Verify TOTP and not push notifications could not sign in.

OKTA-243197

When factor sequencing feature was enabled and an Idp factor was configured, the default factor strength of the IdP factor was missing.

OKTA-243624

No results were displayed when filtering application group's membership by application name.

OKTA-243665

Users could not sign in if they were enrolled in Custom TOTP by an admin but the factor enrollment policy included both Custom TOTP as a required factor and any other factor as an optional/required factor.

OKTA-244032

A change was made to prevent conflicts with the Universal Directory expression language. It now correctly fetches the configured userId.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • First Advantage Enterprise Advantage (OKTA-239473)

  • Microsoft Office 365 (OKTA-239316)

  • Mitel Sky Portal (OKTA-241260)

  • Nice inContact Workforce Management (OKTA-242929)

  • QANTAS (OKTA-241871)

Applications

New Integrations

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Arbitrip (OKTA-242956)

  • Assetnote (OKTA-243043)

  • CaseFleet (OKTA-242714)

  • Contentful (OKTA-242957)

  • Conversocial Bots Platform (OKTA-243282)

  • Good2Give (OKTA-242715)

  • Nutanix Frame (OKTA-239515)

  • Zestful (OKTA-242404)

SWA for the following Okta Verified applications

  • GetYourGuide for Suppliers (OKTA-236209)

  • Inman (OKTA-236695)

  • Oracle Textura Payment Management (OKTA-236554)

  • Simmons Insights (OKTA-236319)

  • Sprout Mortgage (OKTA-233945)

  • Telesystem CommPortal (OKTA-237396)

  • Telesystem Hosted VoIP Admin CommPortal (OKTA-237395)

  • The Trade Desk API (OKTA-241847)

Mobile application for use with Okta Mobility Management (iOS/Android)

  • OrgWiki (SCIM) (OKTA-242734)

Closed2019.08.3: Update 3 started deployment on September 3

Fixes

General Fixes

OKTA-221428

Group push failed if the group name shared a prefix with an already pushed group.

OKTA-222859

The Token Inline Hook service did not trigger Inline Hook System Log events.

OKTA-226939

The SAML Inline Hook service did not trigger Inline Hook System Log events.

OKTA-231689

The Resend Activation Email prompt showed the incorrect expiration time-frame.

OKTA-243785

The MFA Factor Reset email displayed an error for a custom TOTP factor.

OKTA-243953

Calls and SMS from some US regions were considered international instead of domestic for billing purposes.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Cisco Webex Teams (OKTA-243546)

  • ClearCompany (OKTA-243545)

  • General Motors GlobalConnect (OKTA-243537)

  • Instacart (OKTA-243551)

  • Nice inContact (OKTA-243548)

  • Stampli (OKTA-243543)

Applications

Application Updates

To reflect GitHub name changes we have updated our documentation as follows:

  • GitHub is renamed to GitHub Team
  • GitHub Enterprise Cloud is renamed GitHub Enterprise Cloud – Organization

New Integrations

SAML for the following Okta Verified applications

  • Concur Travel and Expense (Early Access) (OKTA-239059)

  • Conversocial Bots Platform (OKTA-243282)

  • FaxLogic Administrator Dashboard (OKTA-244803)

  • IntSights (OKTA-243531)

  • KCM GRC Platform (OKTA-244907)

  • Trestle (OKTA-244439)

SWA for the following Okta Verified applications

  • Armstrong e-Service (OKTA-245629)

  • Armstrong Online Order Tracker (OKTA-237974)

  • Australian Injectable Drugs Handbook (AIDH) (OKTA-242364)

  • Foxpass (OKTA-239867)

  • GlobeTax ESP (OKTA-236982)

  • Honey (OKTA-238638)

  • IBM Micromedex (OKTA-239816)

  • NYC Procurement and Sourcing Solutions Portal (PASSPort) (OKTA-242930)

  • Quest (OKTA-241899)

  • Slido (OKTA-239865)

  • TRAXPayroll (OKTA-239158)

  • Zuman (OKTA-239495)

ClosedJuly 2019

July 2019

2019.07.0: Monthly Production release began deployment on July 15

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Timeout warning added to the Sign-In Widget

A timeout warning has been added to the Sign-In Widget for SMS and Voice Factor enrollment and challenge flows. For more information, see Customize the Okta-hosted sign-in page.

Token expiration window increased to five years

The expiration window of Refresh Tokens can be configured up to five years in custom authorization servers. The minimum expiration is unchanged. For more information, see API Access Management.

AD Desktop Single-Sign On, interface changes

The user interface for the Security > Delegated Authentication page used to configure Desktop Single-Sign On has been streamlined. There are no functional changes. For details, see Install and configure the Okta IWA Web agent for Desktop Single Sign-on.

Okta Verify factor available for all orgs

All orgs now have the option to configure and enable Okta Verify as a factor. For more information, see Multifactor Authentication or Okta Verify.

ADFS app support for OIDC authentication

The ADFS app now provides support for OIDC authentication. For more information, see Enable Open ID Connect with existing ADFS installations.

Custom Email Template enhancement

To curtail phishing, free editions of Okta are no longer able to create and send customized email templates. For feature information, see Email customization .

Okta Browser Plugin for Firefox available from Firefox Add-ons

Okta Browser Plugin version 5.31.0 for Firefox is now available from the Firefox Add-ons. For version history, see Okta Browser Plugin: Version History.

OPP agent, version 1.3.2

On Premises Provisioning Agent version 1.3.2 supports CSV Directory Integration. For version history, see On Premises Provisioning Agent and SDK Version History.

Email as an MFA Factor

Email is now available as an MFA factor. See the Email section of Multifactor Authentication for more details.

Prevent end users from choosing commonly used passwords

Admins can restrict the use of commonly used passwords through the group password policy. For more information, see Configuring an Organization-wide Password Policy.

Multifactor Authentication for admins

MFA for Admins allows Super admins to enable mandatory multifactor authentication for all administrators accessing admin functionality. For details see Authentication. This feature is currently available for new orgs only.

New admin role, Report admin

The Report admin role grants a user read-only access to all reports and the System Log. Report admins do not have edit access to any data. For more information, see The Report admin role.

Dynamic network zones

You can define dynamic network zones that match IP type and geolocation specifications. For more information, see Network Zones.

Configure a custom Okta-hosted sign-in page

You can customize the text and the look and feel of the Okta-hosted sign-in page using form controls and an embedded HTML editor. When used together with a custom URL domain (required) and a custom Okta-hosted error page, this feature offers a fully customized end user sign-in experience hosted by Okta. For details, see Configure a custom Okta-hosted sign-in page.

Configure a custom error page

You can customize the text and the look and feel of error pages using an embedded HTML editor. When used together with a custom URL domain (required) and a custom Okta-hosted sign-in page, this feature offers a fully customized error page. For details, see Configure a custom error page.

LDAP support for Auxiliary Object classes

You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. For more information, see Configuring Your LDAP Settings.

Current Assignments and Recent Unassignments reports added to the Reports page

Current Assignments and Recent Unassignments reports are now linked from the Application Access Audit section of the Reports page. These match the reports available from the Applications tab. For information, see Reports.

Generally Available Enhancements

New System Log event for sent emails

A new System Log event has been added to notify admins when an email is sent to a user for verification. When fired, this event contains information about the token lifetime in the debugData.

New System Log event for redeemed credentials in an email

A new System Log event has been added to identify when a credential sent in an email to a user has been redeemed, meaning the link was clicked or the code was entered. When fired, this event contains information about the result and debugData with the action.

Validate service account credentials for Kerberos realm

When configuring the service account credentials for the Kerberos realm, you can now optionally choose to validate these credentials. For more information on Agentless DSSO, see Configure Agentless Desktop Single Sign-on - new implementations.

UI enhancements for Sign-On Policies and Password Policies

When creating a new MFA sign-on policy, the Prompt for Factor option is now selected by default. When creating a new password policy, the option to enforce a password history is now set to the last four passwords by default. For more information about sign-on policies and password policies, see to Security Policies.

System Log events for Behavior Settings

New System Log events now appear when creating, deleting, or updating behavior settings.

 

Closed

Early Access Features

New Features

LDAP agent, version 5.6.1

This version of the agent contains internal improvements. For version history, see Okta Java LDAP agent version history.

Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices

Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices allows you to prevent unmanaged Android devices from accessing enterprise services through browsers and native applications.

Note: This feature requires Okta Mobile 3.14.1 for Android (or later). For details, see Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices.

Okta SSO IWA Web App agent, version 1.13.0

This release of the Okta SSO IWA Web App agent includes bug fixes. For version history, see Okta SSO IWA Web App agent Version History.

Okta user profile, enforce custom attribute uniqueness

You can enforce attribute uniqueness across your organization for custom attributes in the Okta user profile. You may mark up to 5 custom attributes as requiring uniqueness. For details, see Work with Okta user profiles and attributes.

Early Access Enhancements

Agentless Desktop SSO, feature dependency

If you are using Agentless Desktop Single Sign On, there is now a dependency on Identity Provider Routing Rules. If you do not have Identity Provider Routing Rules enabled, contact Support. For feature details, see Configure Agentless Desktop Single Sign-on - new implementations and Identity Provider Routing Rules.

New System Log events for Inline Hooks

  • Log all Inline Hook response events: All inline hook success and failure events are now logged. Logged events provide context around how the response was used.
  • Inline Hook Type events also log the type of Inline Hook.

For more feature information, see Inline hooks.

New System Log event for ThreatInsight

When ThreatInsight configuration is updated, the System Log now displays a new event to reflect these configuration changes. For more information about this feature, see ThreatInsight.

Sign-In Widget labeling

The Sign-In Widget has been updated to use labels for form fields instead of placeholder text.

Note: This update applies to the default login page. If you are using a custom login page you need to manually upgrade to the 3.0 version of the Widget to get this update.

For more feature information, see Configure a custom Okta-hosted Sign-In page.

Before:

After:

Fixes

OKTA-215899

The Downloads page incorrectly reported that some agents needed to be upgraded.

OKTA-221328

Group rules were not applied to reactivated users.

OKTA-235794

When MULTIPLE_FACTOR_ENROLLMENTS was enabled and MULTIPLE_OKTA_VERIFY_ENROLLMENTS disabled, changing the Okta Verify factor to REQUIRED returned a 400 error.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Amgen FIRST STEP (OKTA-234000)

  • Bank of America CashPro (OKTA-234532)

  • Bullhorn Jobscience (OKTA-233305)

  • Credible Behavioral Health (OKTA-236584)

  • eFax Corporate Admin (OKTA-232145)

  • HRConnection by Zywave (OKTA-234054)

  • Mimecast Personal Portal v3 (OKTA-235247)

  • Percolate (OKTA-235361)

  • Thomson Reuters Legal Tracker (OKTA-228672)

  • Xfinity (OKTA-234737)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Panorays (OKTA-233837)

  • Teamie (OKTA-233564)

SWA for the following Okta Verified applications

  • A.I.D.A. Virtual Cards (OKTA-229475)

  • Aquera apps (OKTA-232806):

    • AD LDS by Aquera
    • Adobe Cloud by Aquera
    • ADP Workforce Now by Aquera
    • Atlassian by Aquera
    • Box by Aquera
    • Ceridian Dayforce by Aquera
    • Documentum by Aquera
    • Fastly by Aquera
    • InvisionApp by Aquera
    • Jama Software by Aquera
    • LaunchDarkly by Aquera
    • MongoDB by Aquera
    • Runscope by Aquera
    • Smartsheet by Aquera
    • VividCortex by Aquera

  • Avery (OKTA-228198)

  • Cision Communications Cloud (OKTA-231151)

  • Coalfire (OKTA-228801)

  • Correspondent Hub (OKTA-229741)

  • Grip On It (OKTA-224027)

  • Jackson (OKTA-231411)

  • Moneris Gateway (OKTA-228650)

  • Music Vine (OKTA-229245)

  • National Life Group Agents Login (OKTA-231088)

  • Nationwide Financial (OKTA-231408)

  • OneMobile Oath (OKTA-224130)

  • PerfectServe (OKTA-230812)

  • Structural (OKTA-229603)

  • TIAA (OKTA-231409)

  • VPAS Life (OKTA-231407)

  • Zix Customer Support (OKTA-229476)

Weekly Updates

Closed2019.07.1: Update 1 started deployment on July 22

Fixes

General Fixes

OKTA-212923

A deleted LDAP instance was still visible on the Profile Editor page.

OKTA-220203

A SCIM Patch request did not handle a 204 No content response as expected.

OKTA-229606

In some cases, email notification settings for Helpdesk admins were not honored.

OKTA-237862

Instructions in Okta Verify to upgrade to Push Notifications mistakenly instructed end users to click Edit instead of + (plus) on Android devices.

OKTA-237865

Using the System Log Advanced Filter feature generated errant rate limit events.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Carta (OKTA-234742)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

New Integrations

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Good2Give (OKTA-233039)

  • InVision V7 (OKTA-227283)

  • PandaDoc (OKTA-236095)

  • Pathmatics Explorer (OKTA-236215)

  • QuestionPro (OKTA-236060)

  • Small Batch Learning (OKTA-237044)

  • Springer Link (OKTA-235129)

  • Viima (OKTA-235095)

  • VirtualPeople.ai (OKTA-236075)

SWA for the following Okta Verified applications

  • Angus (OKTA-233616)

  • Typography Hoefler and Co (OKTA-233903)

Mobile application for use with Okta Mobility Management (OMM) (iOS)

  • Citrix Netscaler Gateway (OKTA-227497)

Closed2019.07.2: Update 2 started deployment on August 5

Fixes

General Fixes

OKTA-182061

The system.agent.ad.read_topology System Log event contained a misspelling and also saved with no display message.

OKTA-222840

The 404 error page in French contained a spelling error on the Go to home page button.

OKTA-226817

Read Only admins had access to Add Origin and Edit buttons on the Trusted Origins page, but they received a You do not have permission to perform the requested action error message when trying to add or edit an origin.

OKTA-227476

For the Netsuite app, non-mandatory object attributes were treated as mandatory for group app assignments.

OKTA-228324

When signing in to an app with a factor originally registered as U2F then subsequently used as WebAuthn, users received a success message but the sign-on process looped, prompting continuously for MFA.

OKTA-228418

For the Workday app, username mappings were deleted when Provisioning settings were saved for the application.

OKTA-228446

The Japanese translation on the Password Reset screen had unnecessary punctuation.

OKTA-228963, OKTA-229818

The Japanese translation on the Okta-generated Activation page was incorrect.

OKTA-231247

For the Samanage app, user deactivation failed.

OKTA-232686

Active Directory scheduled imports ran as full imports instead of incremental.

OKTA-233323

When saving the Profile and Lifecycle Mastering settings for an LDAP directory, an error message was displayed if the Allow LDAP to master Okta users option was selected along with any Okta to LDAP provisioning features were also enable.

OKTA-233327

Changes made to the Allow <App name> to master Okta users option in an app's Provisioning settings were lost if the admin subsequently clicked the Save button in the To App section, without reloading the page.

OKTA-234463

The getManagerUser("active_directory").$attribute expression used the appuser schema to look up the property definition instead of the Okta user.

OKTA-235669

The Get Okta Mobile on the app store screen did not display correctly on the iPhone SE.

OKTA-236083

When deleting a YubiKey seed, the confirmation messages were misleading.

OKTA-236260

The Hyperspace Agent checked for SSL pinning against all requests instead of only Okta requests.

OKTA-236860

Admins were able to remove all groups and individually assigned Super Admins for an org. We now check to ensure there is always at least one Super Admin in the org.

OKTA-238999

The Okta Verify icon displayed on the User Factor Reset page of the Admin Console was outdated.

OKTA-239323

In existing free trial editions of Okta, the pencil icon that allows admins to edit customized email templates was grayed out instead of active, as expected. Note that in new free trial editions, the pencil icon is grayed out as a security precaution.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • Zapier SAML (OKTA-239414)

The following SWA apps were not working correctly and are now fixed

  • AvePoint Online Services (OKTA-236799)

  • Constellation Energy Manager (OKTA-239151)

  • Dynatrace (OKTA-236800)

  • Equinix Customer Portal (OKTA-237306)

  • FastMail (OKTA-236798)

  • Flickr (OKTA-237551)

  • Forrester Research (OKTA-233568)

  • GS1 US (OKTA-237509)

  • Gusto (OKTA-239476)

  • Inbox by Gmail (OKTA-237790)

  • Informatica Cloud (OKTA-239291)

  • Liquid Web (OKTA-237452)

  • LiveChat (OKTA-239926)

  • MassMutual RetireSmart (OKTA-239477)

  • Microsoft Embedded Communication Extranet (OKTA-237786)

  • My NS Business (OKTA-236797)

  • Notion (OKTA-236796)

  • Parse.ly (OKTA-239314)

  • Peapod (OKTA-236795)

  • PremiumBeat (OKTA-236801)

  • Royal Caribbean Cruise Lines (OKTA-239334)

  • Sainsburys Groceries (OKTA-238858)

  • Skrill (OKTA-236794)

  • Societe Generale: Markets (OKTA-237787)

  • The Wall Street Journal (OKTA-237636)

  • Thomson Reuters Legal Tracker (OKTA-237785)

  • VSP (OKTA-238098)

  • Wells Fargo Funding (OKTA-236805)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

New Integrations

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Amazon Business (OKTA-236081)

  • Circula (OKTA-233040)

  • Forcepoint Web Security (OKTA-209495)

  • Wealth Access (OKTA-238247)

SWA for the following Okta Verified applications

  • 8x8 PartnerXchange (OKTA-226146)

  • Agilent (OKTA-232699)

  • Aimsio (OKTA-232267)

  • Behance (OKTA-234044)

  • Bpost (OKTA-231079)

  • citibank (OKTA-239471)

  • CodySoft Health Plan Management System (OKTA-231679)

  • Evan Evans Tours (OKTA-232322)

  • HERE Developer (OKTA-233014)

  • M Financial Group (OKTA-231423)

  • MenaITech (OKTA-233606)

  • MillerSearles (OKTA-231421)

  • Pacific Life Annuities (OKTA-231420)

  • Schwab Institutional (OKTA-230675)

  • SmartFile (OKTA-237953)

  • Trustwave Portal (OKTA-231868)

ClosedJune 2019

June 2019

2019.06.0: Monthly Production release began deployment on June 10

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Matching imported users

When you import users, you now can set up Okta rules to match any attribute that is currently mapped from an AppUser profile to an OktaUser profile. This helps you sync identities across systems and determine whether an imported user is new or if the user profile already exists in Okta. For more information, see Match imported users.

Enhanced Okta LDAP integrations with Universal Directory

Okta LDAP integrations now feature custom mapping, schema discoveryAbility to import additional attributes to Okta, and a fully extensible attribute schema that allows you to import or update any attribute stored in LDAP. With these enhancements, Okta LDAP matches the schema functionality already available to Okta's Active Directory integrations. Note: This feature is in Production for new orgs only.For more information, see Profile Editor.

Last factor remembered for authentication

End users who attempt to sign in to their org are prompted to authenticate with the last factor they used based on the device or client. For more information about authentication factors, see Multifactor Authentication .

Enhanced Group Push for Samanage

Group Push now supports the ability to link to existing groups in Samanage. For details about this feature, see Using Group Push

Location zones support blacklisting

You can blacklist an entire location zone to prevent clients in the zone from accessing any URL for your org. For more information on zones, see Networks.

LDAP support for Auxiliary Object classes

You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. For more information, see Configuring Your LDAP Settings.

New macOS Device Trust Registration Task, version 1.2.1

This release provides the following:

  • The enrollment process is halted if the default keychain is unavailable for some reason (for example, is corrupted or missing). This ensures that end users are not prompted to reset the keychain.
  • An improved Registration Task update process ensures that enrolled devices are not inadvertently unenrolled in the event the update itself fails.
  • Provides support for a query allowing admins to determine which version of the Registration Task is installed on the device.

For details, see Device Trust for macOS Registration Task Version History.

New Windows Device Trust Registration Task, version 1.3.1

This release includes the following:

  • Improved handling of private keys to ensure successful certificate renewal.
  • To fix an issue in earlier versions where a failed certificate renewal could leave computers in a bad state, this version allows admins to trigger certificate renewal on a per-computer basis. For details, see Force certificate renewal in some circumstances.

For version history, see Device Trust for Windows Desktop Registration Task Version History.

Okta Windows Credential Provider, version 1.1.4

This version contains bug fixes and general improvements

For more details, see Okta MFA for RDP.

Okta Browser Plugin version 5.29.0 for all browsers

This version includes the following:

  • Quick Access apps tab (currently available as Early Access)
  • Real time reflection of apps and profile changes in the end-user dashboard (currently Generally Available for Preview orgs)
  • Back-end enhancements

For more information, see Allow end-users to quickly access apps.

Generally Available Enhancements

Password policy default for new orgs

The default password policy for new orgs is updated to enforce that a password may not be reused if it matches one of four previously used passwords. For more information, see Security Policies.

Early Access Feature Manager enhancement

The EA Feature Manager now displays a dialog box detailing any known limitations for that Early Access feature. Admins will be prompted to acknowledge they have read and accept these limitations. For more information, see Manage Early Access and Beta features .

Aquera apps timeout increased

We have increased the SCIM API timeout value for Aquera and Aquera (Basic Auth) apps to 5 minutes.

Okta Sign-on widget improvements

The look and feel of the Okta Sign-on Widget has been improved for accessibility and readability.

Closed

Early Access Features

New Features

DocuSign Provisioning enhancement

Users created in DocuSign with a status of ActivationSent couldn't be provisioned in Okta until now. This feature adds support to link such users in Okta while provisioning. For more provisioning information, see the DocuSign Provisioning Guide.

Allow end users to quickly access everyday apps

End users can find recently used apps in a separate Quick Access section on their dashboard as well as in the Quick Access tab from the Okta Browser Plugin. For more information, see Allow end-users to quickly access apps.

LDAP agent, version 5.6.0

This version of the agent contains internal improvements. For version history, see Okta Java LDAP agent version history.

System Log event for Agentless Desktop SSO configuration updates

When changes are made to the Agentless DSSO configuration, the System Log tracks the action as shown below. For more information on Agentless Desktop SSO, see Configure Agentless Desktop SSO.

System Log event for Kerberos realm settings

When changes are made to the Kerberos realm settings, the System Log tracks the action as shown below. This event also indicates the initiator of the event and the current setting for Kerberos Realm. For more information on Agentless Desktop SSO, see Configure Agentless Desktop Single Sign-on - new implementations.

System Log event for Agentless Desktop SSO redirects

When Agentless Desktop SSO redirects to the IWA SSO agent or the default Sign In page, the System Log tracks the action as shown below. For more information on Agentless Desktop SSO, see Configure Agentless Desktop Single Sign-on - new implementations.

Early Access Enhancements

Updated labels in Device Trust enablement flow for Integration types

Some labels in the Admin Console for Device Trust enablement are updated to align with changes in partner branding. Existing functionality is unaffected by this update. For details, see Okta Device Trust documentation.

Web Authentication security key enrollment

Admins may now enroll a WebAuthn security key on behalf of their end users through user profile settings. For more information about MFA and WebAuthn, see Web Authentication (FIDO2) .

Fixes

General Fixes

OKTA-145726

Admins were able to enter more than one name into the Add Administrator dialog box.

OKTA-198019

Okta didn't push the user reactivation to Salesforce when a user was reassigned to the application in Okta.

OKTA-214457

Report admins were able to view the Directory > People tab.

OKTA-218387

Super admins were able to assign Org admin notifications to include Rate limit warning and violation emails.

OKTA-222666

When a user was mastered by both LDAP and AD, group rules that are dependent on the second master's group membership weren't triggered.

OKTA-225931

Inline hooks weren't called when importing data using a CSV Directory integration.

OKTA-227137

In the Device Trust set up for iOS and Android, the Reset Secret Key dialog box was too wide.

OKTA-227449

When using Internet Explorer to view Step 2 of the Device Trust Setup wizard in the Admin Console, the Previous button was missing.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Airbnb (OKTA-223490)

  • Atlassian Jira Service Desk (OKTA-225796)

  • Butler University (OKTA-225109)

  • Comerica Business Connect (OKTA-228368)

  • Corporate Traveler (OKTA-228370)

  • Curalate (OKTA-228373)

  • Go365 (OKTA-229492)

  • HighBond (OKTA-228038)

  • HM Revenue and Customs (HMRC) (OKTA-229496)

  • Hyatt Legal Plans (OKTA-229498)

  • InVision (OKTA-227444)

  • Lifeworks (OKTA-225685)

  • Lucky Orange (OKTA-228407)

  • Okta Help Center (OKTA-229494)

  • PowerDMS (OKTA-228367)

  • Safari Online Learning (OKTA-228404)

  • Schwab StockPlanManager (OKTA-226694)

  • Sonic Boom (OKTA-229495)

  • Squarespace V5 (OKTA-228400)

  • The Trade Desk (OKTA-219683)

  • TigerText (OKTA-229690)

The following SAML apps were not working correctly and are now fixed

  • HighBond (OKTA-228037)

  • Service-Now UD (OKTA-210568)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Bamboo by miniOrange (OKTA-225331)

  • Chargebee (OKTA-228025)

  • COR (OKTA-223779)

  • Fisheye/Crucible by miniOrange (OKTA-225341)

  • MindTouch (OKTA-222766)

  • QuestionPro (OKTA-229101)

  • StatusHub Admin (OKTA-228032)

  • Synerion Enterprise (OKTA-229100)

SWA for the following Okta Verified applications

  • Barracuda Email Security Service (OKTA-223499)

  • Constellation Energy Manager (OKTA-217426)

  • Greenbyte Breeze (OKTA-226657)

  • ISACA (OKTA-220349)

  • NetFortris HUD Web (OKTA-221616)

  • Techsmith (OKTA-221549)

  • UHOne Broker Portal (OKTA-224243)

Weekly Updates

Closed2019.06.1: Update 1 started deployment on June 17

Fixes

General Fixes

OKTA-207466

When locked-out user emails were sent to all admins, not just those able to unlock the users, the emails did not include user information.

OKTA-218823

When editing an existing Device Trust configuration using the new mobile Device Trust wizard, the Mobile device management provider field was blank instead of containing the vendor name.

OKTA-219430

When using the Radius app for authentication, after the initial push notification, subsequent notifications from Okta Verify listed the incorrect location.

OKTA-220139

The Send test email feature attempted to send emails to admin’s username instead of their email address.

OKTA-221079

Not all zones were displayed in the Exempt Zones search filter when there were more than 10 search results.

OKTA-224052

When users tried to sign in but chose the incorrect PIV card, clicking Retry displayed the Okta 404 error page instead of the custom error page.

OKTA-224158

Trying to access custom apps on Okta Mobile Android browser failed.

OKTA-225869

Group admins were able to add a user to an administrator group upon user creation.

OKTA-226049

If no Device Trust platform was configured in Security > Device Trust, an incorrect message was displayed in the Device Trust section of the Add Rule dialog box when creating a Sign On policy.

OKTA-226145

LDAP provisioning failed when trying to deactivate users in the AD Lightweight Directory Services (LDS) server.

OKTA-226369

The documentation icon and link on the FIDO2 (WebAuthn) factor type page was formatted incorrectly.

OKTA-229440

When a user attempted to reset the Webauthn factor and the reset failed, the wrong error message was shown.

OKTA-229725

Two System Log events were generated instead of one when the name of an Inline Hook was changed.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • HighBond (OKTA-230762)

The following SWA apps were not working correctly and are now fixed

  • American Express - Work (OKTA-230058)

  • Appsee (OKTA-230282)

  • GitHub (OKTA-229516)

  • PowerDMS (OKTA-230286)

  • Spiceworks (OKTA-230304)

Applications

New Integrations

SAML for the following Okta Verified application

  • Way We Do (OKTA-229995)

SWA for the following Okta Verified applications

  • Amgen FIRST STEP (OKTA-217876)

  • Apptio (OKTA-223714)

  • BSPlink (OKTA-224041)

  • Flightradar24 (OKTA-71196)

  • GitHub.com (OKTA-229516)

  • Notion (OKTA-220840)

  • Snowflake (OKTA-227090)

  • Synopsys eLearning (OKTA-226662)

Closed2019.06.2: Update 2 started deployment on June 24

Fixes

General Fixes

OKTA-218818

Identity Provider Routing Rules produced unnecessary System Log events.

OKTA-227097

The SMS Usage Report categorized messages to Canada as international instead of domestic.

OKTA-230756

Navigating the System Log and maps generated rate limit warnings and violations.

OKTA-231842

The Windows Hello factor was listed as enabled when only the U2F factor was enrolled.

OKTA-232420

On the Okta Privacy page, information in the Introduction and Contact Us sections was out of date.

 

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • RedLock (OKTA-228626)

The following SWA apps were not working correctly and are now fixed

  • AT&T Business Direct (OKTA-225556)

  • Bing Ads (OKTA-230606)

  • Carta (OKTA-231435)

  • Commuter Check Direct (OKTA-230032)

  • Flexential Portal (OKTA-231722)

  • Intel - Supplier (OKTA-229135)

  • MyRackspace Portal (OKTA-231264)

Applications

Application Updates

  • We are updating the names of some app integrations as follows:

    • Jira On-premise > Atlassian Jira Server

    • Confluence On-premise SAML > Atlassian Confluence Server

    • Atlassian Confluence Server > Atlassian Confluence Cloud

    • Jira Cloud (Atlassian) > Atlassian Jira Cloud

  • Tableau Online now supports the following Provisioning features (this is in addition to the other provisioning features that it already supports):
    • Update user attributes
    • New attribute: Site Role

    Users that set up the Tableau Online integration and enabled Provisioning before June 12, 2019 need to follow the steps detailed in the Tableau Online Configuration Guide in order to use this new feature and/or attribute.

New Integrations

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Avochato (OKTA-228020)

  • Stack Overflow for Teams (OKTA-229999)

  • Whimsical (OKTA-232056)

SWA for the following Okta Verified applications

  • American Banker (OKTA-227046)

  • Ivanti Partners (OKTA-228205)

Closed2019.06.3: Update 3 started deployment on July 1

Fixes

General Fixes

OKTA-145001

When a user entered an invalid country code in a user profile, the error message was not specific enough.

OKTA-221804

Reports listing App adminAn app admin can be granted access to all instances of an app, or just specific instances of that application. This allows for more granular access control. application assignments incorrectly displayed All <appname> Apps instead of only the scoped applications that the admin had access to.

OKTA-222453

Org admins were able to access the Getting Started page.

OKTA-225137

The IWA web app redirected user sessions to the incorrect user when the web app was located behind AWS Network Load Balancer.

OKTA-228723

Updating more than one inline hook field created a System Log entry for each changed field.

OKTA-229765

Sign-in attempts that were prevented by the Pre Authentication Sign-On Policy Evaluation were not identified correctly in the System Log.

OKTA-231465

Searching for groups using the LDAP Interface worked only when the Paged Search option was enabled in the LDAP settings.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Comcast Business (OKTA-229067)

  • Toggl (OKTA-230708)

  • CloudAlly (OKTA-232109)

  • Synopsys eLearning (OKTA-232254)

Applications

Application Updates

  • We have made the following changes to our OrgWiki SCIM OAuth integration:

    • Changed the assignedID attribute to assignedId

    • Changed attribute mapping for assignedId attribute from user.employeeNumber to user.email

  • We have added the following SAML attribute to our Zapier integration:

    • Name: internalId, value: user.id

  • We have added the following SAML endpoints to our Sumologic integration:
    • https://service.ca.sumologic.com
    • https://service.de.sumologic.com
    • https://service.jp.sumologic.com

New Integrations

SAML for the following Okta Verified applications

  • Jumpstart (OKTA-225579)

  • ClickUp (OKTA-231641)

  • Atatus (OKTA-231643)

  • Auryc (OKTA-231655)

  • Postman (OKTA-233559)

  • Cloud Management Suite (OKTA-204349)

  • ChurnZero (OKTA-207112)

  • Sigma (OKTA-231716)

  • BigID (OKTA-231654)

Closed2019.06.4: Update 4 started deployment on July 8

Fixes

General Fixes

OKTA-155522

The Get access with Okta mobile link was underlined inconsistently in webview.

OKTA-205368

When an app sign-on policy rule was set to deny not-in-zone authentications, users who were denied the access were not redirected to the contact admin page as expected.

OKTA-221617

When using the group search API to search based on group names, if the group name contained a %(percentage) symbol the API call failed and returned no value.

OKTA-227706

api/v1/groups endpoint did not return the next page header unless limit was specified and defaulted to 10,000, even when more than 10,000 groups existed.

OKTA-227747

Downloading the list of admins in CSV format from the Devices > Devices tab failed with a 500 error.

OKTA-228245

The default new user activation emails were not formatted correctly when viewed inside Outlook 2016 client on Windows 10.

OKTA-229130

If an app name was bigger than 50 characters, a POST call to /api/v1/meta/schemas/apps/$instanceId/default failed with the error name: The field is too long.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Betterment (OKTA-232680)

  • GoAnywhere Login (OKTA-233563)

  • Iheart Radio (OKTA-233013)

  • Microsoft Office 365 (OKTA-232668)

  • PlanGuru (OKTA-233010)

  • ServiceM8 (OKTA-233011)

  • Shopify (OKTA-231343)

  • Solarwinds (OKTA-233164)

  • Udacity (OKTA-233012)

Applications

New Integrations

SAML for the following Okta Verified applications

  • BigID (OKTA-231654)

  • New Relic (Limited Release) (OKTA-233359)

  • SWBC - AutoPilot Portal (OKTA-226704)

  • Wandera (OKTA-233317)

  • Zscaler Private Access 2.0 (OKTA-193443)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • Aquera (OKTA-230755)

SWA for the following Okta Verified application

  • Aquera (OKTA-230755)

ClosedMay 2019

May 2019

2019.05.0: Monthly Production release began deployment on May 13

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Password Expiry settings for Active Directory

You can specify the password expiry policies for Active Directory for all preview organizations to set the number of days before password expiry when the user receives a warning.

Improved mobile Device Trust enablement flow for admins

The new mobile Device Trust enablement flow uses a 2-step wizard for a clearer, more consistent admin experience. Existing enablement settings are migrated automatically to the new flow, so there's no need for customers with existing Device Trust deployments to change their configuration. For details, see Okta Device Trust for Mobile Devices.

Assign admin privileges to an Okta group

Super admins can now assign Okta admin privileges to Okta groups, making it easier to onboard large numbers of admins quickly. Everyone in the group receives the admin privileges assigned to the group. For details, see Assign admin privileges.

IdP Extensible Matching Rules

IdP extensible matching rules allow you to define a regular expression pattern to filter untrusted IdP usernames. For details, see our IdPs page.

Configure a custom URL domain

You can customize your Okta org by replacing the Okta domain name with a custom URL domain name that you specify. For example, if the URL of your Okta org is https://example.okta.com, you can configure a custom URL for the org such as https://id.example.com. For details, see Configure a custom URL domain.

CSV Directory Integration

The CSV directory integration is a lightweight out-of-the-box option that enables you to build custom integrations for on-premises systems using the Okta On-Premises Provisioning agent. For more information, see Configure the CSV Directory Integration.

Active Directory agent, version 3.5.7

This version of the AD agent includes fixes to close and recreate connection groups and add a retry in response to 502 errors during import.

For agent version history, see Okta Active Directory agent version history.

System Log events for blacklisted countries

When a country is added or deleted from a blacklist, the System Log tracks the action, as shown below. For more information on blacklisting, see Network Security.

Generally Available Enhancements

Accounts locked after ten successive lockouts without a successful sign-in attempt

If an account has ten successive account lockouts followed by auto-unlocks with no successful sign-in attempts, Okta ceases auto-unlocks for the account and logs an event. For more information on account locking, see Security Policies.  

Okta SSO IWA Web agent, new version 1.12.3

This version of the Okta SSO IWA Web agent contains internal fixes. For version history, see Okta SSO IWA Web App agent Version History.

UI Improvements for Security Email Notifications

Settings for end user email notifications have been moved to their own section: Security Notification Emails. For more information, see General Security.

WebEx additional attributes

We have added more extensible attributes to the WebEx application. For details, see the WebEx Provisioning Guide.

DocuSign authentication mode change

We are switching the authentication mode of our DocuSign provisioning integration to OAuth. For more information, see the DocuSign Provisioning Guide.

Okta Browser Plug-in version 5.28.0 for all browsers except Internet Explorer

This version includes the following enhancements:

  • Accessibility improvements
    • ARIA attributes for UI elements
    • Alt text for logos and images
    • Access to controls and tooltips through keyboard
  • Real-time reflection of the end user dashboard (currently an Early Access feature). For more information, see Okta Browser Plugin: Version History.

Early Access Features

New Features

Early Access Enhancements

Schema Discovery for Cornerstone On Demand

The Cornerstone On Demand provisioning app now supports Universal Directory and Schema Discovery. For more information, see the Cornerstone On Demand Provisioning Guide.

Fixes

General Fixes

OKTA-215983

Email templates translations for MFA Factor Enrolled and MFA Factor Reset did not work when the Thai language was selected.

OKTA-217878

For Self Service app registration for apps with provisioning enabled, when admins changed the Approval setting from Required to Not Required the resulting error message was misleading.

OKTA-218001

System Log entries for Device Trust displayed incorrect spacing for some entries.

OKTA-220849

The SuccessFactors app import API did not work.

OKTA-221717

Routing rules for Identity Provider discovery were ignored when both IWA Desktop SSO and Agentless SSO were enabled.

OKTA-221914

Identity Provider routing rules that set User Matches to User Attribute matches Regex were not evaluated correctly.

OKTA-222256

CSV Directory scheduled incremental imports failed.

OKTA-222632

Admins who manage two groups, one granted via individual assignment, and the other via group assignment, could not assign users from one group into the other.

OKTA-222660

When using the LDAP interface, pagination on groups containing more than 1000 users failed.

OKTA-224104

Users assigned admin roles by group did not get assigned the correct default admin email settings.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Adobe Fonts (OKTA-222877)

  • Air France (OKTA-223010)

  • The Australian (OKTA-221618)

  • FINRA IARD (OKTA-223775)

  • Keap (OKTA-222416)

  • LastPass (OKTA-206231)

  • Metropolitan Bank US (OKTA-222451)

  • Mimecast Personal Portal v2 (OKTA-221490)

  • Nationale Nederlanden: Pensioen Service Online for Business (OKTA-222412)

  • Nextdoor (OKTA-223774)

  • Nmbrs (OKTA-223801)

  • Oakland Public Library Catalog (OKTA-222415)

  • Onfido (OKTA-223804)

  • Optimal Blue (OKTA-223500)

  • Plooto (OKTA-223747)

  • Poll Everywhere (OKTA-223776)

  • The San Diego Union-Tribune (OKTA-223015)

  • WhiteHat Sentinel (OKTA-222784)

  • Wrike (OKTA-223803)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Buildkite (OKTA-215231)

  • ExpenseIn (OKTA-223019)

  • FireHydrant (OKTA-221216)

  • StoriesOnBoard (OKTA-223754)

  • Syndio (OKTA-221802)

  • Zoom SAML (OKTA-223027)

SWA for the following Okta Verified applications

  • Dynatrace (OKTA-221851)

  • Legislative Tracking System (OKTA-219355)

  • Park-line (OKTA-222807)

  • Tax Workflow (OKTA-222999)

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • RescueAssist (OKTA-220114)

Weekly Updates

Closed2019.05.1: Update 1 started deployment on May 20

Fixes

General Fixes

OKTA-211631

Active Directory imports failed when federation broker mode was disabled for the app.

OKTA-212278

The Japanese translation of the end-user activation page needed improvement.

OKTA-213647

The System Log advanced search returned a 500 error when processing search terms containing the percent character (%).

OKTA-221535

Admins saw a loop when they enabled Multifactor Authentication for admins with no MFA factor set as Optional or Required in the corresponding MFA policy.

OKTA-221914

In cases where IdP Discovery was enabled, when a routing rule was configured to use User Attribute matches Regex for User Matches, the regular expression would be evaluated improperly.

OKTA-222183

If an Event Hook name was changed after it had been verified, users were asked to verify the Event Hook again.

OKTA-224205

Local users not assigned the RDP app were able to sign in to the app without being prompted for MFA if their user account on the server had rights to connect to RDP sessions and InternetFailOpenOption was set to True. Okta Windows Credential Provider version 1.1.4.0 needs to be downloaded for this fix.

OKTA-225805

The Security > General > Security Email Notifications page briefly displayed incorrect values after the email fields were set to Enabled and then the page was refreshed.

OKTA-225584H

When using the LDAP interface if a soft token was specified as a part of a bind request’s credentials, a push notification may have been erroneously sent to the user’s phone while normal authentication using the soft token was taking place.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • RedLock (OKTA-213155)

The following SWA apps were not working correctly and are now fixed

  • Cisco (OKTA-218994)

  • Visual Website Optimizer (OKTA-224230)

Applications

New Integrations

SAML for the following Okta Verified applications

  • CloudAcademy (OKTA-220845)

  • Druva 2.0 (OKTA-224318)

  • PitchBook (OKTA-222083)

  • Squadcast (OKTA-223018)

SWA for the following Okta Verified applications

  • CodySoft (OKTA-223598)

  • iAuditor (OKTA-225943)

  • Medi-Cal (OKTA-225406)

  • Saia (OKTA-223491)

Closed2019.05.2: Update 2 started deployment on May 28

Fixes

General Fixes

OKTA-220205

Failed authentication using FIDO factors were counted towards account lockout limit.

OKTA-222410

Mobile admins could not edit native apps despite having necessary permissions.

OKTA-223821

An IWA Auth event was incorrectly triggered in the System Log when a user logged in via Agentless Desktop SSO. The Authenticate User via IWA event has been removed from this flow. No other events in the flow are impacted.

OKTA-224002

Changing the LDAP configuration did not convert the next LDAP incremental import to a full import as expected.

OKTA-226976H

Setting up JAMF failed when testing the API credentials for On-Premises JAMF server that uses SSL certificate signed by by USERTrust RSA Certification Authority.

OKTA-227307

A user identifier condition evaluation for IdP Discovery sometimes returned an HTTP 400 bad request error when either the user or the attribute being evaluated was not found.

OKTA-228350H

When the EA feature, OFFICE365_USE_GRAPH_API_FOR_PROVISIONING was enabled, in certain cases Office 365 groups were deleted during an import.

OKTA-2285347H

Imports from Office 365 failed if the EA feature, OFFICE365_USE_GRAPH_API_FOR_PROVISIONING was enabled.

OKTA-230034H

Agentless Desktop SSO failed to authenticate on misconfigured Chrome browsers, resulting in a 400 Bad Request error.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Boxed (OKTA-226698)

  • CBT Nuggets (OKTA-226697)

  • Contract Express (OKTA-225826)

  • Copper (OKTA-223771)

  • Customer Service Portal (OKTA-225821)

  • Mimecast Personal Portal v2 (OKTA-226257)

  • Nextiva NextOS 3.0 (OKTA-225822)

  • Prosperworks (OKTA-225823)

  • Rackspace Admin Control Panel (OKTA-225820)

  • WP Engine (OKTA-225575)

Applications

Application Updates

The MaestroQA application integration now supports Just In Time (JIT) provisioning.

New Integrations

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Activaire Curator (OKTA-226658)

  • Aqua Cloud Security Platform (OKTA-220542)

  • CallPlease (OKTA-225465)

SWA for the following Okta Verified applications

  • Cisco Webex Teams (OKTA-221715)

  • Healthx (OKTA-226236)

  • Key Travel (OKTA-223497)

  • Technology Review (OKTA-225508)

Closed2019.05.3: Update 3 started deployment on June 03

Fixes

General Fixes

OKTA-193320

When Agentless Desktop SSO was denied due to Network Zone settings, the default Okta Sign In page was presented instead of defaulting to agent-based Desktop SSO.

OKTA-218719

No more than five applications could be created through the Admin Console for developer production orgs.

OKTA-219246

Users were unable to sign in to Okta when using Chrome browsers on Chromebooks.

OKTA-220360

The Identity Provider (IdP) admin page encountered a rate limit error when there were a large number of IdPs configured and an admin clicked through the list quickly.

OKTA-220640

Deactivated admins were not listed on the Administrators page.

OKTA-222413

Clicking the Resend Activation Email button sent the Password Reset email instead of the User Activation email.

OKTA-225581

The System Log did not log the User account unlock by admin event when a bulk account unlock action was performed by an admin.

OKTA-226272

After an OAuth2 authorize flow, ID Tokens were missing the nonce claim if a routing rule was configured to default to a social IdP.

OKTA-229525H

When a user tried to sign in to an IdP that was set up as a profile master, it sometimes resulted in incorrectly creating a new user instead of linking to the existing user.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Amazon UK (OKTA-226343)

  • Bing Ads (OKTA-226105)

  • IBM Cloud (OKTA-226062)

  • Northern Trust (OKTA-225827)

  • Sterling HSA (OKTA-223769)

  • UBS One Source (OKTA-226305)

Applications

Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

New Integrations

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Aspen Mesh (OKTA-223014)

  • BitBucket by miniOrange (OKTA-225246)

  • Confluence by miniOrange (OKTA-225240)

  • Jira by miniOrange (OKTA-225231)

  • Juno (OKTA-227096)

  • productboard (OKTA-225440)

SWA for the following Okta Verified application

  • GoToMeeting (OKTA-226649)

ClosedApril 2019

April 2019

2019.04.0: Monthly Production release began deployment on April 15

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Enhanced Group Push for Litmos

Group Push now supports the ability to link to existing groups in Litmos. While this option is currently only available for some apps, we’ll periodically add this functionality to more provisioning-enabled apps. For details about this feature, see Using Group Push.

Schema Discovery for Litmos

The Litmos provisioning app now supports UD and Schema Discovery. For more information, see the Litmos Provisioning Guide.

Enhanced Okta Mobile Security Settings for Android and iOS

Applies to:

  • Okta Mobile 3.8.1+ for Android
  • Okta Mobile 5.22.0+ for iOS

From the admin console, you can configure the following security settings for devices running specific versions of Okta Mobile:

  • Specify the PIN length.
  • Allow/disallow use of a simple PIN (repeating/ascending/descending numeric sequences).
  • (Android only) Allow/disallow users taking screenshots, recording videos, or sharing their screen.

For details, see Okta Mobile Settings.

Enhanced search for Group membership rules

You can now search for group rules by name, target groups, and expression conditions. For more information about Group membership rules, see Create group rules.

Change to Reset Password page

When Administrators navigate to Directory > People > Reset Password, the default view is now Locked Out users instead of All. This has been changed for performance reasons. For details, see Reset user passwords.

LDAP Agent, version 5.5.7

This release includes the following:

  • Bug fixes for incremental import.