Production release notes

| | Current | Upcoming |
|---|---|---|
| Production | 2022.05.1 | 2022.05.2 Production release is scheduled to begin deployment on May 23 |
| Preview | 2022.05.1 | 2022.05.2 Preview release is scheduled to begin deployment on May 18 |
May 2022
2022.05.0: Monthly Production release began deployment on May 9
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Okta AD agent, version 3.11.0
This version of the agent contains the following changes:
- Increased minimum .NET version supported to 4.6.2. If the installer doesn't detect .NET 4.6.2 or higher, it won't be installed.
- Security enhancements
- Removed unsupported libraries
Okta ADFS plugin, version 1.7.10
This version of the plugin contains bug fixes and security enhancements. See Okta ADFS plugin version history.
Okta RADIUS agent, version 2.17.4
This version of the agent contains bug fixes and security enhancements. See Okta RADIUS Server agent version history.
Okta On-Prem MFA agent, version 1.5.0
This version of the agent contains security enhancements. See Okta On-Prem MFA agent version history.
Okta Provisioning agent, version 2.0.10
This release of the Okta Provisioning agent contains vulnerability fixes. See Okta Provisioning Agent and SDK version history.
Jira Authenticator, version 3.1.8
This release contains bug fixes. See Okta Jira Authenticator version history.
Okta Resource Center access
The Okta Resource Center is a collection of product tours, step-by-step guides, and announcements that helps you learn about new features and how to perform tasks within the Admin Console. You can launch the Okta Resource Center by clicking the blue icon from anywhere in the Admin Console. See Okta Resource Center.
Use Okta MFA for Azure AD Conditional Access and Windows Hello for Business Enrollment
You can use Okta MFA to:
- Satisfy Azure AD Conditional Access MFA requirements for your federated Office 365 app instance.
- Enroll end users into Windows Hello for Business.
Client secret rotation and key management
Rotating client secrets without service or application downtime is a challenge. Additionally, JSON Web Key management can be cumbersome. To make client secret rotation a seamless process and improve JWK management, you can now create overlapping client secrets and manage JWK key pairs in the Admin Console. You can also create JWK key pairs from the admin console without having to use an external tool. See Manage secrets and keys for OIDC apps.
Application SAML Certificates
Separate SAML signing certificates are now assigned when admins create new SAML applications or configure SAML-enabled OIN apps. Okta previously created SAML certificates that were scoped to an entire org. With this feature, SAML certificates are issued and scoped at the application level to provide more fine-grained control and a more secure solution overall. See Create SAML integrations using the AIW.
Okta API access with OAuth 2.0 for Org2Org
Previously, the Org2Org integration only supported token-based access to the Okta API. You can now configure the Org2Org integration to access the Okta API as an OAuth 2.0 client. This increases security by limiting the scope of access and providing a better mechanism to rotate credentials. See Integrate Okta Org2Org with Okta.
Enhancements
PKCE is a verification method for OIDC SPA and Native app integrations
The OIDC App Integration Wizard now identifies that PKCE is not a client authentication method. Instead, for SPA and Native apps, the AIW creates apps listing PKCE as a verification method. See Create OIDC app integrations using the AIW.
Add agent permissions to custom admin roles
Custom admins can perform AD agent auto-updates for AD instances they have access to. They can also view the agents dashboard page to see the statuses of all agents associated with app instances they can manage. See Automatically update Okta agents.
Group count tooltip on the Admin Dashboard
On the Admin Dashboard, the Overview section now provides an "Includes only Okta sourced groups and excludes those sourced externally, such as AD groups" tooltip for the Groups count. The new tooltip helps you understand how your groups count is calculated. You can view the tooltip by hovering your cursor over the Groups count on the Overview section. See View the org overview.
Okta End-User Dashboard enhancements
- Unread notifications are more visible to users.
- The End-User Dashboard Preview function bar has moved to a separate dialog. See Manage End-User Dashboard tabs.
- The Last sign in link at the bottom of the Okta End-User Dashboard now includes the entire text of the message in the hyperlink.
- The title of the copy password dialog in the Okta End-User Dashboard is more specific.
System Log enhancements for block zone events
- The zone.make_blacklist event in the System Log now encompasses two actions: when an admin creates a blocked network zone, and when an admin marks an existing blocked zone as unblocked. Previously, this event was only recorded when a pre-existing network zone was converted into a block list.
- The zone.remove_blacklist System Log event now encompasses two actions: when a network zone is converted into an allow list, and when an admin deletes a blocked zone. Previously, this event was only recorded when a pre-existing network zone was converted to an allow list.
System Log enhancement for network zone events
A network zone ID is now added as a target for all network zone events in the System Log.
Enhancements to ThreatInsight
ThreatInsight is improved to further protect rate limit consumption from malicious actors. Requests from actors with a high threat level continue to be logged and/or blocked depending on the org's configuration. Now, additional requests that seem malicious but have a lower threat level no longer count towards org rate limits.
OIN Catalog enhancements
Integrations in the OIN Catalog help end users address issues across a variety of industries. Okta has added the ability to filter integrations by industry to help both prospective and current Okta users identify the OIN integrations that best meet their needs. Additionally, the OIN Catalog interface has been updated with the following enhancements for improved navigation:
- The search interface has been updated and popular search terms can now be selected.
- Details pages for integrations have been updated for usability.
- Navigation breadcrumbs have been added to the OIN Catalog.
- Integrations can now be sorted alphabetically and by recently added.
OIN Catalog search functionality and filter updates
- OIN Catalog search results now prioritize complete word matches from the search phrase.
- Integrations in the OIN Catalog can now be filtered by RADIUS functionality.
OIN Manager enhancements
The OIN Manager now requires that ISV submissions for SCIM integrations confirm that the integration meets API response timing requirements. See Publish an OIN integration.
Auto-update task no longer requires pip
The device trust enrollment and renewal script on macOS no longer requires the pip package manager to install Python pyOpenSSL packages.
Early Access Features
New Features
Trusted Origins for iFrame embedding
You can now choose which origins can embed Okta sign-in pages and the Okta End-User Dashboard using Trusted Origins for iFrame embedding. This feature offers more granular control over iFrame embedding than the existing embedding option in Customization, which doesn't let you distinguish between secure and non-secure origins. Trusted Origins under Security > API allows you to selectively configure the origins you trust. It also provides enhanced security because it uses the more secure frame-ancestors directive in Content Security Policy, which protects your data from web attacks such as clickjacking. See Trusted Origins for iFrame embedding.
New permissions for custom admin roles
Super admins can now assign these new permissions to their custom admin roles:
- Manage authorization server
- View authorization server
- Manage customizations
- View customizations
The authorization server permissions can be scoped to all or to a subset of the org’s authorization servers. With these new permissions, super admins can now create custom admin roles with more granular permissions for managing their org’s customizations and authorization servers. See About role permissions.
Additional resource and entitlements reports
Reports help your Okta org manage and track user access to resources, meet audit and compliance requirements, and monitor organizational security. The following reports are now available:
- Group Membership report: Lists individual members of a group and how membership was granted.
- User App Access report: Lists which users can access an application and how access was granted.
Fixes
General Fixes
OKTA-386570
If an LDAP interface bind request failed, subsequent searches failed with an internal server error instead of a permissions denied error.
OKTA-435855
Web and SPA app integrations created with an Authorization code or Interaction code grant type incorrectly returned an error if the Login Initiated By Either Okta or App option was selected.
OKTA-472350
Group push mapping for multiple Org2Org applications failed for some customers.
OKTA-476896
On the Administrators page, deactivated users with assigned admin roles were included in the Individually assigned count.
OKTA-477494
Some invalid EL expressions incorrectly passed validation.
OKTA-477634
Some users experienced delays when searching for an app on the Okta End-User Dashboard.
OKTA-481752
When users tried to enroll in Okta Verify, VoiceOver screen readers didn't highlight the mobile device type correctly or allow users to select a device. It also selected the iPhone option even though the Android option was also available.
OKTA-482435
When admins upgraded an app to SAML 2.0, the SAML 2.0 setup instructions used the org-scoped certificate instead of the app-scoped certificate.
OKTA-484366
Admins couldn’t use the objectGuid attribute as a unique identifier when integrating AD LDS LDAP servers with Okta.
OKTA-488233
Parallel JIT requests for the same username created duplicate users.
OKTA-488428
Some users lost the ability to reveal passwords for an app when the app drawer feature was enabled.
OKTA-488663
When Full Featured Code Editor was enabled, the full screen toggle on the error page code editor didn’t change to a minimize icon.
OKTA-489050
Sometimes an error message was displayed when admins viewed applications in the Admin Console.
OKTA-491164
Some admins weren’t assigned the Admin Console when they were added to a group with assigned admin roles.
OKTA-491264
Sometimes when a super admin deleted a custom admin role that contained email notifications, admins couldn’t update their email notification settings.
OKTA-495549
When groups were exposed in the LDAP interface directory information tree, some filters referencing the entryDn attribute returned the incorrect result code if the group wasn’t found.
OKTA-495598
AD-sourced users who reset their passwords in AD had to reset their passwords again when using IWA or ADSSO to sign in to Okta.
App Integration Fix
The following SWA app was not working correctly and is now fixed:
- NDFR/SDU (OKTA-485335)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Cisco Umbrella User Management: For configuration information, see Cisco Umbrella - Provision Identities from Okta.
- Dialpad: For configuration information, see Dialpad + Okta | SCIM Instructions.
- Heap Analytics: For configuration information, see SCIM Provisioning: Okta.
SAML for the following Okta Verified applications:
- Common Room (OKTA-483683)
- Datto Workplace (OKTA-487599)
- Sounding Board (OKTA-489395)
Weekly Updates

Fixes
General Fixes
OKTA-468575
Attempting to upload a new or replacement certificate to an existing RADIUS application resulted in an error.
OKTA-469428
Users could set their username as an answer to a security question if the case of at least one character was different.
OKTA-478259
When a super admin assigned an admin role to an ineligible group, the resulting error message was unclear.
OKTA-478844
Token endpoint events weren’t logged as expected by the System Log and Splunk.
OKTA-482807
Admins received a ${request.date} is required error when they tried to add a translation for the New Sign-On Notification email template.
OKTA-485981
Admins were able to save a Global Session Policy rule to deny sign-in attempts from specified zones even though no zones were selected.
OKTA-491554
The Client Secret UI didn’t render properly when users switched between authentication methods in an app instance.
OKTA-493632
A hyphen was incorrectly added to an app's tooltip when an end user hovered over the app on the End User Dashboard.
OKTA-498263
The Activate/Deactivate button for Password Policy didn’t work.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- CUES (OKTA-486595)
- GetFeedback (OKTA-488495)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Britive: For configuration information, see Integrating Okta for Provisioning.
- Uber for Business: For configuration information, see Configuring Okta Provisioning for Uber.
SAML for the following Okta Verified applications:
- Britive (OKTA-487233)
- OpsLevel (OKTA-484506)
- Planview ID (OKTA-487235)
April 2022
2022.04.0: Monthly Production release began deployment on April 4
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Sign-In Widget, version 6.2.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta On-Prem MFA Agent, version 1.4.9
This version of the agent contains security enhancements. See Okta On-Prem MFA agent version history.
Okta Browser Plugin, version 6.9.0 for all browsers
This version includes the following changes:
- Keyboard navigation didn't work properly when users attempted to switch to a new app list in the plugin popover window. Users were unable to close the plugin popover window with keyboard input.
- Version 6.8.0 of the plugin caused issues for some users when they attempted to sign in to an SWA app in an iframe.
Admin Experience Redesign toggle removed
The toggle that allowed super admins to switch between the Admin Experience Redesign and the old experience has been removed. All Okta admins now benefit from our restyled Okta Admin Dashboard, responsive navigation side bar, and modern look and feel.
Allow or deny custom clients in Office 365 sign-on policy
You can filter specific clients in an Office 365 app sign-on rule to allow or deny them access to Office 365 resources. This filter can be used to deny access to untrusted clients or to only allow trusted clients. See Allow or deny custom clients in Office 365 sign-on policy.
Improved AD group membership synchronization
The ADAppUser distinguished name field is now updated when a user is added to an Okta group and a matching group exists in AD. When an Okta provisioning request moves a user to a new organizational unit, the change is quickly duplicated in AD. This new functionality helps ensure the accuracy and integrity of AD group membership information. See Manage Active Directory users and groups.
New App Drawer
The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.
ShareFile REST OAuth
Admins can now upgrade to the latest version of our ShareFile integration. OAuth provides more secure authentication and will now be used for Provisioning and Imports. See Configure ShareFile OAuth and REST integration. This feature is made available to all orgs.
Enhancements
Federation Broker Mode UI improvements
The user interface prompts for Federation Broker Mode have been improved to provide more information about the feature. This feature can also be enabled through the OIDC app creation wizard. See Enable Federation Broker Mode.
Recent activity page link for end users
If Recent Activity is enabled, users can click Last sign in in the footer of the left navigation bar to go directly to the Recent Activity page.
Burst rate limits available on Rate Limit Dashboard
The Rate Limit Dashboard, available from the Admin Console, now includes data on burst limits in your Okta org, in addition to rate limit warnings and violations. The Violations dashboard was renamed Events to acknowledge the increase of scope, and includes the ability to filter on timeline as well as the type of event (warning, burst, and violation). Hovering over the burst rates in the graphs provides more detail and links to the system log for individual endpoint calls. The individual Usage graphs provide details on bursts for the individual API. See Rate limit dashboard and Burst rate limits.
New ThreatInsight enforcement action
If you configure ThreatInsight to log and enforce security based on the threat level detected, ThreatInsight can either limit or block authentication requests from suspicious IP addresses. For example, if a specific IP address is suspected of malicious activity but the threat level is considered low, authentication requests from the IP address are not denied access but might be subjected to a rate limit. See Configure Okta ThreatInsight.
New MFA help link
A new help link appears on Okta-hosted custom Sign-In Widgets. This link directs users to a page where they can learn more about the MFA options available when they sign in. See Customize text on the sign-in page.
PIV IDP user profile mapping
You can now use idpuser.subjectUid in an Okta user profile when mapping IDP Username for Personal Identity Verification (PIV) IDPs. See Add a Smart Card identity provider.
Custom app logo preview
Admins can now preview a custom logo before applying it to an app. See Customize an application logo.
Updated error message for Microsoft Graph API
An error message for Microsoft Graph API has been updated to include more details and a possible workaround.
Debug logging for token exchange
The following fields have been added to the System Log for assistance in debugging OAuth2 token exchange events:
- requested_token_type
- subject_token_type
- actor_token_type
- resource
Updated SAML setup instructions
Setup instructions for SAML 2.0 apps now use the per-app SHA2 certificate during app creation.
Change to the number of free SMS messages allowed
To balance growing costs of SMS usage while maintaining a commitment to developer and free trial orgs, Okta is changing the number of free SMS messages these orgs are allowed each month. Beginning April 4, 2022, orgs may send a maximum of 100 messages per month. For more information about this change, visit the Okta Developer Community.
Early Access Features
Enhancement
Splunk available for Log Streaming
Many organizations use third-party systems to monitor, aggregate, and act on the event data in Okta System Log events.
Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as the Splunk Cloud in near real time with simple, pre-built connectors. Log streaming scales well even with high event volume, and unlike many existing System Log event collectors, it doesn't require a third-party system to store an Okta Admin API token. See Log Streaming.
Fixes
General Fixes
OKTA-442031
Some Okta Mobile sign-in flows didn’t work for admins when the Okta Admin Console app required step-up authentication.
OKTA-460284
SAP Litmos imports failed with an unexpected error.
OKTA-472816
When app admins selected the Agents tab, the error message “Error rendering agents monitor table” appeared and no agents were listed.
OKTA-473180
Sometimes AssertionId for SAML1.1 assertions was poorly formatted.
OKTA-475767
Sometimes, in the Groups page Description column, an equals sign (=) replaced the forward slash ( / ) in LDAP-sourced group names.
OKTA-475773
Users could continue to use the Okta IWA Web agent to sign in to Okta when delegated authentication was disabled.
OKTA-475774
Users could use ADSSO to sign in to Okta when delegated authentication was disabled.
OKTA-478467
Admins who didn’t have permission to view the Agent monitors page received agent auto-update email notifications.
OKTA-479110
The sender email address on the Customizations > Emails page was inconsistent with the sender email address on individual templates.
OKTA-479701
Admins were shown events that were unrelated to their account in the Security Events section of the Recent Activity page.
OKTA-481319
An attribute for an app couldn't be re-added as a different type with the same variable name.
OKTA-482086
Some admins saw an error if they tried to run a report using resource sets created more than a year ago.
OKTA-482915
Admins were unable to remove unconfirmed imported users.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- MyFonts (OKTA-476809)
- Quickbooks Time Tracker (OKTA-476695)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Snow Atlas SSO: For configuration information, see Okta as SSO provider.
- Transform: For configuration information, see Configuring Provisioning for Transform.
SAML for the following Okta Verified applications:
- Atomic Console (OKTA-479344)
- Intra-mart Accel Platform (OKTA-476864)
- Mulesoft - Anypoint Platform (OKTA-461170)
- OfficeTogether (OKTA-476827)
- QTAKE Cloud (OKTA-480924)
OIDC for the following Okta Verified application:
- ResoluteAI: For configuration information, see ResoluteAI: Setting up Okta.
Weekly Updates

Generally Available
Fixes
General Fixes
OKTA-482299
When a super admin removed all admin role assignments from a user, a time-out error sometimes appeared.
OKTA-482472
Admins with view permissions could see the Edit button in the User Account section of Customizations > Other.
OKTA-483335
When users signed in to Salesforce with the OAuth app, they weren't prompted to Allow Access. This only occurred if the Salesforce app was configured and the user already had an active session.
OKTA-483338
When users signed in to Google with the OAuth app, they weren't prompted to Allow Access. This only occurred if the Google app was configured and the user already had an active session.
OKTA-484416
In orgs that included OMM apps, Okta RADIUS agents weren’t able to service authentication requests after restart.
OKTA-484971
The Recent Activity section of the Okta End-User Dashboard didn't load properly for Internet Explorer users.
OKTA-484981
Due to a race condition and its exception handling, some users synced through imports received Access Forbidden errors for some applications.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- A Bead Store (OKTA-481911)
- Adobe (OKTA-479001)
- Adobe Stock (OKTA-483342)
- American Express Business (OKTA-482556)
- Mutual of Omaha (OKTA-481802)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- fax.plus: For configuration information, see SCIM - OKTA.
- PubHive Navigator: For configuration information, see PubHive Navigator - Okta Configuration Guide.
- Tailscale: For configuration information, see User & group provisioning for Okta.
SAML for the following Okta Verified applications:
- CardinalOps (OKTA-482262)
- Curator by InterWorks (OKTA-481345)
- ModernLoop (OKTA-482260)

Generally Available
Fixes
General Fixes
OKTA-389310
The nonce length for WebAuthn challenges didn't have enough characters for the recommended level of entropy.
OKTA-461412
Reactivating some users reassigned them to deleted apps.
OKTA-473141
The Enable Provisioning link from group push led to a blank Provisioning tab.
OKTA-479938
Okta IWA agent Desktop Single Sign-on (DSSO) occasionally failed to authenticate a legitimate user when Okta was operating in safe or read-only mode.
OKTA-483618
Some app users lost static attribute mappings during a scheduled org-wide reconciliation.
OKTA-484245
Deleting a group sometimes resulted in 404 errors when admins searched for a policy.
OKTA-488985
The setup instructions for a manual WS-Federation configuration for Office 365 incorrectly displayed an SHA-2 certificate instead of the SHA-1 org-scoped certificate.
Applications
New Integrations
New SCIM Integration application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Applauz: For configuration information, see Integrating Applauz with Okta.
SAML for the following Okta Verified applications:
- Axiad Cloud (OKTA-465658)
- BizLibrary (OKTA-438712)
- Greene King (OKTA-480468)
- SendGrid (OKTA-485059)
- SourceWhale (OKTA-472980)
- TestRigor (OKTA-486166)

Generally Available
Sign-In Widget, version 6.2.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
General Fixes
OKTA-468644
When a super admin scoped a standard role to a group or app and then saved the resource set, any unsaved role assignments were removed from the Administrator assignment by role page.
OKTA-477295
When an admin deleted a user who was excluded in a group rule, the error message Failure to activate the rule appeared.
OKTA-483742
When admins deleted Okta AD agents, scheduled agent auto-updates continued and caused exception errors.
OKTA-484482
The iframeControlHideCatalog option didn't hide the Add Apps link when the Okta End-User Dashboard was embedded.
OKTA-485860
Admins whose custom admin role contained the Edit users' authenticator operations and Edit users' lifecycle states permissions could create API tokens.
OKTA-486474
Some imports hit a roadblock when import safeguards were turned off.
OKTA-487293
SAML inline hooks with an AuthNRequest sometimes failed.
OKTA-487334
The SWA copy password window on the Okta End-User dashboard contained UI issues for Internet Explorer users.
OKTA-487453
Deleted users were reindexed in Elasticsearch when admins deleted user data.
OKTA-488616
The doctype declaration wasn’t displayed in the default template for error pages code editor.
OKTA-493627
Because of a change to the cryptographic libraries in macOS 12.3 (Monterey), Okta Device Registration Task, version 1.3.2, failed to enroll or renew certificates.
OKTA-495596H
Admins couldn't customize the End-User Dashboard layout.
OKTA-495695H
A Classic Engine org couldn't upgrade to Identity Engine if its users were enrolled in Okta Mobile.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Carta (OKTA-486196)
- Chartbeat (OKTA-485773)
- Rippe and Kingston LMS (OKTA-482602)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:
- Axiad Cloud: For configuration information, see OKTA Axiad Cloud App Document.
- Loadmill: For configuration information, see Loadmill Okta SSO integration.
- Torq: For configuration information, see Configure SSO with Okta Open ID from App Catalog.
SAML for the following Okta Verified applications:
- Heap Analytics (OKTA-486230)
- Secure Code Warrior (OKTA-476859)
March 2022
2022.03.0: Monthly Production release began deployment on March 7
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Sign-In Widget, version 6.1.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta SSO IWA Web App agent, version 1.15.0
This version of the agent contains:
- Security enhancements.
- Making .NET Framework 4.6.2 the minimal supported version. Earlier versions are automatically upgraded during agent installation.
- Okta Military Cloud support.
Okta Active Directory Password Sync agent, version 1.5.0
This version of the agent includes:
- Security enhancements.
- Making .NET Framework 4.6.2 the minimal supported version. Earlier versions are automatically upgraded during agent installation.
- Okta Military Cloud support.
Okta AD agent, version 3.10.0
This version of the agent contains:
- Okta Military Cloud support.
- Bug fixes.
Okta LDAP agent, version 5.12.0
This version of the agent contains support for Okta Military Cloud. See Okta LDAP Agent version history.
Okta Provisioning agent, version 2.0.9
This release of the Okta Provisioning agent contains vulnerability fixes.
Event hooks for custom admin roles
Custom admin role events are now available for use as Event Hooks. This provides more security to admins by ensuring that they have the correct permission to perform tasks. See Event hooks.
Enhanced email macros for email template customization
Enhanced Email Macros updates the email templating engine to use Velocity Templating Language (VTL). This feature unlocks new syntax that provides enhanced conditional logic and access to all attributes in the Okta User Profile object. This allows developers and admins more customizations in their user-facing emails. See Customize email templates (Developer docs) and Customize email templates.
Enforce limit and log per client mode for OAuth 2.0 /authorize and /login/login.htm endpoints
The default client-based rate limit for OAuth 2.0 /authorize and /login/login.htm endpoints is now elevated to Enforce limit and log per client (recommended) mode. This means that if your org’s client-based rate limit was previously set to Do nothing or Log per client, the setting is changed to Enforce limit and log per client (recommended) mode.
Note that based on the email communication sent out on Feb 3, 2022 and Feb 25, 2022, these changes are not applicable to certain orgs. See Default client-based rate limit mode change.
New ThreatInsight enforcement option
ThreatInsight evaluates authentication requests to detect potentially malicious activity from IP addresses exhibiting suspicious behavior. If you enable the Log and enforce security based on threat level option, ThreatInsight can limit or block authentication requests from suspicious IP addresses based on the threat level detected. For example, if a specific IP address is suspected of malicious activity but the threat level is considered low, authentication requests from the IP address are not denied access but might be subjected to a rate limit. The rate limit helps ensure that requests from a suspicious IP address don't overload authentication services and affect legitimate traffic. However, if an IP address is suspected of malicious activity and the threat level detected is high, authentication requests from the IP address are blocked. See Configure Okta ThreatInsight.
Validation for custom message templates
If you customize the default SMS message template, the Admin Console checks the message to determine whether it contains GSM or non-GSM characters and enforces the GSM or non-GSM character limit before saving the message. This check ensures that you don't create custom SMS messages that exceed the GSM or non-GSM character limit for message segments.
If you change existing custom templates, the new restrictions are enforced if your messages contain non-GSM characters.
For more information about customizing SMS templates, see Configure and use telephony.
Custom Administrator Roles
The standard admin roles available today don’t always meet all the granular delegated administration requirements, which may result in admins having either more or fewer permissions than they need.
The Custom Administrator Roles feature allows super admins to:
- Create admin assignments with granular roles, which include specific user, group, and application permissions.
- Constrain these admin assignments to resource sets.
Use Custom Administrator Roles to:
- Increase admin productivity.
- Decentralize the span of access that any one admin has.
- Grant autonomy to different business units for self-management.
Some important things to note:
- The Administrators page has been updated with a new, more intuitive interface for managing roles and permissions. See About the Administrators page.
- Your pre-existing roles are referred to as “standard roles”. The standard role functionality is the same as earlier but the UI is different. See Use standard roles.
- You can continue using the pre-existing roles and your existing assignments remain the same.
- You can also assign custom roles to users who have standard roles assigned.
System Log events for group app assignments
When an admin role is assigned to a group, the Okta Admin Console is now assigned to the group members much faster, and an Add assigned application to group event (group.application_assignment.add) appears in the System Log. This helps super admins monitor the event activity in their org. See System Log.
Immutable unique data types for Okta LDAP and AD agent actions
Immutable unique data types can now be used with Okta LDAP and AD agent actions. The use of immutable unique data types lets admins locate users when a username is updated, or when the user is moved to another OU. Immutable unique data type support reduces the time admins spend managing users and makes sure they can always locate user profiles after an update or when a username changes.
ShareFile REST OAuth
Admins can now upgrade to the latest version of our ShareFile integration. OAuth provides more secure authentication and will now be used for Provisioning and Imports. See Configure ShareFile OAuth and REST integration. This feature is currently available for new orgs only.
Group Push enhancements
Group Push now supports the ability to link to existing groups in NetSuite. You can centrally manage these apps in Okta. This is important because it allows you to set up and push Okta groups into NetSuite instead of recreating them in NetSuite. See About Group Push.
Support for additional social Identity Providers
Social login is a form of SSO that uses existing information from a service such as Facebook, Twitter, or Google to sign in, instead of creating a new account specifically for a third-party website. Social Identity Provider (IdP) popularity varies by industry and region. We're making it easy for Okta admins to add new IdPs with out-of-the-box integrations for GitHub, GitLab, Salesforce, and Amazon, with more to come. These integrations add to our existing social IdP catalog in the OIN, allowing users to quickly sign up or sign in to your application without entering their email or creating a new password. See External Identity Providers.
Risk and behavior evaluation
To improve the visibility of risk scoring and behavior detection, all sign-in requests are evaluated for risk factors and changes in behavior. Impacted orgs can view the results of the evaluation in the System Log. See Identity providers.
Enhancements
Copy button updates
In the app settings panel of the Okta End-User Dashboard, the copy buttons for the username and password fields are renamed Copy username and Copy password.
Group assignment priority
If a group rule results in a higher group app assignment priority on an existing app user, the user is now remapped to the higher priority group assignment.
Extensibility for notifications of group push failure circumstances
Group push failure event hooks now allow customers to monitor for failures that won't be retried and use them to trigger automations, such as execution of a flow in Okta Workflows.
Group push notification improvements
Group push failure notifications have been repurposed and improved to provide better error descriptions for customers.
Early Access Features
New Features
Group search in the Admin Console
Admins can now use the Search bar to quickly find groups, in addition to users and apps. See Admin Console search.
Automatically update public keys in the Admin Console
Using private_key_jwt as your app's client authentication method requires that you upload public keys to Okta and then use the private keys to sign the assertion. Then, you must update the client configuration each time you rotate the key pairs. This is time-consuming and error-prone. To seamlessly use key pairs and rotate them frequently, you can now configure private_key_jwt client authentication in the Admin Console for OAuth clients by specifying the URI where you store your public keys. See Manage secrets and keys for OIDC apps.
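The rotation flow this feature enables, as an added example (not Okta's code and not from these release notes): a client signs a private_key_jwt assertion, and a generic authorization-server check resolves the signing key by `kid` from the JWKS document the client hosts. The client ID, token endpoint URL, key IDs and the exact claim checks are assumptions; the in-memory `hosted` object stands in for the document served at the configured URI.

```javascript
// Added example: private_key_jwt with public keys resolved from a hosted JWKS.
const nodeCrypto = require("node:crypto");

// Constructed values (assumptions): not a real org, client or key ID scheme.
const TOKEN_ENDPOINT = "https://example-org.invalid/oauth2/v1/token";
const CLIENT_ID = "0oa-example-client";

const b64url = (data) => Buffer.from(data).toString("base64url");
const fromB64url = (s) => Buffer.from(s, "base64url");

// Client side: create a key pair and the public JWK to publish at the JWKS URI.
function newClientKey(kid) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const { kty, n, e } = publicKey.export({ format: "jwk" });
  return { kid, privateKey, jwk: { kty, n, e, kid, use: "sig", alg: "RS256" } };
}

// Client side: build and sign the short-lived client assertion (RS256).
function signClientAssertion(key, nowSec) {
  const header = { alg: "RS256", typ: "JWT", kid: key.kid };
  const claims = {
    iss: CLIENT_ID, sub: CLIENT_ID, aud: TOKEN_ENDPOINT,
    iat: nowSec, exp: nowSec + 300, jti: nodeCrypto.randomUUID(),
  };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign("sha256", Buffer.from(input), key.privateKey);
  return `${input}.${b64url(sig)}`;
}

// Server side (generic model, not Okta's implementation): `jwks` is the
// document fetched from the client's configured URI.
function verifyClientAssertion(jwt, jwks, nowSec, seenJti) {
  const parts = jwt.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, claims;
  try {
    header = JSON.parse(fromB64url(parts[0]).toString("utf8"));
    claims = JSON.parse(fromB64url(parts[1]).toString("utf8"));
  } catch (err) {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm server-side instead of trusting the token header.
  if (header.alg !== "RS256") return { ok: false, reason: "alg_not_allowed" };
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === "RSA");
  if (!jwk) return { ok: false, reason: "unknown_kid" };
  const publicKey = nodeCrypto.createPublicKey({
    key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: "jwk",
  });
  const valid = nodeCrypto.verify("sha256",
    Buffer.from(`${parts[0]}.${parts[1]}`), publicKey, fromB64url(parts[2]));
  if (!valid) return { ok: false, reason: "bad_signature" };
  if (claims.iss !== CLIENT_ID || claims.sub !== CLIENT_ID)
    return { ok: false, reason: "wrong_client" };
  if (claims.aud !== TOKEN_ENDPOINT) return { ok: false, reason: "wrong_audience" };
  if (typeof claims.exp !== "number" || claims.exp <= nowSec)
    return { ok: false, reason: "expired" };
  if (typeof claims.jti !== "string" || seenJti.has(claims.jti))
    return { ok: false, reason: "replayed" };
  seenJti.add(claims.jti);
  return { ok: true, kid: header.kid };
}

// Walk one rotation: only the hosted JWKS changes, never the client config.
function rotationDemo() {
  const now = 1700000000; // constructed clock
  const seen = new Set();
  const oldKey = newClientKey("key-a");
  const newKey = newClientKey("key-b");
  const check = (key, jwks) =>
    verifyClientAssertion(signClientAssertion(key, now), jwks, now, seen);
  const out = {};
  let hosted = { keys: [oldKey.jwk] };
  out.beforeRotation = check(oldKey, hosted);
  hosted = { keys: [oldKey.jwk, newKey.jwk] }; // publish the new key first
  out.overlapOld = check(oldKey, hosted);
  out.overlapNew = check(newKey, hosted);
  hosted = { keys: [newKey.jwk] }; // then retire the old key
  out.retiredOld = check(oldKey, hosted);
  out.afterRotation = check(newKey, hosted);
  // Negative cases a verifier must reject.
  const once = signClientAssertion(newKey, now);
  verifyClientAssertion(once, hosted, now, seen);
  out.replayed = verifyClientAssertion(once, hosted, now, seen);
  const unpublished = newClientKey("key-b"); // same kid, different key pair
  out.wrongKey = check(unpublished, hosted);
  out.expired = verifyClientAssertion(
    signClientAssertion(newKey, now - 600), hosted, now, seen);
  return out;
}

console.log(rotationDemo());
```

The overlap step is what makes rotation safe: the new key is published before any assertion is signed with it, and the old key is removed only after the client has stopped using it.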
User accounts report
Use this report to view users with accounts in Okta and their profile information. It helps you manage and track user access to resources, meet audit and compliance requirements, and monitor the security of your org. The report is located in the Entitlements and Access section of the Reports page. See User Accounts report.
Enhancements
Incremental Imports for the Org2Org app
Okta now supports incremental imports for the Org2Org app. Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import. See Okta Org2Org.
Fixes
General Fixes
OKTA-404202
All imported users that are not confirmed will be removed using the Clear Unconfirmed Users tool.
OKTA-447833
Admins couldn’t set up a custom domain URL with a top-level domain of .inc.
OKTA-455641
The Edit Assignment page for the Box app didn’t handle non-alphabetical characters properly.
OKTA-457771
Some users imported from Active Directory were missing apps assigned through group assignment.
OKTA-460013
Okta will schedule group reconciliation for any assigned user that is operationalized.
OKTA-461371
VoiceOver screen readers didn’t read the descriptions for the options to send Okta Verify activation links using SMS and email.
OKTA-466022
Admins whose custom role contained the Run imports permission couldn’t view their org’s LDAP integrations.
OKTA-468707
The System Log didn't display ThreatSuspected=false for authentication events when no threat evaluation was done.
OKTA-469843
Sign-In Widget polling didn't resume when the network became available.
OKTA-470096
Group membership changes didn’t automatically activate Group Push.
OKTA-471299
When ThreatInsight evaluated sign-in attempts for unknown users, the threat level was incorrectly displayed as threatLevel=UNKNOWN in the System Log.
OKTA-471605H
In SP-initiated flows, users' sessions ended when they closed the browser even if they selected Keep me signed in.
OKTA-472304H
Group push for some customers resulted in a timeout error after one minute.
OKTA-473512
When the Custom Admin Roles feature was enabled, super admins were called Super Organization Administrators.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- Asana (OKTA-467306)
- Dashlane Business (OKTA-466333)
- Guardian Insurance (OKTA-470966)
- Loop11 (OKTA-471181)
- Names & Faces (OKTA-468537)
- Nord Layer (OKTA-469771)
- Optum Health Financial (OKTA-465956)
- QuickBooks (OKTA-467864)
- Twitter (OKTA-470889)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- ArmorCode: For configuration information, see Armorcode - How to configure Armorcode app on Okta.
- Cognism: For configuration information, see Okta SCIM Configuration setup.
- Indi: For configuration information, see Okta SSO integration with Indi.
- strongDM: For configuration information, see Set up an App in Okta for User & Group Provisioning.
- Trusona: For configuration information, see Integrating Trusona and Okta SCIM.
SAML for the following Okta Verified applications:
- Happeo (OKTA-461895)
- ScreenMeet (OKTA-466613)
- Shortcut (OKTA-461249)
- Wonderwerk (OKTA-454149)
- Zero Networks (OKTA-472331)
OIDC for the following Okta Verified applications:
- Artificial: For configuration information, see Using Okta to log in to Artificial.
- strongDM: For configuration information, see SSO with Okta.
Weekly Updates

Generally Available
Sign-In Widget, version 6.1.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
General Fixes
OKTA-374857
When admins searched for groups in the new LDAP interface, results weren’t returned if the search query contained all lowercase characters.
OKTA-375035
The error message “The operation is not allowed” appeared to users who entered their new password during self-service password recovery even though the new password was saved and could be used for authentication.
OKTA-440514
Sensitive attributes were exposed when Identity Provider routing rules contained Boolean expressions.
OKTA-452618
Admins whose custom role contained the Edit users' lifecycle states permission but not the View users and their details permission could view the Profile tab on the user page.
OKTA-457354
Updating an access policy rule through the Admin Console sometimes resulted in a browser error. This occurred if the rule was created using the Authorization Server API without an include array in the User Condition object.
OKTA-459720
Some apps that require admin configuration appeared on the App Catalog page of the End-User Dashboard.
OKTA-464002
Admins with two active Okta orgs linked together by the same company name were unable to sign in to the OIN Manager portal.
OKTA-470268
If tasks were pending, users experienced slow or unresponsive web browsers after navigating to the Tasks page of the End-User Dashboard.
OKTA-470378
Confirmation messages shown when app assignments were removed or when groups were removed from app instances were inconsistent and unclear.
OKTA-470384
Screen readers didn't properly read text in the App Settings page when the user set focus on Username or Password fields.
OKTA-470541
Sometimes importing from the SuccessFactors app integration failed after timing out.
OKTA-470701
Keyboard navigation and screen readers occasionally lost focus while in the App Settings page of the End-User Dashboard.
OKTA-471079
Users with iOS 15.3.1 devices weren’t able to change their passwords in Okta Mobile 6.29.1-14.
OKTA-472593
When the Custom Admin Roles feature was enabled, the Administrator assignment by admin, Edit resources to a standard role, and Edit resource set pages didn’t display group details for imported AD/LDAP groups.
OKTA-473963
VoiceOver screen readers didn’t read the descriptions for the options in drop-down lists on Okta Verify.
OKTA-474143
A new public key was displayed in the UI despite the new key generation operation being canceled.
OKTA-476453
Displaying the App Catalog in List View on the End-User Dashboard caused UI errors in Internet Explorer browsers.
OKTA-477943H
Admins couldn’t change the version of the Sign-In Widget for custom domains.
OKTA-478421H
When AD/LDAP users were imported into groups with assigned admin roles, the resulting admin role updates were delayed, and the Grant user privilege event didn’t appear in the System Log.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- Data.ai (OKTA-472317)
- Google Play (OKTA-470657)
- Zenefit (OKTA-472199)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- SmartHR: For configuration information, see Okta user provisioning integration with SCIM.
- Wonderverk: For configuration information, see Wonderverk's Okta documentation.
OIDC for the following Okta Verified applications:
- ePMX: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Marvin: For configuration information, see Okta Configuration Guide.
- Pretaa: For configuration information, see Pretaa Integration with Okta- OpenID Connect.

Generally Available
Sign-In Widget, version 6.1.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
General Fixes
OKTA-411070
Some administrator roles were incorrectly given access to Okta Management device and setting endpoints.
OKTA-414109
Admins who only had the View application and their details permission could see the Self Service section on the Application > Assignments tab.
OKTA-417477
Making valid changes to the device_sso or online_access scopes in the Edit Scope dialog incorrectly returned an error message.
OKTA-441233
When a super admin saved the email notification settings for a role without making any changes, the settings weren’t restored to their default values for existing admins with that role.
OKTA-457226
Some text strings on the Multifactor page weren't translated.
OKTA-463551
Lengthy app names weren't fully listed in the search index of the Okta End-User Dashboard.
OKTA-464002
Sometimes a user was unable to access app integrations in OIN Manager when the account that submitted the integration had been disabled.
OKTA-464217
Onboarding guides were still shown to new users after admins disabled the feature in Customizations > Other > Display Options.
OKTA-466304
Messages weren't descriptive for errors that occurred during SCIM integration for custom SAML apps.
OKTA-469449
Admins couldn’t change their custom sign-in page, and the wrong error message was displayed.
OKTA-469451
Send test email failed with a 500 error for some email templates.
OKTA-471670
The ThreatSuspected field was missing in the user.session.start event for Radius sign-in requests.
OKTA-473387
Variables didn’t work in the subject lines of some email templates.
OKTA-476019
Unsaved edits appeared in the read-only view of Identity Provider routing rules.
OKTA-478605
During OAuth app creation, EC public keys weren't recognized and couldn't be validated.
OKTA-479004
Some Preview orgs experienced Office 365 import failures with the error message, “An error occurred while creating the Azure Active Directory Graph API client.”
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- MyAtt (OKTA-473277)
- Nationwide Financial (OKTA-473149)
Applications
New Integrations
New SCIM Integration application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Qapita QapMap: For configuration information, see How to configure SSO between Qapita and Okta.
SAML for the following Okta Verified application:
- Ashby (OKTA-470597)

Generally Available
Fixes
General Fixes
OKTA-409838
When the Custom Admin Roles feature was enabled, admins without the View users and their details permission could see the Profile tab on the user page.
OKTA-448751
The Admin Dashboard sometimes displayed an inaccurate number of user groups.
OKTA-448946
Updating a Salesforce app username created a new user instead of pushing a profile update.
OKTA-456820
If users authenticated with a custom IdP factor, their client details weren't captured in the System Log.
OKTA-461147
The Remember My Last Used Factor functionality didn’t display all available factors, and the factor that was automatically selected hadn't been previously used.
OKTA-469698
The Office 365 Tasks app didn't take users to the Tasks tab of the Outlook web app.
OKTA-472294
When using Branding or Custom Domain features, admins who clicked a button multiple times received an error even though the action completed successfully.
OKTA-472467
Screen readers couldn't tell whether the Password input field was hidden or revealed.
OKTA-474997
The Registration - Email Verification email template didn't support translated text.
OKTA-479799
When the Custom Admin Roles feature was enabled, some admins couldn’t view groups on the Administrators > Admins tab.
OKTA-479983
The Client Secret page didn't render the UI correctly for orgs with the Client Secrets Management feature enabled.
OKTA-480151
Some Expression Language variables still appeared in automated emails.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- Angie's List (OKTA-477233)
- FortiCloud (OKTA-478241)
- Lutron (OKTA-476161)
- Tableau (OKTA-471013)
Applications
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- EZOfficeInventory: For configuration information, see Implement User Provisioning via SCIM with EZOfficeInventory and Okta.
- Qapita QapMap: For configuration information, see How to configure SSO between Qapita and Okta.
SAML for the following Okta Verified application:
- Perdoo (OKTA-472102)
OIDC for the following Okta Verified application:
- Jira SAML SSO by miniOrange: For configuration information, see OAuth/OpenID Single Sign On (SSO) into Jira using Okta.

February 2022
2022.02.0: Monthly Production release began deployment on February 7
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Sign-In Widget, version 6.0.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta AD agent, version 3.9.0
This version of the agent contains bug fixes. See Okta Active Directory agent version history.
Okta LDAP agent, version 5.11.0
This version of the agent contains:
- Support for Proxy Authorization Control version 2 (2.16.840.1.113730.3.4.18). Users who are required to change their password after it is reset by an admin are no longer prompted twice for their password when accessing the End-User Dashboard. This new functionality is available only with LDAP services that support Proxy Authorization Control version 2. To enable this feature, contact Okta Support.
- Internal improvements and bug fixes.
Burst rate limits for authentication and authorization flows
Burst rate limits provide peace of mind by ensuring an unplanned spike doesn't negatively affect the end user's experience. See Burst rate limits.
OIN catalog replaces categories with use cases
Integrations in the OIN catalog address multiple use cases beyond SSO, such as LCM, social login, and identity proofing. Okta helps prospective and current orgs identify the OIN integrations that best meet their needs by highlighting the use cases that the integrations address and the functionality that the integrations use. This information is provided on both the OIN Catalog landing page and the integration details page. Okta also provides calls to action to help users immediately find value with these integrations across the Okta product platform. Use cases and functionalities replace app categories and filters, which were previously used to sort integrations. This feature will be gradually made available to all orgs.
Provisioning to Office 365 now requires Admin Consent for Microsoft Graph API
Admins are now required to grant consent for Okta to call Microsoft Graph API to enable provisioning features for Office 365 app instances. This change prepares Okta to migrate provisioning operations to Microsoft Graph API in 2022, which will improve performance and reliability for Office 365 provisioning operations. It also enhances security for Okta customers by limiting Okta's permissions in the customer's Azure Active Directory to only those operations which are required for provisioning. Okta customers who previously configured provisioning to Office 365 are required to grant admin consent in order to make any changes to their existing provisioning settings. See Provide Microsoft admin consent to enable authentication with Okta.
Configure a custom error page
You can customize the text and the look and feel of error pages using an embedded HTML editor. When used together with a custom URL domain (required) and a custom Okta-hosted sign-in page, this feature offers a fully customized error page. For details, see Configure a custom error page.
Configure a custom Okta-hosted sign-in page
You can customize the text and the look and feel of the Okta-hosted sign-in page using form controls and an embedded HTML editor. When used together with a custom URL domain (required) and a custom Okta-hosted error page, this feature offers a fully customized end user sign-in experience hosted by Okta. For details, see Configure a custom Okta-hosted sign-in page.
Custom domains with Okta-managed certificates
When you customize an Okta URL domain, your Okta-hosted pages are branded with your own URL. Okta-managed certificates automatically renew through a Let’s Encrypt integration, a free certificate authority. Okta-managed certificate renewals lower customer developer maintenance costs and reduce the high risk of a site outage when certificates expire. See Customize the Okta URL domain.
Secondary email option for LDAP-sourced users
Admins can now enable a secondary email option for LDAP-sourced users in new orgs. When the secondary email option is enabled, LDAP-sourced users who haven’t previously provided a secondary email are now prompted to provide it on the Okta Welcome page. The prompt continues to appear until a secondary email is provided.
A secondary email helps reduce support calls by providing LDAP-sourced users with another option to recover their password when their primary email is unavailable. See Configure optional user account fields.
Password expiry for AD LDS-sourced users
Admins can now expire the passwords of AD Lightweight Directory Services-sourced users. Forcing users to change their password when they next sign in to Okta keeps passwords updated and enhances org security. See AD LDS LDAP integration reference.
Improved password status accuracy for LDAP-sourced users
The status of LDAP-sourced users is now accurately displayed on the user’s profile page. Previously, the user status incorrectly displayed Password Reset when a password was active. This update reduces the time admins need to spend monitoring and managing user passwords. See About user account status.
New features for HealthInsight
- Administrators can now enable end user email notifications when an end user changes or resets their password. See General Security and HealthInsight.
- HealthInsight now includes a recommendation for admins to enable Password Changed email notifications if the notification isn't yet enabled for the org. See Password changed notification for end users.
- HealthInsight now displays a suspicious sign-in count within the recommendation that users enable ThreatInsight in block mode. See Okta ThreatInsight.
Risk scoring improvements
Risk scoring has been improved to detect suspicious sign-in attempts based on additional IP signals. See Risk scoring.
Enhancements
Custom URL domain certificate expiration reminders
Email reminders for custom URL domain certificate expiration are now sent to super admins and org admins only.
OIN Manager enhancements
Users can now select a maximum of five app categories for ISV submissions. If an app category isn't selected, the app is placed in the all integrations category. See App information.
Error message and logging improvements
A group push mapping error message has been added to alert that a group is not active or not found. Error logging has also been improved.
Email and SMS notification renamed
The New Device Notification email and SMS messages have been renamed New sign-on notification.
New behavior for Custom User Profile link
When users click the Custom User Profile link, the page now opens in a new browser tab or window.
New System Log event when user signs in
Admins now see the user.authentication.verify event in the System Log. This event is triggered when a user successfully signs in to their account. This feature is made available to all orgs.
App notes
App notes written by an admin are now displayed for users who hover over the app on the Okta End-User Dashboard.
Masking for eight digit phone numbers
The masking algorithm now reveals fewer digits for shorter phone numbers. For example, if the phone number has eight digits, the first five digits are masked and the final three digits are visible.
Early Access Features
New Features
Additional Okta username formats for LDAP-sourced users
Three additional Okta username formats are now available for LDAP-sourced users. In addition to the existing options, admins can now select Employee Number, Common Name, and Choose from schema to form the Okta username. These new options allow admins to use both delegated authentication and Just-In-Time (JIT) provisioning with LDAP directory services. With these new provisioning options, it is now easier for admins to integrate their LDAP servers with Okta. See Configure LDAP integration settings.
Okta Epic Hyperspace agent, version 1.3.2
This EA version of the agent contains security enhancements. See Okta Hyperspace agent version history.
Fixes
General Fixes
OKTA-294735
In the email template editor, the subject was translated to the admin’s display language but the rest of the content remained in English.
OKTA-383630
Macros didn’t render correctly in the subject field for Send test email and Email preview.
OKTA-419837
The warning message for custom code editors referred to Theme builder instead of Branding.
OKTA-419847
On-Prem MFA API tokens contained scopes beyond what was required for agent operation.
OKTA-423419
Some email templates returned errors if Velocity variables weren’t enclosed in brackets. This occurred for orgs with Enhanced Email Macros enabled.
OKTA-430327
Repeatedly assigning and unassigning a user to a group that provisions applications converted that user from a group assignment to an individual assignment.
OKTA-433751
End users received errors when accessing SWA apps through the Okta End-User Dashboard if their app passwords contained ampersands.
OKTA-436486
Some orgs couldn’t save email templates containing Velocity variables. This occurred for orgs with Enhanced Email Macros enabled.
OKTA-442296
Some end users received a 400 error after signing in to the Okta End-User Dashboard.
OKTA-443420
The Admin Console became unresponsive if admins performed a search with an unlimited number of characters on the People page.
OKTA-443777
Admins couldn’t use the objectGuid attribute as a unique identifier when integrating AD LDS LDAP servers with Okta.
OKTA-451206
When admins enabled LDAP real-time synchronization, the system.agent.ad.realtimesync event erroneously appeared in the System Log.
OKTA-455372
If the information required to evaluate behavior was not available, the System Log displayed BAD_REQUEST for rules that included behavior detection.
OKTA-451159
Org2Org attempts to push users sometimes resulted in java.net.SocketTimeoutException: Read timed out errors.
OKTA-455199
Error messages weren’t shown to users who signed in to orgs using passwordless authorization and an Identity Provider from IP addresses outside of the allowed network zone.
OKTA-456690
The View logs option on the People page was available to all users.
OKTA-459571
In the Admin Console, the status of RADIUS agents randomly changed from Operational to Disrupted.
OKTA-460366
On Security > Networks > Add IP Zone, proxy IP addresses weren't explicitly identified as trusted proxy IP addresses.
OKTA-461015
Event information was missing from the Report Suspicious Activity page after users changed their password in the Sign-In Widget.
OKTA-461198
When the Custom Admin Roles feature was enabled, read-only admins could see the Assign to People, Assign to Groups, and Edit User buttons on the Applications page.
OKTA-461686
The error message DownloadedObjectsProcessJob: null id in com.okta.monolith.platform.groups.db.dto.MembershipOktaGroup appeared after a full import of LDAP attributes.
OKTA-462025
Admins who refreshed a page in the custom URL domain wizard weren’t returned to the correct step.
OKTA-462114
The ${user.login} variable appeared in default email templates.
OKTA-462312
No warning message appeared when an attribute was saved as both sensitive and required in the Profile Editor.
OKTA-462807
Some orgs couldn't provision out-of-sync users.
OKTA-463388
Some valid Philippines phone numbers were identified as invalid and rejected when users tried to enroll in SMS authentication.
OKTA-467470H
When the Okta Browser Plugin was installed, applications opened from the new End-User Dashboard into pop-up windows instead of regular browser tabs. This occurred for Internet Explorer users only.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- AppSplit (OKTA-462294)
- Auth0 (OKTA-456042)
- Dockerhub (OKTA-463515)
- FinServ (OKTA-463959)
- LoansPQ (OKTA-462410)
- MeridianLink LoansPQ (OKTA-460940)
- New Relic (OKTA-464710)
- ProtonMail (OKTA-463545)
- Salto Keys (OKTA-464469)
- WePay (OKTA-462296)
- Wikispaces (OKTA-462300)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- BrightHire: For configuration information, see Okta SCIM Integration Guide.
- CertCentral: For configuration information, see CertCentral integration with Okta-OpenID.
- Compliance Genie: For configuration information, see Compliance Genie: Setting up SSO with OKTA.
- UniPrint InfinityCloud: For configuration information, see Configuring Okta for InfinityCloud via App Catalog.
- VidCruiter: For configuration information, see Configuring SCIM with Okta.
SAML for the following Okta Verified applications:
- Compliance Genie (OKTA-456834)
- SecureCodeWarrior (OKTA-455728)
OIDC for the following Okta Verified application:
- Atomic Console: For configuration information, see Atomic Console OKTA OIN App Configuration Guide.
Weekly Updates

Fixes
General Fixes
OKTA-422710
When the Custom Admin Roles feature was enabled, admins who didn’t have the Manage groups permission could view the Actions drop-down menu on the Groups > Rules tab.
OKTA-439826
Windows Server 2008 R2 was identified as a supported operating system on the Set Up Active Directory page.
OKTA-447818
Admins could remove users from a group on the Group Profile page but couldn't remove the group membership on the User Profile page.
OKTA-452937
Admins experienced page scrolling errors when approving requests for Salesforce apps.
OKTA-455572
End users were unable to see their existing password when editing sign-in information for an SWA app.
OKTA-456429
On the App Access Locked page, the contact your administrator link was broken.
OKTA-458310
The Groups page displayed the Admin roles tab for non-AD/LDAP groups. This occurred for orgs with the Custom Admin Roles feature enabled.
OKTA-460374
When a default application was configured for the Sign-In Widget, no banner indicated to users which app they were signing in to.
OKTA-460647
UI elements for app settings on the Okta End-User Dashboard were inconsistent for admins and end users.
OKTA-460719
The Add Log Stream and Add Identity Provider pages were improperly rendered in Internet Explorer 11.
OKTA-461134
Tooltips didn't wrap properly on the Okta End-User Dashboard.
OKTA-461604
The Username field was missing for admins in the self-service app request workflow.
OKTA-462025
Admins who refreshed a page in the custom URL domain wizard weren’t returned to the correct step.
OKTA-462639
Some international SMS messages had the wrong country code displayed in the System Log.
OKTA-463346
In Internet Explorer 11, apps on the Okta End-User Dashboard displayed incorrect titles.
OKTA-463905
Super admins didn't receive an error if they saved the Administrator assignment by resource set or Administrator assignment by role page without selecting a resource set/role. This occurred for orgs with the Custom Admin Role feature enabled.
OKTA-465050
The app settings drawer incorrectly displayed a password field for SAML apps.
OKTA-466901
Custom attributes identified as cn (Common Name) were automatically mapped as username in Okta.
OKTA-471193H
Group push from Okta to Office 365 didn’t work.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Schwab Retirement Plan Center (OKTA-464739)
- SquareSpace (OKTA-466252)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Happeo: For configuration information, see Configuring Okta Provisioning for Happeo.
- Orca Security: For configuration information, see Okta SSO Configuration SCIM 2.0.
- Perimeter 81: For configuration information, see Okta (SCIM).
- Rolebot: For configuration information, see How to configure Single Sign On (OIDC) with Okta.
- SafeGuard Cyber: For configuration information, see SafeGuard Cyber Okta Configuration Guide.
SAML for the following Okta Verified application:
- CloudAlly (OKTA-453596)

Generally Available
Sign-In Widget, version 6.0.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
General Fixes
OKTA-449722
There was a spelling error in the Help link (Optional) section of the Settings > Account > End User Information page.
OKTA-456339
Admins whose custom admin role contained the Run imports permission couldn't click Back to Applications on the Applications page.
OKTA-456831
For self-service registered users, verification emails sent using the Resend Verification Email button didn’t appear in the System Log.
OKTA-461740
VoiceOver screen readers read the wrong description for the Okta Verify enrollment QR code.
OKTA-463803
Group push didn't work for orgs configured with a required custom attribute.
OKTA-464251
End users incorrectly received prompts to sign in again when nearing the end of their session lifetime.
OKTA-465665
End users saw a blank page if they signed in to the Okta End-User Dashboard with a custom domain that ended with com.com.
OKTA-466301
The following issues occurred in the OIN App Catalog on Internet Explorer 11:
- The app details page wasn’t shown when an app was selected from the Browse Integration Catalog search results.
- App details pages didn’t render correctly.
- Users weren't able to use the up and down arrow keys to navigate search results.
OKTA-466425
On the Okta End-User Dashboard, the app setting drawer's Reveal password wasn't accessible by keyboard commands.
OKTA-468607
When the Custom Admin Roles feature was enabled, newly added admins didn’t always appear on the Administrators page.
OKTA-469099
When orgs enabled both Branding and Custom Domain URL, the default domain displayed customized error pages.

January 2022
2022.01.0: Monthly Production release began deployment on January 10
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Sign-In Widget, version 5.16.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Okta Provisioning agent, version 2.0.6
This version of the agent contains security fixes. See Okta Provisioning Agent and SDK version history.
Okta On-Prem MFA agent, version 1.4.8
This version of the agent contains security fixes. See Okta On-Prem MFA agent version history.
Okta Active Directory agent, version 3.8.0
This version of the agent contains:
- Agent auto-update support
- Improved logging functionality to assist with issue resolution
- Bug fixes
Okta RADIUS Server agent, version 2.17.2
This version of the agent contains security fixes. See Okta RADIUS Server agent version history.
Delivery status of SMS messages in the System Log
Administrators can now view the delivery status for SMS messages in the System Log. For information about the new event type, see Configure and use telephony.
Feature name change: New Sign-On Notification
The New Device Notification functionality is renamed to New Sign-On Notification in the Admin Dashboard, the email notification title, and elsewhere. It refers to the email notification a user receives when there’s a sign-in event from an unrecognized device.
New permissions for custom admin roles
The following new permissions can now be assigned to a custom admin role:
- Activate users
- Deactivate users
- Suspend users
- Unsuspend user
- Delete users
- Unlock users
- Clear user sessions
- Reset users' authenticators
- Reset users' passwords
- Set users' temporary password
- Run imports.
The new permissions give super admins more granular control over their delegated org permissions. See About role permissions.
Editable Sign-in URL
End users can edit sign-in URLs for their apps on the App Settings page.
Service Principal Name functionality improvement
New Service Principal Name (SPN) functionality allows Agentless Desktop Single Sign-on (ADSSO) authentication to continue without interruption when an SPN is updated. A service account and an SPN are required for ADSSO Kerberos authentication. With this change, you can now update the SPN frequently as an additional security precaution. See Create a service account and configure a Service Principal Name.
OAuth Dynamic Issuer option
An authorization server’s issuer URL can be used to validate whether tokens are issued by the correct authorization server. You can configure the issuer URL to be either the Okta subdomain (such as company.okta.com) or a custom domain (such as sso.company.com). See .
When there are applications that use Okta’s subdomain and other applications that use the custom domain, the issuer validation breaks because the value is hard-coded to one domain or the other.
With Dynamic Issuer Mode, the issuer value in minted tokens is dynamically updated based on the URL that is used to initiate the original authorize request.
For example, if the authorize request is https://sso.company.com/api/v1/authorize, the issuer value is https://sso.company.com.
Dynamic Issuer Mode helps with:
- Split deployment use cases
- Migration use cases when customers migrate from the Okta domain to a custom domain
- Support with multiple custom domains
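A service that receives tokens from apps on both domains can replace a hard-coded issuer comparison with an exact-match allowlist. The following is an added example, not Okta code: the allowlist contents, function names, and sample claims are assumptions built from the example domains above. The check selects which trusted issuer's keys to verify the signature against; it does not replace signature verification.

```python
from urllib.parse import urlsplit

# Assumption: the only issuers this org mints tokens under, using the
# example domains from the release note (Okta subdomain + custom domain).
ALLOWED_ISSUERS = frozenset({
    "https://company.okta.com",
    "https://sso.company.com",
})


class UntrustedIssuer(ValueError):
    """Raised when a token names an issuer outside the allowlist."""


def issuer_for_authorize_url(authorize_url: str) -> str:
    """Model the release note's example: the issuer is the origin of the
    URL that initiated the authorize request."""
    parts = urlsplit(authorize_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("authorize URL must be absolute and use https")
    if parts.username or parts.password:
        raise ValueError("userinfo is not allowed in an authorize URL")
    host = parts.hostname.lower()
    port = parts.port
    return f"https://{host}" if port in (None, 443) else f"https://{host}:{port}"


def check_issuer(claims: dict, allowed=ALLOWED_ISSUERS) -> str:
    """Return the iss claim only if it exactly equals an allowlisted issuer.

    Exact string comparison is deliberate: prefix, suffix, or substring
    matching would accept lookalike hosts."""
    iss = claims.get("iss")
    if not isinstance(iss, str) or iss not in allowed:
        raise UntrustedIssuer(f"issuer not allowlisted: {iss!r}")
    return iss


def discovery_url(claims: dict, allowed=ALLOWED_ISSUERS) -> str:
    """Build the OIDC discovery URL from the allowlisted value, so signing
    keys are never fetched from a host that only the token itself names."""
    return check_issuer(claims, allowed) + "/.well-known/openid-configuration"


# Constructed sample claim sets (not real tokens).
SAMPLES = [
    ("okta-subdomain", {"iss": "https://company.okta.com", "sub": "00u1"}),
    ("custom-domain", {"iss": "https://sso.company.com", "sub": "00u1"}),
    ("lookalike-suffix", {"iss": "https://sso.company.com.attacker.example"}),
    ("trailing-slash", {"iss": "https://sso.company.com/"}),
    ("plain-http", {"iss": "http://sso.company.com"}),
    ("missing-iss", {"sub": "00u1"}),
]


def classify(samples=SAMPLES) -> dict:
    """Map each sample name to True (accepted) or False (rejected)."""
    results = {}
    for name, claims in samples:
        try:
            check_issuer(claims)
            results[name] = True
        except UntrustedIssuer:
            results[name] = False
    return results


if __name__ == "__main__":
    print(issuer_for_authorize_url("https://sso.company.com/api/v1/authorize"))
    for name, accepted in classify().items():
        print(f"{name:18} {'accept' if accepted else 'reject'}")
```
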
Rate limit dashboard
The new rate limit dashboard helps you investigate the cause of rate limit warnings and violations. You can also use it to view historical data and top consumers by their IP address.
This helps you:
- Isolate outliers
- Prevent issues in response to alerts
- Find and address the root cause of rate limit violations
You can access the dashboard using the link provided in the rate limit violation event in the System Log. See Rate limit dashboard.
You can also open the dashboard in the Admin Console to monitor API usage over a period of time, change rate limit settings, and customize the warning threshold. See Rate limit monitoring.
Error response updated for malicious IP address sign-in requests
If you block suspicious traffic and ThreatInsight detects that a sign-in request comes from a malicious IP address, Okta automatically denies the user access to the organization. The user receives an error in response to the request. From the user’s perspective, the error doesn’t reveal that the request was blocked because ThreatInsight identified the IP address as malicious.
Make Okta the source for Group Push groups
Admins can now make Okta the profile source for all members of a group that is used for Group Push. When this feature is enabled, integrated apps can't change app group memberships. This functionality allows admins to maintain the accuracy of app group membership and prevents changes to group membership after a push. See Manage Group Push.
Password change notifications for LDAP-sourced users
Password change email notifications may now be sent to LDAP-sourced users.
LDAP-sourced users secondary email prompt on first sign in
Admins now have the option to prompt LDAP-sourced users for a secondary email when they sign in to Okta for the first time. When a secondary email is provided, password reset and activation notifications are sent to the user’s primary and secondary email addresses. Duplicating these notifications increases the likelihood they are seen by users and reduces support requests. See Configure optional user account fields.
Directory Debugger for Okta AD and LDAP agents
Admins can now enable the Directory Debugger to provide Okta Support with access to Okta AD and LDAP agent diagnostic data. This new diagnostic and troubleshooting tool accelerates issue resolution by eliminating delays collecting data and improves communication between orgs and Okta. See Enable the Directories Debugger.
Enhancements
Improved SIW error messages
The Sign-In Widget now has improved JIT error messages.
OIN Manager enhancements
The OIN Manager includes the following updates for ISV submissions:
- It clarifies that OIDC and SAML integrations must support multi-tenancy.
- It clarifies that only one OIDC mode can be selected for an OIDC integration.
- It allows the format ${app.domain}/redirect_url for URIs.
- It no longer allows ISV submissions for the Social Login and Log Streaming categories. See OIN App Integration Catalog.
- It allows the use of app instance properties when configuring single logout (SLO) for SAML app integrations.
- It requires that ISV submissions specify one or more use cases. Existing submissions may need to be updated to change from previous categories to the new use cases.
Updated interstitial page animation
A new animation is displayed on a loading page when users sign in to an app from Okta.
SHA type displayed for SAML certificates
SHA type is now displayed for SAML certificates in the Admin Console.
Early Access Features
New Feature
Okta AD Agent automatic update support
Admins can now initiate or schedule automatic updates to Okta AD agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta AD agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta agents.
Fixes
General Fixes
OKTA-379478
The Medallia Mobile application dataAccess attribute wasn't automatically updated after changes were made to a user's group membership.
OKTA-412445
The SAML assertion sent by Okta to AWS exceeded the max character length supported by AWS (100,000 characters).
OKTA-420065
Launch on sign-in apps on the Okta End-User Dashboard launched multiple times after the user signed in.
OKTA-444924
An incorrect error message appeared when admins searched for groups and the Expression Language query included invalid attributes.
OKTA-447750
Users signing in to OIDC apps through Okta-hosted Sign-In Widgets on custom authorization servers received an access error message before they could provide their password.
OKTA-448006
Some branded pages used an org’s previously uploaded logo rather than their new theme logo.
OKTA-453672
When admins created custom language and country code attributes in the Profile Editor, the format property wasn’t updated and submitted.
OKTA-454206
Some admins without super admin permissions could view a link to the Admin role assignments report. This occurred for orgs with the Custom Admin Roles feature enabled.
OKTA-456082
Mitigation of CSV Injection wasn't provided in all Okta-generated CSV reports.
OKTA-456084H
Admins received a 500 Internal Server Error when attempting to delete a YubiKey in blocked status.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Bendigo Bank (OKTA-454211)
- EdgeCast (OKTA-453148)
- Maxwell Health (OKTA-454213)
- My T-Mobile (OKTA-455732)
- Redis (OKTA-454218)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Javelo: For configuration information, see Okta SCIM - Javelo App.
- Workstream: For configuration information, see Configuring SCIM for Workstream.
SAML for the following Okta Verified application:
- Regal Voice (OKTA-448791)
Weekly Updates

Fixes
General Fixes
OKTA-427502
After a Smart Card IDP was deactivated, the PIV button continued to appear when users signed in.
OKTA-443601
In the User Accounts section of the Customizations page, the incorrect term User Identity Master was used instead of User Identity Source.
OKTA-445110
Admins couldn’t search for suspended users on the Groups > People page.
OKTA-450647
When the Custom Admin Roles feature was enabled, the Admin role assignments report included deactivated admins.
OKTA-454965
Admins couldn’t unsubscribe from Okta AD agent auto-update email notifications because the Agent auto-update notifications: AD agent checkbox wasn’t available in the System notifications area of the Settings page.
OKTA-458760H
When the New Social Identity Provider integrations feature was enabled, IdP profiles weren't always saved and the Redirect Domain field wasn't available.
OKTA-461273H
Some Smartcard/PIV users were unable to sign in due to inaccessible Certificate Revocation Lists (CRL).
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Circulation (OKTA-456780)
- CWT (OKTA-455733)
- Key Bank (OKTA-455731)
- MyFitnessPal (OKTA-455735)
- Shutterstock (OKTA-456777)
- The Hartford EBC (OKTA-454220)
- TimeLog (OKTA-457372)
- Verizon Wireless Business (OKTA-455729)
- Xfinity (OKTA-457369)
Applications
New Integrations
SAML for the following Okta Verified applications:
- Blingby Live (OKTA-455293)
- BrightHire (OKTA-456906)
- Jones (OKTA-453595)
- TrackJS (OKTA-456630)

Generally Available
Sign-In Widget, version 5.16.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
General Fixes
OKTA-288443
Links from an expired session didn't redirect users to the Okta End-User Dashboard when they signed in.
OKTA-332414
The All apps filter in the Okta End-User Dashboard catalog was incorrectly translated.
OKTA-412803
An incorrect warning message containing a user’s ID appeared when OpenLDAP-sourced users attempted to sign in to Okta.
OKTA-414419
Admins with the View application and their details permission could view the Push Status drop-down menu and the Push Groups, Refresh App Groups, and Bulk Edit buttons on the Application > Push Groups tab. This occurred for orgs with the Custom Admin Roles feature enabled.
OKTA-416052
The Sort Apps button and its drop-down menu were covered by the left navigation bar on mobile devices.
OKTA-419846
RADIUS agent API tokens contained scopes beyond what was required for agent operation.
OKTA-433758
Some users created in AD and imported into Okta were missing external IDs when automatically assigned to apps.
OKTA-441218
When the Custom Admin Roles feature was enabled, third-party admins could view their admin email notification settings.
OKTA-443467
Admins were unable to sign in to the Admin Console if they had first signed in with a non-admin user account.
OKTA-446224, OKTA-455268
New admins weren’t always provisioned for Salesforce Help Center.
OKTA-446449
Memberships to Salesforce Public Groups were removed from Salesforce when group memberships were updated in Okta.
OKTA-447069
Some users were unable to access their bookmark apps after migrating to the new Okta End-User Dashboard.
OKTA-447114
Okta sent MFA reset email notifications even though the factor deactivation didn’t take effect.
OKTA-447813
Sometimes, admins were unable to remove apps from the Create a resource set page. This occurred for orgs with the Custom Admin Roles feature enabled.
OKTA-454385
Password change email notifications were incorrectly sent to end users in orgs with URLs containing api/v1/user.
OKTA-457233
The default zone name for legacy IP zones was hardcoded in English and displayed in the Admin Console as a text string that could not be localized.
OKTA-457592
On the Admin assignment by admin and Admin assignment by role pages, an error sometimes appeared when the admin removed an existing standard role from the assignment and replaced it with another role. This occurred for orgs with the Custom Admin Roles feature enabled.
OKTA-458302
When admins enabled LDAP interface app group support, the Directory Information Tree (DIT) included app instances that users couldn’t access.
OKTA-460597
When the Custom Admin Roles and CSV Directory features were enabled, admins with the Manage applications permission couldn’t access the Directory Integrations page.
OKTA-460636
When the Custom Admin Roles and Application Entitlement Policy features were enabled, admins with the Edit application's user assignments permission couldn’t assign apps to users.
OKTA-460767
Admins could click Finish multiple times after adding or updating a custom domain certificate. This resulted in duplicate API calls.
OKTA-460908
Some lengthy app names caused UI errors on the Okta End-User Dashboard.
OKTA-462342
When a user copied their username in the app drawer, they were incorrectly notified that the app's password was copied to the clipboard.
OKTA-466809H
A script error occurred when users with an embedded Internet Explorer browser attempted to sign in to Okta.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Allegra (OKTA-449137)
- Clio (OKTA-458076)
- DocuSign (OKTA-456094)
- Expedia (OKTA-455734)
- FreeAgent (OKTA-454216)
- Go to Connect (OKTA-454638)
- QuickBooks (OKTA-457705)
- SuccessFactors (OKTA-449132)
- TeamPassword (OKTA-456778)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Almanac: For configuration information, see Almanac - Okta SCIM Configuration.
- Dashworks: For configuration information, see Dashworks Integration with Okta- OpenID Connect.
- Offishall: For configuration information, see User provisioning with Okta.
- Opal: For configuration information, see Setting up Opal's Okta SCIM Integration.
- Xakia: For configuration information, see Okta App SCIM Configuration Guide.
SAML for the following Okta Verified applications:
- Almanac (OKTA-456412)
- Observe (OKTA-455308)
- ReviewInc (OKTA-457711)
- Spherexx (OKTA-453592)
- Transform (OKTA-457712)
- VidCruiter (OKTA-461233)
OIDC for the following Okta Verified applications:
- Atomic Dashboard: For configuration information, see Atomic Dashboard OKTA OIN App Configuration Guide.
- Fellow.app: For configuration information, see Fellow Okta Integration Guide (SSO).

December 2021
2021.12.0: Monthly Production release began deployment on December 13
* Features may not be available in all Okta Product SKUs.
Sign-In Widget, version 5.14.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Choose client types for Office 365 sign-on policy
When creating app sign-on policy rules to manage access to Office 365 apps, you can now specify client types such as web browser, modern auth, or Exchange ActiveSync. This allows you to apply Office 365 sign-on policies to granular use cases. See Office 365 sign-on rule options.
Branding now available in the Admin Console
This UI release provides admins and developers with an Admin Console UI to upload brand assets to customize their Okta-hosted pages. The Customizations tab in the Admin Console is now a top-level menu item in the left-hand navigation, and all Branding-related controls have been moved under it. The Settings > Appearance tab has also been removed, and its functionality moved under the Customizations tab for ease of use. See Branding.
Admin Experience Redesign toggle removed
The toggle that allowed super admins to switch between the Admin Experience Redesign and the old experience has been removed. All Okta admins now benefit from our restyled Okta Admin Dashboard, responsive navigation side bar, and modern look and feel. If you need more time to adapt to the new user experience, you can revert to the old experience by contacting Okta Support until April 2022.
Upload Logo for org deprecated
The Upload Logo for Org endpoint (api/v1/org/logo) is deprecated. Use the Upload Theme Logo (/api/v1/brands/${brandId}/themes/${themeId}/logo) endpoint instead.
Policy rule events now eligible for event hooks
The following policy rule events are now eligible for event hooks:
- policy.rule.activate
- policy.rule.delete
See Event hooks.
Salesforce Federated ID REST OAuth
Admins can now upgrade to the latest version of our Salesforce Federated ID integration. OAuth provides enhanced security and is now used for Provisioning and Imports authentication. This feature is currently available for new orgs only. See Configure OAuth and REST integration.
Localized SAML setup instructions
To achieve its objective of becoming the leader in identity and access management, Okta is actively expanding to numerous countries. To better serve this diverse market, Okta has begun localizing its customer-facing products to improve usability. To facilitate this process for SAML setup instructions, Okta will automatically provide the instructions in the user's chosen display language, if a translated version is available. Currently, a limited number of SAML setup instructions are available in Japanese. See End users: set up display language.
Okta MFA Credential Provider for Windows, version 1.3.5
This version of the agent contains:
- Security enhancements
- Internal fixes
Okta On-Prem MFA agent, version 1.4.6
This version of the agent contains updates for certain security vulnerabilities.
Okta RADIUS Server agent, version 2.17.0
This version of the agent contains updates for certain security vulnerabilities.
Okta Browser Plugin, version 6.6.0 for all browsers
This version includes minor bug fixes and improvements. See Okta Browser Plugin version history.
Enhancements
Org setting to disable device token binding
For compatibility purposes, orgs can now disable device binding. Device binding ensures that state tokens are used only by the actor who initiated the authentication flow. See General security.
SharePoint (On-Premises) instructions updated
SharePoint (On-Premises) instructions have been updated to remove SharePoint 2010 from the Downloads page.
Early Access Features
Enhancement
Admins may now enable the Recent Activity feature
The Recent Activity functionality may now be enabled or disabled by admins. Recent Activity displays recent sign-in events and associated security events so admins can track suspicious activity and keep their environment safe. See Recent Activity.
Fixes
General Fixes
OKTA-372730
Org admins couldn't add social Identity Providers.
OKTA-393284
UI errors occurred when users hovered over a locked app on the Okta End-User Dashboard.
OKTA-416595
The spinner stayed visible after a sign-in error in some orgs with security image disabled.
OKTA-430797
Password push events were not showing in the System Log when multiple domains were federated in the same Office 365 app.
OKTA-433327
App usernames weren't updated automatically on non-provisioning enabled apps.
OKTA-438888
The Client drop-down menu wasn't displayed properly when admins added a new access policy for Authorization Servers using Internet Explorer.
OKTA-439104
Random users were unassigned from applications when imported and assigned by group.
OKTA-439327
Applying admin-managed tabs to end users occasionally completed much later, after the changes were initially made.
OKTA-441168
Users were directed to the wrong step of the Log Stream creation wizard when they clicked a link to create a specific type of Log Stream.
OKTA-443459
Some users who accessed the Okta End-User Dashboard saw a blank screen.
OKTA-449400
The text field for an app’s alternative name was missing from the app drawer.
OKTA-450158
In orgs with a custom domain URL and self-service registration enabled, users who went directly to the registration link saw a 404 error.
OKTA-450543
Users weren't prompted to correct their device’s time if their device was behind the server’s time by more than five minutes or ahead by more than 65 minutes.
OKTA-450896
The search bar on the Okta End-User Dashboard produced results that were inaccessible for screen readers.
OKTA-450927
Two scrollbars were displayed for mobile users.
OKTA-457787H
Apps on the Okta End User Dashboard on Internet Explorer opened as a pop-up window instead of a new tab.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Amplitude (OKTA-449138)
- Australian Financial Review (OKTA-450189)
- Boxed (OKTA-449140)
- Google Tag Manager (OKTA-448703)
- HireFire (OKTA-448711)
- Instacart Canada (OKTA-442943)
- International SOS Assistance (OKTA-447156)
- LinkedIn (OKTA-443788)
- Mural (OKTA-443063)
- Payroll Relief (OKTA-447159)
- Safari Online Learning (OKTA-448707)
- The Hartford EBC (OKTA-448956)
- Twitter (OKTA-448961)
- XpertHR (OKTA-449721)
Applications
Application Update
The Jive application integration is rebranded as Go To Connect.
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- ContractS CLM: For configuration information, see ContractS CLM SCIM provisioning configuration with Okta.
- MURAL: For configuration information, see Configuring Provisioning for MURAL.
SAML for the following Okta Verified applications:
- Chatwork (OKTA-449761)
- ContractS CLM (OKTA-446453)
- Elate (OKTA-448860)
- WAN-Sign (OKTA-448922)
OIDC for the following Okta Verified applications:
- Ashby: For configuration information, see Configure an OIDC connection to Ashby.
- Drata: For configuration information, see Connecting Okta to Drata (Note: you need to sign in to Drata to view this documentation).
- TripleBlind: For configuration information, see Okta Configuration Guide.
Weekly Updates

Generally Available
Sign-In Widget, version 5.14.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
General Fixes
OKTA-328461
The footer in some email templates contained an incorrect link to Okta.
OKTA-410446
DebugData in the System Log didn’t include ClientSecret information.
OKTA-428685
Errors occurred when admins attempted to assign DocuSign to users.
OKTA-440608
Some admins couldn't view groups that were assigned to an app, even though their custom role had permission to view them.
OKTA-447471
Duplicate reactivation requests for the Org2Org app caused 400 errors in the System Log.
OKTA-447916
Admins received the wrong error message when they attempted to delete a custom domain.
OKTA-448321
When the Custom Admin Roles feature was enabled, groups with “#” in the group name couldn’t be assigned to a role.
OKTA-449880
When Enhanced Email Macros was enabled, the text in some default email templates was incorrect.
OKTA-451075
Security fix for the Okta Provisioning Agent. For this fix, download Okta Provisioning Agent version 2.0.6.
OKTA-451868
In new developer orgs, admins weren’t provisioned for Salesforce Help.
OKTA-452041
Attempts to sign in to the Admin Console using Safari on an iOS device were prevented by the popup blocker.
OKTA-452099
The QR verification form in the device authentication flow wasn’t pre-filled with the user code.
OKTA-454767H
Some app labels were missing in the redesigned OIN App Catalog.
App Integration Fix
The following SWA app was not working correctly and is now fixed:
- GoDaddy (OKTA-449141)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Keepabl: For configuration information, see Set up SSO with Okta.
- ValidSoft VoiceID: For configuration information, see the Validsoft VoiceID Provisioning Configuration Guide.

Fixes
General Fixes
OKTA-441896
Group attribute statements added in a SAML 2.0 integration app (AIW) didn’t appear in the Preview the SAML Assertion section.
OKTA-444246
Some SAML doc links in the Admin Console didn’t work.
OKTA-447069
End users encountered a 403 error when accessing a bookmark app after being migrated to the new Okta End-User Dashboard.
OKTA-447885
When adding a custom domain, admins received the wrong error message if they left the Domain field blank.
OKTA-448560
New users received an activation email with Velocity macros instead of their name. This occurred if the org’s profile enrollment policy didn’t require first and last names.
OKTA-448936
The Create a new resource set page couldn't display groups with & in the group name. This occurred for orgs with the Custom Admin Roles feature enabled.
OKTA-448940
The Edit resources to a standard role page displayed an error when admins searched for a group. This occurred for orgs with the Custom Admin Roles feature enabled.
OKTA-451345
The Velocity parsing engine failed when email templates contained a variable that was followed by (.
OKTA-452680
Application usage reports created asynchronously for specific groups included users that didn’t belong to the groups selected for the reports.
OKTA-454197
On the Add domain page, the Next, Remove, and Verify DNS buttons were clickable while the addition was in progress.
OKTA-456383H
CSV imports failed when using Okta Provisioning Agent, version 2.0.6. For this fix, download Okta Provisioning Agent, version 2.0.7.
OKTA-458089H
Some Netsuite imports into Okta failed with the following error failure: A SOAP message cannot contain entity references because it must not have a DTD.
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Regal Voice: For configuration information, see Okta SCIM: Manage Regal Voice users from your Okta organization.
SAML for the following Okta Verified applications:
- Imprivata Privileged Access Management (OKTA-450222)
- Lucca (OKTA-450219)
- PowerDMS (OKTA-454504)
- Rybbon (OKTA-451438)

November 2021
2021.11.0: Monthly Production release began deployment on November 8
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Sign-In Widget, version 5.13.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta LDAP agent, version 5.10.0
This version of the agent contains:
- Range attribute retrieval for group membership attributes (full support will be available in a future release)
- Real-time synchronization for user profiles, groups, and group memberships (full support will be available in a future release)
- Expired password reset support for the eDirectory LDAP service (Okta Identity Engine)
- Bug fixes
Okta RADIUS Server agent, version 2.16.0
This version of the agent contains:
- Government Community Cloud support
- Internal and security fixes
Okta MFA Credential Provider for Windows, version 1.3.4
This version of the agent contains:
- Government Community Cloud support
- Internal fixes
Okta ADFS Plugin, version 1.7.9
This version of the agent contains:
-
Government Community Cloud support
-
Internal fixes
Okta On-Prem MFA agent, version 1.4.5
This version of the agent contains:
-
Government Community Cloud support
-
Internal fixes
Okta Browser Plugin, version 6.5.0 for all browsers
Internet Explorer local storage size for the Okta Browser Plugin has been increased. See Okta Browser Plugin version history.
Brands API support for auto-detecting contrast colors
The Brands API Theme object properties primaryColorContrastHex and secondaryColorContrastHex automatically optimize the contrast between font color and the background or button color. The auto-detection feature can be disabled by updating either property value with an accepted contrast hex value. See Brands.
New default selection for MFA enrollment policies
For MFA enrollment policy rules, the Any application that supports MFA enrollment option is now selected by default. See Configure multifactor authentication enrollment policies.
New error page macros for themed templates
Custom error page templates include new macros to customize the URL (href) in addition to the button text for themed templates. See Use macros.
Custom domain SSL certification expiration warnings
To prevent service disruptions, Okta now sends admins a warning email 30, 15, and 7 days before their custom domain’s SSL certificate expires. If no action is taken, an expiration notice is sent when the certificate expires.
See Configure a custom URL domain.
Token-based SSO between native apps
Single Sign-On (SSO) between browser-based web applications is achieved by leveraging shared cookies. Unlike web applications, native applications can’t use web cookies. With Native SSO, Okta offers a token-based approach to achieve SSO between native applications.
Native SSO allows you to protect native OpenID Connect applications, such as desktop apps and mobile apps, and achieve SSO and Single Logout (SLO) between these applications. See Configure SSO for native apps.
Wildcards for OAuth redirect subdomains
Developers can now use the Apps API to set multiple redirect URI subdomains with a single parameter using the asterisk * wildcard. This feature provides convenience and flexibility in cases where subdomains vary by only a few characters. For example: https://subdomain*.example.com/oidc/redirect may be used to represent subdomain1, subdomain2, and subdomain3.
Sort applications on End-User Dashboard
End users can now sort applications alphabetically or by last added on the new Okta End-User Dashboard.
Asynchronous Application Reports
When enabled, this feature turns the generation of the Application Usage and the Application Password Health reports into an asynchronous process. Okta generates a report with the results and sends an email to the admin containing a download link for the CSV file. This enhancement is ideal for orgs with large amounts of user activity, as the generated reports can cover a greater range without timing out. See Application Usage report and App Password Health report.
Risk scoring improvements
Risk scoring improvements are being slowly deployed to all organizations. See Risk scoring.
Password expiry warning for LDAP group password policies
You can now configure an LDAP group password policy to provide users with a password expiry warning when their LDAP password is about to expire. Providing a password expiry warning in advance prevents users from losing access to shared resources and reduces the likelihood that you’ll need to reset passwords. See Configure a password policy.
Create and manage group profiles
You now have the flexibility to manage the default profile for Okta groups in the Profile Editor. This new functionality simplifies group management and lets you quickly add, edit, or remove custom profile attributes to groups. See Work with profiles and attributes. This feature will be gradually made available to all orgs.
Litmos supports Advanced Custom Attributes
We’ve enriched our Litmos integration to support Advanced Custom Attributes for the user profile. This allows you to add fields into the Okta user profile. See Litmos Provisioning Guide.
AES-GCM encryption support for SAML assertions
To secure SAML assertions from attacks and to adopt a stronger security mechanism, Okta now supports AES128-GCM and AES256-GCM encryption modes in addition to AES-128 and AES-256 for SAML applications.
Enhancements
New System Log events for custom domain setup
The following events are added to the System Log:
system.custom_url_domain.cert_renew
system.custom_url_domain.delete
Existing events now include CustomDomainCertificateSourceType.
OIN App Catalog user interface changes
The following text has been updated for consistency:
- FILTERS is now Capabilities
- Apps is now All Integrations
- Featured is now Featured Integrations
- OpenID Connect is now OIDC
- Secure Web Authentication is now SWA
Hash marks added to hex code fields
On the Branding page, hash marks are automatically added to the hex codes in the Primary color and Secondary color fields.
Event Hooks daily limit
The maximum allowable daily limit of Event Hooks for all orgs has increased from 100,000 to 200,000. A higher daily allocation of Event Hooks reduces the likelihood orgs will exceed their daily limits. See Workflows system limits.
Improved Branding preview
Branding previews now display correct text colors.
Sign-In Widget button colors standardized
To comply with accessibility contrast ratios, the default variant colors for buttons on the Okta sign-in and error pages have been standardized to use the Okta design system.
Early Access Features
New Features
Log Streaming
While Okta captures and stores its System Log events, many organizations use third-party systems to monitor, aggregate, and act on event data.
Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as Amazon EventBridge in real time with simple, pre-built connectors. They can easily scale without worrying about rate limits, and no admin API token is required. See Log Streaming.
Enhancements
Edit resource assignments for standard roles
Super admins can now quickly and easily search for, add, and remove the resource assignments for a standard role. See Edit resources for a standard role assignment.
Manage email notifications for custom admin roles
Super admins can configure the system notifications and Okta communications for custom admin roles. Configuring the email notifications helps ensure admins receive all of the communications that are relevant to their role. See Configure email notifications for an admin role.
New Velocity email templates
Orgs with Enhanced Email Macros enabled can now customize Factor Reset and Factor Enrollment email templates with Velocity Template Language. See Customize an email template.
Fixes
General Fixes
OKTA-243898
When multiple factors were required in the MFA for Active Directory Federation Services (ADFS) enrollment flow, only a single factor was enrolled before the user was allowed to sign in.
OKTA-409578
After the Microsoft ADFS (MFA) app Sign-On setting was changed to MFA as a Service, the app no longer appeared on the end-user home page.
OKTA-411306
Users weren't instructed to sign out and then sign in again when the mobile device management (MDM) remediation screen appeared during Intune setup.
OKTA-412100
The Identity Provider factor name wasn’t updated when the admin changed the Identity Provider name.
OKTA-412459
The YubiKey report didn’t list all YubiKeys when the user sorted the entries by Status.
OKTA-417499
When the Remove Group endpoint was called with an invalid group profile attribute, the group wasn't removed.
OKTA-418219
Sometimes when a super admin assigned several standard roles to a group at a time, some of those roles didn’t appear on the Groups page.
OKTA-422328
Screen readers didn't interact properly with the search bar on the Okta End-User Dashboard.
OKTA-422586
On the Suspicious Activity User Report, the Login field was incorrectly labeled Email and didn't display the primary email address of the user who reported the activity.
OKTA-425318
Admins weren't able to use the Expression Language to compare a user's status to a string.
OKTA-428079
Admins weren’t able to add multiple custom attributes to an app on the Okta End-User Dashboard.
OKTA-430675
When the super org admin role was revoked from a user, the resulting email notification didn’t include the org name or URL.
OKTA-432942
Selecting the ellipses on an app card on the Okta End-User Dashboard incorrectly opened the app instead of accessing its settings.
OKTA-434233
Users attempting to enroll an MFA factor while signing in to an OIDC app received server error messages and couldn’t complete the enrollment.
OKTA-440551
The Sort Apps function didn't work when the Okta End-User Dashboard was displayed in Dutch, Brazilian, Portuguese, Simplified Chinese, or Traditional Chinese.
OKTA-440618
For some orgs with Branding enabled, the theme was reset after an admin’s role changed.
OKTA-440816
Sometimes, when deactivated LDAP-sourced users attempted to sign in to Okta, an incorrect message appeared.
OKTA-440695
Some users saw an error when signing in to the new End-User Dashboard or OIDC apps for the first time.
App Integration Fixes
The following SAML app was not working correctly and is now fixed:
- Cloze (OKTA-440336)
Applications
Application Updates
- The configuration guide for the Vable SCIM integration is updated: Okta Users Provisioning For The Vable Platform.
- The American Express Work integration was a duplicate and has been removed from the OIN Catalog. Customers should use the American Express - Work integration.
New Integrations
New SCIM Integration Application:
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Blue Ocean Brain: For configuration information, see Configuring Provisioning for BlueOceanBrain.
OIDC for the following Okta Verified applications:
- AIB Inc: For configuration information, see How do I use Okta to log in to AIB?
- FortifyData: For configuration information, see FortifyData documentation here (you'll need a FortifyData account).
- Sonarapp: For configuration information, see Okta Single Sign-On configuration guide.
- WordPress OAuth Single Sign-On (SSO) by miniOrange: For configuration information, see Okta Single Sign-On (SSO) WordPress OAuth| Okta SSO Login.
Weekly Updates

Early Access
Okta Provisioning agent, version 2.0.4
This release of the Okta Provisioning agent contains vulnerability fixes. See Okta Provisioning Agent and SDK version history.
Fixes
General Fixes
OKTA-429081
When an admin deleted an app with Federation Broker Mode enabled, users could continue to sign in to the app.
OKTA-429782
Sometimes when the app group membership for a user was deactivated, any role assignments that were revoked from that user still appeared on the Administrators page.
OKTA-429868
API tokens for group admins didn't have the role displayed in the Security > API > Token section.
OKTA-431083
An error occurred when admins attempted to upload an IPA file to the Upload Mobile App page.
OKTA-434925
Email address change notifications were incorrectly sent to the new email address and not the old email address.
OKTA-435431
On the new Okta End-User Dashboard, end users were still able to request apps after an admin had disabled the app request feature.
OKTA-436761
End users were incorrectly prompted to copy password credentials to their clipboard when accessing SWA apps that were shared between users with admin-controlled passwords.
OKTA-439047
Sometimes, the System Log displayed Grant user privilege success events for admins when there were no changes to their privileges.
OKTA-439196
The Okta End-User Dashboard displayed a blank screen to users whose clocks were incorrectly set.
OKTA-441222
When a super admin changed the role notification settings for an admin, some third-party admins with that role were included in the notification subscription.
OKTA-441434
The View Setup Instructions link was broken on the Add Identity Provider page.
OKTA-444012
Branding features weren’t visible in the navigation menu of the legacy Admin Console.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Alibaba Cloud (Aliyun) (OKTA-439430)
- Apple Store for Business (OKTA-439233)
- ID90 Travel (OKTA-435212)
- MessageBird (NL) (OKTA-440295)
- Screen Leap (OKTA-440292)
- TD Ameritrade (OKTA-436146)
Applications
New Integrations
SAML for the following Okta Verified applications:
- Agencyzoom (OKTA-436124)
- Altruistiq (OKTA-440339)
- Auvik (OKTA-435860)
- Ceresa (OKTA-437597)
- Clumio (OKTA-440285)
- Workstream (OKTA-441160)
SWA for the following Okta Verified application:
- Greene King (OKTA-441236)
OIDC for the following Okta Verified application:
- Luma Brighter Learning: For configuration information, see Okta/Luma SSO.

Fixes
General Fixes
OKTA-419946
When an admin assigned an app to a user, the Edit User Assignments window appeared too small.
OKTA-428017
When the Custom Admin Roles feature was enabled and an admin searched for a group to assign to a role, the list of groups didn’t display their respective app logos.
OKTA-436016
In orgs with deleted groups, admins couldn't run the Admin role assignments report.
OKTA-438793
On the Admin Dashboard, the Overview section displayed an incorrect Updated at time between 12:00 AM and 1:00 AM.
OKTA-441161
When a super admin edited the User Account customization settings, an error occurred after they verified their password.
OKTA-443995
End users were unable to add org-managed apps to the Okta End-User Dashboard after admins had enabled self-service.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- HelpSpot Userscape (OKTA-440296)
- Instacart Canada (OKTA-442946)
- Moffi (OKTA-442915)
Applications
New Integrations
SAML for the following Okta Verified applications:
- Autodesk (OKTA-425911)
- YesWeHack (OKTA-443624)
OIDC for the following Okta Verified applications:
- Autodesk: For configuration information, see Okta SCIM Setup.
- Clearwage: For configuration information, see Single Sign-On configuration guide.
- Moqups: For configuration information, see Set up SCIM for Okta.
- Profit.co: For configuration information, see Configure OKTA User Provisioning for Profit.co.

Generally Available
Sign-In Widget, version 5.13.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
General Fixes
OKTA-373558
App approval forms incorrectly listed deactivation options and available licenses for Google Workspace.
OKTA-414394
On the Applications page, some admins with a custom role could view the buttons for actions that they didn’t have permission to perform.
OKTA-414517
Users who self-registered but hadn’t completed activation were deactivated if they attempted to sign in with a Google IdP.
OKTA-424842
On the Select assignments to convert page, eligible users didn't appear in the user list.
OKTA-424897
When using the Self-Service Registration feature, users with slower internet connections could click Register again while the account was being created.
OKTA-431945
Sometimes when a third-party admin role was assigned through the public API, the admin's status didn't change in the Okta Help Center.
OKTA-433439
Push Profile updates sometimes failed due to a missing Effective Date value.
OKTA-434556
In Try Okta Free orgs, the Days left in your trial banner didn’t always display the correct number of days.
OKTA-434789
When Veeva Vault was provisioned, the authentication rate limit was incorrectly applied to bulk operations.
OKTA-435148
Unique attributes were retained when admins used a CSV file to import user attributes and the import was unsuccessful.
OKTA-438657
When a custom admin role had the View application and their details permission, admins with that role couldn’t access OIDC applications.
OKTA-441490
When previously deactivated users with expired passwords were reactivated and allowed to sign in using their Personal Identity Verification (PIV) cards, they were required to reset their passwords.
OKTA-442991
When the Custom admin roles feature was enabled, the Administrator assignment by admin and Administrator assignment by role pages displayed the Edit button for admin roles that couldn’t be constrained to a resource.
OKTA-443494
When MFA for Active Directory Federation Services (ADFS) was in OIDC mode and two users were assigned the same custom name, an incorrect error was returned.
OKTA-445826
The help link was incorrect for Settings > Customization > Configure a custom URL domain.
OKTA-453056H
When accessing reports, report admins received a 403 error.
OKTA-453535H
An older library for the RSA and RADIUS agents caused potential security issues in certain situations.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- American Funds Advisor Client Login (OKTA-442550)
- Bank of America CashPro (OKTA-444481)
- M&T Bank - Commercial Services (OKTA-447154)
- Nimble (OKTA-444703)
- The Trade Desk (OKTA-445291)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Aerofiler: For configuration information, see AEROFILER SINGLE-SIGN ON GUIDE.
- Clearwage: For configuration information, see Single Sign-On configuration guide.
- NeuraLegion: For configuration information, see Enabling SCIM Provisioning between Okta and NeuraLegion.
- ValueCloud by DecisionLink: For configuration information, see Configuring Okta Provisioning for ValueCloud.
SAML for the following Okta Verified applications:
- ParkOffice (OKTA-445142)
- SecZetta (OKTA-446467)

October 2021
2021.10.0: Monthly Production release began deployment on October 11
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Sign-In Widget, version 5.12.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Okta Active Directory agent, version 3.7.0
This version of the agent contains:
- Government Community Cloud support
- Improved logging functionality to assist with issue resolution
- Bug fixes
Okta LDAP agent, version 5.9.0
This version of the agent contains:
- Government Community Cloud support
Okta SSO IWA Web App agent, version 1.14.0
This version of the agent contains:
- Government Community Cloud support
- Internal fixes
Okta Active Directory Password Sync agent, version 1.4.0
This version of the agent contains:
- Government Community Cloud support
- Security enhancements
- Internal fixes
Okta Browser Plugin, version 6.4.0 for all browsers
- For orgs that enable this feature through self-service EA, end users can now generate passwords from the Okta Browser Plugin pop-up window.
- For orgs that enable this feature through self-service EA, the Okta Browser Plugin now recommends strong passwords during SWA app sign-up.
- Plugin extension architecture for Safari has been updated to WebExtension.
SAML 2.0 Assertion grant flow
You can use the SAML 2.0 Assertion flow to request an access token when you want to use an existing trust relationship without a direct user approval step at the authorization server. The flow enables a client app to reuse an authorization by supplying a valid, signed SAML assertion to the authorization server in exchange for an access token. This flow is often used in migration scenarios from legacy Identity Providers that don't support OAuth. See .
Password management on the new Okta End-User Dashboard
Users who access the new Okta End-User Dashboard from mobile or desktop can now show and copy passwords for their apps to their clipboard. They can also use a new password management modal to edit the username or password fields for their apps.
Okta Provisioning agent incremental imports
The option to incrementally import user data is now available for the Okta Provisioning agent. Incremental imports reduce the time required for synchronization by only downloading user information that has changed since the last successful import. See Okta Provisioning Agent incremental import.
Schemas API unique attributes
The Schemas API now includes unique attributes for custom properties in Okta user profiles and the Okta group profile. You can declare a maximum of five unique properties for each user type and five unique properties in the Okta group profile. This feature helps prevent the duplication of data and ensures data integrity.
Org Under Attack for ThreatInsight
Okta ThreatInsight now has enhanced attack detection capability. “Org under attack” establishes a baseline traffic pattern and adjusts based on legitimate changes in traffic patterns. When a threat is detected, the algorithms are optimized to block all malicious requests while creating a System Log event to alert on the attack. After the attack subsides, ThreatInsight returns to its normal mode of operation. This capability enables quick blocking action during an attack. See About Okta ThreatInsight. This feature will be gradually made available to all orgs.
Enhancements
Custom footer enhancement
With Branding enabled, admins can now hide the Powered by Okta message in the footer of their Okta-hosted sign-in page and End-User Dashboard. See Configure the footer for your org.
Routing Rules performance enhancements
Performance enhancements on the Routing Rules page include optimized adding, editing, dragging, and deactivating of rules, and improved loading when the number of rules exceeds 1,000. See Configure routing rules.
Log per client mode for client-based rate limits
Client-based rate limits are now in Log per client mode for all orgs for both OAuth 2.0 /authorize and /login/login.htm endpoints. This offers additional isolation to prevent frequent rate limit violations.
Fixes
General Fixes
OKTA-325592
When LDAP delegated authentication was enabled, an incorrect event type was used to process user profile updates.
OKTA-372064, OKTA-430527, OKTA-431382
Accessibility issues occurred on the new Okta End-User Dashboard.
OKTA-420524
A password change notification email wasn’t sent to users after their password was changed by an administrator.
OKTA-421812
A Download Latest button wasn’t available for Okta LDAP agents on the Admin Console Downloads page.
OKTA-426923
When users were deleted asynchronously, the entries associated with the user weren't removed from the UniqueEntityProperty table.
OKTA-427016
When Self-Service Registration was enabled, a change to a user's email address in their profile source caused their UPN (user principal name) in Okta to also change, despite it being mapped to the username.
OKTA-427932
When Branding was enabled, the Sign-In Widget was distorted on custom sign-in pages.
OKTA-428268
When an LDAP interface (LDAPi) client had Custom Admin Roles enabled, time-out errors sometimes occurred during group member queries.
OKTA-431349
Translated versions of AD and LDAP configuration validation messages weren’t provided.
OKTA-431868
In the UI for the SuccessFactors app, options for Active User Statuses weren't displayed.
OKTA-432400
Some dialogs didn't appear on the new Okta End-User Dashboard for some users.
App Integration Fixes
The following SWA app was not working correctly and is now fixed:
- Amplitute (OKTA-429432)
Applications
Updates
- The configuration guide for the Asana SCIM integration is updated: Asana SCIM configuration guide for Okta.
- The following attributes are added to the KnowBe4 SCIM app:
  - customDate1
  - customDate2
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Lucca: For configuration information, see Synchronize Lucca users and groups with Okta.
- Seculio: For configuration information, see Okta user provisioning and SCIM integration.
OIDC for the following Okta Verified application:
- Extole: For configuration information, see Okta Instructions.
Weekly Updates

Fixes
General Fixes
OKTA-383501
When a custom admin role was assigned to an existing group with standard roles, the System Log displayed duplicate Grant user privilege events for the members of the group.
OKTA-399667
Provisioning to Zendesk failed when a user with the same email already existed in Zendesk.
OKTA-414295
For orgs with Custom Administrator Roles enabled, the page filters on the Roles, Resources, and Admins tabs of the Administrators page were labeled incorrectly.
OKTA-414339
Org2Org Push Groups sometimes failed.
OKTA-415370
On OIDC app creation, if no locale was specified, it defaulted to an invalid value (en-US).
OKTA-423420
After Branding was enabled, admins could still navigate to original Settings > Customization pages.
OKTA-426692
Provisioning (create/update) users to NetSuite failed with a Null Pointer Exception (NPE).
OKTA-427646
Group rule Okta Expression Language IF statements couldn’t include integer array attributes.
OKTA-429330
Sometimes, when an org used the Okta IWA Web Agent for Desktop Single Sign-on (DSSO), a missing objectGUID caused a 500 Internal Server Error when users attempted to sign in to Okta.
OKTA-431920
Clicking ASN Lookup when configuring a dynamic zone in the Admin Console didn't open a valid autonomous system number (ASN) lookup service.
OKTA-433981
When an admin role was constrained to a group, users with that role sometimes experienced time-out errors on the People page.
Applications
Application Updates
- The Airtable SCIM app is updated to support Group Push and Import Groups.
- The configuration guide for the Acronis Cyber Cloud SCIM integration is updated: Acronis Cyber Cloud SCIM configuration guide for Okta.
New Integrations
New SCIM Integration Application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Loom: For configuration information, see Configuring Okta provisioning for Loom.
SAML for the following Okta Verified applications:
- Docutrax (OKTA-433521)
- Testsigma (OKTA-405606)
OIDC for the following Okta Verified applications:
- KeepTruckin: For configuration information, see KeepTruckin SSO Guide.
- Sora: For configuration information, see [Okta] Sora configuration guide.

Generally Available
Sign-In Widget, version 5.12.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
General Fixes
OKTA-329002
The Custom Administrator Roles Early Access feature wasn’t available for Developer orgs.
OKTA-335217
OAuth applications granted authorization tokens on accounts for which users had not yet completed registration.
OKTA-419163
Some admins who were assigned a custom role could convert app assignments for users they weren’t constrained to.
OKTA-419532
The System Log didn’t display Client IP for user.lifecycle.create events from users created through self-service registration.
OKTA-421451
Permission attributes for the Dropbox application weren’t displayed correctly.
OKTA-421698
Password-reset failures due to sign-in policy violations didn't appear in the System Log.
OKTA-425798
The endUserDashboardTouchPointVariant property on the Brands API Theme object didn’t include a variant for LOGO_ON_FULL_WHITE_BACKGROUND.
OKTA-425804
Admins who viewed completed tasks on the new Okta End-User Dashboard couldn't see who approved or rejected the tasks.
OKTA-426548
A 500 Internal Server error appeared when sensitive attributes were included in attribute search results.
OKTA-428163
When using the Firefox browser, users were unable to edit the Forgot Password Text Message section of the Settings page.
OKTA-428329
Some admins who were assigned more than one custom role could manage the app assignments for users and groups they weren’t constrained to.
OKTA-431377
End users couldn't customize how long pop-ups were displayed on the new Okta End-User Dashboard.
OKTA-431675
When admins used the Add Person dialog in the new Admin Console to add users, automatic resizing of the dialog resulted in a "The field cannot be left blank" error message.
OKTA-431879
If admins edited their Branding theme after it had been applied to an Okta page, the changes weren’t applied until they performed a hard refresh.
OKTA-432829
With Enhanced Email Macros enabled, email templates that were previously customized or translated with Expression Language (EL) couldn’t be edited and saved due to invalid EL expressions.
OKTA-433352
Some end users lost access to the Pressbox and Genny apps when accessing them from the new Okta End-User Dashboard.
OKTA-434859
SAML Org2Org didn't work on the new Okta End-User Dashboard.
OKTA-435293
After Branding was enabled, admins couldn’t use their org logo on a white background for the End-User Dashboard.
OKTA-436513
After Branding was enabled, some orgs were unable to update their existing subdomain names.
OKTA-436732
After the MFA Factor Enrolled email template was customized with Enhanced Email Macros, its default template continued to be sent to users.
OKTA-436949
The Recently Used Apps section wasn't translated on the Settings page of the new Okta End-User Dashboard until the page was refreshed.
OKTA-437664
An Event Hook for group-based privilege change events sometimes didn't include the Okta subdomain events in the JSON response.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Alabama Power (OKTA-437660)
- Ally Bank (OKTA-435214)
- American Express - Work (OKTA-438301)
- Azure Portal Login (OKTA-436740)
- Booking Admin (OKTA-436792)
- Cat SIS (OKTA-436148)
- Cronitor (OKTA-438303)
- Exact Online (OKTA-435209)
- Grove (OKTA-438304)
- Key Bank (OKTA-438305)
- Redis Labs (OKTA-436147)
- SiteGround (OKTA-437897)
- UBS (OKTA-436149)
- Vitality (OKTA-436145)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Deel: For configuration information, see SCIM Provisioning of Users with OKTA.
- embed signage: For configuration information, see Single Sign-On & User provisioning with Okta.
- Parkable: For configuration information, see SCIM configuration.
- SecureFlag: For configuration information, see Okta Single Sign-On Integration.
- Smarp: For configuration information, see Manage users with SCIM provisioning.
SAML for the following Okta Verified applications:
- Level AI (OKTA-435557)
- Loom (OKTA-398082)
- Pima.app (OKTA-435601)
- Polytomic (OKTA-435605)
- Smarp (OKTA-415875)
OIDC for the following Okta Verified applications:
- Deepnote: For configuration information, see Okta SSO.
- Inbox Monster: For configuration information, see Okta Single Sign On Integration.
- TextUs: For configuration information, see TextUs Next + Okta SSO Process.
- Waiter.com: For configuration information, see Okta Integration.

September 2021
2021.09.0: Monthly Production release began deployment on September 7
* Features may not be available in all Okta Product SKUs.
Sign-In Widget, version 5.10.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
MFA Credential Provider for Windows, version 1.3.3
This version includes hardening around certain security vulnerabilities. See Okta MFA Credential Provider for Windows version history.
Improved new device behavior detection
Stronger signals are now used for the detection of new devices. Devices with web browsers that don't store cookies are treated as new, and trusted applications must send a unique identifier for each device as a device token. See Behavior Detection. This feature is made available to all orgs.
Enhancements
ThreatInsight default mode for new orgs
For new orgs, the default mode for ThreatInsight is now set to Audit mode. Previously, with no mode set by default, events weren't logged unless Audit mode or Block mode was enabled manually. Now with Audit mode set by default for new orgs, the security.threat.detected event is logged once a malicious request is detected. See Okta ThreatInsight.
OIN Manager enhancements
- The UI text has been clarified for the group patch batching process in the OIN Manager for SCIM submissions. See the Submit an app integration guide.
- Partners can now provide multiple support contacts, such as email addresses, support URLs, and phone numbers for customers who need assistance when installing or configuring their app integration. This information is shared with users through the app integration’s details page in the OIN catalog. See the Submit an app integration guide.
PagerDuty SSO Domain Support
Base URL is now used instead of Organization Subdomain for PagerDuty SSO configuration. This enables customers with EU domains to input their URL when they set up SSO.
Updated End-User Dashboard icon for mobile users
The End-User Dashboard icon has been updated for mobile users.
Updated Delete Person and Delete Group dialogs
The Delete Person and Delete Group dialogs now include statements to clarify what is removed when a person or group is deleted. This can include application assignments, sign-on policies, routing rules, and user profiles. This change helps admins better understand the ramifications of deleting people and groups. See Deactivate and delete user accounts and Manage groups.
Early Access Features
Enhancements
New grant type for native SSO
A new grant type, Token Exchange, is available for Authorization Server configuration. Admins can select the grant type to enable SSO for native apps. For more information see Configure SSO for Native apps.
Fixes
General Fixes
OKTA-364848, OKTA-364849, OKTA-364921, OKTA-382725, OKTA-382848, OKTA-382907
Some accessibility issues occurred on the Okta End-User Dashboard.
OKTA-386820
Group Push tasks weren't displayed on the Admin Dashboard.
OKTA-391032
Custom admins with Manage group permissions could view the Add Rule button on the Groups > Rules tab.
OKTA-393077
The View IDP Metadata link incorrectly required an active session when application-specific certificates were enabled.
OKTA-408184
A gap between the deactivation of a contractor and the activation of that user to a full-time employee caused incremental imports for Workday to fail.
OKTA-408562
On the Directory > Groups page, an icon didn’t appear for the Zendesk application.
OKTA-409182
Translations weren't provided for some unsuccessful LDAP password update error messages.
OKTA-409388
Users weren't added to groups when the locale attribute filter was set to equals in the group rule.
OKTA-411252
If an admin added an app integration but didn't complete the process and subsequently assigned it to a group, then clicking the link for the app integration through the Groups directory opened the Add app integration process instead of the settings page for that app integration.
OKTA-416414
Sign-in redirect URI requests failed due to wrapping of the designated URI in the Admin Console.
OKTA-416671
Wildcard OAuth redirect URIs failed if subdomains included underscores.
OKTA-417982
During an OAuth client lifecycle event, the debug data section of the System Log logged incorrect client IDs.
OKTA-420534
While loading, the side navigation on the new Okta End-User Dashboard was misaligned.
OKTA-421801
Some users with a custom domain URL couldn't add or edit resource sets for custom admin roles.
OKTA-421951
Adding an expiration date macro to the Password Reset email template resulted in an Invalid Expression error.
OKTA-422282
End users were able to add bookmark apps after their admins configured the App Catalog Setting to allow org-managed apps only.
OKTA-422340
The number of groups displayed in the Admin Dashboard Overview differed from the correct number of groups reported on the Directory > Groups page.
OKTA-422782
Text didn't wrap properly in the Note for requester field for app approval requests.
OKTA-425921H, OKTA-425993H
Sometimes, when users signed in to Okta and Agentless Desktop Single Sign-on (ADSSO) was enabled, groups outside of the selected organizational units were retrieved.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Avalara (OKTA-415081)
- Fisher Scientific (OKTA-422646)
- Microsoft Volume Licensing (OKTA-420160)
- Quadient Cloud (OKTA-422635)
- RescueAssist (OKTA-422643)
- WeWork (OKTA-423570)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Acronis Cyber Cloud: For configuration information, see Configuring Provisioning.
- LoopVoc: For configuration information, see Okta (Enterprise version only).
- Qooling: For configuration information, see Configuring SCIM in OKTA for Qooling.
SAML for the following Okta Verified applications:
- Anomalo (OKTA-421527)
- Paradime (OKTA-420444)
OIDC for the following Okta Verified application:
- Statsig: For configuration information, see Single Sign-On With Okta.
Weekly Updates

Fixes
General Fixes
OKTA-407869
Some error messages in the Sign-In Widget were translated from English to other languages when the user's language was English.
OKTA-417450
LDAP-sourced users weren’t able to sign in to the Okta Admin Console when their passwords expired and a password policy allowed passwords to be updated.
OKTA-418723, OKTA-420397
New Okta branding didn’t appear on some default error page templates.
OKTA-421227
On the Administrator assignment by admin page, the Copy groups and Paste groups buttons didn’t appear for standard roles that were constrained to one or more groups.
OKTA-421767
The User Profile > Admin roles tab was visible for deactivated users. For active users with no assigned roles, the button to add privileges was mislabeled Edit individual admin privileges.
OKTA-422485
Searches in the LDAP Interface didn’t return results when the search terms were capitalized.
OKTA-423616
The Push Groups page became unresponsive when admins created new group push mappings.
OKTA-424357
ThreatInsight didn't always block IP addresses that were identified as the source of password spray attacks.
Applications
New Integrations
New SCIM Integration Application
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Pop: For configuration information, see Pop: Okta Integration.
SAML for the following Okta Verified application:
- Wiz (OKTA-422626)

Fixes
General Fixes
OKTA-399959
Session timeout policy wasn't enforced during IdP-initiated login to the Admin Console.
OKTA-412102
If an admin added a rule to an app sign-on policy and named it Default sign on rule, they were unable to edit or delete the rule.
OKTA-414089
Admins with the Manage Applications custom admin permission couldn’t access the Profile Editor, Directory Integrations, or Profile Sources pages.
OKTA-414564
A Sign-in Widget message was translated into Russian incorrectly.
OKTA-420154
If client-based rate limiting was enabled, end users were sometimes presented with a 429 error instead of the sign-in page when their session expired or they signed out.
OKTA-421356
LDAP-sourced user profiles weren’t updated when an admin changed the user profile status from suspended to unsuspended.
OKTA-423419
When Enhanced Email Macros was enabled, using required variables without brackets resulted in a validation error.
OKTA-423470
Org logos on the new Okta End-User Dashboard were sometimes oversized.
OKTA-424330
Some Preview org customers received an error when accessing end-user pages after they changed their browser language to Chinese-Traditional.
OKTA-425588
Rate limit enforcement for Voice-based MFA was not mitigating certain toll fraud attacks.
OKTA-427137
DocuSign deprovisioning sometimes failed with the following error: “Adding entity to http method DELETE is not supported.”
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- 3Rivers (OKTA-424892)
- Adobe Enterprise (OKTA-424893)
- CallTower (OKTA-424894)
- Parse.ly (OKTA-422625)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- KnowBe4: For configuration information, see here (you need to sign in to KnowBe4 to access their documentation).
- Verint Community: For configuration information, see How Do I Setup User Provisioning Using SCIM?
SAML for the following Okta Verified application
- Code Climate Velocity (OKTA-424882)
OIDC for the following Okta Verified applications
- Auditrunner: For configuration information, see Auditrunner: How to Configure SSO between Auditrunner and Okta.
- Verint Community: For configuration information, see How Do I Setup User Provisioning Using SCIM?
- Workrunner: For configuration information, see Workrunner: How to Configure SSO between Workrunner and Okta.

Generally Available
Sign-In Widget, version 5.11.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
General Fixes
OKTA-393693
If an app sign-on policy required re-authentication every 0 minutes, some users were unable to reset their passwords.
OKTA-419837
When Branding was enabled, custom code editor pages displayed an incorrect warning.
OKTA-423586
Function names that include blank spaces didn’t work with Enhanced Email Macros.
OKTA-425232
When Branding was enabled, the Go to Homepage button on the Okta error page didn’t use the default Okta variant color.
OKTA-425425
When a super admin tried to generate a Current Assignment report, Okta Admin Console didn’t appear as an available application.
OKTA-426446
When a third-party admin role was assigned, the admin's status didn't change in Salesforce and the Exclude admin from receiving all admin-related communications rule wasn't enforced.
OKTA-430127
When Branding was enabled and later disabled, the sign-in and error pages that were customized with HTML code editors during the enabled period could be reset to their defaults.
OKTA-430524
The default password policy was sometimes being evaluated for users instead of the configured password policy.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- Frame.io (OKTA-427018)
- Google Play Developer Console (OKTA-425775)
- PNC Borrower Insight (OKTA-426061)
- Tech Data (OKTA-427022)
Applications
New Integrations
SAML for the following Okta Verified applications
- Blue Ocean Brain (OKTA-426050)
- Kintone.com (OKTA-421223)
- Skypher (OKTA-426992)
OIDC for the following Okta Verified applications
- APIsec: For configuration information, see How to Configure OKTA SSO for APISec.
- Entromy: For configuration information, see Entromy Okta SSO Integration.
- TRUCE: For configuration information, see TRUCE & Okta SSO Integration Guide.

Generally Available
Sign-In Widget, version 5.11.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
General Fixes
OKTA-327544
An HTTP 500 Internal Server Error message appeared when users attempted to sign in to Okta and their username included an asterisk (*).
OKTA-417936
During an IdP Discovery flow, routing rules were no longer observed if users clicked Back to sign in from the MFA prompt.
OKTA-420946
When admins customized the MFA Factor Enrolled or MFA Factor Reset email templates, the default template was sent to users.
OKTA-423578
Admins could create ADSSO IdP routing rules when ADSSO functionality was enabled and then disabled.
OKTA-425321
When an admin had a custom role with the Manage users and Edit users' authenticator operations permissions, they couldn’t enroll users in the YubiKey factor.
OKTA-427145
When the Admin role assignments report was filtered by a group, it didn’t include group membership admins who were constrained to that group.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- Autotask (OKTA-429728)
- Contract Express (OKTA-429434)
- DocsCorp Support (OKTA-425176)
- Google Play Developer Console (OKTA-425775)
- SAP Concur Solutions (OKTA-427469)
- Shipwire (OKTA-426103)
- Twitter (OKTA-430242)
Applications
New Integrations
New SCIM Integration Application
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Productiv: For configuration information, see Okta SSO Provisioning Setup Guide.
SAML for the following Okta Verified applications
- Jooto (OKTA-429135)
- Merge (OKTA-430337)
OIDC for the following Okta Verified applications
- Cami.AI: For configuration information, see Okta Integration with Cami.AI.
- Provarity: For configuration information, see Okta configuration guide.
- Recollective: For configuration information, see Okta Integration (Identity Provider).
- Upward Agent: For configuration information, see SSO with Okta.

August 2021
2021.08.0: Monthly Production release began deployment on August 9
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Sign-In Widget, version 5.9.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta solution visible in footer
To help admins identify their Okta solution, the version number in the footer of the Admin Console is now appended with C for Classic Engine orgs and E for Identity Engine orgs. See Identify your Okta solution.
On-Prem MFA agent, version 1.4.4
This version includes bug fixes, security enhancements, and a new version of the Log4J library. See Okta On-Prem MFA agent version history.
ADFS Plugin, version 1.7.8
This version includes bug fixes and security enhancements. See Okta ADFS plugin version history.
Root signed PIV certificate support
Certificates signed directly from a root CA certificate, with no intermediates, can now be used for Personal Identity Verification (PIV) authentication.
Multiple active user statuses for SuccessFactors integration
Support for multiple active user statuses: When importing users from SuccessFactors into Okta, admins can now select more than one active user status, such as Leave of Absence. See About SAP SuccessFactors Employee Central data provisioning.
Deleted schema property scrubber
All existing data associated with a schema property is now removed when a schema property is deleted. To prevent data corruption, the property cannot be recreated until the existing data is fully removed. Previous data is no longer restored when recreating a deleted schema property with the same definition. This new functionality prevents the corruption of profile data and the associated Elastic search issues. See Add or remove custom directory schema attributes.
This feature will be gradually made available to all orgs.
LDAP agent, version 5.8.0
This version of the agent contains:
- Password expiry warning support for Oracle Directory Server Enterprise Edition (ODSEE), Oracle Unified Directory (OUD), OpenDJ, and SunOne 5.2 LDAP directory services
Enhancements
New warning for excessive IP addresses
A warning now appears if a gateway or proxy has an IP range with more than 5 million addresses. See Create an IP zone.
Start time and end time of rate limit windows
The Rate Limit Dashboard now displays the start time and end time of the rate limit window for each data point. This helps you analyze each data point with more granularity. See Rate limit dashboard.
End-User Dashboard styling
On the new Okta End-User Dashboard, text color in the side navigation has been updated. See Enable the new Okta end-user experience.
OIN Manager enhancements
The Apps for Good category has been added to the selectable categories list. Also, other category names have been adjusted to match those shown in the OIN App Catalog.
OIN App Catalog UI improvements
If available, support contact information now appears on the details page for app integrations.
Early Access Features
New Features
Third-Party Risk
Okta Risk Eco-System API / Third-Party Risk enables security teams to integrate IP-based risk signals to analyze and orchestrate risk-based access using the authentication layer. Practitioners can step up, reduce friction or block the user based on risk signals across the customer’s security stack. Apart from improving security efficacy, this feature also enhances the user experience by reducing friction for good users based on positive user signals. See Risk scoring.
Okta Brands API
The Okta Brands API allows customization of the look and feel of pages and templates. It allows you to upload your own brand assets (colors, background image, logo, and favicon) to replace Okta's default brand assets. You can then publish these assets directly to the Okta-hosted Sign-In Page, error pages, email templates, and the Okta End-User Dashboard. See Customize your Okta experience with the Brands API.
Fixes
General Fixes
OKTA-381874
On the Agents page, admins couldn't remove deleted RADIUS agents or hide the ones that weren't in use.
OKTA-386797
Users were able to make too many attempts to enter an SMS one-time passcode when performing a self-service unlock.
OKTA-388903
Using an Office 365 thick client to open documents from the SharePoint Server didn't work consistently.
OKTA-399414
A link was broken on the OIDC Identity Provider profile mapping page.
OKTA-404612
When updating the provisioning settings for an app integration, some admins had to reload the page because the Admin Console showed a verification message and then stopped responding.
OKTA-404620
Workflow URLs with the okta-emea subdomain weren’t automatically verified when used as an Event Hook URL.
OKTA-406499
On the Admin Console Tasks page, the first 10 tasks were duplicated when Show more tasks was selected and 10 or more tasks were already listed.
OKTA-409514
If an app integration with provisioning enabled was upgraded to support the Push Groups feature, admins were repeatedly prompted to enable provisioning.
OKTA-415772
The Tasks view was missing from the new Okta End-User Dashboard.
App Integration Fixes
The following SWA apps weren't working correctly and are now fixed:
- Azure Portal Login (OKTA-411455)
- Cisco WebEx Meeting Center - Enterprise (OKTA-411543)
- Matrix Teams (OKTA-415413)
Applications
New Integrations
New SCIM Integration Application
The following partner-built provisioning integration app is now Generally Available in the OIN catalog as partner-built:
- Paylocity: For configuration information, see Configure SSO and User Provisioning with Paylocity and Okta.
SAML for the following Okta Verified application:
- Neptune (OKTA-393740)
Weekly Updates

Generally Available
Sign-In Widget, version 5.9.4
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
General Fixes
OKTA-386084
Error page templates were inconsistently formatted.
OKTA-409142
The Registration Inline Hook didn’t correctly display error messages to the user during user self-registration.
OKTA-411448
Users who enrolled in multifactor authentication using the Active Directory Federation Services integration were unable to download the Okta Verify app from the Apple App Store and the Google Play store during enrollment.
OKTA-415642
Theme colors weren’t applied to custom pages in Internet Explorer 11.
OKTA-416292
The password management modal was incorrectly minimized on the new Okta End-User Dashboard after an end user responded to the copy confirmation modal.
OKTA-417651
When admins attempted to delete or revoke a YubiKey from the Okta Admin Console, the Done button didn’t appear upon completion.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- Fannie Mae Desktop Underwriter (OKTA-416904)
- Frame.io (OKTA-416896)
- i-Ready (OKTA-416899)
- InternationalSOS (OKTA-415410)
- LifeLock (OKTA-413854)
- Milestone Xprotect Smart Client (OKTA-416893)
- SDGE (OKTA-416903)
- ShipStation (OKTA-416897)
- Simple Sales Tracking (OKTA-416906)
- Washington Post (OKTA-416908)
- Yodeck (OKTA-415411)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:
- GitHub AE: For configuration information, see Configuring Provisioning for GitHub AE.
- LoopVoc: For configuration information, see Single Sign On (SSO): Okta (Enterprise version only).
- MaestroQA: For configuration information, see MaestroQA/Okta SCIM configuration guide.
- MaestroQA-Enterprise: For configuration information, see MaestroQA-Enterprise/Okta SCIM configuration guide.
- Sentry: For configuration information, see Okta SCIM Provisioning.
SAML for the following Okta Verified application
- Hiretual (OKTA-413861)
OIDC for the following Okta Verified application
- Seamless.AI: For configuration information, see Connecting and Setting up Okta SSO.

Fixes
General Fixes
OKTA-309646
The scroll bar didn't function as expected while adding a new access policy to an authorization server.
OKTA-364838
Some accessibility issues occurred on the Okta End-User Dashboard.
OKTA-392409
Office 365 silent activation sometimes failed if the sign-on policy required re-authentication.
OKTA-407591
Prompts initiated by an admin to reset an end user’s password for an SWA app weren't displayed on the Okta End-User Dashboard.
OKTA-410027
When a user was deleted, the AlternateId field in the System Log displayed the user’s Okta identification number and not their email address.
OKTA-412526
The Note for requester field within the self-service app request approval settings didn't properly display messages.
OKTA-414136
The Office 365 integration in the Okta App Catalog showed a Group Linking option that wasn't available for Office 365.
OKTA-414387
End users who attempted to use a custom sign out URL were presented with a blank page on Internet Explorer 11.
OKTA-418656
Users weren’t prompted for additional authenticators after self-service password resets even though their sign-on policy required them.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Alerus (OKTA-418805)
- BenXcel (OKTA-418794)
- Inbox by Gmail (OKTA-412080)
- IBM MaaS360 (OKTA-418799)
- Redis Labs (OKTA-418789)
Applications
Application Updates
- We have added the userType attribute to the Slab SCIM schema. For details, see the Slab Okta SCIM Integration Guide.
- The FIS Global Client integration is deprecated from the OIN Catalog.
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Documo: For configuration information, see Okta Scim Configuration Guide.
- DocuSign CLM UAT: For configuration information, see Okta SCIM and SAML Integration.
SAML for the following Okta Verified applications:
- Blingby Inline (OKTA-410691)
- Panzura Data Services (OKTA-419287)
- RudderStack (OKTA-413572)
OIDC for the following Okta Verified applications:
- EZGIT: For configuration information, see Logging in with Okta single sign-on.
- Joyous: For configuration information, see Okta Single Sign-On.
- XY Sense: For configuration information, see How to add SSO Okta integration.

Fixes
General Fixes
OKTA-295856
Buttons and text were misaligned on the API > Trusted Origins tab.
OKTA-382908
A confirmation message wasn’t displayed when an admin removed the last resource from a resource set or the last permission from a role.
OKTA-385343
Group attributes weren't pushed from Okta to Active Directory (AD) as expected.
OKTA-387007
When an admin clicked Custom roles from the Overview section on the Administrators page, the Roles tab opened with the incorrect filters applied.
OKTA-402814
Users didn't receive a verification email after updating a secondary email address.
OKTA-402856
In the redesigned Admin Console, import safeguard warning messages didn’t appear on the Dashboard.
OKTA-412025
Users didn't receive a verification email after they were activated on the People page.
OKTA-413954
Certain YubiKey device make and model names didn't appear correctly on the Okta End-User and Admin Dashboards.
OKTA-417326
Some tabs and buttons on the user and group profile pages of the Custom Administrator Roles user interface were labeled incorrectly. Also, the Admin role assignment report page was called Custom reporting.
OKTA-418039
Enhanced email macros didn’t work with Branding.
OKTA-418150
On the People page, the last user with super admin permissions could be deleted without generating an error.
OKTA-418922
When a user was deleted on the People page, the PostDeleteUserEvent event type was Initiated and not Completed.
OKTA-420122
In the redesigned Admin Console, the Actions drop-down menu for SAML app certifications didn’t expand correctly.
OKTA-420740
When a theme was applied to the Okta-hosted sign-in page, the Sign in button didn’t change to the selected primary color.
OKTA-421446
The Administrator assignment by admin page didn’t load properly when the delegated admin had a standard role that was constrained to specific apps or groups.
OKTA-421481
Some Expression Language email templates didn’t work with Branding.
App Integration Fixes
The following SWA app was not working correctly and is now fixed:
- Vitality (OKTA-420790)
Applications
Application Update
The following integrations are deprecated from the OIN Catalog:
- Hiveed
- BenXcel
- FIS Global
- Nanigans
New Integrations
SAML for the following Okta Verified applications:
- Blingby Programmatic (OKTA-421181)
- Perimeter 81 (OKTA-415079)
- Snackmagic (OKTA-419393)
- Suveryapp (OKTA-420053)
SWA for the following Okta Verified application:
- Integromat (OKTA-420293)
OIDC for the following Okta Verified application:
- Hone: For configuration information, see Logging in with Okta single sign-on.

July 2021
2021.07.0: Monthly Production release began deployment on July 12
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Dedicated help sites for Okta products
Three of Okta’s products — Access Gateway, Advanced Server Access, and Workflows — now have their own dedicated help sites:
This enhancement offers direct access to independent online help sites for these products from help.okta.com. The new sites provide several benefits:
- Compactly designed, product-centric content
- Streamlined navigation
- More efficient content updates and responsiveness to customer feedback
Okta Device Registration Task, version 1.3.2
This release includes internal code refactoring. You can download this version from the Settings > Downloads section of the Admin Console.
New Domains API response properties available
The Domains API includes the new response object properties of certificateSourcetype and expiration. The certificateSourcetype is a required property that indicates whether the Certificate is provided by the user. The accepted value is Manual. The expiration property on the DNSrecord object is an optional property that defines the TXT record expiration. See Domains API.
Default end-user experience
New orgs, including those created through the org creator API or the developer.okta.com website, will have the new end-user experience enabled by default in preparation for the old end-user experience deprecation starting on October 13. Learn more about this migration and other frequently asked questions in our support article.
Disable Import Groups per SCIM integration
Admins can now choose whether or not to import groups with all SCIM integrations. This new option is available when you set up provisioning for a SCIM integration.
Note that you can't disable group imports for an app if:
- Import New Users and Profile Updates isn't enabled.
- App Assignments based on Group exist.
- Group policy rules exist.
- Group Push mappings exist.
In these cases, an error is displayed.
Nutanix support
Okta Access Gateway customers can now download and deploy the Access Gateway virtual appliance on Nutanix Acropolis Hypervisor (or Nutanix AHV), a hyper-converged infrastructure platform popular among larger organizations. This provides customers with more options for infrastructure services supported by Access Gateway, including AWS, OCI, VMWare, and now Nutanix.
Remove the ability to disable Admin Experience Redesign
You can no longer disable the Admin Experience Redesign feature for your orgs.
Note: This is not applicable for orgs that didn't have Admin Experience Redesign enabled and used the legacy experience until 2021.06.4.
Windows Hello as an MFA factor is not supported for new orgs
Windows Hello as an MFA factor is no longer supported for new orgs. Existing orgs already using this feature can continue using it.
Test custom email templates
Admins can send themselves a test email to see how their custom email templates will look and function. This allows them to validate macro attributes and translations in the customized template and to see how the template will render in different email environments. Sending the test email to their primary email address eliminates their need to create a real end-to-end workflow to test customization. For more information, see Test a customized email template.
Create LDAP group password policies
You can now create group password policies for LDAP sourced users. This gives you the flexibility to provide users with the same password policy requirements as your local LDAP directory, easing the user experience of an LDAP integration with Okta. See About group password policies and Sign-on policies.
Event Hook preview
Event Hook preview lets admins easily test and troubleshoot their Event Hooks, as well as send sample requests without manually triggering an actual event. This means admins can preview the payload of a specific Event Hook type and make sure that it's what they need to move forward before a full deployment to production. See Event Hook preview.
Enhancements
Workplace by Facebook new custom attribute
Okta now supports the is_frontline custom attribute in Workplace from Facebook. Supporting user type designations enables access for frontline and deskless workers.
OIN App Catalog UI improvements
For each app integration in the OIN App Catalog, the details page has been updated to use tabs that display the overview and the specific capabilities of the app integration. The details page also shows the Capabilities in the side navigation. Clicking a specific capability returns the administrator to the main Add Application page with that capability pre-selected in the filter. When an admin searches for app integrations, the filter is now persistent through category changes or when they refresh the page.
OIN Manager category selections
For app submissions in the OIN Manager, the category designations have been updated to match the categories available in the OIN App Catalog.
Changes to group assignment options for OIDC apps
Admins can create new OIDC applications without assigning them to a group. See Create OIDC app integrations using AIW.
HTML sanitizer for email templates
Velocity-based email templates are now processed by an HTML sanitizer. Templates that don’t conform to the rules of the sanitizer are corrected before they are sent. See Customize email templates.
Email template events
The creation and deletion of email templates are now logged as events in the System Log.
Rate limit violation event logging
Session-user and User rate violation events are now logged as operation-level events instead of org-wide events. This allows you to distinguish between rate limit violations at an org level and individual level.
Updated branding for End-User Dashboard
Okta branding on the Okta End-User Dashboard has been updated.
Early Access Features
New Feature
FIPS compliance for iOS or Android devices
Federal Information Processing Standards (FIPS) compliance is now available for iOS or Android devices. FIPS can be enabled on the Okta Verify configuration page. When FIPS compliance is enabled, admins can be confident that only FIPS-compliant software is used. See .
Enhancement
OAuth redirect URI wildcards
Admins can now use a wildcard for multiple redirect URI subdomains when configuring OIDC applications. See Create OIDC app integrations using AIW.
Fixes
General Fixes
OKTA-274754
When an admin attempted to add an app integration to their org for which the org was not entitled, the error message didn't display the org's edition name.
OKTA-380653
A user-created on-the-fly app incorrectly appeared on the Tasks page under Number of apps that can have provisioning enabled.
OKTA-397607
Sometimes the failed-sign-in counter didn’t reset to zero after an end user successfully signed in, which resulted in improper lockouts.
OKTA-400220
When OpenLDAP was used with delegated authentication, an error message containing unnecessary information appeared if users attempted to change their password and it didn't meet the LDAP complexity requirements.
OKTA-401490
LDAP import schedules weren't updated when Relative Distinguished Name (RDN) attribute mapping from Okta to LDAP was missing.
OKTA-402247
New device notifications weren't sent during passwordless sign-in flows.
OKTA-404865
Group Push for Slack caused group members to be reset and gradually re-added, during which time group members couldn't access the app.
OKTA-405351
Some deactivated SAML IdP users whose attributes were updated with Just-in-time Provisioning were activated even though the reactivation JIT setting wasn't selected.
OKTA-407292
Some users were deactivated instead of deleted in Automations.
OKTA-408802
Sometimes, during SAML app configuration, the metadata link improperly required a sign-in session.
App Integration Fixes
The following SWA app was not working correctly and is now fixed
- San Diego Gas and Electric (OKTA-407572)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:
- PowerDMS: For configuration information, see Configuring Provisioning for PowerDMS.
- Redprint: For configuration information, see User Provisioning with Okta.
- SkillsHood: For configuration information, see How to Configure Provisioning for SkillsHood.
- Squarespace: For configuration information, see Logging in with single sign-on through Okta (Enterprise).
SWA for the following Okta Verified applications
- Headspace (OKTA-403509)
- Redprint (OKTA-394718)
- SCOPE (OKTA-405791)
OIDC for the following Okta Verified applications
- QFlow.ai: For configuration information, see How does your Okta Integration work (you need a QFlow.ai account to access this documentation).
- ReputationDefender: For configuration information, see OIDC Configuration Guide for Okta.
- smart technology group: For configuration information, see smart technology group and Okta OIDC Integration.
Weekly Updates

Generally Available
Sign-In Widget, version 5.8.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
General Fixes
OKTA-405084
Long-running deactivation jobs didn't overwrite user status changes after a user was deleted.
OKTA-409081
Google Chrome users saw a session lifetime warning if they accessed an end-user dashboard embedded in an iFrame.
OKTA-409227
In the OpenID Connect (OIDC) app wizard, the default Assignments selection was Allow everyone in your organization to access.
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:
- Inspectify: For configuration information, see User Provisioning with Okta.
- Reftab: For configuration information, see How do I configure SCIM with OKTA?
SAML for the following Okta Verified applications
- 4Degrees (OKTA-405438)
- SkillsHood (OKTA-404888)

Generally Available
Sign-In Widget, version 5.8.4
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.