March 2019

2019.03.0: Monthly Production release began deployment on March 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Default sign on rule set to Deny in Client Access Policies for new Office 365 app instances

In Client Access Policies for new Office 365 app instances, the Default sign on rule is now set to Deny access (formerly set to Allow). Additionally, we've provided a rule above the Default sign on rule that allows access to only web browsers and apps that support Modern Authentication. This change is designed to help customers implement more secure policies by default. Note: Existing O365 app instances are unaffected by this change. For more information, see Office 365 Client Access Policies.

Skip importing groups during Office 365 user provisioning

While provisioning Office 365 in Okta, you can choose to skip importing Office 365 user groups and group memberships into Okta. This allows you to focus initially on user provisioning and take care of group assignments later in the deployment process. For more information, see Skip importing groups during Office 365 user provisioning.

Additional Custom Attributes for Webex integration

Our Webex integration is enhanced by adding support for several new custom attributes. Okta imports these attributes, which you can then map as additional custom properties. For more information, see the Webex Provisioning Guide.

System Log enhancement

We’ve enhanced our System Log to take advantage of our new Network Zones feature. Admins can now hover over an IP address that's part of an event and navigate through the series of menus to add that IP address to either the gateway or proxy list of IP addresses.

SCIM App Wizard

Okta supports SCIM (System for Cross-domain Identity Management specification) provisioning for apps created with the Okta App Integration Wizard (AIW).

For more information about SCIM, see SCIM-Based Provisioning Integration. For instructions to enable SCIM for app-wizard apps, see The SCIM App Wizard.

View admin list by role

Super admins can now filter the list of admins by role and type for easier searching.

New macOS Device Trust Registration Task, version 1.2.0

This release includes the following:

  • Slack is added to the default app whitelist.
  • The System event in the System Log now reports the DeviceDisplayName attribute in the DebugContext:

  • Improvements to the logs that the Registration Task publishes to Jamf Pro during deployment.
  • Internal fixes and performance enhancements.

For version history, see Device Trust for macOS Registration Task Version History.

Social Identity Providers

This feature allows your end users to self-register with your custom applications by first authenticating through their existing social identity accounts, such as Facebook, Google, Yahoo, or LinkedIn. For new users of your custom application, Okta creates a Just In Time (JIT) Okta user profile based on attributes stored in their social profiles.

For more information see Identity Providers.

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. For details, see Using the LDAP Interface.

Enhanced Group Push for Litmos

Group Push now supports the ability to link to existing groups in Litmos. While this option is currently only available for some apps, we’ll periodically add this functionality to more provisioning-enabled apps. For details about this feature, see Using Group Push.

Schema Discovery for Litmos

The Litmos provisioning app now supports UD and Schema Discovery. For more information, see the Litmos Provisioning Guide.

Assign admin privileges to an Okta group

Super admins can now assign Okta admin privileges to Okta groups, making it easier to onboard large numbers of admins quickly. Everyone in the group receives the admin privileges assigned to the group. For details, see Assign admin privileges.

System Log events for YubiKey Seed

New System Log events have been added when a user uploads or revokes a YubiKey Seed successfully.

System Log events for Active Directory imports

A new System Log event appears when an Active Directory import is converted from an incremental to a full import.

A new System Log event appears when a full Active Directory import is required.

Admin role behavior changes

Admin roles assigned by adding a user to an Admin group can no longer be edited or customized for individual users. To edit or remove admin privileges from a user that were assigned by adding the user to an admin group, you must remove the user from the group. Additionally, if a user has individual admin privileges assigned to them as well as admin privileges they received due to being in an admin group, each admin privilege will be listed separately. The icons indicate whether the privilege was assigned individually or as a result of group membership. For details, see Admin assignment page overview and Assign admin privileges.

Use Expression Language (EL) to map AD attribute to Workplace by Facebook

Okta now uses EL to map manager from AD to the Workplace by Facebook app for all new apps. For more information about Workplace by Facebook provisioning, see the Workplace by Facebook Provisioning Guide.

CPC app operations throttling

To ensure execution of all customers’ provisioning operations in a timely manner, operations for CPC apps are now throttled on a per org basis.

Enhanced Okta Mobile Security Settings for Android and iOS

Applies to:

  • Okta Mobile 3.8.1+ for Android
  • Okta Mobile 5.22.0+ for iOS

From the admin console, you can configure the following security settings for devices running specific versions of Okta Mobile:

  • Specify the PIN length.
  • Allow/disallow use of a simple PIN (repeating/ascending/descending numeric sequences).
  • (Android only) Allow/disallow users taking screenshots, recording videos, or sharing their screen.

For details, see Okta Mobile Settings.

Generic OIDC

Generic OpenID Connect (OIDC) allows users to sign in to an Okta org using their credentials from their existing account at an OIDC Identity Provider (IdP). A generic OIDC IdP can be a third-party IdP that supports OIDC, such as Salesforce or Yahoo, or your own custom IdP. You can also configure federation between Okta orgs using OIDC as a replacement for SAML. For more information, see Generic OpenID Connect.

Generally Available Enhancements

Enhanced search for Group membership rules

You can now search for group rules by name, target groups, and expression conditions. For more information about Group membership rules, see Using group membership rules.

Change to Reset Password page

When Administrators navigate to Directory > People > Reset Password, the default view is now Locked Out users instead of All. This has been changed for performance reasons. For details, see Reset end user passwords.

Documentation links for Security Checklist

The Security Checklist on the admin console is updated to include documentation links for each setting. For more information about this feature, see Security Checklist.

Region codes updated for network zones

Network zones region codes are updated to adhere to the specifications of the ISO-3166 standard. This update includes changes to region names within Mexico, the Democratic Republic of the Congo, and Czech Republic. For more information about using country and region codes, see Networks.

Early Access Features

New Features

App condition for MFA enrollment policy

Admins can now use a new condition when setting a rule for an MFA enrollment policy. When this condition is configured, end-users are prompted for factor enrollment when accessing all of their applications or only for those selected by their org admin. For more information, see App Condition for MFA Enrollment Policy.

Review prompt on Okta Mobile for iOS

End-users using Okta Mobile on iOS are prompted to provide an App Store rating for the app. When they provide a rating in the app and click Submit, they are taken to the App Store page for the Okta Mobile app to provide more optional feedback about the app. They can click Not now to dismiss the option. For more information, see Review prompt on Okta Mobile (iOS only).

Schedule user imports

When you set up Provisioning to import users from an app or from a CSV directory to Okta, you can set up a schedule for imports at regular intervals on an hourly, daily, or weekly basis. If your app supports incremental imports, then you can set up both full and incremental import schedules. This integration applies to all non-AD and LDAP applications that support imports such as CSV directory, Workday, SuccessFactors, BambooHR, Salesforce, and so on. For more information, see Scheduling imports.

Okta On-Prem MFA Agent, version 1.4.0

This release replaces the JRE with the Amazon Corretto 8.0 version of OpenJDK JRE. For the agent version history, see Okta On-Prem MFA Agent Version History.

OIN Manager supports multiple application submissions

When submitting a new application integration for review by Okta, the OIN Manager now supports multiple concurrent application submissions (for new orgs only).


Early Access Enhancements

Custom domain certificate update

Custom domain setup can support up to 4096-bit certificates in the certificate chain. For more information about custom domains, see Configure a custom URL domain.

Custom domain HTTP to HTTPS redirect

Custom domain can redirect from HTTP to HTTPS. For more information about custom domains, see Configure a custom URL domain.


General Fixes


Disabled users in the Roambi app were incorrectly imported into Okta.


The tooltip for username was missing on the Identifier-first login page when using IdP Discovery.


The Okta Interstitial page used an incorrect font on Windows OS.


The authentication process took more time than expected when the "Permit Automatic Push for Okta Verify Enrolled Users" option for the RADIUS application was activated.


End-users could not see the Zip Code on the Personal Information page on the end-user dashboard despite having read-write permissions.


Customers were not properly redirected to the correct JIRA On-Prem instance after updating to JIRA On-Prem version 3.0.7.


Updates to the Okta Reporting Path were not saved on the first attempt and failed with errors when configuring API integration for the UltiPro app.


When configuring an OPP app with a SCIM connector, authentication headers were sometimes misconfigured.


For Desktop Device Trust flows, authentication failures reported in the System Log lacked sufficient detail.


When Single Line Prompt was enabled in the Radius app, login using a soft token generated duplicate events in the System Log.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed


Application Updates

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

Mobile application for use with Okta Mobility Management (OMM) (Android and iOS)

  • Zscaler 2.0 (OKTA-210280)

SAML for the following Okta Verified applications

  • Idiomatic (OKTA-210213)

  • Stack Overflow Enterprise (OKTA-211271)

SWA for the following Okta Verified applications

  • 1st Global: Identity Server (OKTA-203266)

  • Amazon Incentives (OKTA-205373)

  • ClickToTweet (OKTA-206100)

  • Cumberland (OKTA-202677)

  • ForeScout (OKTA-203181)

  • Fremont Bank (OKTA-205715)

  • GoodHabitz (OKTA-206150)

  • HR Certification Institute (OKTA-204048)

  • Johnson & Johnson (OKTA-207334)

  • LinkedIn Sales Navigator (OKTA-202984)

  • LivePerson LiveEngage (OKTA-206681)

  • Lutron (OKTA-206149)

  • PNC Retirement Directions Participant Login (OKTA-206676)

  • SagicoreLife: Agent Login (OKTA-202262)

  • SecurePay (OKTA-210232)

  • Supermetrics (OKTA-205909)

  • Template Two Page Plugin App (OKTA-207162)

  • Texas Mutual (OKTA-207028)

  • Zscaler 2.0 (OKTA-210280)

February 2019

2019.02.0: Monthly Production release began deployment on February 19

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

PIV Support for MTLS

Authentication for PIV (Personal Identification Verification) now supports the MTLS protocol and may be used once you have whitelisted the following domain: * For more information about IP whitelisting and Okta domains, refer to Configuring Firewall Whitelisting.

Location-based network zones

Zones can now be defined based on geo-location. For more information on location zones, see Networks.

Remember Device setting enabled by default

As part of sign-on policy rules, admins can now enable by default the setting for end users to not be challenged on the same device again upon sign in. For more information on this feature, see Security Policies.

Support for converting contractors to full time employees in Workday

Added support for converting contractors to full time employees within Workday. For more information, see the Workday Provisioning Guide.

End-user plugin settings

End users can now configure Okta Plugin settings directly from the Your Apps menu in their browser. This feature lets end users customize the local behavior of the plugin, and helps end users and admins troubleshoot problems that may occur with the plugin. For details, see Configure the Okta browser plugin (end-user settings). This feature is GA for Preview orgs only.

Copy temporary password to clipboard

When resetting a password, admins can copy the temporary password directly to the clipboard by clicking the copy to clipboard icon.

Google Integration updated

Okta's Google social login integration has been updated to account for the deprecation of the Google+ API. More information can be found in our Knowledge Base.

Signature and Digest Algorithms for Template WS-Fed Applications

Template WS-Fed applications can now choose between SHA1 and SHA256 for their Signature and Digest Algorithms. In addition, all Template WS-Fed applications will have X.509 certificates signed with SHA256. For more information, see Configuring the Okta Template WS Federation Application.

Okta Plugin for Safari updated to 5.26.1

The Okta plugin for Safari browsers is updated to version 5.26.1. To meet Apple requirements, Okta built this version of the plugin as an App Extension to replace the legacy .safariextz architecture. This and future versions of the Okta Safari plugin will be available from the Mac App Store. For history, see Browser Plugin Version History.

Generally Available Enhancements

Email notifications enabled by default

The setting for sending an email notification to end users who enroll in a new factor or request a factor reset is now enabled by default. For more information, see General Security.

EA Feature Manager feature list expanded

You can now enable Early Access features in the EA Feature Manager that may have other feature dependencies. If you select an EA feature that has a dependency on another feature, you must enable the required feature dependency before enabling your initial selection. For details, see Manage Early Access Features.

G Suite Provisioning Guide

Provisioning for G Suite now includes a link to the G Suite Provisioning Guide.

Early Access Features

New Features

Okta Active Directory agent, version 3.5.6

This release includes the following changes:

  • Back-end changes to improve how the agent refreshes its DNS entries and connects to servers during disaster recovery.

  • The MaxRetryLimitSleep parameter default is now 8 minutes.
  • A bug fix resolving group membership issues when a user is created by JIT.

For more information, see Okta Active Directory agent version history.

Okta LDAP agent, version 5.5.4

This release contains internal changes and bug fixes. For more information, see Okta Java LDAP agent version history.

Use Okta MFA for Azure AD Conditional Access and Windows Hello for Business Enrollment

  • Satisfy Azure AD Conditional Access MFA requirements for your federated Office 365 (O365) app instance.
  • Enroll end users into Windows Hello for Business.

For more information, see Use Okta MFA to satisfy Azure AD MFA requirements for Office 365.

MFA for ePCS

Okta provides multifactor authentication for the Electronic Prescribing for Controlled Substances (ePCS) system with its integration to Epic Hyperspace, which is the front-end software that launches ePCS. For more information, see Okta MFA for Electronic Prescribing for Controlled Substances (ePCS).


Automations enable you to quickly prepare and respond to situations that occur during the lifecycle of Okta-mastered end users. You can set up and schedule the following automations to perform actions upon the groups you select:

  • User inactivity
  • User password expiration

For more information, see Automations.

Prevent web browsers from saving sign-in credentials

You can prevent browsers such as Chrome from saving an end user's sign-in credentials for Okta as well as for third-party apps accessed through the Okta Dashboard. For more information, see Prevent web browsers from saving sign-in credentials.

Mark Okta user profile attribute as sensitive

Okta now allows Super admins to mark an attribute in the Okta user profile as sensitive, which ensures that no one in Okta can view the information stored in that attribute field. You can also use sensitive attributes in SAML assertions to apps, allowing you to pass these sensitive attributes from the source app through Okta to an upstream app. For details, see Hide sensitive attributes.

Early Access Enhancements

Inline MFA Enrollment for RADIUS Apps

Admins can now allow or prohibit MFA enrollment during authentication for end users who access resources protected by RADIUS. For more information, see Configuring RADIUS applications in Okta.


General Fixes


The response error message included a typo when an invalid 4-byte UTF-8 character (such as an emoji) was input into a text field.


Sometimes when a Microsoft proxy was used, the proxy IP was displayed as the client IP in the System Log although the policies were enforced on the client IP.


End users had difficulty entering an SMS MFA code on the Okta sign-in page because a large portion of the Enter Code field was not clickable.


The Early Access feature that allows Okta-mastered users to move across OUs sometimes failed to update the organizational unit for Active Directory users whose account was pushed to Active Directory from Okta and whose AD username (CN) contained one of the following characters: ,\#+<>;"=


User profile updates for the Cornerstone app failed if the user already existed in Cornerstone.


In some cases group rules dependent on other group rules were not processed properly during user updates.


The Identity Provider list did not properly display the Authorize URI and Redirect URI fields.


Attempts to apply an app Sign On Policy Rule to users returned a spinning icon. This issue only occurred on Preview orgs.


The app Sign On Policy Rule that denied user access was not logged in the System Log’s application.policy.sign_on.deny_access event.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • CyberArk Password Vault Web Access (OKTA-206890)

The following SWA apps were not working correctly and are now fixed

  • BullsEye Telecom (OKTA-207387)

  • Easy Projects (OKTA-207086)

  • Google Data Studio (OKTA-207296)

  • Infor EAM (OKTA-206680)

  • Looker (OKTA-206856)

  • ThinkHR (OKTA-207312)

  • Visible Equity (OKTA-206845)


Application Updates

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration apps are now available in the OIN as partner-built Early Access:

SAML for the following Okta Verified applications

  • Boostr (OKTA-203119)

  • Pavaso (OKTA-207100)

  • PitchBook (OKTA-206101)

  • Revivn (OKTA-206671)

  • Rockset (OKTA-207102)

SWA for the following Okta Verified application

  • Zywave Home (OKTA-193830)

January 2019

2019.01.0: Monthly Production release began deployment on January 14

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Email notifications for Factor Enrollment and Factor Reset

Admins can enable two new settings for email notifications that are sent to end users. When enabled, end users will receive an email confirmation if the end user or an admin enrolls in a new factor or resets an existing factor for their account. For more information on end user email notifications, see General Security.

Automatically send an email to locked-out end users

You can automatically send your users an email if their account becomes locked due to too many failed sign-in attempts. You can insert a link in the email to let users unlock their account. For details, see Configure lockout settings.

Group Push enhancements

Group Push now supports the ability to link to existing groups in the following application integrations:

  • Slack
  • Dropbox for Business
  • ServiceNow UD

You can centrally manage these apps in Okta. For details, see Enhanced Group Push.

Enhanced provisioning for Office 365

With additional enhancements to the Microsoft Office 365 integration, admins can now synchronize identities from on-premises to cloud-based Office 365, provision a user profile that is extended further to include over 100 attributes, and synchronize distribution groups, contacts, and resources such as conference rooms.

Admins can also manage user licenses and roles, independent of other provisioning flows. The new provisioning type for Office 365, License/Roles Management Only, allows admins to manage user license assignment and role delegation for existing Office 365 users and for users provisioned to Office 365 with third-party tools. For more details, see Okta Enhancements with Microsoft Office 365 Integration.

Modern authentication support

We have extended our Office 365 Sign On policies to include the ability to distinguish between web browser and modern authentication clients, giving you even more granularity in controlling how users are accessing corporate data. You access this functionality by creating a new App Sign On Rule.

Extended Client Access policy capability for apps

When you create App Sign on Policy rules, you can now specify platform types with greater granularity. For details, see Add Sign On policies for applications.  

Additional Custom Attributes for DocuSign integration

Our DocuSign integration is enhanced by adding support for several new custom attributes. Okta imports these attributes, which you can then map as additional custom properties. For details, see the DocuSign Provisioning Guide.

System Log save and reuse searches

After performing a System Log search, a Save button now appears next to the query. Click Save and you are prompted to name your search. Once saved, your named search appears on the main Reports page. You can reuse your saved search, modify it, or delete it. Note that saved searches can only be seen by the user who created them. A maximum of 20 searches can be saved at any time.

LDAP Interface, query performance improvement

LDAP Interface queries will no longer return the memberOf attribute unless requested specifically, or when all operational attributes are queried using “+”. This change brings performance improvement to searches that did not require this attribute. Improvements were also made to return additional operational attributes that were part of LDAP core schema. This list includes hasSubordinates, structuralObjectClass, entryDN, subschemaSubentry, and numSubordinates. Note that numSubordinates is not calculated for users and groups containers. For details, see Connecting to Okta using the LDAP Interface.

XFF Evaluation for Dynamic Zones and Behavior Detection

As part of Dynamic Zone and Behavior Detection evaluation, the client IP is now validated using the trusted proxies that have been configured for that org. In the admin System Log, this IP appears as the Client IP. For more information, see Dynamic Zone Evaluation.

New Windows Device Trust Registration Task, version 1.3.0

This release includes the following:

  • Improved support for organizations that route internet traffic through a proxy server.
  • Fixes an issue in which some Device Trust System Log events reported the Windows operating system version inaccurately on Windows desktops running Windows 8.1 or higher.

For version history, see Device Trust for Windows Desktop Registration Task Version History.

Support for Vietnamese language

Support for the Vietnamese language for the end user experience is now available to all customers. You can select the default language preference for your entire org, and your end users can select a different language preference for their own experience. For more information, see Configure the Display Language.

JIRA On-Prem Authenticator, version 3.0.7

This release includes enhanced SP-initiated SAML flow and support for spUsers and spGroups to handle JIRA only users. For version history, see JIRA Authenticator Version History.

Okta Browser Plugin, version 5.25.0

Okta Browser Plugin has been updated to version 5.25.0 for Chrome, Edge, Firefox, and Internet Explorer. This version contains security enhancements in addition to enhanced end-user settings. For version history, see Okta Plugin Version History.

Enforce Device Trust for managed Windows computers

Okta Device Trust for Windows allows you to prevent unmanaged Windows computers from accessing enterprise services through browsers and native applications. For details, see Enforce Device Trust for managed Windows computers.

Generally Available Enhancements

EA Feature Manager

To provide more information about self-serviceable EA Features, links to help or developer documentation are now available for select features in the EA Feature Manager. For details, see Manage Early Access features.

New device notification enhancement

The setting for end users to receive a new device notification email when signing in to Okta from a new or unrecognized device is now enabled by default for all orgs. For more information about email notification settings, refer to New or Unknown Device Notification Emails.

Username passes to IdP when using identity-first IdP Discovery flow

When using an identifier-first IdP discovery flow and the user is redirected to the Identity Provider, such as SAML, Google, Microsoft, or Generic OIDC, the username value is passed on to the Identity Provider so the user does not have to type it in again.

API Token size increased for OAuth

We have increased the API token size when configuring OAuth 2.0 based authentication from 2 kB to 64 kB. For more information about OAuth, see OpenID Connect & OAuth 2.0 API.

Logos available for all Social Identity Providers

All social identity providers have the default logos shown below:

LDAP Interface, increased page size

The LDAP page size is increased from 200 to 1001, allowing LDAP clients to use a multiple page size of 1000. For details, see Connecting to Okta using the LDAP Interface.

Search range for group membership

The Okta LDAP Interface previously limited membership searches to the first 200 users for a group. This restriction has been removed and the LDAP Interface will iterate through all pages before returning membership response back to the client. This applies to LDAP searches that query uniquemember and ismemberOf attributes. For details, see Connecting to Okta using the LDAP Interface.

Early Access Features

New Features

Scoping admin privileges, AD and LDAP-mastered groups now supported

Super admins can now scope Group and Help Desk admin privileges to AD and LDAP-mastered groups in addition to Okta-mastered groups. This EA Feature can be enabled in the Feature Manager. For details, see Assign Help Desk admin privileges.

Multi-forest support for Windows Device Trust enrollment

IWA web app version 1.12.2 supports cross-forest/cross-domain Windows device trust enrollment. Now an IWA web app running in one forest can detect and assess the trust posture of Windows desktop devices located in another trusted forest and then allow these devices to enroll in Windows Device Trust. For more about Windows Device Trust, see Enforce Okta Device Trust for managed Windows computers.

Okta collecting product feedback from end users

Admins can allow Okta to collect feedback from end users. If this feature is turned on, end users will see a prompt on their Okta dashboard requesting feedback about our products and services. You can opt out of Okta User Communication in Settings > Customization > General. For more information, see End User Communication.

Web Authentication for U2F as a Factor

Admins can enable the factor Web Authentication for U2F, where U2F keys are authenticated using the WebAuthn standard. For more information, see Web Authentication for U2F.

Okta SSO IWA Web App Agent, version 1.12.2

This EA release includes:

  • Security fixes.
  • Support for cross-forest/cross-domain Windows device trust enrollment. Now an IWA web app running in one forest can detect and assess the trust posture of Windows desktop devices located in another trusted forest and then allow these devices to enroll in Windows Device Trust.

For details, see Okta SSO IWA Web App Agent Version History.


General Fixes


In the admin System Log, the zone field was populated for all events that matched a sign-on policy even when the IP of the client request did not match any zones configured in the policy.


When the same user was API and App Admin, only OIDC apps were visible in the Universal Directory profile editor.


A misleading error message was displayed when the rate limit was exceeded while using the LDAP Interface to query LDAP.


Fixed inconsistent behavior with the Reset Password Link for LDAP users.


In some cases, Okta-mastered users were deactivated when their linked accounts in Active Directory were deactivated.


Logging on through Jira on-prem chiclet didn't error out properly if the end user didn't exist in the target app.


Some orgs were unable to create the number of users that they were entitled to.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • ADP Portal (Admin) (OKTA-198299)

  • Bloomberg BNA (OKTA-202952)

  • Blue Cross Blue Shield North Carolina (OKTA-191585)

  • Coolblue (OKTA-203010)

  • Copper (OKTA-202311)

  • Dell EMC (OKTA-197625)

  • Egencia France (OKTA-202309)

  • Garveys (OKTA-202308)

  • Google AdWords (OKTA-200072)

  • Google Play Developer Console (OKTA-201061)

  • GT Nexus (OKTA-203008)

  • Monster Hiring (OKTA-202848)

  • Newton Software (OKTA-202111)

  • ONE by AOL Mobile (OKTA-201772)

  • SAP NetWeaver Application Server (OKTA-202310)

  • Tenable Support Portal (OKTA-201111)

  • The San Diego Union-Tribune (OKTA-202856)


Application Updates

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now available in the OIN as partner-built Early Access:

  • Effy: Freshservice Provisioning: For configuration information, see Effy: Freshservice Provisioning's Configuring SCIM with Okta.

SAML for the following Okta Verified applications

  • Oracle Cloud Infrastructure (OKTA-203179)

  • PerimeterX (OKTA-202317)

  • Visitly (OKTA-202988)

  • Workpath (OKTA-202894)

SWA for the following Okta Verified applications

  • AIMA (OKTA-197142)

  • BioDigital (OKTA-197194)

  • Cisco Registered Envelope Service (OKTA-197090)

  • DeKalb Physician Portal (OKTA-197193)

  • Financial News (OKTA-198739)

  • Fresh Direct (OKTA-197128)

  • My Eaton (OKTA-200770)

  • Ocado (OKTA-197129)

  • Private Advisors (OKTA-198720)
