Production

January 2021

2021.01.0: Monthly Production release began deployment on January 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

New phone rate limits

Users who attempt Voice and SMS enrollment can now be rate limited. Voice and SMS enrollment rate-limit events are now logged in the System Log. See Rate Limits.

WebAuthn feature validation updates with Trusted Origins API

The WebAuthn feature now supports trusted cross-origin and cross-Relying Party Identifier (RP ID) validation when using the Trusted Origins API. Trusted Origins are configured in the Okta Trusted Origins framework either through the Admin UI or the API. These Trusted Origins, configured with the CORS scope, now support orgs using WebAuthn for sign-in pages hosted at Trusted Origins distinct from the org's Okta URL (that is, different from the org's Okta or custom domain URL).
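The check a relying party performs when sign-in pages live at more than one origin can be sketched as follows. This is an added example, not Okta's implementation: the function names, the sample origins and the RP IDs are constructed, and signature and challenge verification are left out.

```python
import hashlib
import hmac
import json

# Constructed configuration: origins allowed to host the sign-in page and the
# RP IDs that credentials may be scoped to. Values are illustrative only.
TRUSTED_ORIGINS = {"https://example.okta.com", "https://login.example.com"}
ALLOWED_RP_IDS = {"example.okta.com", "login.example.com"}


def check_assertion_scope(client_data_json, authenticator_data,
                          trusted_origins, allowed_rp_ids):
    """Return (ok, detail) for the origin and RP ID checks of an assertion.

    Only the origin and rpIdHash checks are shown; a real verifier also
    checks the challenge, the flags and the signature.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return (False, "unexpected clientData type")
    # Exact string match against the allow list: no prefix or suffix matching.
    if client_data.get("origin") not in trusted_origins:
        return (False, "origin not trusted")
    # authenticatorData = rpIdHash (32) + flags (1) + signCount (4) + ...
    if len(authenticator_data) < 37:
        return (False, "authenticatorData too short")
    rp_id_hash = authenticator_data[:32]
    for rp_id in sorted(allowed_rp_ids):
        expected = hashlib.sha256(rp_id.encode("utf-8")).digest()
        if hmac.compare_digest(expected, rp_id_hash):
            return (True, rp_id)
    return (False, "rpIdHash does not match an allowed RP ID")


def make_sample(origin, rp_id):
    """Build constructed clientDataJSON and authenticatorData for the demo."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": "Y29uc3RydWN0ZWQ",  # constructed placeholder
        "origin": origin,
        "crossOrigin": False,
    }).encode("utf-8")
    flags = b"\x05"  # user present + user verified
    sign_count = (7).to_bytes(4, "big")
    auth_data = hashlib.sha256(rp_id.encode("utf-8")).digest() + flags + sign_count
    return client_data, auth_data


if __name__ == "__main__":
    for origin, rp_id in [
        ("https://login.example.com", "login.example.com"),
        ("https://login.example.com.attacker.test", "login.example.com"),
        ("https://login.example.com", "other.example.net"),
    ]:
        cd, ad = make_sample(origin, rp_id)
        print(origin, rp_id,
              check_assertion_scope(cd, ad, TRUSTED_ORIGINS, ALLOWED_RP_IDS))
```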

User authentication with MFA can be used as an Event Hook

The user.authentication.auth_via_mfa event type is now available for use as an event hook. See Event Types for a list of events that can be used with event hooks.

Browser Plugin notification expiration

Notifications for new features in the Okta Browser Plugin now expire after three months. See Okta Browser Plugin: Version history.

Okta Provisioning agent, version 2.0.2

This release of the Okta Provisioning agent includes vulnerability and security fixes. See Okta Provisioning agent and SDK version history.

Okta Workflows is Generally Available

Okta Workflows is an interface-driven, no-code platform for business process automation that provides integration with some of the most widely used third-party APIs in the industry, including Box, Slack, Salesforce, and G Suite Admin. See Okta Workflows.

Deployment is taking place over the course of several days to entitled orgs with the following SKUs:

  • IT Products - Advanced Lifecycle Management

  • Legacy SKU: IT Products - Lifecycle Management, Unlimited

  • Legacy SKU: IT Products - Lifecycle Management, Unlimited OIN Apps

  • Legacy SKU: IT Products - Lifecycle Management, 10 OIN Apps

APAC and HIPAA cells are excluded.

To access Workflows, select the Workflow > Workflows Console menu option from the Okta Admin Console.

Reports delivered by email

Admins can now receive the following reports by email:

  • Okta Usage Report

  • Okta Password Health Report

  • Current Assignments Report

  • MFA Usage Reports

See Reports.

Workday Field Overrides support

The Workday integration now uses Field Overrides reports to fetch custom profile data information instead of custom reports. Field Overrides is a faster report type than custom reports, so using this method is much more efficient. Existing custom report configurations will work, but new app instances will not have these configuration options. See Workday Provisioning.

Import Monitoring dashboard

The Import Monitoring dashboard is now available and displays user attribute imports for a seven-day period. You can use the dashboard to view import progress, status, details, and logs. See View the Import Monitoring dashboard.

Technical admin configuration

Admins can now disable UI prompts that allow end users to contact technical admins and report issues. This is enabled by default for existing orgs, and disabled for new orgs.

Email address change notifications

Email change confirmation notification emails can now be sent to admins only or to both admins and users. By default, email change confirmation notification emails are sent to admin users only. These notifications not only make admins and users aware of email address changes, they can also act as an early warning of suspicious activity. See Customize an email template. This feature will be gradually made available to all orgs.

Okta Verify support for risk-based authentication

Okta Verify with Push now supports risk-based authentication. With this feature, admins can assess the level of risk when an end user signs in to their org and attempts to authenticate with Okta Verify. See About Okta Verify. This feature will be gradually made available to all orgs.

Generally Available Enhancements

Group Membership System Log enhancement

The Add user to group membership and Remove user from group membership events have been updated. When triggered by group rules, these events now display the group rule ID in the TriggeredByGroupRuleId field under the Debug Context object.
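One way to use this field when reviewing group membership changes is to separate rule-driven changes from manual ones on sensitive groups. This is an added example, not Okta code: the events are constructed and trimmed, the watched group name is illustrative, and the exact key casing inside debugData is an assumption, so the lookup is case-insensitive.

```python
import json

MEMBERSHIP_EVENTS = {"group.user_membership.add", "group.user_membership.remove"}

# Constructed System Log events, trimmed to the fields this triage reads.
SAMPLE_EVENTS = json.loads("""[
 {"eventType": "group.user_membership.add",
  "actor": {"alternateId": "system@okta.com"},
  "target": [{"type": "User", "alternateId": "alice@example.com"},
             {"type": "UserGroup", "displayName": "Engineering"}],
  "debugContext": {"debugData": {"triggeredByGroupRuleId": "rule-constructed-01"}}},
 {"eventType": "group.user_membership.add",
  "actor": {"alternateId": "admin@example.com"},
  "target": [{"type": "User", "alternateId": "bob@example.com"},
             {"type": "UserGroup", "displayName": "Super Admins"}],
  "debugContext": {"debugData": {}}},
 {"eventType": "group.user_membership.remove",
  "actor": {"alternateId": "system@okta.com"},
  "target": [{"type": "User", "alternateId": "carol@example.com"},
             {"type": "UserGroup", "displayName": "Engineering"}],
  "debugContext": {"debugData": {"TriggeredByGroupRuleId": "rule-constructed-01"}}},
 {"eventType": "user.session.start",
  "actor": {"alternateId": "dave@example.com"}, "target": []}
]""")


def group_rule_id(event):
    """Return the group rule ID from the debug context, or None if absent."""
    debug = (event.get("debugContext") or {}).get("debugData") or {}
    for key, value in debug.items():
        if key.lower() == "triggeredbygroupruleid" and value:
            return value
    return None


def target_name(event, kind):
    """Return the display name (or alternate ID) of the first target of a type."""
    for target in event.get("target") or []:
        if target.get("type") == kind:
            return target.get("displayName") or target.get("alternateId")
    return None


def triage(events, watched_groups):
    """Split membership events into rule-driven changes and manual changes.

    Returns (by_rule, manual_watched): by_rule maps a rule ID to the list of
    (action, user, group) it caused; manual_watched lists changes to watched
    groups that carry no rule ID, with the actor who made them.
    """
    by_rule, manual_watched = {}, []
    for event in events:
        if event.get("eventType") not in MEMBERSHIP_EVENTS:
            continue
        action = event["eventType"].rsplit(".", 1)[-1]
        record = (action, target_name(event, "User"), target_name(event, "UserGroup"))
        rule = group_rule_id(event)
        if rule:
            by_rule.setdefault(rule, []).append(record)
        elif record[2] in watched_groups:
            actor = (event.get("actor") or {}).get("alternateId")
            manual_watched.append(record + (actor,))
    return by_rule, manual_watched


if __name__ == "__main__":
    rules, manual = triage(SAMPLE_EVENTS, {"Super Admins"})
    print("rule-driven:", rules)
    print("manual changes to watched groups:", manual)
```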

Extra Verification UI enhancement for end users

The Extra Verification section under End-User Dashboard Settings is now displayed in the right column.

Inclusive language updates

As part of the Okta inclusive language initiative, the following is changed:

  • Application provisioning documentation and UI elements have been updated with inclusive language.

  • Allow list has replaced whitelist, block list has replaced blacklist, and source has replaced master.

  • Instances of profile masters, profile master, and profile mastering on the Okta Admin Console Profile Masters page have been updated to profile source and profile sourcing. The administrator documentation has been updated to reflect this change.

Risk Scoring settings

When enabled, Risk Scoring settings now appear in the Okta sign-on policy rule.

Early Access Features

New Features

Workplace by Facebook Push AD Manager functionality

Admins can choose to disable Push AD Manager functionality using this self-service Early Access feature. This enables admins to control the manager attribute using Okta Expression Language syntax to avoid being dependent on AD for the field. See Workplace by Facebook.

LDAP agent, new version 5.7.1

This version of the agent contains:

  • Internal improvements

  • Security fixes

To view the agent version history, see Okta LDAP Agent version history.

Manage admin email notification subscriptions using API endpoints

Admins can manage email subscriptions using the Admin Email Subscription API endpoints.

  • Super admins can configure default subscription settings by admin type.

  • All admins can manage their own admin email notification subscriptions.

Enhancements

Skip to Content improvements

End users can now click Skip to Content on the new Okta End-User Dashboard to navigate directly to the Add Apps page.

Options relocation

The Recent Activity tab, End-User preferences, Admin View, and Sign Out options are now displayed in the user drop-down menu on the Okta End-User Dashboard.

Fixes

General Fixes

OKTA-329862

Indonesian translations and templates were displayed in English.

OKTA-330432

The Okta Browser Plugin continued to recommend strong passwords for apps after the setting was disabled.

OKTA-345311

The sign-in page auto refresh sometimes didn't work when factor sequencing was used.

OKTA-347526

Information text in Settings > Update Credentials was incorrect for bookmarked apps.

OKTA-352737

Self-Service Registration with inline hooks failed for some orgs.

OKTA-354151

Some users were unable to enroll in Okta Verify through TOTP and PUSH methods in some orgs.

OKTA-354967

When defined for an MFA Enrollment policy, the App Condition was not enforced when a user signed in to an application.

OKTA-355035

Security methods for Safari web authentication did not allow for biometric authentication.

OKTA-355482

When super admins edited a group admin role in Security > Administrators, only the first 10 groups were displayed.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Adobe Sign Provisioning (OKTA-352597)

  • FIS E-ACCESS (OKTA-346510)

  • Google Analytics (OKTA-348673)

  • Nationwide Financial (OKTA-355417)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Culture Connect (OKTA-354618)

  • hCaptcha (OKTA-352403)

  • LinkedIn Talent Solutions (OKTA-343875)

  • Process Bolt (OKTA-353096)

SWA for the following Okta Verified applications

  • Adweek (OKTA-350720)

  • Amazon Payee Central (OKTA-347803)

  • CenturyLink (OKTA-350562)

  • TechCrunch (OKTA-343939)

  • Vue Mastery (OKTA-342948)

OIDC for the following Okta Verified applications

Weekly Updates

December 2020

2020.12.0: Monthly Production release began deployment on December 9

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Admin Privilege events can be used as Event Hooks

Admin Privilege events are now available for use as Event Hooks. See Event Types for a list of events that can be used with event hooks.

Application Access Request Workflow Event Hooks

Application Access Request Workflow events are now available for use as an external Event Hook. Admins can use Application Access Request Workflow events to designate approvers for app access requests. See Event Types for a list of Events that can be used with Event Hooks.

The map view is again available in the System Log

The System Log map view, which was temporarily removed, is again available.

System Log events

  • The system.custom_error.update event indicates that the Custom Error page has been updated.

  • The system.custom_signin.update event indicates that the Custom Sign-In page has been updated.

  • The system.custom_url_domain.initiate event indicates that the Custom URL Domain setup has been initiated.

  • The system.custom_url_domain.cert_upload event indicates that a Custom URL Domain HTTPS certificate has been uploaded.

  • The system.custom_url_domain.verify event indicates that the Custom URL Domain has been verified in the DNS.

Recommendation text added to SSO IWA Agents section of the Downloads page

On the Okta Admin Console Downloads page, text has been added to the SSO IWA Agents section recommending that Agentless Desktop Single Sign-on (ADSSO) should be used to implement Desktop Single Sign-on (DSSO). This text has been added to highlight that ADSSO has a simplified configuration process and requires less maintenance. See Configure agentless Desktop Single Sign-on.

Additional PIV IDP user profile mapping values

In Okta user profiles, three new attributes are available:

  • idpuser.subjectAltNameUuid
  • idpuser.subjectKeyIdentifier
  • idpuser.sha1PublicKeyHash

These attributes are available to newly created Personal Identity Verification (PIV) identity providers and to identity providers that were marked inactive and then reactivated.

Okta SSO IWA Web App agent, version 1.13.2

This release of the Okta SSO IWA Web App agent includes security enhancements and internal fixes. See Okta SSO IWA Web App version history.

Jira Authenticator, version 3.1.5

This release contains bug fixes and logging improvements. See Okta Jira Authenticator Version History.

Confluence Authenticator, version 3.1.5

This release contains bug fixes and logging improvements. See Okta Confluence Authenticator Version History.

State tokens in the Agentless DSSO authentication flow

An authentication state token has been added to the Agentless DSSO workflow to allow orgs to relay information such as fromUri. This change lets orgs shorten URLs and avoid HTTP 414 URI Too Long status code errors. See Configure agentless Desktop Single Sign-on.

SAML account linking

Admins can now enable or disable automatic account linking between SAML identity providers and Okta. They can also restrict the linking based on whether the end user is a member of any of the specified groups. See Identity Providers.

Generally Available Enhancements

Inclusive language updates

As part of the Okta inclusive language initiative, the following is changed:

Usability enhancements for OIDC app wizard

The OIDC app integration wizard interface has been updated with usability improvements and clarified help text. See Create an OIDC app integration using AIW.

Sign-in Widget and accessibility improvements

Main landmarks and skip links have been added to the Sign-in Widget. Accessibility improvements for OAuth and Admin Consent pages include focus on input fields and Don’t Allow buttons. See Configure a custom Okta-hosted sign-in page.

Contact your administrator link removed

The Client/Device certificate error page no longer contains an email link to contact your administrator.

BambooHR integration enhancement

The following org properties have been added to the BambooHR application integration:

  • Timezone aware pre-hires: This enables users' Lifecycle Management based on their Timezone/Location. If it is disabled, Okta manages users' lifecycles according to UTC timezone.

  • Preferred timezone: This option allows admins to set the main location timezone the same as in the BambooHR instance (BambooHR Settings > General Settings > Timezone). This is available only when the Timezone aware pre-hires option is enabled.

See Configure Provisioning for BambooHR.

UltiPro integration enhancement

In new instances of UltiPro, app user profile templates now contain a required EepPersonID field for external IDs. See UltiPro.

Group Password Policy enhancement

The Group Password Policies enhancement is now available for all Production orgs. By using Group Password Policies and associated rules, admins can configure and enforce password settings and set account recovery options for groups.

Early Access Features

New Features

Agentless Desktop Single Sign-on authentication progress screen updates

Agentless Desktop Single Sign-on (ADSSO) authentication progress screens have been updated to make authorization and verification progress more visible and improve the user experience. See Configure agentless Desktop Single Sign-on.

Service Principal Name functionality improvement

New Service Principal Name (SPN) functionality allows Agentless Desktop Single Sign-on (ADSSO) authentication to continue without interruption when an SPN is updated. A service account and an SPN are required for ADSSO Kerberos authentication. With this change, you can now update the SPN frequently as an additional security precaution. See Create a service account and configure a Service Principal Name.

One Time Use Refresh Token

One Time Use Refresh Token, also called Refresh Token Rotation, helps a public client to securely rotate refresh tokens after each use. A new refresh token is returned each time the client makes a request to exchange a refresh token for a new access token. See Refresh Token Rotation.
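The rotation behaviour described above, and the client-side mistake it exposes, can be simulated in memory. This is an added example, not Okta code: the class and function names are hypothetical, and the endpoint is a toy model that only tracks which refresh token is currently valid.

```python
import secrets


class InvalidGrant(Exception):
    """The presented refresh token is unknown or has already been used."""


class RotatingTokenEndpoint:
    """Toy token endpoint: every refresh token can be exchanged exactly once."""

    def __init__(self):
        self.active = {}  # refresh token -> client_id that owns it

    def issue(self, client_id):
        token = secrets.token_urlsafe(32)
        self.active[token] = client_id
        return token

    def refresh(self, client_id, refresh_token):
        if self.active.get(refresh_token) != client_id:
            raise InvalidGrant("invalid_grant")
        # One-time use: retire the presented token before issuing a new pair.
        del self.active[refresh_token]
        return {
            "access_token": secrets.token_urlsafe(32),
            "refresh_token": self.issue(client_id),
        }


class PublicClient:
    """Hypothetical client; persist_rotated=False models the common bug of
    reusing the original refresh token after it has been rotated."""

    def __init__(self, endpoint, client_id, persist_rotated=True):
        self.endpoint = endpoint
        self.client_id = client_id
        self.persist_rotated = persist_rotated
        self.refresh_token = endpoint.issue(client_id)

    def new_access_token(self):
        response = self.endpoint.refresh(self.client_id, self.refresh_token)
        if self.persist_rotated:
            self.refresh_token = response["refresh_token"]
        return response["access_token"]


def run_client(persist_rotated, exchanges=3):
    """Perform several exchanges and report the outcome of each one."""
    client = PublicClient(RotatingTokenEndpoint(), "spa-constructed", persist_rotated)
    outcomes = []
    for _ in range(exchanges):
        try:
            client.new_access_token()
            outcomes.append("ok")
        except InvalidGrant:
            outcomes.append("invalid_grant")
    return outcomes


if __name__ == "__main__":
    print("stores rotated token:", run_client(True))
    print("reuses first token:  ", run_client(False))
```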

First Party Apps

First Party Apps are now available through EA Self-Service in the Okta Admin Console, allowing admins to create sign-on policies for the Okta Admin Console. See Create sign-on policies with Okta Applications.

Okta Provisioning agent, version 2.0.1

This release of the Okta Provisioning agent includes vulnerability fixes and incremental import support for adding and updating user attributes. See Okta Provisioning agent and SDK version history.

Okta Provisioning agent incremental imports

The option to incrementally import user data is now available for the Okta Provisioning agent. Incremental imports reduce the time required for synchronization by only downloading user information that has changed since the last successful import. See Okta Provisioning Agent incremental import.

Fixes

General Fixes

OKTA-325406

The Italian translation in the MFA Factor Enrolled email template was inaccurate.

OKTA-328882

The Japanese translation during the password reset process was inaccurate.

OKTA-329447

In the Integration settings of the LDAP Provisioning tab, the User Attribute help link was broken.

OKTA-335816

The password requirement message displayed to some users during the self-registration process was misleading.

OKTA-337663

The Hungarian translation during the sign-in process was inaccurate.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • GetFeedback (OKTA-348946)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Adra by Trintech (OKTA-348038)

  • Authomize (OKTA-347099)

  • Axomo (OKTA-341694)

  • DefenseStorm (OKTA-345662)

  • Forcepoint Private Access (OKTA-338537)

  • IntelligenceBank (OKTA-347415)

  • KHA Online - SDS (OKTA-347435)

  • Rootly (OKTA-348648)

  • Smarklook (OKTA-346263)

  • TenForce (OKTA-338549)

  • Toggl Plan (OKTA-347528)

  • Upmarket (OKTA-344925)

  • Very Good Security (OKTA-348624)

  • WIREWAX (OKTA-347407)

Weekly Updates

November 2020

2020.11.0: Monthly Production release began deployment on November 9

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Okta Browser Plugin, version 5.42.0

This version includes the following:

  • Sign-in pages are opened in a new tab only after a user installs the plugin manually, and are not opened if the plugin is installed through a group policy for Chrome, Firefox, Legacy Edge, and Chromium Edge.
  • Performance improvements.

You can download the plugin for Internet Explorer from the Okta End-User Dashboard, or for other web browsers, install through their respective stores. See Okta Browser Plugin: Version history.

OIN Manager - add app instance properties

In the OIN Manager portal, new functionality in OIDC, SAML, and SCIM submission steps allows ISVs to create custom per-tenant URLs and URIs for app integration submissions. See Configure protocol-specific settings.

Tor Anonymizer recommendation

Admins can see a new HealthInsight recommendation to view failed sign-in rates from IPs categorized as Tor Anonymizer Proxies. Okta recommends using Dynamic Zones to blacklist IPs that are categorized as Tor anonymizer proxies. See Blacklist proxies with high sign-in failure rates and HealthInsight.

Vendor-specific attributes

RADIUS agents now support vendor-specific attributes. With this feature, admins can use optional settings to configure vendor-specific attributes to include group membership. Note that no agent update is required for this feature. See Configure group response in the following topics:

Client-based rate limiting

Client-based rate limiting for the OAuth API /authorize endpoint is now available in Preview. It provides granular isolation between requests made to the /authorize endpoint by using a combination of the Client ID, user's IP address, and the Okta device identifier. This isolates rogue OAuth clients and bad actors, ensuring valid users and applications don't run into rate-limit violations. The client-based rate-limiting framework can exist in one of three modes set in the Admin console. See Account settings.
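The isolation effect of keying the limit on client ID, IP address and device identifier, compared with a single shared bucket, is shown in the added example below. It is not Okta's implementation: the fixed-window algorithm, the limit of 5 requests per 60 seconds, and the client names and traffic are all constructed for illustration.

```python
from collections import defaultdict


class FixedWindowLimiter:
    """Counts requests per key within fixed time windows."""

    def __init__(self, limit, window_seconds, key_fn):
        self.limit = limit
        self.window_seconds = window_seconds
        self.key_fn = key_fn
        self.counts = defaultdict(int)

    def allow(self, request, now):
        window = int(now // self.window_seconds)
        bucket = (self.key_fn(request), window)
        if self.counts[bucket] >= self.limit:
            return False
        self.counts[bucket] += 1
        return True


def org_wide_key(request):
    """One shared bucket for every caller of the endpoint."""
    return "authorize"


def client_based_key(request):
    """Separate bucket per (client ID, IP address, device identifier)."""
    return (request["client_id"], request["ip"], request["device_id"])


def build_traffic():
    """Constructed traffic: a noisy client first, then a normal one."""
    noisy = {"client_id": "noisy-client", "ip": "198.51.100.7", "device_id": "dev-1"}
    normal = {"client_id": "normal-client", "ip": "203.0.113.20", "device_id": "dev-2"}
    traffic = [(second, noisy) for second in range(20)]
    traffic += [(second, normal) for second in (20, 21, 22)]
    return traffic


def replay(traffic, key_fn, limit=5, window_seconds=60):
    """Replay (timestamp, request) pairs; return denied counts per client."""
    limiter = FixedWindowLimiter(limit, window_seconds, key_fn)
    denied = defaultdict(int)
    for now, request in traffic:
        if not limiter.allow(request, now):
            denied[request["client_id"]] += 1
    return dict(denied)


if __name__ == "__main__":
    traffic = build_traffic()
    print("shared bucket:      ", replay(traffic, org_wide_key))
    print("client-based bucket:", replay(traffic, client_based_key))
```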

Salesforce REST OAuth

Admins can now upgrade to the latest version of our Salesforce integration. OAuth authentication will now be used for Provisioning and Imports. See Configure OAuth and REST integration. This feature is currently available for new orgs only.

User Consent for OAuth 2.0 Flows in API Access Management

A consent represents a user’s explicit permission to allow an application to access resources protected by scopes. As part of an OAuth 2.0 or OpenID Connect authentication flow, you can prompt the user with a popup window to approve your app's access to specified resources.

Consent grants are different from tokens because a consent can outlast a token, and there can be multiple tokens with varying sets of scopes derived from a single consent. When an application comes back and needs to get a new access token, it may not need to prompt the user for consent if they have already consented to the specified scopes. Consent grants remain valid until the user manually revokes them, or until the user, application, authorization server or scope is deactivated or deleted.

See User Consent for OAuth 2.0 and OpenID Connect Flows.

Generally Available Enhancements

Inclusive language updates

The OIN Catalog has been updated with inclusive terminology. Attribute Sourcing has replaced Attribute Mastering.

Changes in rate limit utilization notifications

All Customer Identity org super admins now get a detailed notification in the Okta Admin Console and an email when their org’s rate limit utilization meets the following criteria:

  • Crosses the threshold (60% for API products and 90% for Workforce products)
  • Reaches 100%

These warnings help super admins take preventative action and avoid service disruptions. See Account settings.

Group Password Policy enhancement

The Group Password Policies enhancement is now available for all new production orgs.

By using Group Password Policies and associated rules, admins can configure and enforce password settings and set account recovery options for groups. This feature was already released to a subset of orgs; we are now releasing it to all new Production orgs.

ThreatInsight security enhancements

ThreatInsight enhancements improve detection of credential-based attacks from malicious IPs. See About Okta ThreatInsight.

Early Access Features

New Features

Okta SSO IWA Web App agent, version 1.13.1

This release of the Okta SSO IWA Web App agent includes security enhancements and internal fixes. See Okta SSO IWA Web App version history.

Fixes

General Fixes

OKTA-293251

In some cases, reactivated AD users signing in to Okta were presented an empty Welcome screen although no user actions were required.

OKTA-297744

On the new Okta End-User Dashboard, wide logos were cut off.

OKTA-313490

In Okta End-User Dashboard > Settings > Personal Information, some editable fields extended past their border if they contained too many characters.

OKTA-321737

In some cases, admins didn't receive the Import Summary Notification Emails from Workday when an import was completed.

OKTA-321999

In some cases, users signing into Okta through email MFA received an error message despite entering the correct passcode.

OKTA-323345

The email template for password change notifications didn't allow certain expressions used in other email templates.

OKTA-323919

Admins could exclude the mandatory email field from the self-service registration form.

OKTA-326781, OKTA-329842

Admins were stuck when attempting to load Group Rules in Directory > Groups > Group Rules for certain expressions.

OKTA-328856

The Okta Browser Plugin didn’t inject credentials into sign-in pages for Org2Org SWA apps added to dashboards.

OKTA-330549

Disabled users were imported erroneously from Confluence to Okta during provisioning.

OKTA-330615

Invalid error objects returned through a Registration Inline Hook caused the client to see a 500 error rather than a 400.

OKTA-334126

Scheduled imports failed when CSV Directory Incremental Imports was enabled.

OKTA-334163

In some cases, admins erroneously received a rate limit error when viewing Access Policies through Security > API > Authorization Servers > Access policies > Select the policy.

OKTA-334255

Enrollment and reset emails were still sent to secondary email addresses even if the admin had disabled secondary email addresses.

OKTA-334929

Due to differences in the way the new RADIUS app handles username attributes, authentication failed for some users depending on whether their username had a UPN or sAMAccountName format.

OKTA-335890

Some SWA apps in the OIN App catalog were categorized incorrectly.

OKTA-337462

In some cases, custom app names for Wizard apps weren't globally unique and caused collision issues with apps from other cells.

OKTA-338863

Admins were unable to add IP addresses to the BlockedIpZone list from the System Log.

OKTA-342006

In some cases, the footer on the new Okta End-User Dashboard didn't maintain its position at the bottom of the page.

OKTA-343802H

In the Okta Admin Console, the message displayed when a rate limit was reached was incorrect.

OKTA-345672H

The new Okta End-User Dashboard was enabled for some end users even though it was disabled by the admin. The dashboard now displays the correct version depending on whether the new dashboard is enabled or not.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 1Password Business (OKTA-340768)

  • ADP Portal (OKTA-339374)

  • ADP TotalSource (OKTA-339601)

  • CBT Nuggets (OKTA-340787)

  • Citrix Right Signature (OKTA-336890)

  • ECP (OKTA-340794)

  • FCO (OKTA-340785)

  • ISSUU (OKTA-340784)

  • Legrand Service Center (OKTA-340769)

  • Miro (OKTA-338110)

  • Sainsburys (OKTA-340792)

  • Schwab Advisors (OKTA-337947)

  • SEMrush (OKTA-340786)

  • SmartyStreets (OKTA-340781)

  • SunTrust SunView Treasury Manager (OKTA-338770)

  • vAuto (OKTA-340782)

  • Zurich Adviser Portal (OKTA-340770)

The following SAML app was not working correctly and is now fixed

  • Sentry (OKTA-332821)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • AlertEnterprise Guardian Access (OKTA-331898)

  • Cirrus Federation Bridge (OKTA-331296)

  • ERP Maestro 2.0 (OKTA-328139)

  • Helper Helper (OKTA-338542)

  • Nature Research (OKTA-337029)

  • Qualified (OKTA-336983)

  • Raketa (OKTA-336302)

  • Streams (OKTA-334367)

SWA for the following Okta Verified applications

  • Adyen (OKTA-337639)

  • BNP Paribas (OKTA-331531)

  • Freshbooks (OKTA-337319)

  • Schneider Electric (OKTA-330814)

OIDC for the following Okta Verified applications

Weekly Updates