Preview release notes

May 2022

2022.05.0: Monthly Preview release began deployment on May 4

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Okta AD agent, version 3.11.0

This version of the agent contains the following changes:

  • Increased minimum .NET version supported to 4.6.2. If the installer doesn't detect .NET 4.6.2 or higher, the agent isn't installed.

  • Security enhancements

  • Removed unsupported libraries

See Okta Active Directory agent version history.

Okta ADFS plugin, version 1.7.10

This version of the plugin contains bug fixes and security enhancements. See Okta ADFS Plugin Version History.

Okta RADIUS agent, version 2.17.4

This version of the agent contains bug fixes and security enhancements. See Okta RADIUS Server Agent Version History.

Okta On-Prem MFA agent, version 1.5.0

This version of the agent contains security enhancements. See Okta On-Prem MFA Agent Version History.

Jira Authenticator, version 3.1.8

This release contains bug fixes. See Okta Jira Authenticator Version History.

Okta Resource Center access

The Okta Resource Center is a collection of product tours, step-by-step guides, and announcements that helps you learn about new features and how to perform tasks within the Admin Console. You can launch the Okta Resource Center by clicking the blue icon from anywhere in the Admin Console. See Okta Resource Center.

Improved email magic link authentication experience

Email magic links have been enhanced to allow end users to authenticate in two different contexts. They can authenticate in the same location where they click the link and quickly return to the application context. Or, if the end user clicks the link in a different browser, they can enter a one-time password to proceed with authentication. Previously, when using email magic links to sign in to an application, end users had to return to the original browser location where they initiated the sign-in attempt. Okta ensures that end users can prove ownership of both the originating tab and the tab where they clicked the email magic link. See Configure the Email authenticator and Sign in to resources protected by Okta.

Password as optional authenticator

Passwords are weak authenticators and prone to security issues. Currently, all users are required to enroll a password. This also causes friction during the self-service registration process. You can now create a password-optional or passwordless sign-in experience for your end users. It makes the registration process quicker by removing the need to set up a password. It also provides a safer and more secure sign-in experience, as users can instead use stronger authenticators such as possession-based authenticators or biometrics. Okta gives you the flexibility to target specific groups of users in your organization with passwordless flows, allowing you to gradually roll out the experience across your entire user base. See Set up passwordless sign-in experience.

Symantec VIP authenticator now available

The Symantec VIP authenticator is now available in Okta Identity Engine. Enterprises that use Symantec VIP to verify their users’ identities may now integrate this authenticator into their Okta environments and use it to protect access to their Okta orgs and apps. See Configure Symantec VIP authenticator.

Expose groups in the LDAP interface directory information tree (DIT)

To simplify access control decisions for their orgs, admins can now select the groups they want to expose in the LDAP interface directory information tree (DIT). In addition to Okta groups, admins now have the option to view the application groups that are significant to their orgs, including Active Directory (AD) and LDAP groups. See Expose app groups in the LDAP interface directory information tree.

Bulk assign users to groups

Admins can now use bulk import functionality to assign multiple users to specific Okta groups. Bulk user import significantly reduces the time admins spend managing user group assignments. In addition, this functionality makes it easier for large enterprise orgs to adopt Okta as their access management provider. See Bulk assign people to a group.

Advanced search for users and groups

To make it easier for admins to quickly locate and manage users and groups, enhanced people and group search functionality is now available. Admins can limit search results to specific criteria using SCIM protocol queries. They can also use Created On and Last Updated On in their queries to identify when users or groups were created or last modified, and search for groups and users using both base and custom attributes. These advanced search options optimize search results and help reduce the time spent searching for specific information. See View group members.

Okta Admin Console Groups page enhancements

The Okta Admin Console Groups page has been updated to simplify the addition of large numbers of users to groups and reduce the likelihood that all users can be accidentally removed from a group. In addition, search functionality has been significantly improved to make adding and removing users from groups quicker and easier. See Manage groups.

Enhancements

Custom help links in the Sign-In Widget

Admins can add a custom help link on the authenticator page of the Sign-In Widget. This link can provide just-in-time help with multifactor authentication and can point to an in-house resource or other location. See Customize text on your sign-in page.

PKCE is a verification method for OIDC SPA and Native app integrations

The OIDC App Integration Wizard now identifies that PKCE is not a client authentication method. Instead, for SPA and Native apps, the AIW creates apps listing PKCE as a verification method. See Create OIDC app integrations using AIW.

Add agent permissions to custom admin roles

Custom admins can perform AD agent auto-updates for AD instances they have access to. They can also view the agents dashboard page to see the statuses of all agents associated with app instances they can manage. See Automatically update Okta agents.

Group count tooltip on the Admin Dashboard

On the Admin Dashboard, the Overview section now provides an "Includes only Okta sourced groups and excludes those sourced externally, such as AD groups" tooltip for the Groups count. The new tooltip helps you understand how your groups count is calculated. You can view the tooltip by hovering your cursor over the Groups count on the Overview section. See View your org at a glance.

Okta End-User Dashboard enhancements

  • Unread notifications are more visible to users.

  • The End-User Dashboard Preview function bar has moved to a separate dialog. See Preview an end user's dashboard.

  • The Last sign in link at the bottom of the Okta End-User Dashboard now includes the entire text of the message in the hyperlink.

  • The title of the copy password dialog in the Okta End-User Dashboard is more specific.

System Log enhancements for block zone events

  • The zone.make_blacklist event in the System Log now encompasses two actions: when an admin creates a blocked network zone, and when an admin marks an existing blocked zone as unblocked. Previously, this event was only recorded when a pre-existing network zone was converted into a block list.

  • The zone.remove_blacklist System Log event now encompasses two actions: when a network zone is converted into an allow list, and when an admin deletes a blocked zone. Previously, this event was only recorded when a pre-existing network zone was converted to an allow list.

System Log enhancement for network zone events

A network zone ID is now added as a target for all network zone events in the System Log.
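The two block-zone events above each now cover two admin actions, and the zone ID target makes it possible to follow one zone's history across them. As an added example (not Okta's code) that shows a defender's use of this, the following reads a few constructed System Log records and reports every change that takes a zone out of block-list enforcement; the top-level fields are the documented ones, while the "Zone" target type, zone IDs, names and actors are assumptions.

```python
"""Added example (not Okta's code): summarise block-list network zone changes
from Okta System Log records. Input is a few constructed records using the
log's top-level fields (eventType, published, actor.alternateId, target[]);
the target entry type "Zone" is an assumption, and the zone IDs, names and
actors are made up."""
import json
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# After the 2022.05.0 change each event type covers two admin actions.
BLOCKLIST_EVENTS = {
    "zone.make_blacklist": "blocked zone created, or existing blocked zone marked unblocked",
    "zone.remove_blacklist": "blocked zone converted to an allow list, or deleted",
}


def _record(event_type, published, actor, zone=None):
    """Build one constructed System Log record; zone=None mimics a record without the zone target."""
    rec = {"eventType": event_type, "published": published,
           "actor": {"alternateId": actor, "type": "User"}, "target": []}
    if zone:
        rec["target"].append({"type": "Zone", "id": zone[0], "displayName": zone[1]})
    return json.dumps(rec)


SAMPLE_LOG = [
    _record("zone.make_blacklist", "2022-05-10T09:00:00.000Z", "admin@example.com",
            ("nzo_constructed_001", "Blocked anonymizer ranges")),
    _record("zone.make_blacklist", "2022-05-11T16:45:00.000Z", "admin@example.com",
            ("nzo_constructed_002", "Blocked partner office")),
    _record("user.session.start", "2022-05-12T08:00:00.000Z", "alice@example.com"),
    _record("zone.remove_blacklist", "2022-05-12T14:30:00.000Z", "admin@example.com",
            ("nzo_constructed_001", "Blocked anonymizer ranges")),
    _record("zone.remove_blacklist", "2022-05-13T08:15:00.000Z", "ops@example.com"),
]


def zone_id(event: dict) -> Optional[str]:
    """Return the network zone ID carried as a target, or None if the record has none."""
    for target in event.get("target") or []:
        if target.get("type") == "Zone":
            return target.get("id")
    return None


def zone_history(log_lines: List[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group block-list zone events by zone ID as (published, eventType, actor), oldest first.
    Records without a zone target are kept under "unknown" rather than dropped."""
    history = defaultdict(list)
    for line in log_lines:
        event = json.loads(line)
        if event.get("eventType") not in BLOCKLIST_EVENTS:
            continue
        history[zone_id(event) or "unknown"].append(
            (event["published"], event["eventType"], event["actor"]["alternateId"]))
    return {zone: sorted(entries) for zone, entries in history.items()}


def weakening_changes(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (zone, published, actor) for every event that takes a zone out of block-list
    enforcement; these are the changes a reviewer should confirm were intended."""
    return [(zone, published, actor)
            for zone, entries in zone_history(log_lines).items()
            for published, event_type, actor in entries
            if event_type == "zone.remove_blacklist"]


if __name__ == "__main__":
    for zone, published, actor in weakening_changes(SAMPLE_LOG):
        print(f"{published} {actor} removed block-list enforcement from zone {zone}")
```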

Enhancements to ThreatInsight

ThreatInsight is improved to further protect rate limit consumption from malicious actors. Requests from actors with a high threat level continue to be logged and/or blocked depending on the org's configuration. Now, additional requests that seem malicious but have a lower threat level no longer count towards org rate limits.

Enhancements to multifactor authentication validation in authentication policies

When creating authentication policies, admins can only select authenticators that are enabled in their org and available to the associated group of users.

OIN Catalog enhancements

Integrations in the OIN Catalog help end users address issues across a variety of industries. Okta has added the ability to filter integrations by industry to help both prospective and current Okta users identify the OIN integrations that best meet their needs. Additionally, the OIN Catalog interface has been updated with the following enhancements for improved navigation:

  • The search interface has been updated and popular search terms can now be selected.

  • Details pages for integrations have been updated for usability.

  • Navigation breadcrumbs have been added to the OIN Catalog.

  • Integrations can now be sorted alphabetically and by recently added.

See Add existing app integrations.

OIN Catalog search functionality and filter updates

  • OIN Catalog search results now prioritize complete word matches from the search phrase.

  • Integrations in the OIN Catalog can now be filtered by RADIUS functionality.

See Add existing app integrations.

OIN Manager enhancements

The OIN Manager now requires that ISV submissions for SCIM integrations confirm that the integration meets API response timing requirements. See Publish an OIN integration.

Early Access Features

New Features

Trusted Origins for iFrame embedding

You can now choose which origins can embed Okta sign-in pages and the Okta End-User Dashboard using Trusted Origins for iFrame embedding. This feature offers more granular control over iFrame embedding than the existing embedding option in Customization, which doesn't let you distinguish between secure and non-secure origins. Trusted Origins under Security > API allows you to selectively configure the origins you trust. It also provides enhanced security, as it uses the more secure frame-ancestors directive in Content Security Policy, which protects your data from web attacks such as clickjacking. See Trusted Origins for iFrame embedding.
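To make the secure-versus-non-secure distinction concrete, here is an added example (not Okta's code) that models the browser-side frame-ancestors check against a constructed policy: an origin listed with its https scheme is allowed, the same host over plain http is refused, and a wildcard entry covers subdomains but not the apex. The policy, page origin and candidate origins are all made up.

```python
"""Added example (not Okta's code): decide which embedder origins a
Content-Security-Policy frame-ancestors directive lets frame a page. It
models the browser-side check to show why a trusted-origin list carrying
the scheme (https://portal.example.com) is stricter than a bare host name:
the same host over plain http is refused. All origins are constructed."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_frame_ancestors(csp_header: str) -> list:
    """Return the frame-ancestors source list, or [] if the directive is absent."""
    for directive in csp_header.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return []


def _origin_parts(origin: str) -> Tuple[str, str, Optional[int]]:
    """Split scheme://host[:port] into (scheme, host, effective port)."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _source_matches(source: str, origin: str, page_origin: str) -> bool:
    """Simplified CSP3 source-expression matching for one candidate origin."""
    scheme, host, port = _origin_parts(origin)
    if source == "'self'":
        return _origin_parts(page_origin) == (scheme, host, port)
    if source in ("'none'", "*") or source.endswith(":"):   # keyword or scheme-only source
        return source == "*" or scheme == source[:-1]        # 'none' never matches
    s_scheme, s_host = None, source
    if "://" in s_host:                                       # explicit scheme must match exactly
        s_scheme, s_host = s_host.split("://", 1)
    s_host, _, s_port = s_host.split("/", 1)[0].partition(":")
    page_scheme = _origin_parts(page_origin)[0]
    if s_scheme and scheme != s_scheme:
        return False
    if not s_scheme and scheme not in (page_scheme, "https"):  # bare host: page's scheme or https
        return False
    if s_host.startswith("*."):                               # wildcard covers subdomains, not the apex
        if not host.endswith(s_host[1:]):
            return False
    elif host != s_host:
        return False
    if s_port == "*":
        return True
    return port == (int(s_port) if s_port else DEFAULT_PORTS.get(scheme))


def allowed_framers(csp_header: str, page_origin: str, candidates: list) -> dict:
    """Map each candidate embedder origin to whether the policy lets it frame the page.
    With no frame-ancestors directive CSP imposes no restriction (X-Frame-Options
    is not modelled), so every candidate is reported as allowed."""
    sources = parse_frame_ancestors(csp_header)
    return {c: not sources or any(_source_matches(s, c, page_origin) for s in sources)
            for c in candidates}


# Constructed policy in the spirit of Trusted Origins: one explicit https origin
# plus any https subdomain of the corporate domain, nothing over plain http.
POLICY = ("default-src 'self'; "
          "frame-ancestors 'self' https://portal.example.com https://*.corp.example.com")
PAGE = "https://signin.example.com"      # placeholder for the org's sign-in page origin
CANDIDATES = [
    "https://signin.example.com",        # the page itself ('self')
    "https://portal.example.com",        # listed explicitly
    "http://portal.example.com",         # same host, wrong scheme
    "https://hr.corp.example.com",       # wildcard subdomain
    "https://corp.example.com",          # wildcard does not cover the apex
    "https://attacker.example.net",      # unknown origin
]
```

Calling `allowed_framers(POLICY, PAGE, CANDIDATES)` returns a per-origin allow/block map, which is the decision the browser makes before rendering the frame.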

New permissions for custom admin roles

Super admins can now assign these new permissions to their custom admin roles:

  • Manage authorization server

  • View authorization server

  • Manage customizations

  • View customizations

The authorization server permissions can be scoped to all or to a subset of the org’s authorization servers. With these new permissions, super admins can now create custom admin roles with more granular permissions for managing their org’s customizations and authorization servers. See About role permissions.

Additional resource and entitlements reports

Reports help your Okta org manage and track user access to resources, meet audit and compliance requirements, and monitor organizational security. The following reports are now available:

  • Group Membership report: Lists individual members of a group and how membership was granted.

  • User App Access report: Lists which users can access an application and how access was granted.

See Entitlements and Access Reports.

Fixes

General Fixes

OKTA-386570

If an LDAP interface bind request failed, subsequent searches failed with an internal server error instead of a permission denied error.

OKTA-435855

Web and SPA app integrations created with an Authorization code or Interaction code grant type incorrectly returned an error if the Login Initiated By Either Okta or App option was selected.

OKTA-476570

The System Log didn’t display the app name when users entered invalid credentials during an SP-initiated flow.

OKTA-476896

On the Administrators page, deactivated users with assigned admin roles were included in the Individually assigned count.

OKTA-477494

Some invalid EL expressions incorrectly passed validation.

OKTA-477634

Some users experienced delays when searching for an app on the Okta End-User Dashboard.

OKTA-481752

When users tried to enroll in Okta Verify, VoiceOver screen readers didn't highlight the mobile device type correctly or allow users to select a device. It also selected the iPhone option even though the Android option was also available.

OKTA-482266

During PIV authentication where no certificate or an expired certificate was provided, a 404 error was displayed.

OKTA-482435

When admins upgraded an app to SAML 2.0, the SAML 2.0 setup instructions used the org-scoped certificate instead of the app-scoped certificate.

OKTA-483062

Custom application access error pages redirected to the default Okta error page.

OKTA-484366

Admins couldn’t use the objectGuid attribute as a unique identifier when integrating AD LDS LDAP servers with Okta.

OKTA-486141

If an inline hook was registered and in use under a profile enrollment policy, admins could deactivate or delete the hook. This resulted in an error when that policy was used for self-service registration.

OKTA-486974

An internal ID incorrectly appeared in a policy System Log event.

OKTA-488233

Parallel JIT requests for the same username created duplicate users.

OKTA-488234

The sign-in page didn’t load correctly for some orgs after they upgraded to Identity Engine.

OKTA-488428

Some users lost the ability to reveal passwords for an app when the app drawer feature was enabled.

OKTA-488663

When Full Featured Code Editor was enabled, the full screen toggle on the error page code editor didn’t change to a minimize icon.

OKTA-489050

Sometimes an error message was displayed when admins viewed applications in the Admin Console.

OKTA-489448

In SP-initiated flows, the message instructing users to create their accounts was formatted incorrectly.

OKTA-490811

When an unenrolled device attempted to access an app that required device management, the sign-in request didn't fail gracefully.

OKTA-491164

Some admins weren’t assigned the Admin Console when they were added to a group with assigned admin roles.

OKTA-491264

Sometimes when a super admin deleted a custom admin role that contained email notifications, admins couldn’t update their email notification settings.

OKTA-495549

When groups were exposed in the LDAP interface directory information tree, some filters referencing the entryDn attribute returned the incorrect result code if the group wasn’t found.

OKTA-495598

AD-sourced users who reset their passwords in AD had to reset their passwords again when using IWA or ADSSO to sign in to Okta.

App Integration Fix

The following SWA app was not working correctly and is now fixed:

  • NDFR/SDU (OKTA-485335)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

  • Common Room (OKTA-483683)

  • Datto Workplace (OKTA-487599)

  • Sounding Board (OKTA-489395)

Weekly Updates

Password synchronization for LDAP-sourced users

When the passwords of LDAP-sourced users are reset in Okta and LDAP delegated authentication is enabled, the new password is now immediately synchronized to the user's assigned applications that are configured for password synchronization. This change makes sure that user passwords remain current and reduces the likelihood that users will be unable to access their applications. See Application password synchronization.

ShareFile REST OAuth

Admins can now upgrade to the latest version of our ShareFile integration. OAuth provides more secure authentication and is now used for Provisioning and Imports. See Configure ShareFile OAuth and REST integration. This feature is made available to all orgs.

Choose additional filters for Office 365 sign-on policy

Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.

LDAP real-time synchronization

With real-time synchronization, user profiles, groups, and group memberships can now be updated when LDAP-sourced users sign in to Okta, or when they refresh their People page. Admins no longer need to perform full or incremental imports of user attributes, and user profiles, groups, and group memberships are always up to date. Real-time synchronization also reduces the burden on system resources because user attributes are imported and updated individually and not in large groups. See Manage your LDAP integration.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.

User Verification options for admins

In the Admin Console, admins can now configure whether end users are required to provide biometrics for device enrollment. See Enable Okta FastPass.

Improved New Device Behavior Detection

Improved New Device Behavior Detection provides stronger signals that are now used for the detection of new devices. Devices using web browsers that don't store cookies are treated as new trusted applications and must send a unique identifier, such as a device token, for each device. See Improved New Device Behavior Detection. This feature will be gradually made available to all orgs.

Manage admin email notification subscriptions using API endpoints

Admins can manage email subscriptions using the Admin Email Subscription API endpoints.

  • Super admins can configure default subscription settings by admin type.

  • All admins can manage their own admin email notification subscriptions.


End-User Dashboard and Plugin redesign

The Okta End-User Dashboard and Okta Browser Plugin have been redesigned with a modern look and feel that includes new sidebar navigation, fuzzy search, and sections that replace tabs.

Okta End-User Dashboard redesign

Admins can enable this new design all at once or by groups. The new experience is 50% faster, more intuitive to use, and more responsive to smaller screens. Design changes also improve accessibility and app discovery for end users.

See Create sign-on policies with Okta Applications.

This feature will gradually be made available to all Preview orgs.


Workflows Templates available

Workflows Templates is now available, providing users with access to a searchable catalog of installable Flows that address many common use cases. See Get started with Workflows Templates.

LDAP password reset option

LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication.

LDAP admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset an individual user password.

Windows Device Registration Task, version 1.4.1

This release fixed the following issues:

  • If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task, and the installation completed but didn't function.

  • An unknown publisher warning appeared after double-clicking the Okta Device Registration MSI file.

Affected customers should uninstall the registration task and install 1.4.1 or later.

See B.2 — Obtain and install the Device Registration Task and Okta Device Trust for Windows Desktop Registration Task Version History.


Incremental Imports for CSV

Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released; it was previously released to Production in 2020.09.0.

Tor Anonymizer recommendation

Admins can see a new HealthInsight recommendation to view failed sign-in rates from IPs categorized as Tor Anonymizer Proxies. Okta recommends using Dynamic Zones to blacklist IPs that are categorized as Tor anonymizer proxies. See and HealthInsight.

Vendor-specific attributes

RADIUS agents now support vendor-specific attributes. With this feature, admins can use optional settings to configure vendor-specific attributes to include group membership. Note that no agent update is required for this feature. See Configure group response in the following topics:

Salesforce REST OAuth

Admins can now upgrade to the latest version of our Salesforce integration. OAuth authentication is now used for Provisioning and Imports. See Configure OAuth and REST integration. This feature is currently available for new orgs only.

Password changed notification email

To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.

Generally Available Enhancements

Group Password Policy enhancement

By using Group Password Policies and associated rules, admins can configure and enforce password settings and set account recovery options for groups. See Security Policies. This feature was already released to a subset of orgs; we are now releasing it to all new Preview orgs.

ThreatInsight security enhancements

ThreatInsight enhancements improve detection of credential-based attacks from malicious IPs. See About Okta ThreatInsight.

OAuth Consent enabled as event hook

The event app.oauth2.as.consent.grant is now eligible for use as an event hook.

Email address change notifications

Users without admin permissions now receive email notifications to confirm an email address change. See Customize an email template.

Office 365 Silent Activation

Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain-joined shared workstations or VDI environments. Once your end users have logged in to a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.

End-user Welcome emails localized

The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.

People page improvements

The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.

Mobile tab available for mobile-capable apps

The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.

See Enable access to managed mobile apps.

UI element change

Drop-down menus on the Provisioning page (General Settings) are standardized. See Provision applications.

Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access features.

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps against Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premises LDAP server. In addition, the LDAP Interface supports other LDAP functions such as search. See Set up and manage the LDAP Interface.