October 2020

2020.10.0: Monthly Production release began deployment on October 12

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Inclusive language and terminology

Okta is focused on the adoption of inclusive language and communication. Some long-standing industry terminology and expressions have been updated in this release, and further updates will continue to be made in future releases. Click the Feedback button on any Okta Help page to share your suggestions on the use of inclusive language.

The following inclusive language changes have been made:

  • Allow list has replaced whitelist
  • Block list has replaced blacklist

See About Network Zones.

The following topics have begun to adopt the new inclusive language:

The network zones user interface has been updated with inclusive terminology:

  • Add IP Zone
  • Add Dynamic Zone

The OIN Manager user interface has been updated with inclusive terminology:

  • Profile Sourcing has replaced Profile Mastering

API Access Management enables scope as a claim

Admins can now name a claim "scope" in API Access Management custom authorization servers. Admins can also use the EL expression access.scope in custom claims to return an array of granted scope strings. See API Access Management.

OIN Manager - enable profile sourcing

For developer orgs, the Profile Sourcing option (previously Profile Mastering) for SCIM apps must be enabled by Okta developer support. If you're an ISV and need this functionality temporarily activated when you're testing and submitting a SCIM app integration, see Submission support.

Changes to removing personal app instances

When an end user adds an app from the OIN catalog that is not self-service within their org, a personal instance of the app integration is created. Previously, if the end user removed the app integration from their dashboard, then the app instance was kept but marked as deactivated in the System Log. Now, when the user removes the app integration, the personal instance is removed and it is marked as deleted in the System Log. See Common SSO Tasks for End Users.

On-Premise Jira versions confirmed for Okta Jira Authenticator

The Okta Jira Authenticator has been certified to work with new On-Prem Jira versions. See Okta Jira Authenticator Version History.

Default sign on rule set to Deny in Client Access Policies for new Office 365 app instances

In Client Access Policies for new Office 365 app instances, the Default sign on rule is now set to Deny access (formerly set to Allow). Additionally, we've provided a rule above the Default sign on rule that allows access to only web browsers and apps that support Modern Authentication. This change is designed to help customers implement more secure policies by default. Note: Existing O365 app instances are unaffected by this change. For more information, see Get started with Office 365 sign on policies.

Self-Service improved plugin onboarding experience

The improved Okta Browser Plugin onboarding experience for new end users is now available on all web browsers except Safari. After installing the plugin, new end users will be automatically directed to the sign in page or will have their dashboard refreshed, and will be shown an introduction banner on their dashboard. See Install the Okta Browser Plugin.

Provision out of sync users

If you enable provisioning for an app that already has users assigned to it, Okta can sync these users so they now have provisioning capabilities. See Provisioning in applications.

Email address change notification templates

Email address change notification templates are now available. These templates notify users of an email address change and let them confirm the change. See Customize an email template.

Password requirements formatting

When setting a password, requirements are now shown in a list format rather than a sentence format.

Generally Available Enhancements

Okta LDAP agent log enhancement

To help identify and correct latency issues between Okta and on-premises Okta LDAP agents, a delAuthTimeTotal field has been added to the Login Events section of the Okta LDAP agent log. This field displays the time in milliseconds taken to complete a delegated authentication request between Okta and the Okta LDAP agent. See Locate the Okta LDAP agent log.

ThreatInsight security enhancements

ThreatInsight enhancements improve detection of credential-based attacks from malicious IPs. See About Okta ThreatInsight.

Sign-In page auto refresh

In some cases, if end users don’t sign in on the Sign-In page and leave it idle until the authentication session expires, the Sign-In page now refreshes automatically to establish a new session.

NetMotion Mobility

The NetMotion Mobility (RADIUS) app is now available on the OIN. It supports the EAP-GTC protocol with RADIUS agent version 2.12.0 or later. See Configure NetMotion Mobility to interoperate with Okta via RADIUS.

OIN Manager - submission process improvements

The final processing step has been removed from the OIN app integrations submission process. Submitted app integrations that pass quality assurance (QA) testing by the OIN Operations team don't require further ISV input and are now automatically approved and published to the OIN.

OIN Manager - update submission email text

The email text sent to ISVs during the quality assurance (QA) portion of the OIN submission process has been clarified to make the information easier to understand.

Early Access Features

New Features

Reports delivered by email

Admins can now receive the following reports by email:

  • Okta Usage Report
  • Current Assignments Report
  • MFA Usage Reports

See Reports.

Okta Active Directory agent, version 3.6.0

This release includes performance improvements, security enhancements, and bug fixes. See Okta Active Directory agent version history.

On-Prem MFA agent, version 1.4.4

This version includes hardening around certain security vulnerabilities and includes a new version of the Log4J library.

Note: The new Log4J library stores properties in log4j2.xml. Before upgrading, save a copy of C:\Program Files (x86)\Okta\Okta On-Prem MFA Agent\current\user\config\rsa-securid\ and enter any changes into the new configuration file. See On-Prem MFA Agent Version History.

RADIUS agent, version 2.14

This version includes hardening around certain security vulnerabilities and includes support for the PEAP-EAP-GTC protocol. See Okta RADIUS Server Agent Version History.

ADFS plugin, version 1.7.8

This version includes bug fixes and hardening around certain security vulnerabilities. See Okta ADFS Plugin Version History.

MFA Credential Provider for Windows, version 1.3.1

This version includes hardening around certain security vulnerabilities. See Okta MFA Credential Provider for Windows Version History.

Custom IdP factor authentication with OIDC support

Custom IdP factor authentication now supports OpenID Connect. See Custom IdP Factor Authentication.

Optional Display Preferences for new Okta End-User Dashboard

Users can now set Display Preferences on the new Okta End-User Dashboard. They can enable or disable the Recently Used section and organize their dashboard as a grid or a list. See New Okta End-User experience.

Import Monitoring dashboard

The Import Monitoring dashboard is now available and displays user attribute imports for a seven-day period. You can use the dashboard to view import progress, status, details, and logs. See View the Import Monitoring dashboard.


General Fixes


  • In some cases, removing tasks from the Okta Admin Dashboard failed.
  • When searching for apps on the new Okta End-User Dashboard, app logos included in the search results were too large.
  • In some cases, a user's DisplayName appeared as their user ID in the System Log.
  • For certain app admin operations, rate-limit error messages in the System Log erroneously suggested that admins retry failed operations manually instead of waiting for the operations to be rescheduled.
  • After selecting certain attributes in Advanced RADIUS settings, the On-Prem MFA agent returned the proxy IP instead of the IP address of the RSA agent.
  • Grammarly and Dragon extensions on Chrome caused issues for users who attempted to sign in to apps that required Okta MFA.
  • Users deactivated in Okta weren't deactivated correctly in the Salesforce app.
  • If an account was deleted while the user was in an active session, Okta presented an error instead of redirecting the user to the Sign-in page.
  • Certain custom attributes that were updated in Okta weren't subsequently updated in LDAP.
  • Admin privileges couldn't be removed from users who had an invalid email address.
  • When updating a security question for password recovery, end users could use the non-domain part of their email as an answer.
  • Some Japanese translations on the Sign-In page weren't displayed correctly.
  • Some email templates in Italian were inaccurately translated.
  • In some cases, the Pending email address change email sent to end users didn't include dynamic content.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Acronis Cloud (OKTA-333972)

  • Cisco Partner Login (OKTA-334409)

  • Flipboard (OKTA-332426)

  • Flock (OKTA-333132)

  • The Hartford EBC (OKTA-332871)


New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

New RADIUS integration

SAML for the following Okta Verified applications

  • CodeSignal (OKTA-333537)

  • Lexion (submitted via ISV Portal). SLA: 22/Sep/20 (OKTA-331539)

  • Mindtickle (OKTA-331529)

  • TerraTrue (OKTA-331899)

  • TransPerfect GlobalLink Dashboard (OKTA-331544)

  • Trotto Go Links (OKTA-330216)

  • WorkSafe (OKTA-334374)


September 2020

2020.09.0: Monthly Production release began deployment on September 08

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

New features for SuccessFactors integration

The following new features have been added to the SuccessFactors integration:

  • Time zone based pre-hires and deactivations: Admins can deactivate SuccessFactors users and import pre-hires into Okta based on the time zone of their location.
  • Incremental imports: Incremental imports improve performance by importing only users who were created, updated, or deleted since the last import.

See Learn about SAP SuccessFactors Employee Central data provisioning.

Modern authentication support

We have extended our Office 365 Sign On policies to include the ability to distinguish between web browser and modern authentication clients, giving you even more granularity in controlling how users are accessing corporate data. You access this functionality by creating a new App Sign On Rule. See Rule Configuration.

Inline Hook preview

The Inline Hook preview feature lets admins preview and validate Inline Hook requests before making them active. See Preview an Inline Hook.

Improved new device behavior detection

Stronger signals are now used for the detection of new devices. Devices with web browsers that don't store cookies are treated as new, and trusted applications must send a unique identifier for each device as a device token. See Security Behavior Detection.

This feature is currently available for new orgs only.

Okta mastered attribute updates

Okta mastered attributes are now updated in a master app user profile when an org disables email customization.

Base attributes added to user profiles

When users access the Okta End-User Dashboard, all default base attributes are now added to their user profile.

Identity Provider Discovery

Using Identity Provider Discovery and routing rules, Okta directs users to different identity providers based on certain criteria. These criteria include location, device, the app being accessed, the user's domain, and specific user attributes. See Identity Provider Discovery. This feature will be gradually made available to all orgs.

Early Access Features

New Features

New Recent Activity page on the new Okta end-user dashboard

The Recent Activity page provides end users with a summary of recent sign-in and security events for their Okta account. End users can also report suspicious activity to their Okta admin by clicking I don’t recognize this. See Recent Activity.

Multiple active user statuses for SuccessFactors integration

Support for multiple active user statuses: When importing users from SuccessFactors into Okta, admins can now select more than one active user status, such as Leave of Absence.

See Learn about SAP SuccessFactors Employee Central data provisioning.


General Fixes


  • Filtering groups that were pushed by group also displayed groups that were pushed by name.
  • On the Activate User page, Search by Group didn't work if the search term included the vertical bar sign |.
  • In some cases, creating a custom SAML or SWA app using a bearer token failed.
  • Okta Workflows didn’t restrict application assignment to super admins.
  • When defined for an MFA Enrollment policy, the App Condition was not enforced when a user signed in to an application.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Autotask (OKTA-318506)

  • ccLink Provider Portal (OKTA-324140)

  • Chubb Personal Insurance (OKTA-323264)

  • Earth Class Mail (OKTA-322840)

  • Jobvite (OKTA-318586)


Application Updates

  • The Zoom SCIM app schema is updated. See Configuring Zoom with Okta for more information.
  • Provisioning support has been removed from the BigMachines and GoToMeeting apps due to their low customer usage, lack of standards-based integration, and high supportability cost.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Australian Access Federation (OKTA-317867)

  • Estateably (OKTA-324912)

  • Hopin (OKTA-324248)

  • Signal AI (OKTA-322928)

  • SocialHP (OKTA-322572)

  • Thematic (OKTA-322576)

OIDC for the following Okta Verified applications


August 2020

2020.08.0: Monthly Production release began deployment on August 10

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

G Suite Role Management support

Admins can manage G Suite admin roles directly from the Okta Assignments tab during user create, update, or delete operations. See G Suite Provisioning.

Note: Customers need to contact Okta Support to migrate their Universal Directory profile template to enable this feature.

Delete OIN draft submissions

Draft submissions of app integrations in the OIN Manager portal can now be deleted. See Update your published integration.

Configurable email OTP lifetime

Admins can now set the expiration of one-time passcodes in email messages up to 30 minutes when email is enabled for multifactor authentication. See Email in MFA.

Okta IWA Web agent Just-In-Time operation failures

When using Agentless Desktop Single Sign-on (DSSO) or the Okta IWA Web agent, Just-In-Time (JIT) operations fail when users are disconnected from Active Directory (AD) and the Profile & Lifecycle Mastering settings don’t allow user reactivation. This behavior is expected, and consistent with JIT operations in non-IWA AD environments. See Install and configure the Okta IWA Web agent for Desktop Single Sign-on.

Group push for Active Directory

You can now use group push on the Okta Admin Console to copy groups and their members to Active Directory. See Push groups from Okta to Active Directory.

Custom TOTP Factor for MFA

Admins can now enable a custom MFA factor based on the Time-based One-time Password (TOTP) algorithm. See Custom TOTP Factor.

Apple as an Identity Provider

Adding Apple as an Identity Provider allows users to sign in to your app using their Apple ID. See Add an external Identity Provider.

PIV Card authentication option added to identifier first Sign In page

A PIV Card authentication option is now provided on the identifier first Sign In page when you configure a Smart Card Identity Provider and a corresponding IdP Routing Rule in the Okta Admin console. See Add and configure a Smart card.

Multiple Smart Card/PIV Card Identity Providers

Our Multiple Certificate Chain Support for PIV Auth feature allows you to leverage multiple Smart Card/PIV Card IdPs, each with different certificate chains, to allow access to a single Okta org. The correct IdP will be automatically selected based on matching the user's chosen certificate to a configured certificate chain. See Identity Providers.

End-user profile reauthentication

The Customization section has a new setting that allows an admin to set the re-authentication time when an end user edits their profile. See Reauthentication Settings.

Okta Verify support for risk-based authentication

Okta Verify with Push now supports risk-based authentication. With this feature, admins can assess the level of risk when an end user signs in to their org and attempts to authenticate with Okta Verify. See About Okta Verify. This feature will be gradually made available to all orgs.

MFA for reactivated accounts

End users are now prompted for MFA before landing on the Welcome page if their accounts were reactivated and already enrolled in one or more MFA factors. This feature is currently available for new orgs only.

Extended Client Access policy capability for apps

When creating App Sign-On Policy rules to manage access to apps, admins can now specify additional granularity for platform types. Office 365 Client Access policies will continue to provide additional granularity for clients (that is, Web vs EAS). See Add Sign-On policies for applications and Office 365 Client Access Policies.

App condition for MFA enrollment policy

Admins can now use a new condition when setting a rule for an MFA enrollment policy. When this condition is configured, end users are prompted for factor enrollment when accessing all of their applications or only for those selected by their org admin. See App Condition for MFA Enrollment Policy.

Generally Available Enhancements

System Log enhancement

When a System Log event contains more than two targets, they're now displayed in an expandable list.

Workday time zone-based user deactivation support check box

The feature that allows Workday users to be deactivated based on their local time zone is now enabled using a check box on the Workday Provisioning page. See Workday.

Improved AWS Provisioning

When a customer has an AWS instance that was configured to use the Amazon AWS IAM role as the Sign On mode, and removes an optional child account from that instance, they're warned in the UI that their role provisioning will be removed and an event is generated in the System Log.

Add Administrator Group update

To prevent permission overrides, existing admin groups can only be granted new roles through the Edit option. The Add Administrator Group feature is available for new admin groups only. See Assign administrator permissions.

OIN Manager improvements

The OIDC tab in the OIN Manager portal has been updated with new fields: a configuration guide link, additional URI tenant customization questions, and a sign-in flow option question. The improvements also include minor fixes to the UI text on the SAML tab. See Configure protocol-specific settings.

OIN Manager automated emails for discarded submissions

The OIN Manager sends an automated email to an ISV when an app integration submission is moved back to a draft state due to inaction by the ISV.

Early Access Features

New Features

LDAP agent, version 5.7.0

This version of the agent contains:

  • Support for LDAP group password policies
  • Bug fixes

See Okta LDAP agent version history.

Create LDAP group password policies

You can now create group password policies for LDAP mastered users. Group password policies and associated rules help you enforce password settings at the group level. See About group password policies and Create Group Password Policies.

MFA for Windows Credential Provider, version 1.3.0

MFA for Windows Credential Provider version 1.3.0 is now available, adding support for Windows Server 2019. See Okta MFA Credential Provider for Windows Version History.

Allow or deny custom clients in Office 365 sign on policy

Admins can filter specific clients in an Office 365 app sign-on rule to allow or deny them access to Office 365 resources. This filter can be used to deny access to untrusted clients or to only allow trusted clients. See Allow or deny custom clients in Office 365 sign on policy.


New Okta End-User Dashboard enhancements

The following improvements have been added to the new Okta End-User Dashboard:

  • Improved bookmark creation experience: End users can now create bookmarks for apps that aren’t in their catalog by searching for the app.
  • Optional banner prompts: Admins can now choose whether to prompt users to download the Okta Browser Plugin.
  • Aesthetic enhancements: The new Okta End-User Dashboard has had its colors and font updated.


General Fixes


  • Group members in a BambooHR-mastered group weren't correctly reflected into Okta after the group import.
  • The Remember me check box on the Sign On page didn't respond to the space key when using Firefox, Internet Explorer, or Edge.
  • The German translation of password policy requirements wasn't accurate.
  • Some Turkish characters in email templates didn't render correctly.
  • A user could be created without providing values for required custom arrays.
  • When the API Access Management feature was enabled, end users signing in to an OIDC app using Agentless Desktop SSO weren't correctly redirected to the app.
  • The position of the app logo was misaligned on the Add Application page.
  • When existing apps that were incorrectly labeled as new were selected, errors occurred.
  • L10N_ERROR[connector-agents] errors erroneously appeared in the UI in some Security > Multifactor sections.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Cloud Guru (OKTA-315734)

  • Google AdWords (OKTA-312421)

  • Vision Planner (OKTA-316019)


New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Coursera (OKTA-315355)

  • MediaValet (OKTA-313684)

  • Security Studio (OKTA-313793)

OIDC for the following Okta Verified application
