Preview release notes
Current release status
| Current | Upcoming | |
|---|---|---|
| Production | 2022.09.2 | 2022.09.3 Production release is scheduled to begin deployment on October 3 |
| Preview | 2022.09.2 |
2022.09.3 Preview release is scheduled to begin deployment on September 28 |
September 2022
2022.09.0: Monthly Preview release began deployment on August 31
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Okta ADFS plugin, version 1.7.11
This version of the plugin contains bug fixes, security enhancements, and support for an additional top-level domain. See Okta ADFS Plugin Version History.
Okta MFA Credential Provider for Windows, version 1.3.7
This version of the agent contains fixes, security enhancements, and support for an additional top-level domain. See Okta MFA Credential Provider for Windows Version History.
Improvements to the self-service password reset experience
Previously, the self-service password reset (SSPR) flow created unnecessary friction in the user experience. The newly enhanced SSPR feature introduces a seamless magic link experience for password reset emails. Users no longer need to provide consent when using the same browser. After a successful password reset where the password meets the application’s assurance policy, the user is signed directly to the app. See Configure the Email authenticator.
Non-deletable default authorization server
The default authorization server is a custom authorization server provided by Okta so that customers can quickly get started working with Okta. However, if a customer deletes the default authorization server, it can't be restored, causing confusion and disruption. This enhancement prevents you from deleting the default authorization server, although you can disable it if isn’t required. To aid in identification, Okta adds a Default label for the default authorization server in the Admin Console. See API Access Management.
Custom error message
Admins can now customize the error message that users receive when their access is denied. This allows admins to provide remediation steps and/or point users to documentation that helps resolve their access issues. See Customize the access denied error message.
Dynamic routing rules
Org admins can now consolidate multiple IdP routing rules into a single dynamic routing rule. Dynamic routing rules use expression language to match users to any IdP, based on attributes of their login object. This reduces the volume and complexity of routing rules and the manual effort of managing them. See Configure dynamic routing rules.
Clone authentication policies
Creating an authentication policy from scratch is a manual, error-prone task because you need to visually copy existing rules into the new policy. Okta now offers the ability to clone a policy. You can use either the Admin Console or the new Clone a Policy operation on the Policy API. See Clone an authentication policy.
App conditions in authentication policies
Admins can now apply an authentication enrollment policy rule to specific applications, to any application that supports MFA enrollment, or to Okta. This enables admins to configure their policies with more granularity, bringing even greater security and flexibility. This release brings this feature into parity with the functionality available in Classic Engine. See Configure an authentication enrollment policy rule.
Enhancements
Custom domain status
On Customizations > Domain, a new Status field indicates whether the Custom URL Domain configuration is active, pending, or certificate expired. See Customize the Okta URL Domain.
Clarified sign in widget text
The instructions on the Verify with your email page of the Sign-In Widget now specify that the end user must click the action button for Okta to generate and send the verification email.
OIN Manager user interface changes
The OIN Manager includes the following updates:
- The UI has been updated to match the current Okta style.
- The Okta logo has been updated.
- A note that lists the time required to process new submissions is displayed.
403 error for rate limit violations
When an org reaches its operational rate limit for SMS requests, a 403 Forbidden error is now displayed instead of a 429 Too many requests error. See Configure client-based rate limiting
Early Access Features
New Features
SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org’s apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your SSO apps.
Enhancements
SAML app support added for email magic links
The Email Magic Link feature now supports SAML applications for self-service registration, self-service password reset, and self-service unlock operations.
Fixes
General Fixes
OKTA-482997
The Custom Authenticator sent push notifications even when the Send push automatically checkbox wasn’t selected.
OKTA-496347
The password field in the Add Person widget was incorrectly truncated.
OKTA-499408
The help link for Automatically update Okta Active Directory (AD) agents on the Early Access page pointed to an outdated help topic.
OKTA-506480
AD agent emails incorrectly indicated that agents already running the latest version had recently been auto-updated.
OKTA-515159
When an admin customized an email template not used for sign-in flows, the app.id, app.name, and app.label variables didn't resolve correctly.
OKTA-518347
Some Org2Org users had the same ExternalID on the target org.
OKTA-522912
The text in the Sign-In Widget implied that the verification code was sent in a email but Okta hadn’t generated that email yet.
OKTA-523033
Inline enrollment of additional authenticators asked users to enroll authenticators based on global session policy settings.
OKTA-523140
When Salesforce provisioning was configured using OAuth, Salesforce Community Profiles weren’t displayed.
OKTA-523607
Users could sign in with ADSSO after delegated authentication was disabled.
OKTA-524632
Searching for users on the Assign People page returned an Invalid Search Criteria error if the secondary email was marked as a sensitive attribute.
OKTA-529018
The catch-all rule in the default authentication policy required password only.
App Integration Fixes
The following SAML app was not working correctly and is now fixed
-
Salesforce (OKTA-516730)
Weekly Updates
2022.09.1: Update 1 started deployment on September 14
Generally Available
Improvements to API authorization server interface
Administrators working with OIDC client applications can now see a preview of the information contained in the refresh token and the device secret returned by the authorization server. See Build Custom Authorization Servers for API Access Management.
IdP logos added
Logos have been added to the existing IdPs.
Fixes
General Fixes
OKTA-504222
When users signed in to apps with SWA, the Sign In To App dialog contained a typo.
OKTA-507794
User attributes that weren’t mapped in the Okta to Salesforce integration were overwritten.
OKTA-510101
No error message was displayed on the Branding page when favicon uploads failed.
OKTA-514047
Unexpected routing behavior occurred when orgs with ADSSO created a PIV Identity Provider.
OKTA-516740
The origin header validation on the /token endpoint for cross-origin requests was case-sensitive, which returned an error for redirect URIs using upper-case.
OKTA-524742
Some super admins received an error when they enabled Security Notification emails.
OKTA-525344
Viewing an app target instance where the app instance was deleted resulted in an error.
OKTA-525725
Velocity Template Language wasn’t supported in the custom email subject editor.
OKTA-527486
System Log events weren’t logged when users attempted to access an app that they weren’t assigned.
OKTA-527789
The Re-authentication frequency time range was incorrect in authentication policy rules.
OKTA-528822
An exception occurred during Agentless DSSO authentication which resulted in a 500 error.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
-
Google apps (OKTA-529613)
-
Google Workspace (OKTA-527949)
-
QuickBooks (OKTA-525562)
-
Tenable.io (OKTA-526328)
Applications
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Agora Console: For configuration information, see Log in to Agora through Okta.
- CultureHQ: For configuration information, see Configuring Provisioning for CultureHQ.
- domainIQ: For configuration information, see Single Sign-On (SSO) through Okta.
- Kintone: For configuration information, see Kintone-Okta Provisioning Guides.
- LaunchDarkly Federal: For configuration information, see Configuring Okta to Manage LaunchDarkly Federal Users with SCIM.
- Retrium: For configuration information, see Okta user provisioning integration with SCIM.
SAML for the following Okta Verified applications:
-
Legal Force (OKTA-517182)
-
MD Scripts (OKTA-525126)
-
Outage (OKTA-525313)
-
Spyderbot (OKTA-502986)
OIDC for the following Okta Verified application:
- Brex: For configuration information, see Single Sign-On (SSO) Integration.
2022.09.2: Update 2 started deployment on September 21
Generally Available
Fixes
General Fixes
OKTA-484162
Admins whose custom role contained the Manage applications permission couldn’t view apps with custom client IDs.
OKTA-505595
Some users of Metacompliance experienced timeouts with group push without receiving an error response.
OKTA-516161
When admins applied the Not managed filter on the Devices inventory page, some enrolled devices were missing from the list.
OKTA-518141
Imports from the Solarwinds Service Desk app to Okta failed.
OKTA-523908
The token preview interface didn't refresh when admins changed any of the values.
OKTA-524058
The Sign-In Widget displayed the identifier-first mode in orgs that used a Deny rule in the global session policy.
OKTA-524198
Single API POST calls to /api/v1/domains resulted in a concurrency rate limit notification when the token limit was set to less than 100%.
OKTA-529188
Some deleted app groups were visible on the groups page.
OKTA-532126
When admins customized an access denied error message, the Save button didn’t work.
OKTA-532129
Push updates for Org2Org with OAuth2-based integrations failed to push non-default profile attributes.
OKTA-532394
The secondEmail attribute was returned only when it was explicitly requested, but not returned when all user attributes were requested.
OKTA-535162
Users were unable to load the browser plugin configuration page due to an internal error.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
-
Concur (OKTA-528500)
-
Inbox by Gmail (OKTA-530128)
-
Slack (OKTA-530240)
Applications
Application Update
The Inbox by Gmail app is deprecated.
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Canva: For configuration information, see Configuring Okta provisioning for Canva.
- Money Forward IT Management Cloud: For configuration information, see How to setup SCIM (Okta Integration Network).
- SimplyMeet.me: For configuration information, see Getting started with Okta integration.
SAML for the following Okta Verified applications:
-
Canva (OKTA-517203)
-
Datto Workplace (OKTA-485785)
Toggle password visibility on the Okta Sign-In page
End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Enable delegated authentication.
Email failure events in the System Log
Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.
Shareable Authentication Policies
Admins can now manage authentication policies using a centralized view. While authentication policies allowed admins the ability to make application access decisions using user, device, and other contextual information, managing these policies across hundreds of applications became challenging and error-prone. On the new Authentication Policies page, admins can create new policies, apply those policies to multiple applications, and assess what application access decisions are impacted by each policy. Two policy name changes are included in this release: app sign-on policy is renamed authentication policy, and Okta sign-on policy is renamed Global Session Policy. See Authentication policies.
Choose additional filters for Office 365 sign-on policy
Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.
Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.
User Verification options for admins
In the Admin Console, admins can now configure whether end users are required to provide biometrics for device enrollment. See Enable Okta FastPass
Manage admin email notification subscriptions using API endpoints
Admins can manage email subscriptions using the Admin Email Subscription API endpoints.
-
Super admins can configure default subscription settings by admin type.
-
All admins can manage their own admin email notification subscriptions.
End-User Dashboard and Plugin redesign
The Okta End-User Dashboard and Okta Browser Plugin have been redesigned with a modern look and feel that includes new sidebar navigation, fuzzy search, and sections that replaces tabs.
Admins can enable this new design all at once or by groups. The new experience is 50% faster, more intuitive to use, and more responsive to smaller screens. Design changes also improve accessibility and app discovery for end users.
See Create sign-on policies with Okta Applications.
This feature will gradually be made available to all Preview orgs.
Workflows Templates available
Workflows Templates is now available, providing users with access to a searchable catalog of installable Flows that address many common use cases. See Get started with Workflows Templates.
LDAP password reset option
LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication.
LDAP admin password reset
For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset an individual user password.
Incremental Imports for CSV
Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously been released to Production in 2020.09.0.
Password changed notification email
To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.
Office 365 Silent Activation
Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain joined shared Workstations or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.
End-user Welcome emails localized
The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.
People page improvements
The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.
Mobile tab available for mobile-capable apps
The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.
See Enable access to managed mobile apps
Provisioning page UI element change
Drop-down menus on the Provisioning page (General Settings) were standardized.
UI element change
Drop-down menus on the Provisioning page (General Settings) are standardized. See Provision applications.
Early Access features, auto-enroll
You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access features.
Connecting Apps to Okta using the LDAP Interface
The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.