Okta Identity Engine release notes (2021)

December 2021

2021.12.0: Monthly Production release began deployment on December 13

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Choose client types for Office 365 sign-on policy

When creating app sign-on policy rules to manage access to Office 365 apps, you can now specify client types such as web browser, modern auth, or Exchange ActiveSync. This allows you to apply Office 365 sign-on policies to granular use-cases. See Office 365 sign-on rules options.

Branding now available in the Admin Console

This UI release provides admins and developers with an Admin Console UI to upload brand assets to customize their Okta-hosted pages. The Customizations tab in the Admin Console is also now moved to a top-level menu item in the left-hand navigation, and Branding-related controls have all been moved under it. The Settings > Appearance tab has also been removed, and functionality moved under the Customizations tab for ease of use. See Branding.

Admin Experience Redesign toggle removed

The toggle that allowed super admins to switch between the Admin Experience Redesign and the old experience has been removed. All Okta admins now benefit from our restyled Okta Admin Dashboard, responsive navigation side bar, and modern look and feel. If you need more time to adapt to the new user experience, you can revert to the old experience by contacting Okta Support until April 2022.

Upload Logo for org deprecated

The Upload Logo for Org endpoint (/api/v1/org/logo) is deprecated. Use the Upload Theme Logo (/api/v1/brands/${brandId}/themes/${themeId}/logo) endpoint instead.

Salesforce Federated ID REST OAuth

Admins can now upgrade to the latest version of our Salesforce Federated ID integration. OAuth provides enhanced security and is now used for Provisioning and Imports authentication. This feature is currently enabled by default for new orgs only. See Configure OAuth and REST integration.

Okta MFA Credential Provider for Windows, version 1.3.5

This version of the agent contains:

  • Security enhancements

  • Internal fixes

See Okta MFA Credential Provider for Windows Version History.

Okta On-Prem MFA agent, version 1.4.6

This version of the agent contains updates for certain security vulnerabilities.

See Okta On-Prem MFA agent version history.

Okta RADIUS Server agent, version 2.17.0

This version of the agent contains updates for certain security vulnerabilities.

See Okta RADIUS Server Agent Version History.

Enhancements

Improved text on the Get started with Okta page

On the Get started with Okta page, several heading and button labels now provide more accurate and helpful text:

  • Select MFA factors is now Select Authenticators.

  • Select the MFA factors you'd like your organization to use is now Select the Authenticators you'd like your organization to use.

  • The Enable Factors button is now labeled Enable Authenticators.

Org setting to disable device token binding

For compatibility purposes, orgs can now disable device binding. Device binding ensures that state tokens are used only by the actor who initiated the authentication flow. See General Security.

Sign-In Widget error message

An error message now appears on the Sign-In Widget if an end user needs to open their laptop lid to use biometrics.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-393284

UI errors occurred when users hovered over a locked app on the Okta End-User Dashboard.

OKTA-439327

Applying admin-managed tabs to end users occasionally completed much later, after the changes were initially made.

OKTA-441168

Users were directed to the wrong step of the Log Stream creation wizard when they clicked a link to create a specific type of Log Stream.

OKTA-442241

If a SWA app's profile enrollment policy contained a newly added required attribute, users were prompted for it twice.

OKTA-443459

Some users who accessed the Okta End-User Dashboard saw a blank screen.

OKTA-443607

An incorrect name appeared for the YubiKey Authenticator on the Add Authenticators page.

OKTA-449400

The text field for an app’s alternative name was missing from the app drawer.

OKTA-450543

Users weren't prompted to correct their device’s time if their device was behind the server’s time by more than five minutes or ahead by more than 65 minutes.

OKTA-450927

Two scrollbars were displayed for mobile users.

OKTA-453065H

Admins encountered an error when trying to assign an app back to the default profile enrollment policy.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Amplitude (OKTA-449138)

  • Australian Financial Review (OKTA-450189)

  • Boxed (OKTA-449140)

  • Google Tag Manager (OKTA-448703)

  • HireFire (OKTA-448711)

  • Instacart Canada (OKTA-442943)

  • International SOS Assistance (OKTA-447156)

  • LinkedIn (OKTA-443788)

  • Mural (OKTA-443063)

  • Payroll Relief (OKTA-447159)

  • Safari Online Learning (OKTA-448707)

  • The Hartford EBC (OKTA-448956)

  • Twitter (OKTA-448961)

  • XpertHR (OKTA-449721)

Applications

Application Update

The Jive application integration is rebranded as Go To Connect.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Chatwork (OKTA-449761)

  • ContractS CLM (OKTA-446453)

  • Elate (OKTA-448860)

  • WAN-Sign (OKTA-448922)

OIDC for the following Okta Verified applications:

Weekly Updates

2021.12.1: Update 1 started deployment on December 20

Fixes

General Fixes

OKTA-328461

The footer in some email templates contained an incorrect link to Okta.

OKTA-410446

DebugData in the System Log didn’t include ClientSecret information.

OKTA-434725

Admins could deactivate apps that were used as the default redirect for the Sign-In Widget.

OKTA-440608

Some admins couldn't view groups that were assigned to an app, even though their custom role had permission to view them.

OKTA-446499, OKTA-446506, OKTA-446511

The user’s status wasn’t synchronized with Active Directory when they deleted their account from Okta Verify or toggled to a different biometric authenticator.

OKTA-447471

Duplicate reactivation requests for the Org2Org app caused 400 errors in the System Log.

OKTA-448321

When the Custom Admin Roles feature was enabled, groups with “#” in the group name couldn’t be assigned to a role.

OKTA-449563

Activating the Allow Web and Modern Auth policy (the default) for Microsoft Office 365 caused a lock to appear on Office 365 apps on the End-User Dashboard.

OKTA-449880

The text in some default email templates was incorrect.

OKTA-451868

In new developer orgs, admins weren’t provisioned for Salesforce Help.

OKTA-452041

Attempts to sign in to the Admin Console using Safari on an iOS device were prevented by the popup blocker.

OKTA-452099

The QR verification form in the device authentication flow wasn’t pre-filled with the user code.

OKTA-454767H

Some app labels were missing in the redesigned OIN App Catalog.

App Integration Fix

The following SWA app was not working correctly and is now fixed:

  • GoDaddy (OKTA-449141)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

2021.12.2: Update 2 started deployment on January 3

Fixes

General Fixes

OKTA-441896

Group attribute statements added in a SAML 2.0 integration app (AIW) didn’t appear in the Preview the SAML Assertion section.

OKTA-444246

Some SAML doc links in the Admin Console didn’t work.

OKTA-447069

End-users encountered a 403 error when accessing a bookmark app after being migrated to the new Okta End-User Dashboard.

OKTA-447885

When adding a custom domain, admins received the wrong error message if they left the Domain field blank.

OKTA-448560

New users received an activation email with Velocity macros instead of their name. This occurred if the org’s profile enrollment policy didn’t require first and last names.

OKTA-448936

The Create a new resource set page couldn't display groups with & in the group name. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-448940

The Edit resources to a standard role page displayed an error when admins searched for a group. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-451345

The Velocity parsing engine failed when email templates contained a variable that was followed by (.

OKTA-452680

Application usage reports created asynchronously for specific groups included users that didn’t belong to the groups selected for the reports.

OKTA-453668

Duplicate enrollments caused authentication issues.

OKTA-453892

Orgs with a large number of users experienced timeouts during user Enhanced Email Macros queries.

OKTA-454197

On the Add domain page, the Next, Remove, and Verify DNS buttons were clickable while the addition was in progress.

OKTA-454655H

The Keep me signed in option for Google Authenticator was not honored.

OKTA-456383H

CSV imports failed when using Okta Provisioning Agent, version 2.0.6. For this fix, download Okta Provisioning Agent, version 2.0.7.

OKTA-458089H

Some Netsuite imports into Okta failed with the following error: A SOAP message cannot contain entity references because it must not have a DTD.

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Imprivata Privileged Access Management (OKTA-450222)

  • Lucca (OKTA-450219)

  • PowerDMS (OKTA-454504)

  • Rybbon (OKTA-451438)

November 2021

2021.11.0: Monthly Production release began deployment on November 8

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Okta LDAP agent, version 5.10.0

This version of the agent contains:

  • Range attribute retrieval for group membership attributes (full support will be available in a future release)

  • Real-time synchronization for user profiles, groups, and group memberships (full support will be available in a future release)

  • Expired password reset support for the eDirectory LDAP service (Okta Identity Engine)

  • Bug fixes

See Okta LDAP Agent version history.

Okta RADIUS Server agent, version 2.16.0

This version of the agent contains:

  • Government Community Cloud support

  • Internal and security fixes

See Okta RADIUS Server Agent Version History.

Okta MFA Credential Provider for Windows, version 1.3.4

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta MFA Credential Provider for Windows Version History.

Okta On-Prem MFA agent, version 1.4.5

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta On-Prem MFA agent version history.

Brands API support for auto-detecting contrast colors

The Brands API Theme object properties primaryColorContrastHex and secondaryColorContrastHex automatically optimize the contrast between font color and the background or button color. The auto-detection feature can be disabled by updating either property value with an accepted contrast hex value. See Brands.

New error page macros for themed templates

Custom error page templates include new macros to customize the URL (href) in addition to the button text for themed templates. See Use macros.

Custom domain SSL certification expiration warnings

To prevent service disruptions, Okta now sends admins a warning email 30, 15, and 7 days before their custom domain’s SSL certificate expires. If no action is taken, an expiration notice is sent when the certificate expires.

See Configure a custom domain.

Token-based SSO between native apps

Single Sign-On (SSO) between browser-based web applications is achieved by leveraging shared cookies. Unlike web applications, native applications can’t use web cookies. With Native SSO, Okta offers a token-based approach to achieve SSO between native applications.

Native SSO allows you to protect native OpenID Connect applications, such as desktop apps and mobile apps, and achieve SSO and Single Logout (SLO) between these applications. See Configure SSO for native apps.

Asynchronous Application Reports

When enabled, this feature turns the generation of the Application Usage and the Application Password Health reports into an asynchronous process. Okta generates a report with the results and sends an email to the admin containing a download link for the CSV file. This enhancement is ideal for orgs with large amounts of user activity, as the generated reports can cover a greater range without timing out. See Application Usage report and App Password Health report.

Risk scoring improvements

Risk scoring improvements are being slowly deployed to all organizations. See Risk scoring.

Password expiry warning for LDAP group password policies

You can now configure an LDAP group password policy to provide users with a password expiry warning when their LDAP password is about to expire. Providing a password expiry warning in advance prevents users from losing access to shared resources and reduces the likelihood that you’ll need to reset passwords. See Configure a password policy.

Litmos supports Advanced Custom Attributes

We’ve enriched our Litmos integration to support Advanced Custom Attributes for the user profile. This allows you to add fields into the Okta user profile. See Litmos Provisioning Guide.

Enhancements

New System Log events for custom domain setup

The following events are added to the System Log:

  • system.custom_url_domain.cert_renew

  • system.custom_url_domain.delete

Existing events now include CustomDomainCertificateSourceType.

OIN App Catalog user interface changes

The following text has been updated for consistency:

  • FILTERS is now Capabilities

  • Apps is now All Integrations

  • Featured is now Featured Integrations

  • OpenID Connect is now OIDC

  • Secure Web Authentication is now SWA

See Add existing app integrations.

Hash marks added to hex code fields

On the Branding page, hash marks are automatically added to the hex codes in the Primary color and Secondary color fields.

Event Hooks daily limit

The maximum allowable daily limit of Event Hooks for all orgs has increased from 100,000 to 200,000. A higher daily allocation of Event Hooks reduces the likelihood orgs will exceed their daily limits. See Workflows system limits.

Improved Branding preview

Branding previews now display correct text colors.

Sign-In Widget button colors standardized

To comply with accessibility contrast ratios, the default variant colors for buttons on Okta sign-in and error pages have been standardized to use the Okta design system.

Admins can save Profile Enrollment settings with errors

If Profile Enrollment settings contain errors in externally sourced attributes, the Admin Console displays a warning but allows the admin to save.

CAPTCHA messages translated

CAPTCHA verification error messages are now translated in the Sign-In Widget.

Upgrade validation check for customAPPLoginURL

A new validation check prevents orgs from upgrading to Okta Identity Engine if they have a customAppLoginURL enabled.

Okta Verify can’t be deactivated

Okta Verify can’t be deactivated if any app sign-on policies require it.

Early Access Features

New Features

Windows Autopilot integration with Okta

You can now use Okta to secure and streamline the Windows Autopilot flow on end-user devices. Before this integration, using Okta Device Trust or Okta FastPass prevented the enrollment of a new device through Windows Autopilot. The new integration allows you to accommodate Not Trusted devices with Windows Autopilot while continuing to use Okta Device Trust and Okta FastPass for Trusted devices. It also allows you to add a sign-on policy rule in Okta that requires MFA when enrolling a device through Windows Autopilot. This increases security without compromising the user experience and ensures that the right person gets access to the device. See Typical workflow for using Okta with Windows Autopilot.

Enhancements

Manage email notifications for custom admin roles

Super admins can configure the system notifications and Okta communications for custom admin roles. Configuring the email notifications helps ensure admins receive all of the communications that are relevant to their role. See Configure email notifications for an admin role.

Fixes

General Fixes

OKTA-418219

Sometimes when a super admin assigned several standard roles to a group at a time, some of those roles didn’t appear on the Groups page.

OKTA-420608

When users outside of an AD OU attempted to sign in to Okta using ADSSO, an Unable to complete your request error message appeared instead of the expected sign-in dialog.

OKTA-425318

Admins weren't able to use the Expression Language to compare a user's status to a string.

OKTA-425375

FastPass was rejected for signing in when the user’s laptop was closed even though FastPass was enrolled with user verification enabled.

OKTA-430675

When the super org admin role was revoked from a user, the resulting email notification didn’t include the org name or URL.

OKTA-431057

In orgs that were rolled back to Okta Classic Engine, Apple Safari browser version 15.0 on macOS 10.15.7 froze when users tried to delete an authenticator from their Settings page.

OKTA-434792

The user.session.start System Log event incorrectly displayed a result of SUCCESS when users were denied access by a policy.

OKTA-436651

Okta Verify and FastPass appeared as unknown authenticators on the Recent Activity page even though Okta Verify and FastPass were enabled.

OKTA-437001

During sign-in, the authenticator enrollment process displayed authenticators that were disabled in multifactor authentication, and allowed users to enroll in them.

OKTA-437011

Users who weren’t enrolled in Okta Verify in orgs that had app sign-on policies that required the use of hardware-protected authenticators received the “Unable to sign in” error message instead of being prompted to enroll in Okta Verify.

OKTA-437764

In orgs with a self-hosted Sign-In Widget and interaction code enabled, users couldn’t sign in with a social IdP.

OKTA-438981

The HealthInsight report incorrectly described newly created policies as missing required authenticators, even though those policies were configured with at least one required authenticator.

OKTA-440618

For some orgs with Branding enabled, the theme was reset after an admin’s role changed.

OKTA-440695

Some users saw an error when signing in to the new End-User Dashboard or OIDC apps for the first time.

App Integration Fixes

The following SAML app was not working correctly and is now fixed:

  • Cloze (OKTA-440336)

Applications

Application Updates

  • The configuration guide for the Vable SCIM integration is updated: Okta Users Provisioning For The Vable Platform.

  • The American Express Work integration was a duplicate and has been removed from the OIN Catalog. Customers should use the American Express - Work integration.

New Integrations

New SCIM Integration Application:

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

OIDC for the following Okta Verified applications:

Weekly Updates

2021.11.1: Update 1 started deployment on November 15

Generally Available

AD Del Auth users can add secondary email

AD Delegated Authentication users can now add a secondary email during their first sign-in. See Delegated authentication with Active Directory.

New option on the Okta Sign-On Policy Add Rule dialog

The AND Identity provider is option enables you to specify which Identity Provider end users can use to sign in to Okta. You can specify Any, Okta, or Specific IdP. The Specific IdP option presents a list of Identity Providers that have been set up in your org. See Add a global session policy rule.

System Log change: User login to Okta event reason

In the System Log, the reason for the User login to Okta event has been changed to Login denied when the sign-on policy denies access or the user is unable to satisfy its requirements.

Fixes

General Fixes

OKTA-429081

When an admin deleted an app with Federation Broker Mode enabled, users could continue to sign in to the app.

OKTA-429782

Sometimes when the app group membership for a user was deactivated, any role assignments that were revoked from that user still appeared on the Administrators page.

OKTA-429868

API tokens for group admins didn't have the role displayed in the Security > API > Token section.

OKTA-432269

If Sign-up was enabled in an org’s profile enrollment policy, and that org reverted back to Classic Engine, end users who had already started the sign-up process received an error when they clicked their activation link.

OKTA-433617

App sign-on policies weren't evaluated for SAML 1.1 template apps.

OKTA-435527

Sometimes users were prompted to re-enter their password when switching between apps.

OKTA-439047

Sometimes, the System Log displayed Grant user privilege success events for admins when there were no changes to their privileges.

OKTA-441222

When a super admin changed the role notification settings for an admin, some third-party admins with that role were included in the notification subscription.

OKTA-441434

The View Setup Instructions link was broken on the Add Identity Provider page.

OKTA-441763

When admins created a new profile enrollment policy with Sign-up enabled, the link didn’t appear on the Sign-In Widget.

OKTA-444012

Branding features weren’t visible in the navigation menu of the legacy Admin Console.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Alibaba Cloud (Aliyun) (OKTA-439430)

  • Apple Store for Business (OKTA-439233)

  • ID90 Travel (OKTA-435212)

  • MessageBird (NL) (OKTA-440295)

  • Screen Leap (OKTA-440292)

  • TD Ameritrade (OKTA-436146)

Applications

New Integrations

SAML for the following Okta Verified applications:

  • Agencyzoom (OKTA-436124)

  • Altruistiq (OKTA-440339)

  • Auvik (OKTA-435860)

  • Ceresa (OKTA-437597)

  • Clumio (OKTA-440285)

  • Workstream (OKTA-441160)

SWA for the following Okta Verified application:

  • Greene King (OKTA-441236)

OIDC for the following Okta Verified application:

  • Luma Brighter Learning: For configuration information, see Okta/Luma SSO.

2021.11.2: Update 2 started deployment on November 29

Enhancement

New warning for deleted devices

A warning message now appears when an admin attempts to delete a device from the Devices page.

Fixes

General Fixes

OKTA-428017

When the Custom Admin Roles feature was enabled and an admin searched for a group to assign to a role, the list of groups didn’t display their respective app logos.

OKTA-436016

In orgs with deleted groups, admins couldn't run the Admin role assignments report.

OKTA-438793

On the Admin Dashboard, the Overview section displayed an incorrect Updated at time between 12:00 AM and 1:00 AM.

OKTA-441161

When a super admin edited the User Account customization settings, an error occurred after they verified their password.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • HelpSpot Userscape (OKTA-440296)

  • Instacart Canada (OKTA-442946)

  • Moffi (OKTA-442915)

Applications

New Integrations

SAML for the following Okta Verified applications:

  • Autodesk (OKTA-425911)

  • YesWeHack (OKTA-443624)

OIDC for the following Okta Verified applications:

2021.11.3: Update 3 started deployment on December 6

Enhancement

New Device Trust error

An error message now appears if an admin attempts to delete a Device Trust (Classic Engine) configuration without correctly configuring app sign-on policies for devices that are not trusted.

Fixes

General Fixes

OKTA-414394

On the Applications page, some admins with a custom role could view the buttons for actions that they didn’t have permission to perform.

OKTA-418245

The Mobile tab incorrectly appeared on the App Integrations page. Okta Mobile isn't supported in Identity Engine.

OKTA-419443

Users were able to enroll in Okta Verify and access their dashboard and apps even though their account was locked out or suspended.

OKTA-419491

Push notifications appeared repeatedly to users after they had already approved them.

OKTA-431945

Sometimes when a third-party admin role was assigned through the public API, the admin's status didn't change in the Okta Help Center.

OKTA-433439

Push Profile updates sometimes failed due to a missing Effective Date value.

OKTA-434556

In Try Okta Free orgs, the Days left in your trial banner didn’t always display the correct number of days.

OKTA-434789

When Veeva Vault was provisioned, the authentication rate limit was incorrectly applied to bulk operations.

OKTA-438657

When a custom admin role had the View application and their details permission, admins with that role couldn’t access OIDC applications.

OKTA-439081

No messages or warnings were displayed when admins set up factor requirements in an Okta sign-on policy rule.

OKTA-441340

user.session.start and user.session.stop events didn’t include app context.

OKTA-442991

When the Custom admin roles feature was enabled, the Administrator assignment by admin and Administrator assignment by role pages displayed the Edit button for admin roles that couldn’t be constrained to a resource.

OKTA-444028, OKTA-444242, OKTA-448506

Sign-In Widget lifecycle errors for some device states and following silent probing were incorrect or misleading.

OKTA-444459

App sign-on policies weren’t deleted when their associated apps were deleted.

OKTA-445826

The help link was incorrect for Settings > Customization > Configure a custom URL domain.

OKTA-447296

If an admin canceled deactivation for a device, and then clicked Deactivate again, no confirmation dialog appeared.

OKTA-453535H

An older library for the RSA and RADIUS agents caused potential security issues in certain situations.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • American Funds Advisor Client Login (OKTA-442550)

  • Bank of America CashPro (OKTA-444481)

  • M&T Bank - Commercial Services (OKTA-447154)

  • Nimble (OKTA-444703)

  • The Trade Desk (OKTA-445291)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • ParkOffice (OKTA-445142)

  • SecZetta (OKTA-446467)

October 2021

2021.10.0: Monthly Production release began deployment on October 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Org Under Attack for ThreatInsight

Okta ThreatInsight now has enhanced attack detection capability. “Org under attack” establishes a baseline traffic pattern and adjusts based on legitimate changes in traffic patterns. When a threat is detected, the algorithms are optimized to block all malicious requests while creating a System Log event to alert on the attack. After the attack subsides, ThreatInsight returns to its normal mode of operation. This capability enables quick blocking action during an attack. See About Okta ThreatInsight. This feature will be gradually made available to all orgs.

Enhancements

Custom footer enhancement

With Branding enabled, admins can now hide the Powered by Okta message in the footer of their Okta-hosted sign-in page and End-User Dashboard. See Customize the footer for your org.

Log per client mode for client-based rate limits

Client-based rate limits are now in Log per client mode for all orgs for both OAuth 2.0 /authorize and /login/login.htm endpoints. This offers additional isolation to prevent frequent rate limit violations.

Hidden password for dynamic SCEP URL

When you generate a dynamic SCEP URL to integrate Okta with your device management provider, or when you reset the dynamic SCEP password, the password is hidden for enhanced security. To reveal or copy the password, click Show password.

See Configure Okta as a CA with delegated SCEP challenge for Windows using MEM (formerly Intune) and Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro.

Early Access Feature

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-325592

When LDAP delegated authentication was enabled, an incorrect event type was used to process user profile updates.

OKTA-346989

Global redirect URIs weren’t maintained after an upgrade to Okta Identity Engine from Classic Engine.

OKTA-353822

If an Okta Classic Engine org had an app sign-on policy rule configured for all six platforms and then migrated to Okta Identity Engine, the app sign-on policy rule for AND Device Platform is wasn't marked as Any platform.

OKTA-361609

Non-active users were able to sign in to the Office 365 app using Silent Activation.

OKTA-413405

During enrollment, a check mark didn’t appear correctly beside required authenticators on the Set up multifactor authentication page.

OKTA-419156

During phone MFA setup, users weren’t able to request another one-time passcode after entering the first one incorrectly.

OKTA-422719

A warning message appeared when users attempted to open the URL of an app that wasn’t assigned to them, and then when they clicked Sign in with Okta FastPass or signed in by entering the same username, an error message with the same information was appended to the warning message.

OKTA-423103

When selecting an authenticator for sign-in, users sometimes saw an unclear error message.

OKTA-427932

When Branding was enabled, the Sign-In Widget was distorted on custom sign-in pages.

OKTA-428268

When an LDAP interface (LDAPi) client had Custom Admin Roles enabled, time-out errors sometimes occurred during group member queries.

OKTA-429894

When a user entered an incorrect password in the Sign-In Widget and then refreshed the browser for another password attempt, the Expecting credential field warning still appeared.

OKTA-431349

Translated versions of AD and LDAP configuration validation messages weren’t provided.

OKTA-431757

The User is not assigned to this application message appeared as an INFO error rather than a WARNING.

OKTA-431868

In the UI for the SuccessFactors app, options for Active User Statuses weren't displayed.

OKTA-435586H

Some users were unable to sign in if their org's default app was deactivated or deleted.

App Integration Fixes

The following SWA app was not working correctly and is now fixed:

  • Amplitude (OKTA-429432)

Applications

Updates

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

OIDC for the following Okta Verified application:

  • Extole: For configuration information see Okta Instructions.

September 2021

2021.09.0: Monthly Production release began deployment on September 7

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Okta as a certificate authority

New CA functionality

Okta supports additional certificate authority (CA) functionality for admins:

  • When you use Okta as a CA, Okta now revokes device certificates that were issued but not used for successful authentication within 90 days.

  • Okta now supports certificate revocation when you provide your own CA. Only certificate revocation list (CRL) endpoints that use the HTTP or HTTPS protocol are supported. CRLs must be signed by the same intermediate certificate that the admin uploaded, and the client certificate should include the certificate distribution point URI. See Configure a Certificate Authority.

Support for dynamic SCEP

Okta now supports dynamic Simple Certificate Enrollment Protocol (SCEP) for macOS using Jamf Pro. See Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro.

New System Log events

The following System Log events are new:

  • The pki.cert.issue event indicates that a certificate was issued to a device.

  • The pki.cert.bind event indicates that a certificate was bound to a device.

  • The pki.cert.lifecycle.suspend event indicates that a certificate was suspended because an admin deactivated the device that it was bound to.

  • The pki.cert.lifecycle.delete event indicates that a certificate was deleted because an admin deleted the device that it was bound to.

  • The pki.cert.lifecycle.revoke event indicates that a certificate was revoked and placed on the certificate revocation list (CRL).

  • The pki.cert.lifecycle.hold event indicates that a certificate was placed on temporary hold and placed on the CRL.

  • The pki.cert.lifecycle.activate event indicates that a certificate was removed from temporary hold, and removed from the CRL.
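For monitoring, these events can be replayed into a per-certificate status that shows which certificates currently sit on the CRL and which event sequences look inconsistent. The following is an added example, not Okta code: the events are constructed, and identifying the certificate by `target[0].id` and treating revoke and delete as terminal are assumptions to check against your own org's events.

```python
import json
from datetime import datetime

# Constructed sample events, deliberately delivered out of order.
# eventType and published are standard System Log fields; using target[0].id
# as the certificate identifier is an assumption made for this example.
SAMPLE_EVENTS = json.loads("""
[
 {"published": "2021-09-08T10:00:00.000Z", "eventType": "pki.cert.lifecycle.activate", "target": [{"id": "cert-A"}]},
 {"published": "2021-09-07T09:00:00.000Z", "eventType": "pki.cert.issue", "target": [{"id": "cert-A"}]},
 {"published": "2021-09-07T09:01:00.000Z", "eventType": "pki.cert.bind", "target": [{"id": "cert-A"}]},
 {"published": "2021-09-07T09:02:00.000Z", "eventType": "user.authentication.verify", "target": []},
 {"published": "2021-09-08T08:00:00.000Z", "eventType": "pki.cert.lifecycle.hold", "target": [{"id": "cert-A"}]},
 {"published": "2021-09-07T09:05:00.000Z", "eventType": "pki.cert.issue", "target": [{"id": "cert-B"}]},
 {"published": "2021-09-09T12:30:00.000Z", "eventType": "pki.cert.bind", "target": [{"id": "cert-B"}]},
 {"published": "2021-09-09T12:00:00.000Z", "eventType": "pki.cert.lifecycle.revoke", "target": [{"id": "cert-B"}]},
 {"published": "2021-09-10T07:00:00.000Z", "eventType": "pki.cert.lifecycle.activate", "target": [{"id": "cert-C"}]}
]
""")

# eventType -> (resulting state, CRL membership). None means the release note
# does not say whether the CRL is affected, so the previous value is kept.
TRANSITIONS = {
    "pki.cert.issue": ("issued", False),
    "pki.cert.bind": ("bound", False),
    "pki.cert.lifecycle.suspend": ("suspended", None),
    "pki.cert.lifecycle.delete": ("deleted", None),
    "pki.cert.lifecycle.revoke": ("revoked", True),
    "pki.cert.lifecycle.hold": ("on_hold", True),
    "pki.cert.lifecycle.activate": ("active", False),
}
TERMINAL = {"revoked", "deleted"}  # assumption: nothing should follow these


def parse_time(published):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(published.replace("Z", "+00:00"))


def cert_id_of(event):
    """Return the certificate id from the first target entry, or None."""
    targets = event.get("target") or []
    return targets[0].get("id") if targets else None


def replay(events):
    """Fold pki.cert.* events, in time order, into per-certificate state.

    Returns (states, findings). findings is a list of
    (cert_id, eventType, reason) tuples for sequences worth a second look.
    """
    states, findings = {}, []
    for ev in sorted(events, key=lambda e: parse_time(e["published"])):
        etype = ev.get("eventType", "")
        if etype not in TRANSITIONS:
            continue  # not a certificate event
        cert_id = cert_id_of(ev)
        if cert_id is None:
            findings.append((None, etype, "pki event without a target id"))
            continue
        prev = states.get(cert_id, {"state": "unknown", "on_crl": False})
        if prev["state"] in TERMINAL:
            # Keep the terminal state; report the unexpected follow-up event.
            findings.append((cert_id, etype, "event after " + prev["state"]))
            continue
        if etype == "pki.cert.lifecycle.activate" and prev["state"] != "on_hold":
            # May just mean the hold predates the log window being replayed.
            findings.append((cert_id, etype, "activate without a preceding hold"))
        new_state, crl = TRANSITIONS[etype]
        states[cert_id] = {
            "state": new_state,
            "on_crl": prev["on_crl"] if crl is None else crl,
        }
    return states, findings


def crl_members(states):
    """Certificate ids expected to be on the CRL after the replay."""
    return sorted(cid for cid, s in states.items() if s["on_crl"])


if __name__ == "__main__":
    final_states, issues = replay(SAMPLE_EVENTS)
    for cid, s in sorted(final_states.items()):
        print(cid, s)
    for item in issues:
        print("finding:", item)
    print("expected on CRL:", crl_members(final_states))
```

Sorting on `published` before replay matters: in the sample, cert-A's activate event arrives first in the list but is applied after its hold, so it produces no finding.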

Enhancements

ThreatInsight default mode for new orgs

For new orgs, the default mode for ThreatInsight is now set to Audit mode. Previously, with no mode set by default, events weren't logged unless Audit mode or Block mode was enabled manually. Now with Audit mode set by default for new orgs, the security.threat.detected event is logged once a malicious request is detected. See Okta ThreatInsight.

Profile Enrollment policy changes

AppUser attributes that are required in a user schema are no longer checked by Profile Enrollment policies. See Manage Profile Enrollment policies.

New System Log event for successful user sign-in

Admins will now see the user.authentication.verify event in the System Log. This event is triggered when a user successfully signs in to their account.

Admin Console UI changes

In the Admin Console, the Device Management page (accessed from Security > Device Integrations) was renamed Device Integrations.

Sign-in Widget clarification

In the Sign-In Widget, the message for email verification now instructs the user to either click the email magic link or enter the one-time password (OTP) code for verification.

Account recovery clarification

After successful account recovery, screen messaging that instructs users to return to the original sign-in browser tab is now more descriptive.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-391032

Custom admins with Manage group permissions could view the Add Rule button on the Groups > Rules tab.

OKTA-412278

After a self-service account unlock error, users saw duplicate Back to the sign in links.

OKTA-417463

The Username field in the Sign-In Widget wasn’t pre-populated with the config.username value.

OKTA-419565

The magic link for self-service password reset directed users to the sign-in page if an active session for another user was present in the browser.

OKTA-419713

The error message wasn't clear when a user tried to claim email account recovery links multiple times.

OKTA-421801

Some users with a custom domain URL couldn't add or edit resource sets for custom admin roles.

OKTA-422155

Users received a multifactor reset email in addition to the multifactor enrollment email when they enrolled in Okta FastPass.

OKTA-422158

Some legacy Universal 2nd Factor (U2F) users weren't able to use their YubiKey devices to authenticate after their org was upgraded to Okta Identity Engine.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Avalara (OKTA-415081)

  • Fisher Scientific (OKTA-422646)

  • Microsoft Volume Licensing (OKTA-420160)

  • Quadient Cloud (OKTA-422635)

  • RescueAssist (OKTA-422643)

  • WeWork (OKTA-423570)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Anomalo (OKTA-421527)

  • Paradime (OKTA-420444)

OIDC for the following Okta Verified application:

August 2021

2021.08.0: Monthly Production release began deployment on August 9

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Polling support for ADSSO and IWA authentication sessions

Agentless Desktop Single Sign-on (ADSSO) and Integrated Windows Authentication (IWA) authentication sessions now include polling to reduce the likelihood customers will receive 429 Too Many Requests errors when they are trying to access Okta during peak periods. Rather than immediately denying an authentication request, the server is continually polled for 30 seconds until the user can be authenticated. With this change, authentication requests are more likely to be successful and wait times are reduced. See Active Directory Desktop Single Sign-on.

Name change: Authenticator is now called Security Method

The term Authenticator has been replaced with Security Method everywhere that multifactor authentication methods are displayed to end users. The term hasn't changed in the Admin Console.

New session behavior

Users who sign in from the same browser they used to enroll in Okta Verify won't have to verify their authenticators again unless they've exceeded their org's policy reauthentication time limit.

LDAP agent, version 5.8.0

This version of the agent contains:

  • Password expiry warning support for Oracle Directory Server Enterprise Edition (ODSEE), Oracle Unified Directory (OUD), OpenDJ, and SunOne 5.2 LDAP directory services

See Okta LDAP Agent version history.

Enhancements

New warning for excessive IP addresses

A warning now appears if a gateway or proxy has an IP range with more than 5 million addresses. See Create zones for IP addresses.

Start time and end time of rate limit windows

The Rate Limit Dashboard now displays the start time and end time of the rate limit window for each data point. This helps you analyze each data point with more granularity. See Rate limit dashboard.

Okta Mobile removed from the Admin Console

Links to Okta Mobile for iOS and Okta Mobile for Android have been removed from the Mobile Apps section of the Settings > Downloads page. Okta Mobile settings have been hidden from the Security > General page. Okta Mobile isn't available for Identity Engine.

Removal of new experience settings for enabled environments

Settings to enable the new end-user experience won't be shown to orgs that have enabled the feature and removed access to the old experience.

UI Change for Okta Verify Users

The Sign in using Okta Verify on this device button has been changed to Sign in with Okta FastPass.

Early Access Features

New Features

Third-Party Risk

Okta Risk Eco-System API / Third-Party Risk enables security teams to integrate IP-based risk signals to analyze and orchestrate risk-based access using the authentication layer. Practitioners can step up, reduce friction or block the user based on risk signals across the customer’s security stack. Apart from improving security efficacy, this feature also enhances the user experience by reducing friction for good users based on positive user signals. See Risk scoring.

Fixes

General Fixes

OKTA-381874

On the Agents page, admins couldn't remove deleted RADIUS agents or hide the ones that weren't in use.

OKTA-405384

Users who enrolled in platform authenticators, such as Okta Verify Desktop or WebAuthn, and tried to authenticate on a different device or enroll Okta Verify on their mobile device were unable to authenticate.

OKTA-407918

The custom sign-out page URL didn’t match the address configured in Customization Settings.

OKTA-408448

Users didn’t receive an error message when they reached the rate limit for submitting OTP codes.

OKTA-408851

The OAuth scope consent page sometimes displayed incorrect messages.

OKTA-410951

Just-in-Time provisioning didn't automatically initiate self-service unlock for AD or LDAP-sourced users who were locked out of Okta but not out of their AD or LDAP accounts.

July 2021

2021.07.0: Monthly Production release began deployment on July 12

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Dedicated help sites for Okta products

Three of Okta’s products — Access Gateway, Advanced Server Access, and Workflows — now have their own dedicated help sites:

  • Okta Advanced Server Access
  • Okta Access Gateway
  • Okta Workflows

This enhancement offers direct access to independent online help sites for these products from help.okta.com. The new sites provide several benefits:

  • Compactly designed, product-centric content
  • Streamlined navigation
  • More efficient content updates and responsiveness to customer feedback

Okta Device Registration Task, version 1.3.2

This release includes internal code refactoring. You can download this version from the Settings > Downloads section of the Admin Console.

New Domains API response properties available

The Domains API includes the new response object properties of certificateSourcetype and expiration. The certificateSourcetype is a required property that indicates whether the Certificate is provided by the user. The accepted value is Manual. The expiration property on the DNSrecord object is an optional property that defines the TXT record expiration. See Domains API.

Default end-user experience

New orgs, including those created through the org creator API or the developer.okta.com website, will have the new end-user experience enabled by default in preparation for the old end-user experience deprecation starting on October 13. Learn more about this migration and other frequently asked questions in our support article.

Disable Import Groups per SCIM integration

Admins can now choose whether or not to import groups with all SCIM integrations. This new option is available when you set up provisioning for a SCIM integration.

Note that you can't disable group imports for an app if:

  • Import New Users and Profile Updates isn't enabled.

  • App Assignments based on Group exist.

  • Group policy rules exist.

  • Group Push mappings exist.

In these cases, an error is displayed.

Nutanix support

Okta Access Gateway customers can now download and deploy the Access Gateway virtual appliance on Nutanix Acropolis Hypervisor (or Nutanix AHV), a hyper-converged infrastructure platform popular among larger organizations. This provides customers with more options for infrastructure services supported by Access Gateway, including AWS, OCI, VMWare, and now Nutanix.

Remove the ability to disable Admin Experience Redesign

You can no longer disable the Admin Experience Redesign feature for your orgs.

Note: This is not applicable for orgs that didn't have Admin Experience Redesign enabled and used the legacy experience until 2021.06.4.

Windows Hello as an MFA factor is not supported for new orgs

Windows Hello as an MFA factor is no longer supported for new orgs. Existing orgs already using this feature can continue using it.

Test custom email templates

Admins can send themselves a test email to see how their custom email templates will look and function. This allows them to validate macro attributes and translations in the customized template and to see how the template will render in different email environments. Sending the test email to their primary email address eliminates their need to create a real end-to-end workflow to test customization. For more information, see Test a customized email template.

Create LDAP group password policies

You can now create group password policies for LDAP sourced users. This gives you the flexibility to provide users with the same password policy requirements as your local LDAP directory, easing the user experience of an LDAP integration with Okta. See About group password policies and Sign-on policies.

Event Hook preview

Event Hook preview lets admins easily test and troubleshoot their Event Hooks, as well as send sample requests without manually triggering an actual event. This means admins can preview the payload of a specific Event Hook type and make sure that it's what they need to move forward before a full deployment to production. See Preview an event hook.

Enhancements

Workplace by Facebook new custom attribute

Okta now supports the is_frontline custom attribute in Workplace from Facebook. Supporting user type designations enables access for frontline and deskless workers.

OIN App Catalog UI improvements

For each app integration in the OIN App Catalog, the details page has been updated to use tabs that display the overview and the specific capabilities of the app integration. The details page also shows the Capabilities in the side navigation. Clicking a specific capability returns the administrator to the main Add Application page with that capability pre-selected in the filter. When an admin searches for app integrations, the filter is now persistent through category changes or when they refresh the page.

OIN Manager category selections

For app submissions in the OIN Manager, the category designations have been updated to match the categories available in the OIN App Catalog.

Changes to group assignment options for OIDC apps

Admins can create new OIDC applications without assigning them to a group. See Create OIDC app integrations.

HTML sanitizer for email templates

Velocity-based email templates are now processed by an HTML sanitizer. Templates that don’t conform to the rules of the sanitizer are corrected before they are sent. See Customize an email template.

Email template events

The creation and deletion of email templates are now logged as events in the System Log.

Rate limit violation event logging

Session-user and User rate violation events are now logged as operation-level events instead of org-wide events. This allows you to distinguish between rate limit violations at an org level and individual level.

Updated branding for End-User Dashboard

Okta branding on the Okta End-User Dashboard has been updated.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-274754

When an admin attempted to add an app integration to their org for which the org was not entitled, the error message didn't display the org's edition name.

OKTA-380653

A user-created on-the-fly app incorrectly appeared on the Tasks page under Number of apps that can have provisioning enabled.

OKTA-397607

Sometimes the failed-sign-in counter didn’t reset to zero after an end user successfully signed in, which resulted in improper lockouts.

OKTA-400220

When OpenLDAP was used with delegated authentication, an error message containing unnecessary information appeared if users attempted to change their password and it didn't meet the LDAP complexity requirements.

OKTA-401490

LDAP import schedules weren't updated when Relative Distinguished Name (RDN) attribute mapping from Okta to LDAP was missing.

OKTA-402247

New device notifications weren't sent during passwordless sign-in flows.

OKTA-404865

Group Push for Slack caused group members to be reset and gradually re-added, during which time group members couldn't access the app.

OKTA-405351

Some deactivated SAML IdP users whose attributes were updated with Just-in-time Provisioning were activated even though the reactivation JIT setting wasn't selected.

OKTA-407292

Some users were deactivated instead of deleted in Automations.

OKTA-408802

Sometimes, during SAML app configuration, the metadata link improperly required a sign-in session.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • San Diego Gas and Electric (OKTA-407572)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SWA for the following Okta Verified applications

  • Headspace (OKTA-403509)

  • Redprint (OKTA-394718)

  • SCOPE (OKTA-405791)

OIDC for the following Okta Verified applications

Weekly Updates

2021.07.1: Update 1 started deployment on July 19

Generally Available

Sign-In Widget, version 5.8.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-405084

Long-running deactivation jobs didn't overwrite user status changes after a user was deleted.

OKTA-409081

Google Chrome users saw a session lifetime warning if they accessed an end-user dashboard embedded in an iFrame.

OKTA-409227

In the OpenID Connect (OIDC) app wizard, the default Assignments selection was Allow everyone in your organization to access.

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified applications

  • 4Degrees (OKTA-405438)

  • SkillsHood (OKTA-404888)

2021.07.2: Update 2 started deployment on August 02

Generally Available

Sign-In Widget, version 5.8.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-382511

Users saw the wrong error message if they attempted self-service registration with a unique attribute (such as Customer Account Number) that was already in use.

OKTA-383402

In Identity Provider routing rules, the User attributes input field for the AND User Matches condition was narrow and misaligned.

OKTA-394734

The Admin Console Search field was unavailable with Lightweight Directory Access Protocol integrations.

OKTA-398165

Admins who selected the Users Locked Out task on the Admin Dashboard were redirected to the Reset Password page instead of the Unlock People page.

OKTA-399643

Org groups didn't appear as expected on the Admin Console Groups page.

OKTA-401969

Active Directory Single Sign-On users who were prompted to upgrade to Okta Verify with Push Authentication received an error 403 Forbidden message.

OKTA-404295

When an app request email was sent to an admin, the encoded URL was listed instead of its punycode URL.

OKTA-404488

During searches for Lightweight Directory Access Protocol-sourced users, concurrency limit violations caused 429 Too Many Requests errors.

OKTA-405064

Deleted user profiles were permanently removed when they were reactivated.

OKTA-405259

Sometimes, an agent status email wasn’t sent when the Okta IWA Web agent was unavailable.

OKTA-406581

End users who were unable to sign in successfully with Just-in-Time provisioning were sometimes redirected back to the sign-in page without seeing an error message.

OKTA-410072

Sample app bundle downloads didn’t use the current SDK version.

OKTA-411109

The Russian translation for an expired token was inaccurate.

OKTA-413703

Some orgs experienced an issue where the More Integrations section of the Okta App Catalog appeared empty.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Addison Lee (OKTA-410400)

  • Business Insider Prime (OKTA-411534)

  • Calxa (OKTA-411523)

  • CB Insights (OKTA-410399)

  • Cloudapp (OKTA-411535)

  • Dashlane Business (OKTA-410403)

  • Dealer Daily Lexus (OKTA-411531)

  • eFlex Employee (OKTA-411513)

  • Fresh Direct (OKTA-410395)

  • Instacart (OKTA-411491)

  • Instacart Canada (OKTA-411510)

  • Ned Davis Research (OKTA-409608)

  • New York Times (OKTA-410985)

  • Office Tools Portal (OKTA-410397)

  • Passkey (OKTA-411526)

  • Samsara (OKTA-410392)

  • Skillsoft (OKTA-410402)

  • Soundcloud (OKTA-411532)

  • Trustwave (OKTA-410406)

  • United Tranzactions (OKTA-411519)

  • Untangle (OKTA-411520)

  • Wall Street Journal (OKTA-410396)

  • Zocdoc (OKTA-410398)

  • Zscalerbyz (OKTA-410405)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified applications

  • Bonsai (OKTA-409442)

  • Cafe (OKTA-405554)

  • Dashlane (OKTA-407393)

  • eSuite (OKTA-405607)

  • FileFlex (OKTA-410143)

  • ShopRun (OKTA-411470)

  • TeamPay (OKTA-393790)

  • Transcend Engagement (OKTA-409454)

SWA for the following Okta Verified application

  • Samsara (Driver Sign In) (OKTA-414275)

OIDC for the following Okta Verified applications

June 2021

2021.06.0: Monthly Production release began deployment on June 7

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Okta Sign-In Widget, version 5.7.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

MFA Credential Provider for Windows, version 1.3.1

The MFA Credential Provider for Windows version 1.3.1 includes hardening around certain security vulnerabilities, support for Windows 2019, and other general bug fixes and improvements. See Okta MFA Credential Provider for Windows Version History.

Okta Device Registration Task, version 1.3.1

This release is based on Python 3, to support macOS 10.15.xx (Catalina) and above. It addresses the known issue of device enrollment failures. You can download this version from the Settings > Downloads section of the Admin Console. See Enforce Okta Device Trust for Jamf Pro managed macOS devices and Device Trust for macOS Registration Task Version History.

LDAP Interface sign on policy

When creating a sign on policy, you can now create rules that apply only to LDAP Interface user authentications. With this change, you can apply a sign on policy to LDAP Interface authentications and exclude other authentication methods. See Sign-on policies.

Import Safeguard Event Hook

The Import Safeguard event is available for use as an Event Hook. Admins can use the Import Safeguard event to generate a notification when an import safeguard occurs. See Import safeguards and Event Types.

App Integration Wizard improvements

The App Integration Wizard has been updated with several usability improvements. For quicker access, you can now launch the wizard from either the Applications page or the Browse App Integration Catalog page. The platform and sign-on method selection process has been streamlined to remove unnecessary inputs. Help hints in the wizard have been improved to eliminate the need to look up definitions and guidance from the documentation. To save time, trusted origins and group assignment tasks can now be completed as part of the process rather than after the wizard creates the app integration. See Create custom app integrations.

Polling support for Agentless Desktop Single Sign-on and Integrated Windows Authentication authentication sessions

Agentless Desktop Single Sign-on (ADSSO) and Integrated Windows Authentication (IWA) authentication sessions now include polling to reduce the likelihood of service disruptions during periods of high bandwidth use. For users authenticating with ADSSO or IWA during peak periods, this change increases the likelihood that a server will be available to process their authentication request. See Active Directory Desktop Single Sign-on.

Okta Verify support for risk-based authentication

Okta Verify with Push now supports risk-based authentication. With this feature, admins can assess the level of risk when an end user signs in to their org and attempts to authenticate with Okta Verify. This feature will be gradually made available to all orgs.

RADIUS support for EAP-TTLS

The RADIUS agents now support the EAP-TTLS network authentication protocol. See the supported factors section in any RADIUS integrations. This feature is now enabled by default for all orgs.

Recently Used Apps

A Recently Used apps section has been added to the top of the Okta End-User Dashboard and the Okta Browser Plugin to make it easier for end users to access their applications. End users can enable and disable the Recently Used setting in their Preferences panel or Account Settings on the Okta End-User Dashboard.

When enabled, the Recently Used apps section is visible at the top of the Okta End-User Dashboard regardless of the number of apps assigned to the end user or whether any apps have been launched. If an end user re-enables the Recently Used apps section, apps that were used when the feature was previously enabled are not preserved. See Recently used apps. This feature will be gradually made available to all orgs.

Enhancements

OIN Manager category selection changes

The choices in the OIN Manager App category selection list have been updated to match the categories available in the public OIN catalog. For existing submissions, the category choice isn't changed until the ISV updates the app submission in the OIN Manager. ISVs can also now select up to three categories for their app integration. See Submit an app integration.

OIN Manager OIDC enhancements

ISVs can now select which OpenID Connect modes their application supports: Single-Page Application (SPA) or Web. See OIDC settings.

Rate limit System Log Event Hook enhancements

The system.operation.rate_limit.warning event has been updated and now notifies administrators when their org is approaching an Event Hook rate limit.

The system.operation.rate_limit.violation event has been updated and now notifies administrators when their org has exceeded an Event Hook rate limit.

See Event Types.

OAuth scope flexible consent

When user consent is required for an OAuth scope, a new check box is available to enable Flexible consent, which blocks services from requesting the scope. See API access management.

Combined OAuth claim evaluation events

To reduce system load and operational cost, a single app.oauth2.as.evaluate.claim event is now recorded per request, instead of separate events for access tokens and ID tokens.

Updated UI for provisioned username options

If an app integration doesn't support the Create only option in the Application username format drop-down menu, the option is now disabled rather than hidden.

Session synchronization

All browser tabs that access the Okta End-User Dashboard now maintain the same session lifetime.

Hidden fields in Sign-In Widget

Hidden username and password fields in the Sign-In Widget are no longer identifiable by screen readers.

File upload tool tips

Tool tip text formatting has been standardized on the App Instance page.

Active SAML certificate warning

A warning now appears when currently active SAML certificates are set as inactive in the Okta Admin Console.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-371017

Assigning attributes when provisioning to Webex sometimes resulted in errors.

OKTA-374204

When a custom sign-out page was configured, users who reset their password with SMS and then clicked Back to sign in were redirected to the custom page.

OKTA-386816

Some app tasks that weren't mapped to Okta users didn't appear on the Admin Dashboard.

OKTA-387918

Admins were unable to view the Import Monitoring dashboard for applications when the application admin role was assigned to specific applications.

OKTA-388914

Okta erroneously pushed profile updates to Rally upon user reactivation when updates to user attributes were disabled.

OKTA-389233

The Sign-In Widget appeared blank for users who attempted to sign in while using multiple WebAuthn authenticator enrollments.

OKTA-393663

Some Firefox 88.0 users on Mac devices were presented with a blank page after signing in to Okta.

OKTA-395953

An incorrect error message was displayed when a user was created with a duplicate unique property.

OKTA-396812

If a user tried to re-enroll via RADIUS after their SMS factor was reset, they weren't prompted to verify their phone number.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Addepar (OKTA-396929)

  • Ustream (OKTA-396921)

Applications

Application Updates

Adobe Sign now supports OAuth and REST API mode for provisioning for new app instances. Existing app instances should be migrated to the new app. See the Adobe Sign Migration Guide for details.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • AlphaSense (OKTA-394744)

  • cloudtamer.io (OKTA-399136)

Weekly Updates

2021.06.1: Update 1 started deployment on June 14

Generally Available

Sign-In Widget, version 5.7.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-386890

Automation rules that were created to delete inactive users sometimes failed due to deprovisioning errors.

OKTA-388300

When the new Admin redesign experience was enabled, the Agents Dashboard displayed incorrect version information about upgraded RADIUS agents.

OKTA-388727

The Clear Unconfirmed Users button didn't work consistently on the Active Directory (AD) Import page.

OKTA-389975

The Sign On page was unresponsive after the Credentials Details section of Bookmark apps was updated.

OKTA-391272

Provisioning errors occurred when email addresses were pushed from Okta to UltiPro after being updated in Active Directory.

OKTA-398218

Syncplicity couldn't be provisioned for EU-based domains.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 1Password Business (OKTA-398705)

  • Eden Workplace (OKTA-398670)

  • Gong (OKTA-394257)

  • Instagram (OKTA-398090)

  • Schwab Advisors (OKTA-401549)

Applications

Application Update

The existing Cacoo integration is deprecated and renamed Cacoo (deprecated). Customers should now use the Nulab Pass (Backlog Cacoo Typetalk) (SAML) integration in our OIN catalog.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

OIDC for the following Okta Verified applications

2021.06.2: Update 2 started deployment on June 21

Generally Available

Sign-In Widget, version 5.7.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-381119

Silent Activation was blocked for certain orgs if the app sign-on policy required MFA reauthentication.

OKTA-383213

Admins could create an app using the App Integration Wizard even when their trusted origin configuration was incorrect.

OKTA-384020

The Active Directory Self-Service Unlock Account email template didn't recognize ${samAccountName} as a valid input.

OKTA-391097

Admins couldn't clear the Auxiliary Object Class attribute for an LDAP integration after setting the attribute's value.

OKTA-392165

Pushing a group from Okta to Slack failed if the group contained more than 15,000 users.

OKTA-393207

End users with custom user types couldn't modify their personal information from End-User Dashboard > Settings.

OKTA-393223

Admins weren't able to use the tab key to navigate in the Upload Logo section of the App Integration Wizard.

OKTA-395044

Factor enrollment with Device Trust failed for some users when they attempted to sign in to Airwatch Workspace One for the first time.

OKTA-398676

Admin permissions were sometimes revoked unexpectedly when new permissions were assigned to the admin.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • 8x8 Account Manager (OKTA-402020)

  • Airbnb (OKTA-400493)

  • Certify (OKTA-401731)

  • Dodge Company Shop (OKTA-402526)

  • Enterprise (OKTA-402529)

  • LiveWell (OKTA-402511)

  • Recorded Future SSO (OKTA-402503)

  • Shopify (OKTA-401733)

  • Techsmith (OKTA-400221)

Applications

Application Updates

  • The Boardvantage Meetx/Director app integration is renamed to Nasdaq Boardvantage.

  • The Udemy for Business SCIM app is updated as follows:

    • The Separate Group and Membership Creation setting is enabled.

    • Batch size is updated to 500.

  • The Zoom SCIM app integration schema is updated. For details, see Okta user management with Zoom.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified applications

  • Muck Rack (OKTA-399126)

  • Pave Commute (OKTA-399131)

SWA for the following Okta Verified application

  • HomeTagz (OKTA-402746)

OIDC for the following Okta Verified applications

2021.06.3: Update 3 started deployment on June 28

Generally Available

Sign-In Widget, version 5.7.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-372803

When set to custom, Okta Username format was autofilled with an invalid SpEL expression in the AD General Settings.

OKTA-386004

Some text strings in the End-User Dashboard weren't translated.

OKTA-386545

Exchange ActiveSync Settings in the Office 365 app > Mobile tab couldn't be saved.

OKTA-386841

When admins clicked the Application requests waiting task in the new Admin Dashboard, nothing happened.

OKTA-388959

The app import status showed as In Progress even when the import job had failed.

OKTA-395489

The Create new app integration and CAPTCHA integration forms used the term sign-on instead of sign-in.

OKTA-398094

The new End-User Dashboard displayed options to download Okta Mobile.

OKTA-399667

Some new Zendesk users weren't correctly provisioned in Okta.

OKTA-402379

Some admins could add apps to their orgs after the app limit was reached.

OKTA-402547

Users were prompted for MFA after they reset their passwords using Okta Windows Credential Provider.

OKTA-404379

The OIDC default scopes link sometimes added non-default scopes to access policy rules for authorization servers.

OKTA-407122H

Routing rules were ignored when using the user matches expression.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • CarGurus (OKTA-404542)

  • Delivery Slip (OKTA-402517)

  • SAP Concur Solutions (OKTA-404533)

  • Small Improvements (OKTA-402942)

  • Spectrum Business: Time Warner Cable (OKTA-402523)

  • SquareSpace Template (GT) (OKTA-404538)

  • Staples Advantage (OKTA-402525)

  • Workday Community (OKTA-404532)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified application

  • Vimeo (OKTA-403474)

OIDC for the following Okta Verified applications

2021.06.4: Update 4 started deployment on July 6

Fixes

General Fixes

OKTA-294735

Some text strings in the default email template editor weren’t translated.

OKTA-378363

When a user signed in over the Cisco Meraki network, using the RADIUS agent and Cisco Meraki app, and then changed their password, their account became locked.

OKTA-383559

Profile updates failed to push to the G Suite app and no error information was logged.

OKTA-386081

Error page templates for default and custom domains had inconsistent styling.

OKTA-387154

After the Content Delivery Network (CDN) was disabled for an org, the Sign-In Widget was still served from their custom domain.

OKTA-397685

On the Applications page, the cursor changed to show an extended hand cursor for non-clickable items.

OKTA-400622

The Browse App Catalog button on the Applications page was disabled for app admins.

OKTA-404562

The password policy requirements for LDAP-sourced user passwords were shown in a sentence format instead of a list.

OKTA-408809H

The MS Dynamic application icon didn't work as expected.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Akamai EdgeControl (OKTA-406128)

  • AutoEntry (OKTA-406126)

  • AxurePortal (OKTA-405442)

  • Lincoln Financial Group (OKTA-404686)

  • Recorded Future (OKTA-405697)

  • SharePoint (OKTA-405464)

  • WealthEngine (OKTA-405780)

Applications

Application Update

  • The Bluecross Member Central - Massachusetts integration is deprecated and has been removed from the OIN catalog.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified application

  • TrueCare (OKTA-405039)

OIDC for the following Okta Verified application

May 2021

2021.05.0: Monthly Production release began deployment on May 10

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Okta Sign-In Widget, version 5.6.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta Browser Plugin, version 5.45.0 for all browsers

  • The Recently Used apps section is now visible and accessible from the plugin popover.

  • The Recently Used apps section can be configured by end users on the Okta End-User Dashboard.

  • Plugin popover loading times have been decreased.

  • The plugin’s design and images have been updated.

See Okta Browser Plugin version history.

Agentless Desktop Single Sign-on authentication progress screen updates

Agentless Desktop Single Sign-on (ADSSO) authentication progress screens have been updated to make authorization and verification progress more visible and improve the user experience. See Configure agentless Desktop Single Sign-on.

Group push mapping change

When admins create a group push mapping and link it to a group whose members were imported through another method, those users are now Okta sourced. See Group Push.

New Select assignments to convert screen

The addition of a Select assignments to convert screen to the Okta Admin Console makes the conversion of app assignments from individually-managed to group-managed easier. With the click of a button you can now quickly locate, select, and then convert individual users, or convert all eligible assignments. See Convert an individual assignment to a group assignment.

Generally Available Enhancements

System Log enhancements

OAuth refresh token event details

System Log events now display information that indicates whether an OAuth refresh token is rotating or persistent.

System Log debug field changes

System Log Advanced Filters no longer support the Contains operator for the following fields:

  • debugContext.debugData.url

  • debugContext.debugData.requestUri

This is to ensure that service stability and operations aren't impacted.

actionId value now available in the System Log

To identify the Okta Active Directory agent used to process a delegated authentication request, the actionId value has been added to the user.authentication.auth_via_AD_agent event in the System Log. For orgs that use multiple agents, this value makes it easier to identify the specific location of log data used to resolve authentication issues. See System Log.

OIN Manager - SCIM submission enhancement

When submitting a SCIM app in the OIN Manager, ISVs can now specify the maximum number of group membership changes that can be included in a single PATCH request. See Configure protocol-specific settings.

Open On-Prem MFA and RSA SecurID page on select

When admins select either On-Prem MFA or RSA SecurID token names from Security > API, the associated MFA factor page now opens.

New help text for Initiate Login URI field

The Initiate login URI field, available in an application’s General Settings tab, now includes additional inline help text to clarify the correct URI to add to this field.

TLS certificate update for okta.com

The TLS certificate for okta.com will be updated beginning on May 6th, 2021, US Pacific Time. The updated certificate will be signed with a new trust chain and Root Certificate Authority (CA) trust anchor. The Root CA will change from the DigiCert High Assurance EV Root CA to the DigiCert Global Root CA. To avoid negative impact and service outages, customers who have a limited or non-standard set of certificates in their trust stores must take action prior to May 6th, 2021. See FAQs.

Password Health Report enhancement

Date columns in the Password Health Report are now in ISO 8601 format to improve readability.

Increased authorization code lifetime

The OAuth authorization code lifetime is increased from 1 to 5 minutes.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-379813

In some cases, end users who verified with IdP as a factor and selected the option to Remember this device were unable to save their configuration.

OKTA-379879

When signing in to a third-party identity provider (IdP), the sign-in hint wasn’t provided as a request parameter to the IdP.

OKTA-380784

In some cases, the security.threat.detected event type in the System Log was missing geographic information when ThreatInsight was enabled.

OKTA-387800

Vanity URLs for deleted users incorrectly included stack trace information with the 404 error.

OKTA-390301

RADIUS authentication with Duo sometimes failed if Single-line MFA prompts were disabled.

OKTA-391166

The link from the OIN Manager to the OIDC concepts document was broken.

Applications

Application Updates

The catalog descriptions for many OIN app integrations have been updated to improve accuracy and show available capabilities.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

OIDC for the following Okta Verified applications

Weekly Updates

2021.05.1: Update 1 started deployment on May 17

Generally Available

Okta Sign-In Widget, version 5.6.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-215049

When an OpenID Connect application was created using a deactivated application's name, a Duplicate Client Name error appeared.

OKTA-374204

End users were incorrectly redirected to the sign-out page if they reset their password through SMS and clicked the Back to Sign In link on the Code Verification page.

OKTA-380326

When an application was edited, the Initiate login URI field was erroneously auto-populated with a default value.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • ADP Vantage HCM (OKTA-390470)

  • ISACA (OKTA-391074)

  • ServiceNow (OKTA-390773)

  • Ticketmaster Account Manager (OKTA-390224)

  • United Health Care Member Login (OKTA-390993)

  • Xandr (AppNexus) (OKTA-390469)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Assembly (OKTA-387208)

  • Calendly (OKTA-390432)

  • Crosschq (OKTA-392449)

  • Ground Truth Intelligence (OKTA-385029)

  • ICI App (OKTA-391167)

  • Kaonavi (OKTA-389262)

  • Listrak (OKTA-386611)

  • MaestroQA-Enterprise (OKTA-393110)

  • Malt (OKTA-389581)

  • Officebooking (OKTA-389582)

  • QueryPie (OKTA-388315)

  • Webcasts.com Admin (OKTA-391005)

OIDC for the following Okta Verified applications

2021.05.2: Update 2 started deployment on May 25

Generally Available

Okta Sign-In Widget, version 5.6.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-362581

End users who attempted to sign in to the new Okta End-User Dashboard while access was prevented were not redirected to the proper error page.

OKTA-369101

Admins couldn't save login mappings for some OIDC Identity Providers.

OKTA-376269

When some users updated their recovery question, the password import inline hook was erroneously triggered.

OKTA-379913

Admins couldn't use the Tab key to advance to the next text field in the Test Delegated Authentication modal.

OKTA-383803

Creating new users in Coupa through Okta provisioning failed with a password length error even though the Sync password option was not selected.

OKTA-386927

The Light Agent role was not available to the users assigned to the Zendesk app.

OKTA-387820

The Current Assignment report in Application Access Audit sometimes failed to load and returned a 500 error.

OKTA-389874

The Client Credentials Flow could not implement a custom claim named scope.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • 1Password Business (OKTA-392758)

  • Concur - ProTrav (OKTA-394860)

  • Cradlepoint NetCloud (OKTA-392389)

  • Lifeworks (OKTA-395025)

  • SAP Concur Solutions (OKTA-395184)

  • The Washington Post (OKTA-393397)

Applications

Application Updates

The following SWA integrations are deprecated from the OIN:

  • Mindtickle - Admin

  • Lead Apparel

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Acronis Cyber Cloud (OKTA-393653)

  • Emerge (OKTA-393802)

OIDC for the following Okta Verified applications

2021.05.3: Update 3 started deployment on June 1

Generally Available

Sign-In Widget, version 5.6.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Content security policy enforcement on end-user pages

Content Security Policy (CSP) is now enforced for end-user pages. CSP headers provide an additional layer of security that helps to detect attacks such as cross-site scripting and data injection by telling browsers which kinds of actions a web page is allowed to execute. We have enforced a policy on our admin pages since last year, and until now the policy for end-user pages ran in report-only mode. We plan to make future iterations of our Content Security Policy enforcement for end-user pages stricter than this first release.

This feature will be gradually made available to all orgs.

Fixes

General Fixes

OKTA-330390

On the Onboarding tasks page, the Create an app integration task wasn’t marked Complete after an OIDC or OIN app was added.

OKTA-363972

The RelayState value sent from Jira on-prem to Okta was invalid.

OKTA-378981

SAML requests and responses weren't logged in the System Log as distinct event fields and lacked detail about the SAML assertion.

OKTA-385091

Attempts to push blank values from Okta to any custom app attributes in Google Workspace failed.

OKTA-386112

Imports of more than 2,000 users from Adobe Experience Manager sometimes failed.

OKTA-390477

Suspended users were automatically unlocked but appeared as suspended in the Admin Console.

OKTA-393682

Automatic provisioning of users to Google Workspace sometimes failed with a java.io.IOException error.

OKTA-396391

Some Internet Explorer users received a ScriptError alert when signing in to apps.

OKTA-398081

If the users and groups in an app-level policy were deleted, the Admin Console incorrectly showed the policy as applied to all users and groups.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Airbnb (OKTA-395954)

  • Boxed (OKTA-396919)

  • CultureIQ (OKTA-396932)

  • Eden (OKTA-395029)

  • Fortune (OKTA-395031)

  • Gong (OKTA-394257)

  • Granite Rock Reports (OKTA-393958)

  • LivePerson Expert (OKTA-390448)

  • Moffi (OKTA-395032)

  • MURAL (OKTA-395023)

  • Notion (OKTA-395035)

  • Odoo (OKTA-394706)

  • Traackr (OKTA-396931)

Applications

Application Updates

The following SWA integrations are deprecated from the OIN:

  • EverFi NEXT

  • AppNexus (replaced by Xandr)

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

  • Sisense for Cloud Data Teams: For configuration information, see Sisense SCIM documentation.

SAML for the following Okta Verified applications

  • iHASCO Training Suite (OKTA-396044)

  • Mursion (OKTA-394726)

  • PoliteMail (OKTA-393990)

  • Soveren (OKTA-389257)

  • Writer.com (OKTA-393658)

SWA for the following Okta Verified applications

  • IDEE MFA (OKTA-393819)

  • Xandr (OKTA-394701)

OIDC for the following Okta Verified applications

April 2021

2021.04.0: Monthly Production release began deployment on April 12

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta Active Directory agent, version 3.6.1

This version of the agent contains:

  • Improved query performance for customers with a large number of organizational units.

  • Security enhancements.

  • Improved logging functionality to assist with issue resolution.

  • Managed service account support for the Okta Active Directory agent.

  • Bug fixes.

See Okta Active Directory agent version history.

New operators available in Advanced Filters for System Log

Admins can now filter using new Advanced Filters operators:

  • ends with

  • not equal

  • is present (value exists)

  • greater than

  • greater than or equal to

  • less than

  • less than or equal to

Additionally, admins can now use the not equal, ends with, and is present operators in the System Log search bar. These operators provide greater flexibility when filtering System Log events. See System Log filters and search.

Admin Experience Redesign

With the Admin Experience Redesign feature, the Okta Admin Console now has:

  • A modern look and feel with improved responsiveness for the new navigation side bar.

  • A redesigned Okta Admin Dashboard that displays more practical insights for admins.

  • An Agents page in the Okta Admin Dashboard that shows the status and version of every Okta agent that is connected to customers' on-premises servers.

This improves the accessibility of the product, improves admin productivity, and helps admins to be more proactive with security issues.

Okta Applications

Okta admins can now create app-based sign-on policies for the Okta Dashboard, Okta Admin Console, and Okta Browser Plugin.

Previously, sign-on policies couldn't be configured for these first party applications. With this release, policy based on context such as user location, device, behavior, risk level, group membership, and more is included. This gives admins more flexibility and granular control over sign-on requirements for these first party apps. For example, different MFA requirements might apply to the Okta Admin Console for different groups of people.

See Control access to the Okta End-User Dashboard.

Generally Available Enhancements

TLS certificate update for okta.com

The TLS certificate for okta.com will be updated beginning on May 6th, 2021, US Pacific Time. The updated certificate will be signed with a new trust chain and Root Certificate Authority (CA) trust anchor. The Root CA will change from the DigiCert High Assurance EV Root CA to the DigiCert Global Root CA. To avoid negative impact and service outages, customers who have a limited or non-standard set of certificates in their trust stores must take action prior to May 6th, 2021. See FAQs.

Email notification settings

Email notification settings for New sign-on, MFA enrolled, and MFA reset are no longer enabled by default for new orgs. This change prevents new orgs from unintentionally sending email notifications to end users. See General Security.

NetSuite integration enhancement

Okta can now import the supervisor/manager ID for an employee from NetSuite, removing the dependency on Active Directory.

OIN Manager supports variable SAML ACS URLs

SAML app integrations that support multiple ACS URLs can now use app instance property variables to create non-static single sign-on URLs in their submissions.

Okta ThreatInsight free trial

Orgs that use free trial editions now see a limited functionality notification in the Okta ThreatInsight Settings section of the Security > General page. See General Security.

End users on new dashboard can request apps

End users can now request an app through the link in the footer of the new Okta End-User Dashboard. To turn this setting on, go to the Okta Admin Console > Applications > Self Service and enable Allow users to email "Technical Contact" to request an app.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-336939

For some orgs, the user activation page didn't display logos correctly if it was accessed through the redirect link in the User Activation email.

OKTA-337030, OKTA-375978, OKTA-378809, OKTA-379613, OKTA-380069, OKTA-380636, OKTA-381076, OKTA-381639

Some orgs that have the Admin Redesign Experience feature enabled had the following issues:

  • Scrolling functionality didn’t work as expected on some pages.

  • The Okta Admin Dashboard reached the rate limit threshold rapidly, causing a failure to load data in the Admin Dashboard widgets.

  • The spotlight search input field had extra padding.

  • Some pages had layout issues.

  • Some dialog boxes had unwanted scrollbars.

  • Some conditions in group rules were unreadable.

  • Group icons weren't displayed properly on the Group Assignment page.

OKTA-362647

Self-Service Registration incorrectly appeared in the Directory menu for group admins. This feature is available to super admins only.

OKTA-363849

The 12-hour timestamp on the Import Monitoring Dashboard didn’t display AM or PM.

OKTA-369992

The Report Suspicious Activity page didn’t display the geolocation and the IP address of the suspicious request.

OKTA-373689H

Sometimes the public OAuth metadata API responses did not include a Vary: Origin header, resulting in some browsers incorrectly caching the response across Origins.

OKTA-373957

Some iPhone and iPad users using Okta Mobile couldn’t sign in to Microsoft Teams.

OKTA-375702

The Okta Workflows app erroneously counted towards an org's app limit.

OKTA-375878

The Import Safeguard help documentation link on the Directories page was broken.

OKTA-376041

Some pop-up messages during the OAuth validation process incorrectly had scrollbars.

OKTA-376281

During creation of a new SPA app integration, the App Integration Wizard incorrectly enabled the Allow Access Token option under the Implicit grant type by default.

OKTA-376795

Registration Inline Hook sometimes failed during the self-service registration process.

OKTA-378045H

The Applications page in Developer orgs didn't have clear instructions about how to create more custom apps by upgrading to an Enterprise plan.

OKTA-378989

For some orgs, SAML inline hooks didn’t work as expected.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • AlertLogic (OKTA-380563)

  • Blacklane Car Service (OKTA-380186)

  • Bookmark App (OKTA-377640)

  • DHL Express (OKTA-380565)

  • Fortune (OKTA-380576)

  • ImpactOffice (OKTA-380575)

  • Music Vine (OKTA-380580)

  • mySE: My Schneider Electric (OKTA-375671)

  • Tumblr (OKTA-380562)

  • WordFly (OKTA-380953)

The following SAML app was not working correctly and is now fixed:

  • Mimecast Personal Portal v3 (OKTA-381518)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Altitude Networks (OKTA-369534)

  • Cerby (OKTA-381104)

  • LogMeOnce (OKTA-376650)

  • Millie (OKTA-378822)

  • Sketchboard (OKTA-377849)

  • Starred (OKTA-379901)

  • Vulcan Cyber (OKTA-366907)

Weekly Updates

2021.04.1: Update 1 started deployment on April 19

Generally Available Features

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Generally Available Enhancements

Password Health Report enhancement

Date columns in the Password Health Report are now in ISO 8601 format to improve readability.

Increased authorization code lifetime

The OAuth authorization code lifetime is increased from 1 to 5 minutes.

Fixes

General Fixes

OKTA-360669

Errors on the App Sign On Policy page were displayed at the top of the page rather than near the respective fields.

OKTA-360937

In some cases, Okta didn't import all users from ServiceNow.

OKTA-362325

Attributes with the number data type were reported to have been updated after CSV Directory imports even if nothing had changed.

OKTA-362647

Self-Service Registration, a super admin feature, incorrectly appeared in the Directory menu for group admins.

OKTA-375536

Developer org admins were incorrectly redirected to the user app page instead of the Admin Dashboard.

OKTA-375698

In some cases, the OAuth access token for Salesforce expired daily, which caused issues with provisioning.

OKTA-377265

In some cases, admins received a 500 error while creating a new user with JIT provisioning.

OKTA-380356

The Trusted Origin field in the new App Integration Wizard appeared even if the user didn't have the permission to manage the field.

OKTA-380892

Some help documentation links in the Agentless Desktop SSO and Silent Activation section didn't work.

OKTA-382214

In some cases, Group Administrators were incorrectly displayed as User Administrators in the Email Notification dropdown on the Account Settings page.

OKTA-382433

The text in the App Embed Link section of the Custom SAML App page was misaligned.

OKTA-385342

The new App Integration Wizard showed an error when creating an API Services app due to incorrect response type validation.

OKTA-388027

The Email Change Confirmed Notification configuration (part of Email & SMS Customization) didn’t have an option to specify whether admins only, or admins and end users received the notification.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Carta (OKTA-380324)

Applications

Updates

  • The Nature.com SWA integration is deprecated from the OIN.

    Use the Nature Research SAML app instead.

New Integrations

SAML for the following Okta Verified applications

  • Productive.io (OKTA-377469)

  • TigerConnect (OKTA-382369)

OIDC for the following Okta Verified application

2021.04.2: Update 2 started deployment on May 3

Generally Available

Okta Sign-In Widget, version 5.5.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-355894

The Recently Used tab on the Okta End-User Dashboard wasn't translated for all languages.

OKTA-361861

During a full import, profile updates occurred in Workday even if no attributes were changed for the user in Okta.

OKTA-369527

AD-sourced users received misleading error messages when they attempted to reset their passwords while the AD agent was down.

OKTA-371158

Some LDAP-sourced users' temporary passwords became their main passwords after they used them to sign in.

OKTA-373409

Some AD-sourced users were redirected to the default Okta org when they clicked the activation link in their welcome email.

OKTA-373578

Some Dynamic Network zones didn't block traffic as configured.

OKTA-375317

Some users received errors when they authenticated to Okta from ADFS with a custom domain.

OKTA-376991

After reactivation, some users weren't properly reassigned their applications.

OKTA-377853, OKTA-379764

International phone numbers were incorrectly parsed during profile updates in Workday.

OKTA-378405

Pushing AD-imported groups from one Okta instance to another failed.

OKTA-379707

The ThreatSuspected field in the System Log wasn’t consistently updated.

OKTA-380165

Previously scheduled Workday imports were still shown on the Import Monitoring dashboard after provisioning was disabled.

OKTA-381764

Some admins couldn't save settings for Incremental Import Schedule when they integrated a new CSV Directory.

OKTA-382686

The Upload CSV button wasn't clearly visible on the Application Import page of the new Okta Admin Console.

OKTA-382711

Syntax highlights were not correct in the Okta Admin Console code editors for the Custom Sign-In Widget and the Custom Error pages.

OKTA-383630

Preview and test emails in the Okta Admin Console didn’t render customization variables in the email subject field.

OKTA-383632

After a custom domain was configured, the test email dialog in the Okta Admin Console displayed the default email sender details as Okta <noreply@okta.com>.

OKTA-383647

Admins received timeout errors when they deactivated AD-sourced users through imports from Active Directory.

OKTA-384306

Icons in the Okta API Scopes tab were misaligned for OAuth apps.

OKTA-385297

Text on the Sign On tab was misaligned for some apps.

OKTA-389502H

In some cases when the new Okta End-User Dashboard was enabled, Okta incorrectly made hourly token renewal requests that caused user sessions to be active longer than configured.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Accertify (OKTA-388719)

  • Adobe (OKTA-385008)

  • ADP IPayStatements (OKTA-389106)

  • Apollo (OKTA-382989)

  • Beeline TMS (OKTA-383007)

  • Calendly (OKTA-382474)

  • Citi Credit Cards (OKTA-385007)

  • Cradlepoint NetCloud (OKTA-388566)

  • Delta Dental (OKTA-379327)

  • Dow Jones Private Equity and Venture (OKTA-388720)

  • Federal Procurement Data System (OKTA-382991)

  • Grammarly (OKTA-388717)

  • Jitterbit (OKTA-385006)

  • KeyBank (OKTA-385011)

  • LastPass Sync (OKTA-386955)

  • Milestone XProtect Smart Client (OKTA-386601)

  • MongoDB Cloud (OKTA-385010)

  • Portal Nutanix (OKTA-386598)

  • Shatswell MacLeod (OKTA-386604)

  • WEX Health Cloud (OKTA-385013)

  • WorkFlowy (OKTA-386597)

  • XpertHR (OKTA-382990)

  • ZeeMaps (OKTA-388718)

Applications

Application Updates

  • Our Dynamic Signal integration has been updated as follows:

    • The existing Dynamic Signal integration is deprecated and renamed Dynamic Signal (Deprecated).

    • A new Dynamic Signal integration is now available, without provisioning functionality.

  • The following SWA integrations are deprecated from the OIN:

    • Crazy Egg

    • Dow Jones Private Equity and Venture

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

  • Cato Networks Provisioning: For configuration information, see Cato Networking documentation here. Note that this documentation is only available for Cato authenticated users.

SAML for the following Okta Verified applications

  • brandworkz (OKTA-380978)

  • Dooly (OKTA-384467)

  • Feroot (OKTA-387002)

  • Folia (OKTA-369123)

  • Jobcan (OKTA-383754)

  • JoVE (OKTA-386197)

  • LINE WORKS (OKTA-387869)

  • MPulse 9 (OKTA-379463)

  • Open Practice Solutions (OKTA-379650)

  • Planisware Enterprise (OKTA-382573)

  • Propel PRM (OKTA-385027)

  • QReserve (OKTA-383759)

  • Thrive LXP (OKTA-385858)

  • Webcasts Admin (OKTA-382549)

SWA for the following Okta Verified applications

  • Atlanta Fine Homes (OKTA-383598)

  • Walkthechat (OKTA-385436)

  • WSRB (OKTA-385426)

OIDC for the following Okta Verified applications

  • Mantra: For configuration information, see Okta SSO.

March 2021

2021.03.0: Monthly Production release began deployment on March 8

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

LDAP agent, version 5.7.2

This version of the agent contains:

  • Support for Lightweight Directory Access Protocol (LDAP) group password policies

  • Internal improvements and security fixes

  • Bug fixes

To view the agent version history, see Okta LDAP Agent version history.

RADIUS Agent, version 2.15.1

RADIUS agent version 2.15.1 GA contains all updates released since version 2.7.4 EA, including:

  • Support for EAP-GTC and EAP-TTLS to improve security and extend support to network access vendors, such as Netmotion Mobility.

  • Support for TLS 1.2, which is required for all connections to Okta.

  • Support for internet proxies.

  • A simplified installer, which no longer requires shared secrets and ports.

The agent has also been tested on new Linux operating systems:

  • CentOS 7.6.

  • Ubuntu 20.04.1 LTS.

  • Red Hat Enterprise Linux release 8.3.

  • Windows Server 2016.

  • Windows Server 2019.

In summary, the new agent provides admins with an easier installation, configuration, and run-time experience, and we recommend it for all Okta RADIUS customers.

See Okta RADIUS Server Agent Version History.

Okta Sign-In Widget, version 5.4.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

New number challenge options in Okta Verify admin settings

New Okta Verify settings in the Admin Console now allow admins to control when users receive a number challenge. Number challenge is an existing Okta Verify feature in eligible orgs that helps Android and iOS users enrolled in Okta Verify with Push avoid accepting fraudulent push notifications when they try to access a protected app. Completing the challenge ensures that the sign-in attempt came from the user and not from an unauthorized person. Admins can now choose to never challenge users, challenge with all push notifications, or challenge only for high-risk sign-in attempts. See Enable Number Challenge with Okta Verify with Push.

Option to switch between Admin Experience Redesign and the old experience

Super admins can now switch between Admin Experience Redesign and the old experience by using the option provided on the Okta Admin Dashboard. This gives admins time to adapt to the new user experience, which is on by default, and the option to revert to the old experience if required.

OIN Catalog enhancements

The OIN catalog adds several customer identity categories, highlights key app integrations, and now shows relevant Okta Workflow connectors and templates. Administrators can click Add integration to add a specific app integration directly to their org. These improvements make it easier for administrators and application developers to learn about Okta’s customer identity integrations. They can browse for relevant integrations like social identity providers and identity proofing solutions and add these integrations to their Okta org.

This feature will be gradually made available to all orgs.

Deleted schema property scrubber

All existing data associated with a schema property is now removed when a schema property is deleted. To prevent data corruption, the property cannot be recreated until the existing data is fully removed. Previous data is no longer restored when recreating a deleted schema property with the same definition. This new functionality prevents the corruption of profile data and the associated Elastic search issues. See Add or remove custom directory schema attributes.

This feature will be gradually made available to all orgs.

OIDC App tab improvements

The following improvements have been made to the OIDC App tab:

  • The default tab is now General instead of Assignments.

  • Client Credentials moved to the top of the page.

  • Downloaded sample apps now have pre-populated environment variables.

See Create OIDC app integrations.

This feature is available for all new Production orgs.

LDAP self-service password reset

End users can now perform a self-service reset of their LDAP password using SMS (Short Message Service). Without compromising security, this functionality simplifies the password reset process and removes the need to involve IT Help Desk for credential management. Using SMS for password resets reduces the Help Desk workload and support costs. See Manage self-service password reset.

Improved auto-complete functionality

To improve the accuracy and speed of user searches, the auto-complete functionality on the Okta Admin Console administrator pages is updated.

Generally Available Enhancements

Improvements to the OIN Manager submission QA process

The Okta Operations team now conducts a final internal QA test for app integration submissions in the OIN Manager Portal and sends an email when the final review is complete. If the review is successful, your submission is automatically published in the OIN. These changes streamline the QA and approval process for OIN app integrations.

OIN Manager additional fields

The OIN Manager portal now accepts encrypted SAML assertion certificates. Also, fields are added to clarify OIDC configuration requirements and to confirm that SCIM app integrations are prepared properly for submission. See Configure protocol-specific settings. These changes simplify the ISV submission process, reducing unnecessary communications with the Okta Operations team.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-209671

Updating a user address field with a string that was too long returned a 500 error response instead of a 400 error with appropriate details.

OKTA-335776

In rare cases when an admin re-typed their password in the Office 365 Admin Password field and then clicked Fetch and Select on the Sign On tab, the Fetch and Select command failed with an error.

OKTA-336326

Sometimes, when the Office 365 Provisioning option was set to Licenses/Roles Management Only, roles and licenses assigned to Office 365 users in Okta didn't sync in Microsoft.

OKTA-346766

Text on some AD Import pages in the new Okta Admin Console was misaligned.

OKTA-352294

Workday incremental imports sometimes failed with a NullPointerException error.

OKTA-359091

Expanding Admin Tasks on the Admin Dashboard changed the index value of the tasks.

OKTA-367327

When IDP as Factor was enabled, some users received the Invalid Token error on stale sign-in pages.

OKTA-367834

The QR code image in the Setup Okta Verify flow didn't include alt text, which caused screen readers to not recognize the image.

OKTA-367844

The SCIM provisioning feature was not enabled for the Lifecycle Management SKUs included with API products.

OKTA-367999

Some end users were stuck in an authentication loop when trying to sign in to Okta.

OKTA-370037

Text on some pages in the new Okta Admin Console was misaligned.

OKTA-371599

Text on the LDAP tab of the Delegated Authentication page was not rendered properly.

OKTA-372049

Text on the Sign On tab of the App Settings page was misaligned.

OKTA-372436

An issue with ThreatInsight was resolved for some organizations who upgraded a free trial edition to Production.

OKTA-372678

Sometimes the sign-in page didn't refresh if the token was expired.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Aflac (OKTA-372087)

  • Alarm (OKTA-372091)

  • CBRE (Employee Login - The Navigator) (OKTA-370216)

  • Frontier Communications (OKTA-370218)

  • GoCompare (OKTA-370219)

  • MX Merchant (OKTA-370217)

  • MxToolbox (OKTA-370503)

  • Premium Audit Advisory Service (PAAS) (OKTA-368399)

  • Rippe and Kingston LMS (OKTA-372081)

  • ShopAtHome (OKTA-372067)

  • The Economist (OKTA-372207)

  • Visage MobilityCentral (OKTA-372095)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Banyan Command Center (OKTA-370640)

  • Five9 Plus Adapter for Microsoft Dynamics CRM (OKTA-367992)

  • Noticeable (OKTA-370631)

SWA for the following Okta Verified application

  • Clarizen One (OKTA-371928)

OIDC for the following Okta Verified application

Weekly Updates

2021.03.1: Update 1 started deployment on March 15

Fixes

General Fixes

OKTA-337155

Sometimes, if a refresh token flow contained an invalid refresh token, the hash was not logged in the System Log.

OKTA-340754

In some cases, users couldn't be assigned to or removed from a group from their Okta Profile.

OKTA-347379

The Okta Browser Plugin incorrectly suggested a new password for the ServiceNow app.

OKTA-362310

The Dutch translation for password requirements on the password reset screen was incorrect.

OKTA-369737

Search boxes on some pages under Security had a CSS issue.

OKTA-370192

Some admins couldn't create users for Box if the default input value for the parent folder path was left empty in Okta.

OKTA-370944

In some cases, after a user deletion legitimately failed, admins were unable to delete other users.

OKTA-378843H

Invalid token requests resulted in a 500 error.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Benchmarking (OKTA-375324)

  • Forbes (OKTA-372724)

  • Fusion MortgagebotLOS (OKTA-373862)

  • Google Workspace (OKTA-374871)

  • Hawaiian Airlines (OKTA-375320)

  • Papertrail (OKTA-375327)

  • Pingdom (OKTA-375323)

  • Schwab Advisors (OKTA-358544)

  • Taboola (OKTA-371937)

  • WorkdayCommunity (OKTA-374314)

  • Zapier (OKTA-374811)

  • Zoom (OKTA-372449)

Applications

Application Updates

Our OrgWiki integration has been updated as follows:

  • The existing OrgWiki integration is renamed OrgWiki (Deprecated).

  • Customers should now use the OrgWiki (SCIM) integration in our catalog.

New Integrations

SAML for the following Okta Verified applications

  • Admin By Request (OKTA-372458)

  • Fortanix Self Defending Key Management Service (OKTA-373374)

  • Taskize Connect (OKTA-369898)

2021.03.2: Update 2 started deployment on March 22

Generally Available Features

Okta Sign-In Widget, version 5.4.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

General Fixes

OKTA-297743

Apps weren't highlighted automatically if they matched a user’s search terms in the App Catalog.

OKTA-319109

In orgs with the Admin Experience Redesign feature enabled, the Imports Paused task was missing from the Dashboard page in the Okta Admin Console.

OKTA-345217

Some user interface elements on sign-on policy pages for apps were formatted incorrectly.

OKTA-355148

LDAP-sourced users received a 500 error while attempting a self-service password reset that violated common password patterns.

OKTA-362677

In orgs with the Admin Experience Redesign feature enabled, when admins clicked Workflow > Workflow console, the page didn't open in a new browser tab.

OKTA-368354H

Some Adobe Experience Manager imports failed.

OKTA-370306

The side navigation in the Okta Admin Console didn't scroll automatically to a selected item.

OKTA-371058

In some cases, users experienced performance issues on the Okta End-User Dashboard and had to refresh the page manually.

OKTA-372440

The Add Section button was missing from the new Okta End-User Dashboard app list when embedded in an iframe.

OKTA-373004

The Upload button for Encryption Certificates was missing from the Sign-On settings tab in the Okta Admin Console.

OKTA-373729

In some cases, importing users from Active Directory to Okta failed and app assignment didn't complete if a single user failed to import.

OKTA-373944

In orgs with the Admin Experience Redesign feature enabled, admins who didn't have search permissions could see the search box in a deactivated state.

OKTA-375432

In some cases, the onboarding checklist for new developer orgs wasn't populated correctly upon registration.

OKTA-375541

Some app sign-on policy pages had display issues.

OKTA-375953

Smart Card authentication failed if an org had multiple Smart Card Identity Providers (IdPs) configured.

OKTA-375998

The Help documentation link on the Active Directory introductory page redirected users to the wrong documentation page.

OKTA-376620

The error message shown to end users when the login page had an expired token was unclear.

OKTA-379196

End users that belonged to environments without the new Okta End-User Dashboard self-service feature enabled were presented with a blank page after signing onto a custom domain.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Domo (OKTA-373343)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • JustCall (OKTA-375104)

  • Rent Dynamics (OKTA-373350)

  • Roadster (OKTA-359604)

  • Vonage (OKTA-373104)

2021.03.3: Update 3 started deployment on March 29

EA Enhancement

Dashboard and Browser Plugin apps available in Admin Console

Admins of the orgs that have enabled the new Okta End User Dashboard and First Party Applications can now see the Okta Dashboard and Okta Browser Plugin apps in Okta Admin Console > Applications. They can also set up sign-on policies for these apps. See Control access to the Okta End-User Dashboard. This feature will be gradually made available to all orgs.

Fixes

General Fixes

OKTA-333391, OKTA-362811, OKTA-372138, OKTA-372662, OKTA-372959, OKTA-375504, OKTA-375682, OKTA-375977, OKTA-376890, OKTA-376908, OKTA-376985, OKTA-376988, OKTA-377189

Orgs with the Admin Experience Redesign feature enabled had the following issues on some pages:

  • Text or UI elements were misaligned or didn’t wrap correctly.
  • Drop-downs didn’t work properly.
  • Old UI elements replaced the new ones.
  • Font or font color was inconsistent.
  • The scroll functionality didn’t work properly.

OKTA-354628

The RADIUS app didn't have a configuration option to permit MFA-only configuration to allow access-challenge responses.

OKTA-372692

If multiple users matching a UPN or SAM Account Name existed, the authentication process failed even if only one of those users was assigned the RADIUS app.

OKTA-373288

In rare cases, during multifactor authentication (MFA) enrollment with SMS as a factor, users could have multiple unverified phone numbers and weren't able to verify any of them.

OKTA-373963

Group memberships were still being synced to an app even when API integration for the app was disabled.

OKTA-377201

After the local numbers were changed to 10 digits, users in Ivory Coast enrolling in SMS and Voice Call authentication received a warning about the phone numbers not being valid, and they had to retry the same number to complete the enrollment.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Azure Manage (OKTA-377470)

  • Baystate Benefits - Employee (OKTA-377235)

  • Brainerd Dispatch (OKTA-377232)

  • Chase Bank - Personal (OKTA-377215)

  • Domo (OKTA-377226)

  • GuideStar (OKTA-377224)

  • IBM Blueworks Live (OKTA-377219)

  • IntraLinks (OKTA-377496)

  • Iola (OKTA-377217)

  • Jack Henry & Associates Client Portal (OKTA-377212)

  • Lucidchart (OKTA-376367)

  • SAP Concur Solutions (OKTA-375460)

  • Skykick (OKTA-377845)

  • Staples (OKTA-377474)

  • Texas Mutual (OKTA-355698)

  • The Information (OKTA-372438)

  • TSheets QuickBooks (OKTA-372937)

Applications

Application Updates

  • The Fastly application is now private and is renamed Fastly (Deprecated)

  • The Signal Sciences application is now private and is renamed Signal Sciences (Deprecated)

  • The Fastly SAML is renamed Fastly and is updated with SWA Sign On mode.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • EVA Voice Biometrics (OKTA-379067)

  • FortiSASE SIA (OKTA-379066)

  • GitHub Enterprise Managed User (OKTA-379065)

  • IDrive360 (OKTA-378511)

  • Lucid (OKTA-377238)

  • SecureFlag (OKTA-377229)

February 2021

2021.02.0: Monthly Production release began deployment on February 8

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Option to activate and deactivate rate limit warning and violation notifications for all orgs

All admins now receive the warning and violation notifications for rate limits. Additionally, you have the option to activate and deactivate the notification from the Admin Console.

Additional events available for use as Event Hooks

The following event types are now available for use as an Event Hook:

  • The user.account.lock event makes admins aware of accounts that are locked because of suspicious activity or due to multiple incorrect sign-in attempts. Admins can also use this Event Hook to take action against affected accounts.
  • The user.account.unlock event makes admins aware of accounts that are no longer locked. Admins can also notify users of appropriate next steps to prevent future account locking.
  • The group.lifecycle.create event notifies admins when new Okta groups are created. The group.lifecycle.delete event notifies admins when new Okta groups are deleted. Admins can use Event Hooks based on these events to initiate automated custom flows.
  • The system.org.rate.limit.warning event notifies admins when their org is approaching an org-wide rate limit. The system.org.rate.limit.violation event notifies admins when their org has exceeded an org-wide rate limit. Admins can use Event Hooks based on these events to trigger a real-time alert to a downstream system, such as PagerDuty.
  • The system.import.group.create event helps admins to automate IT processes, such as providing members of the imported group with access to applications.
  • The system.import.group.delete event helps admins use these events to trigger actions in downstream systems, such as an Okta Workflows Flow that creates a Slack notification.
  • The user.mfa.factor.suspend and user.mfa.factor.unsuspend events notify your service when enrolled MFA factors are suspended or unsuspended. This typically occurs when a registered device associated with the factor is suspended or unsuspended either through the Okta Admin Console or the Okta API.
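A sketch of how a receiving service might consume the Event Hook types listed above; this is an added example, not Okta's code. The delivery envelope (`data.events`, `uuid`, `published`, `target`) and every sample value are assumptions constructed for illustration.

```python
"""Triage one Event Hook delivery: dedupe, order by time, reduce to current state."""
from datetime import datetime

# Event types named in the release note above.
LOCK, UNLOCK = "user.account.lock", "user.account.unlock"
SUSPEND, UNSUSPEND = "user.mfa.factor.suspend", "user.mfa.factor.unsuspend"
RATE_WARN = "system.org.rate.limit.warning"
RATE_VIOLATION = "system.org.rate.limit.violation"


def _published(event):
    # Assumed ISO 8601 timestamp with a trailing "Z".
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def _users(event):
    # Assumed: affected accounts appear as targets of type "User".
    return {
        t.get("alternateId") or t["id"]
        for t in event.get("target", [])
        if t.get("type") == "User"
    }


def triage(delivery, seen_uuids=None):
    """Return the state implied by a delivery.

    seen_uuids is a caller-owned set; pass the same set on every call so a
    redelivered event is counted once.
    """
    seen = set() if seen_uuids is None else seen_uuids
    fresh, duplicates = [], 0
    for ev in delivery.get("data", {}).get("events", []):
        if ev["uuid"] in seen:
            duplicates += 1
            continue
        seen.add(ev["uuid"])
        fresh.append(ev)

    # Events inside a delivery are not assumed to be ordered; a lock that is
    # processed after its own unlock would leave a stale "locked" entry.
    fresh.sort(key=_published)

    locked, suspended, other = set(), set(), []
    rate_limit = None
    for ev in fresh:
        kind = ev["eventType"]
        if kind == LOCK:
            locked |= _users(ev)
        elif kind == UNLOCK:
            locked -= _users(ev)
        elif kind == SUSPEND:
            suspended |= _users(ev)
        elif kind == UNSUSPEND:
            suspended -= _users(ev)
        elif kind == RATE_VIOLATION:
            rate_limit = "violation"
        elif kind == RATE_WARN:
            # A later warning never downgrades an earlier violation.
            rate_limit = rate_limit or "warning"
        else:
            other.append(kind)

    return {
        "locked": sorted(locked),
        "mfa_suspended": sorted(suspended),
        "rate_limit": rate_limit,
        "other": other,
        "duplicates": duplicates,
    }


def _ev(uuid, kind, published, user=None):
    # Builds a constructed sample event; not captured from a real org.
    target = []
    if user:
        target = [{"type": "User", "id": "00u-" + user,
                   "alternateId": user + "@example.com"}]
    return {"uuid": uuid, "eventType": kind,
            "published": published, "target": target}


# Constructed delivery: out of order, with one repeated uuid.
SAMPLE_DELIVERY = {
    "eventType": "com.okta.event_hook",
    "data": {"events": [
        _ev("e2", UNLOCK, "2021-02-08T10:05:00.000Z", "alice"),
        _ev("e1", LOCK, "2021-02-08T10:00:00.000Z", "alice"),
        _ev("e3", LOCK, "2021-02-08T10:01:00.000Z", "bob"),
        _ev("e3", LOCK, "2021-02-08T10:01:00.000Z", "bob"),
        _ev("e4", SUSPEND, "2021-02-08T10:02:00.000Z", "carol"),
        _ev("e5", RATE_VIOLATION, "2021-02-08T10:03:00.000Z"),
        _ev("e6", RATE_WARN, "2021-02-08T10:04:00.000Z"),
        _ev("e7", "group.lifecycle.create", "2021-02-08T10:06:00.000Z"),
    ]},
}

if __name__ == "__main__":
    print(triage(SAMPLE_DELIVERY))
```
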

New System Log events for MFA factor activity and for importing users through CSV

The following System Log event types are now available:

  • The system.mfa.factor.activate event indicates that the MFA factor is activated.

  • The system.mfa.factor.deactivate event indicates that the MFA factor is deactivated.

These events help admins collect metrics for MFA factor activity and track user action for activating and deactivating an MFA factor. These events are triggered when an MFA factor is activated and when it is deactivated.

  • The system.import.user_csv.start event indicates that the process to import users from CSV is started.

  • The system.import.user_csv.complete event indicates that the process to import users from CSV is completed.

These events help admins track user activity of batch importing users through CSV. These events are triggered when the process to import users from CSV is started and when it is completed.

Support for Safari user interaction requirement for WebAuthn flows

Okta now supports Safari's user interaction security requirement for WebAuthn flows. When accessing resources protected by an Okta WebAuthn MFA policy, end users now must tap Verify before they're challenged to provide biometrics or a security key.

General Availability of Workflows

Okta Workflows is now Generally Available for additional customers in the APAC cell.

Okta Workflows is an interface-driven, no-code platform for business process automation that provides integration with some of the most widely used third-party APIs in the industry, including Box, Slack, Salesforce, and Google Workspace. See Okta Workflows.

Deployment is taking place over the course of several days to entitled orgs with the following SKUs:

  • IT Products - Advanced Lifecycle Management

  • Legacy SKU: IT Products - Lifecycle Management, Unlimited

  • Legacy SKU: IT Products - Lifecycle Management, Unlimited OIN Apps

  • Legacy SKU: IT Products - Lifecycle Management, 10 OIN Apps

To access Workflows, select the Workflow > Workflows console menu option from the Okta Admin Console.

Limit group stats when searching for user groups during admin assignment

In search results, groups with more than 10,000 users or apps now appear with a count of 10,000. This speeds up results when super admins search for groups to assign admin privileges. The actual totals are not impacted and can be viewed on the group's page.

New System Log delAuthTimeout and LDAP delAuth values

The following values now appear in the System Log:

  • The delAuthTimeout value identifies the authentication timeout value. The delegated authentication timeout value is the time in milliseconds that Okta waits for delegated authentication responses. Knowing this value can help identify when timeout values are too high and consuming system resources unnecessarily. See System Log.

  • The Ldap delAuth value identifies the delegated authentication type. The values returned are LDAP or AD. Knowing this value can help you identify and resolve delegated authentication issues. See Enable delegated authentication for LDAP.

Generally Available Enhancements

Admins only receive rate limit warning and violation notifications for org events

All admins are notified of rate limit warnings and violations for their orgs in the Admin Console and by email. These notifications are for org-wide events and not for client and operations-based events. This reduces unnecessary email notifications.

Updates to the text in rate limit warning and violation notifications

The text in the rate limit warning and violation notifications in the Admin Console and email has been updated to make it more user-friendly. Now, the email notification also contains a link to the Rate limit overview document to boost your understanding of rate limits. See Rate limits.

Link to Okta agent support policies

The Downloads page in the Admin Console now has a direct link to the latest Okta agent support policies. See Okta agent support policies.

Enhancement to the OIDC app creation message

After an OIDC application is created, the Application created successfully notification is frequently missed because it only appears briefly after an app is saved. The message now appears after the UI redirects to the new application's main page.

Okta Workflows URL verification in Event Hooks

Admins can now enter a Workflow API Endpoint URL as an Event Hook URL without the need for verification. This helps admins easily configure a Workflow to be triggered from an Event Hook for multiple events or for events not yet available in Workflows.

See Event hooks.

Enhancements to policy scheduled execution System Log events

The policy.scheduled.execute event has been updated. When triggered by Okta Automations, this event now displays the number of user lifecycle state changes for deactivations, deletions, and suspensions in the SuccessfulDeactivations, SuccessfulDeletions, and SuccessfulSuspensions fields under the DebugContext object. This event is useful for admins to measure the number of user accounts that have been affected by Okta Automations.

New color scheme for the map view in System Log

The map view in the System Log now has a new color scheme that increases visibility and clarity.

Early Access Features

New Features

Enhanced Admin Console search

Admins can now search for end user email addresses in the Spotlight Search field in the Admin Console. You can also view the user's status in the search results when you search by username and email address. This robust global search helps you find what you need in the Admin Console quickly, thereby saving time and increasing productivity. See Admin Console search.

Fixes

General Fixes

OKTA-336933

Some Office 365 users were deprovisioned with an incorrect localization error.

OKTA-347240

During account creation, if a user's input violated the length constraints, the error message didn't include the value of the length constraint.

OKTA-348024

SuccessFactor users weren't deactivated by timezone.

OKTA-351180

SAML Preview returned the 400 Bad Request error if the SAML sign-on mode for an app was configured with Single Logout.

OKTA-353734

Some users who had successfully authenticated received a sign-in failed error when they attempted to sign in to an app that wasn't assigned to them.

OKTA-355854

The Okta Admin Dashboard wasn't properly aligned in Internet Explorer 11.

OKTA-358580

Admins couldn't approve or deny app access requests in the new Okta End-User Dashboard.

OKTA-358736

Resend SMS factor sometimes resulted in a 400 error upon app sign-in.

OKTA-359104

Some base attributes were missing from the User Profile.

OKTA-359189

The Preview banner in Preview orgs wasn't properly displayed.

OKTA-361024

The new Okta End-User Dashboard didn't show all company-managed apps or the Show More button.

OKTA-361741

In an IdP-initiated flow, end users were prompted to verify the IdP factor when they accessed an app even if they'd verified a factor when they signed in to the Okta End-User Dashboard.

OKTA-362034

In some browsers, extra scroll bars appeared on the Okta Admin Dashboard.

OKTA-362764

The Tasks card on the Okta Admin Dashboard didn't load properly in Internet Explorer 11.

OKTA-363398

The Help documentation link under Customization > New End User Experience was broken.

OKTA-364583

In the SmartSheet provisioning profile, when admins tried to change the Group Priority setting to Combine values across groups for the variable smartsheet.userPermissions, the error message: Not allowed to modify property userPermissions from the base schema was returned.

OKTA-366948H

Some imports from AD were delayed, especially when a large number of import jobs were being run.

OKTA-367152H

In some cases, MS Office authentication did not prompt for MFA and failed.

Applications

  • The Okta SAML Toolkit is deprecated and removed from the Okta Downloads page.

  • Google Apps is rebranded as Google Workspace. We have updated the OIN Application and associated documentation.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • TravelPerk (OKTA-362457)

Weekly Updates

2021.02.1: Update 1 started deployment on February 16

Fixes

General Fixes

OKTA-348508

During Okta to Box provisioning, if the Create personal Box folder when new user account is provisioned option was selected, the admin was sometimes added to the folder with the user.

OKTA-350375

Some profiles were not updated when Active Directory (AD) attributes were pushed to custom attributes in Okta.

OKTA-358884

During CSV import, attempts to add and update User Profile attributes failed.

OKTA-359569

During password reset, an incorrect error message was reported if security requirements were not met.

OKTA-360989

Admins couldn't enable the Okta Browser Plugin toolbar for specific groups.

OKTA-361726

In the new Okta Admin Console, the Overview section of the Admin Dashboard didn't reflect the correct last-updated date for reports.

OKTA-362107

A non-functioning Learn More link was displayed under Status in the Agents panel.

OKTA-363845

In the new Okta Admin Console, the number of apps displayed on the dashboard was different from the number of actual apps.

OKTA-365531

The Russian translation for the Show More button in the App Catalog was inaccurate.

OKTA-366755

In Internet Explorer 11, the left navigation menu was missing from the new Okta Admin Dashboard.

OKTA-367191

The word Authenticator was not translated on the new Okta End-User Dashboard or in the security enrollment flow.

OKTA-367776

When using a browser other than Safari to access resources protected by an Okta WebAuthn MFA policy, end users were required to tap Verify before they were challenged to provide biometrics or a security key.

OKTA-370361H

Admins sometimes encountered errors when attempting to update O365 app settings or with provisioning-related operations to AAD.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 123RF (OKTA-365452)

  • Avery (OKTA-361758)

  • Chrome River (OKTA-364083)

  • CSI - WatchDOG Elite (OKTA-362468)

  • Exclusive Resorts (OKTA-364063)

  • mySE: My Schneider Electric (OKTA-364080)

  • Nationwide Evictions (OKTA-367116)

  • Notion (OKTA-366913)

  • Skrill (OKTA-366912)

  • SmartyStreets (OKTA-361757)

  • vAuto (OKTA-361755)

  • Visionplanner (OKTA-360707)

  • Wayfair (OKTA-366424)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • A Cloud Guru (OKTA-361798)

  • Genesys Cloud (OKTA-362719)

  • Onfido (OKTA-365910)

  • Strings (OKTA-364012)

  • zkipster (OKTA-364003)

2021.02.2: Update 2 started deployment on February 22

Fixes

General Fixes

OKTA-344871

Although the Add Rule button on the Groups page appeared inactive, in some cases users accessed the Add Rule dialog box after clicking the button.

OKTA-345647

3-byte characters weren't readable in the Okta Password Health report.

OKTA-347025

Group admins could view all Okta tenant users and not just the ones in their group.

OKTA-354798

Sometimes, sign-in attempts with Just-In-Time provisioning using LDAP failed with an UNKNOWN_USER error when delegated authentication was enabled.

OKTA-356023

Importing users from SAP Litmos to Okta failed in some cases.

OKTA-358253

The Okta End-User Dashboard didn't display localized content when the web browser's default language was set to Indonesian.

OKTA-360983

Password requirement error messages shown during self-service registration weren't consistent.

OKTA-361189

In the new Okta Admin Console, the My Settings link erroneously redirected to the organization's Settings page instead of the end-user Settings page.

OKTA-364406

When creating a new app integration as part of the developer onboarding experience, users were redirected to the deprecated Okta Developer Console App Integration Wizard, instead of the App Integration Wizard in the Okta Admin Console.

OKTA-365037

Sometimes, Just-In-Time provisioning or Real Time Sync wasn't triggered during Active Directory delegated authentication.

OKTA-365205/OKTA-366761

Some pages in the new Okta Admin Console didn't display properly in Internet Explorer 11.

OKTA-365925

Sometimes, admins received a 500 Internal Server Error when they deleted a user.

OKTA-367666

When creating a new SAML 2.0 app integration, the Attribute Statement heading in the wizard wasn't grouped with the corresponding input fields.

OKTA-367941

On the Create OpenID Connect App Integration page in the Okta Admin Console, the yellow bar was missing from the side note.

OKTA-368138

In the new Okta Admin Console, removed app instances were identified as agent down on the Dashboard > Agents page.

OKTA-368828

In the new Okta Admin Console, selected child pages were sometimes not highlighted in the left navigation menu.

OKTA-370995

The Admin Console search didn't deliver expected search results when customers searched by the full name of the user. As part of this fix, the ability to search by email address and to view the user's status has been rolled back and is now only available as Early Access.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Arena Solutions (OKTA-366918)

  • CoderPad (OKTA-368916)

  • IBM Blueworks Live (OKTA-366917)

  • NewEgg (OKTA-366340)

  • UserVoice (OKTA-366920)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Cybereason (OKTA-364009)

  • EmployerD Payroll and HR Solutions (OKTA-356069)

  • Exium (OKTA-367104)

  • HyperStore (OKTA-365050)

  • Samdesk (OKTA-367358)

SWA for the following Okta Verified applications

  • Beyond Identity (OKTA-354040)

  • Secret Double Octopus (OKTA-353300)

  • Silverfort (OKTA-352875)

  • Trusona (OKTA-352871)

  • Truu (OKTA-352866)

2021.02.3: Update 3 started deployment on March 1

Fixes

General Fixes

OKTA-332375

Sometimes, admins received a generic 500 error for agentless Desktop Single Sign-On failures caused by request timeout.

OKTA-341050

Some banners in the new Okta Admin Console had inconsistent style.

OKTA-344854

The Sign-In Widget pages were missing language attributes required by screen readers.

OKTA-358773

For deactivated users, apps were still displayed in the Assigned Applications list although they had been unassigned.

OKTA-358826

In the new Okta Admin Console, after opening and closing the spotlight search window with the keyboard shortcut Control + Space, the window no longer opened when admins clicked the Search field or icon.

OKTA-363680/OKTA-371218

Sometimes, a user that was removed from a group wasn't unassigned from the apps assigned to that group, and was instead left with individual assignment.

OKTA-365542

In the new Okta End-User Dashboard, the check box for Lightweight Directory Access Protocol (LDAP) delegated authentication settings was misaligned.

OKTA-365604

Although the See Password and Update Credential settings shouldn't be available for bookmark apps, these settings were still displayed in the Okta End-User Dashboard.

OKTA-370942

Sometimes, a deactivated Office 365 app instance in Okta couldn't be deleted if the username and password for the app instance failed authentication in Microsoft.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Google Workspace (OKTA-368883)

  • Onfido (OKTA-368220)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Claim Leader (OKTA-369552)

  • FAX.PLUS (OKTA-370972)

  • Gamesight (OKTA-360548)

  • IBMid (OKTA-367991)

  • MyCarSpot (OKTA-355697)

  • Osano (OKTA-368805)

  • Sigma on AWS (OKTA-369098)

  • SmartHR (OKTA-368788)

  • Tanda (OKTA-352713)

  • Very Good Security (OKTA-369127)

  • Whil (OKTA-370655)

January 2021

2021.01.0: Monthly Production release began deployment on January 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

New phone rate limits

Users who attempt Voice and SMS enrollment can now be rate limited. Voice and SMS enrollment rate-limit events are now logged in the System Log. See Rate Limits.

WebAuthn feature validation updates with Trusted Origins API

The WebAuthn feature now supports trusted cross-origin and cross-Relying Party Identifier (RP ID) validation when using the Trusted Origins API. Trusted Origins are configured in the Okta Trusted Origins framework either through the Admin UI or the API. These Trusted Origins, configured with the CORS scope, now support orgs using WebAuthn for sign-in pages hosted at Trusted Origins distinct from the org's Okta URL (that is, different from the org's Okta or custom domain URL).

User authentication with MFA can be used as an Event Hook

The user.authentication.auth_via_mfa event type is now available for use as an event hook. See Event Types for a list of events that can be used with event hooks.

Browser Plugin notification expiration

Notifications for new features in the Okta Browser Plugin now expire after three months. See Okta Browser Plugin version history.

Okta Workflows is Generally Available

Okta Workflows is an interface-driven, no-code platform for business process automation that provides integration with some of the most widely used third-party APIs in the industry, including Box, Slack, Salesforce, and G Suite Admin. See Okta Workflows.

Deployment is taking place over the course of several days to entitled orgs with the following SKUs:

  • IT Products - Advanced Lifecycle Management

  • Legacy SKU: IT Products - Lifecycle Management, Unlimited

  • Legacy SKU: IT Products - Lifecycle Management, Unlimited OIN Apps

  • Legacy SKU: IT Products - Lifecycle Management, 10 OIN Apps

APAC and HIPAA cells are excluded.

To access Workflows, select the Workflow > Workflows Console menu option from the Okta Admin Console.

Reports delivered by email

Admins can now receive the following reports by email:

  • Okta Usage Report

  • Okta Password Health Report

  • Current Assignments Report

  • MFA Usage Reports

See Reports.

Workday Field Overrides support

The Workday integration now uses Field Overrides reports to fetch custom profile data information instead of custom reports. Field Overrides is a faster report type than custom reports, so using this method is much more efficient. Existing custom report configurations will work, but new app instances will not have these configuration options. See Workday Provisioning.

Import Monitoring dashboard

The Import Monitoring dashboard is now available and displays user attribute imports for a seven-day period. You can use the dashboard to view import progress, status, details, and logs. See View the Import Monitoring dashboard.

Technical admin configuration

Admins can now disable UI prompts that let end users contact technical admins and report issues. This is enabled by default for existing orgs, and disabled for new orgs.

Email address change notifications

Email change confirmation notification emails can now be sent to admins, or to both admins and users. By default, email change confirmation notification emails are sent to admin users only. These notifications not only make admins and users aware of email address changes, they can also act as an early warning of suspicious activity. See Customize an email template. This feature will be gradually made available to all orgs.

Generally Available Enhancements

Group Membership System Log enhancement

The Add user to group membership and Remove user from group membership events have been updated. When triggered by group rules, these events now display the group rule ID in the TriggeredByGroupRuleId field under the Debug Context object.
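The following added example (not Okta's code) shows how a reviewer could use this field to separate rule-driven group membership changes from direct ones in exported System Log events. The event type names, the `debugContext.debugData` JSON layout and the target type names are assumptions about the exported format; the sample events are constructed and the rule ID is a placeholder.

```python
import json

# Assumed event types for the "Add user to group membership" and
# "Remove user from group membership" System Log events.
MEMBERSHIP_EVENTS = {"group.user_membership.add", "group.user_membership.remove"}
RULE_FIELD = "triggeredbygroupruleid"  # page's field name, compared case-insensitively


def rule_id(event):
    """Return the group rule ID from the debug data, or None if absent."""
    # Assumed layout: debugContext.debugData holds the Debug Context fields.
    debug = (event.get("debugContext") or {}).get("debugData") or {}
    for key, value in debug.items():
        if key.lower() == RULE_FIELD and value:
            return str(value)
    return None


def targets(event, kind):
    """Names (or IDs) of the event targets of the given type."""
    return [t.get("displayName") or t.get("id")
            for t in event.get("target") or [] if t.get("type") == kind]


def classify(lines):
    """Parse JSON-lines events into (rule_driven, direct) membership changes."""
    rule_driven, direct = [], []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(event, dict) or event.get("eventType") not in MEMBERSHIP_EVENTS:
            continue
        record = {
            "action": event["eventType"].rsplit(".", 1)[1],
            "actor": (event.get("actor") or {}).get("alternateId"),
            "users": targets(event, "User"),
            "groups": targets(event, "UserGroup"),
            "rule_id": rule_id(event),
        }
        (rule_driven if record["rule_id"] else direct).append(record)
    return rule_driven, direct


# Constructed sample events (not real log data); IDs are placeholders.
SAMPLE_LOG = [
    json.dumps({"eventType": "group.user_membership.add",
                "actor": {"alternateId": "rules@example.com"},
                "target": [{"type": "User", "displayName": "Ana Lee"},
                           {"type": "UserGroup", "displayName": "Finance"}],
                "debugContext": {"debugData": {"triggeredByGroupRuleId": "RULE-ID-PLACEHOLDER"}}}),
    json.dumps({"eventType": "group.user_membership.remove",
                "actor": {"alternateId": "admin@example.com"},
                "target": [{"type": "User", "displayName": "Ana Lee"},
                           {"type": "UserGroup", "displayName": "Prod Admins"}],
                "debugContext": {"debugData": {}}}),
    json.dumps({"eventType": "user.session.start", "target": []}),
    '{"eventType": "group.user_membership.add", "target": [',  # truncated line
]
```

Direct changes to sensitive groups are the ones worth reviewing by hand, since no group rule accounts for them.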

Extra Verification UI enhancement for end users

The Extra Verification section under End-User Dashboard Settings is now displayed in the right column.

Inclusive language updates

As part of the Okta inclusive language initiative, the following changes have been made:

  • Application provisioning documentation and UI elements have been updated with inclusive language.

  • Allow list has replaced whitelist, block list has replaced blacklist, and source has replaced master.

  • Instances of profile masters, profile master, and profile mastering on the Okta Admin Console Profile Masters page have been updated to profile source and profile sourcing. The administrator documentation has been updated to reflect this change.

Risk Scoring settings

When enabled, Risk Scoring settings now appear in the Okta sign-on policy rule. See Security Policies.

Early Access Features

New Features

Workplace by Facebook Push AD Manager functionality

Admins can choose to disable Push AD Manager functionality using this self-service Early Access feature. This enables admins to control the manager attribute using Okta Expression Language syntax to avoid being dependent on AD for the field. See Workplace by Facebook.

Enhancements

Skip to Content improvements

End users can now click Skip to Content on the new Okta End-User Dashboard to navigate directly to the Add Apps page.

Options relocation

The Recent Activity tab, End-User preferences, Admin View, and Sign Out options are now displayed in the user drop-down menu on the Okta End-User Dashboard.

Fixes

General Fixes

OKTA-329862

Indonesian translations and templates were displayed in English.

OKTA-330432

The Okta Browser Plugin continued to recommend strong passwords for apps after the setting was disabled.

OKTA-345311

The sign-in page auto refresh sometimes didn't work when factor sequencing was used.

OKTA-347526

Information text in Settings > Update Credentials was incorrect for bookmarked apps.

OKTA-352737

Self-Service Registration with inline hooks failed for some orgs.

OKTA-354151

Some users were unable to enroll in Okta Verify through TOTP and PUSH methods in some orgs.

OKTA-354967

When defined for an MFA Enrollment policy, the App Condition was not enforced when a user signed in to an application.

OKTA-355035

Security methods for Safari web authentication did not allow for biometric authentication.

OKTA-355482

When super admins edited a group admin role in Security > Administrators, only the first 10 groups were displayed.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Adobe Sign Provisioning (OKTA-352597)

  • FIS E-ACCESS (OKTA-346510)

  • Google Analytics (OKTA-348673)

  • Nationwide Financial (OKTA-355417)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Culture Connect (OKTA-354618)

  • hCaptcha (OKTA-352403)

  • LinkedIn Talent Solutions (OKTA-343875)

  • Process Bolt (OKTA-353096)

SWA for the following Okta Verified applications

  • Adweek (OKTA-350720)

  • Amazon Payee Central (OKTA-347803)

  • CenturyLink (OKTA-350562)

  • TechCrunch (OKTA-343939)

  • Vue Mastery (OKTA-342948)

OIDC for the following Okta Verified applications

Weekly Updates

2021.01.1: Update 1 started deployment on January 19

Fixes

General Fixes

OKTA-336092

The import of user accounts from Adobe Experience Manager to Okta failed if there were duplicate entries in the database.

OKTA-336966

The password requirements presented to LDAP-sourced users during password reset didn’t match the password policy definition.

OKTA-337515

In some cases, the link to activate an account through self-service registration led to an empty page.

OKTA-340836

When admins enabled password change notification, end users going through self-service registration erroneously received a password change notification in addition to the account activation email.

OKTA-341729

In some cases, when a role was deleted from the Amazon Web Services (AWS) console, refreshing the app data in Okta removed group assignments causing users to lose access to AWS.

OKTA-343739

Some users received notifications for new app assignments although no new apps had been assigned to them.

OKTA-346826

In the SmartSheet provisioning profile, when admins tried to change the Group Priority setting to Combine values across groups for the variable smartsheet.userPermissions, the error message "Not allowed to modify property userPermissions from the base schema" was returned.

OKTA-354279

In some orgs, after account activation, Active Directory users were redirected to a blank page instead of the Okta End-User Dashboard.

OKTA-355574

Some generic or anonymized WebAuthn factors were inaccurately labeled YubiKey.

OKTA-358425

When evaluating risk using device token as a signal, some new users signing in to Okta were incorrectly marked as high risk.

OKTA-359363

Reactivated users from AD did not maintain their group memberships after import.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Cisco Webex Meetings (OKTA-356220)

Applications

Integration Updates

The Tableau Online SAML app has been updated to add support for Single Logout (SLO). Customers who previously added the integration should refer to the SAML Setup Instructions to enable this new feature.

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Communifire (OKTA-353568)

  • LabLog (OKTA-356012)

  • Ybug (OKTA-356075)

SWA for the following Okta Verified applications

  • eClinical Works (OKTA-349360)

  • SiteLink myHub (OKTA-354952)

2021.01.2: Update 2 started deployment on February 1

Fixes

General Fixes

OKTA-303059

API calls to Workday sometimes removed the secondary email of a user when attempting to update the user information.

OKTA-324780

Failed Lightweight Directory Access Protocol (LDAP) sign-in attempts were logged as failed Active Directory (AD) sign-in events in the System Log.

OKTA-333518

Using SAML-based Device Trust with VMware for Identity Provider (IdP) initiated flows threw a 404 error for some users.

OKTA-334383

After entering an invalid username in the Okta Sign-In Widget, users sometimes received a 404 error after refreshing the browser.

OKTA-351888

When editing a user profile, the value of a custom attribute defaulted to the first value, rather than blank (null).

OKTA-353590

If end users accessed Okta by using a Sign-In Widget in Internet Explorer, their origin header wasn't logged in the System Log.

OKTA-354271

Removing a permission set in Salesforce sometimes caused provisioning failures in Okta even though that permission set was no longer selected for the Salesforce app assignment.

OKTA-354309

The EmailEncodingKey attribute in Okta orgs was sometimes incorrectly reported to Salesforce.

OKTA-355368

Profile sourcing and attribute-level sourcing functionality was erroneously not available for Universal Directory SKUs.

OKTA-356087

Send SMS button text was not displayed correctly if the text was too long for certain languages.

OKTA-357656

When using Agentless Desktop Single Sign-on (ADSSO), admins sometimes received scripting errors.

OKTA-358469

The client IP was sometimes missing from user.authentication and policy.evaluate_sign_on events.

OKTA-358970

The logo on the user activation page didn't display correctly if it included a redirect to an application.

OKTA-359173

Inactive users were sometimes erroneously displayed in the Current Assignments report.

OKTA-362398

If the username was different from the email address, Okta Password Health reports were sent erroneously to the username instead of the user's primary email.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • ADP Workforce Now (Employee) (OKTA-361462)

  • Angus (OKTA-360602)

  • Cisco Partner (OKTA-359699)

  • MessageBird (NL) (OKTA-361828)

  • Parallels (OKTA-360298)

  • RIMS (OKTA-360587)

  • Sylvania (OKTA-360624)

  • The Economist (OKTA-360588)

  • Xero (OKTA-361732)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN as partner-built:

SAML for the following Okta Verified applications

  • Airbase (OKTA-356338)

  • Kandji (OKTA-360958)

  • Pactflow (OKTA-355531)

  • Partnerize (OKTA-345643)

  • Pave Total Comp (OKTA-359579)

  • Pilgrim SmartSolve (OKTA-359054)

  • Sapling (OKTA-358186)

  • Sociabble (OKTA-355695)

  • Tax1099 (OKTA-355507)

  • ThankYouKindly (OKTA-354613)

  • WhosOffice (OKTA-355012)

  • Yonyx Interactive Guides (OKTA-355527)