Production release notes

  Current Upcoming
Production 2022.05.1 2022.05.2 Production release is scheduled to begin deployment on May 23
Preview 2022.05.1

2022.05.2 Preview release is scheduled to begin deployment on May 18

May 2022

2022.05.0: Monthly Production release began deployment on May 9

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta AD agent, version 3.11.0

This version of the agent contains the following changes:

  • Increased minimum .NET version supported to 4.6.2. If the installer doesn't detect .NET 4.6.2 or higher, it won't be installed.

  • Security enhancements

  • Removed unsupported libraries

See Okta Active Directoryエージェントのバージョン履歴.

Okta ADFS plugin, version 1.7.10

This version of the plugin contains bug fixes and security enhancements. See Okta ADFS Plugin Version History.

Okta RADIUS agent, version 2.17.4

This version of the agent contains bug fixes and security enhancements. See Okta RADIUS Serverエージェントのバージョン履歴.

Okta On-Prem MFA agent, version 1.5.0

This version of the agent contains security enhancements. See Okta On-Prem MFAエージェントのバージョン履歴.

Jira Authenticator, version 3.1.8

This release contains bug fixes. See Okta Jira Authenticator Version History.

Okta Resource Center access

The Okta Resource Center is a collection of product tours, step-by-step guides, and announcements that helps you learn about new features and how to perform tasks within the Admin Console. You can launch the Okta Resource Center by clicking the blue icon from anywhere in the Admin Console. See Okta Resource Center.

Use Okta MFA for Azure AD Conditional Access and Windows Hello for Business Enrollment

You can use Okta MFA to:

  • Satisfy Azure AD Conditional Access MFA requirements for your federated Office 365 app instance.
  • Enroll end users into Windows Hello for Business.

See Use Okta MFA to satisfy Azure AD MFA requirements for Office 365.

Sign-In Widget enhancements for self-service password reset and default registration page

Okta has enabled the self-service password reset function for embedded authorization on all new and upgraded Identity Engine orgs. For integrations using embedded authentication, client applications can now use a recovery token when launching the Sign-In Widget to start the recovery flow. In addition, a new endpoint at /{orgurl}/signin/register gives you the ability to point your Sign-In Widget directly to the registration page for default applications.

Client secret rotation and key management

Rotating client secrets without service or application downtime is a challenge. Additionally, JSON Web Key management can be cumbersome. To make client secret rotation a seamless process and improve JWK management, you can now create overlapping client secrets and manage JWK key pairs in the Admin Console. You can also create JWK key pairs from the admin console without having to use an external tool. See Manage secrets and keys for OIDC apps.

Personal Identity Verification

Personal Identity Verification is now supported on Okta Identity Engine. See Add a Smart Card IdP.

Okta API access with OAuth 2.0 for Org2Org

Previously, the Org2Org integration only supported token-based access to the Okta API. You can now configure the Org2Org integration to access the Okta API as an OAuth 2.0 client. This increases security by limiting the scope of access and providing a better mechanism to rotate credentials. See Okta Org2OrgとOktaの統合.

Enhancements

Custom help links in the Sign-In Widget

Admins can add a custom help link on the authenticator page of the Sign-In Widget. This link can provide just-in-time help with multifactor authentication and can point to an in-house resource or other location. See サインイン・ページのテキストをカスタマイズする.

PKCE is a verification method for OIDC SPA and Native app integrations

The OIDC App Integration Wizard now identifies that PKCE is not a client authentication method. Instead, for SPA and Native apps, the AIW creates apps listing PKCE as a verification method. See Create OIDC app integrations using AIW.

Add agent permissions to custom admin roles

Custom admins can perform AD agent auto-updates for AD instances they have access to. They can also view the agents dashboard page to see the statuses of all agents associated with app instances they can manage. See Automatically update Okta agents.

Group count tooltip on the Admin Dashboard

On the Admin Dashboard, the Overview section now provides an "Includes only Okta sourced groups and excludes those sourced externally, such as AD groups" tooltip for the Groups count. The new tooltip helps you understand how your groups count is calculated. You can view the tooltip by hovering your cursor over the Groups count on the Overview section. See View your org at a glance.

Okta End-User Dashboard enhancements

  • Unread notifications are more visible to users.

  • The End-User Dashboard Preview function bar has moved to a separate dialog. See Preview an end user's dashboard.

  • The Last sign in link at the bottom of the Okta End-User Dashboard now includes the entire text of the message in the hyperlink.

  • The title of the copy password dialog in the Okta End-User Dashboard is more specific.

System Log enhancements for block zone events

  • The zone.make_blacklist event in the System Log now encompasses two actions: when an admin creates a blocked network zone, and when an admin marks an existing blocked zone as unblocked. Previously, this event was only recorded when a pre-existing network zone was converted into a block list.

  • The zone.remove_blacklist System Log event now encompasses two actions: when a network zone is converted into an allow list, and when an admin deletes a blocked zone. Previously, this event was only recorded when a pre-existing network zone was converted to an allow list.

System Log enhancement for network zone events

A network zone ID is now added as a target for all network zone events in the System Log.

Enhancements to ThreatInsight

ThreatInsight is improved to further protect rate limit consumption from malicious actors. Requests from actors with a high threat level continue to be logged and/or blocked depending on the org's configuration. Now, additional requests that seem malicious but have a lower threat level no longer count towards org rate limits.

Enhancements to multifactor authentication validation in authentication policies

When creating authentication policies, admins can only select authenticators that are enabled in their org and available to the associated group of users.

OIN Catalog enhancements

Integrations in the OIN Catalog help end users address issues across a variety of industries. Okta has added the ability to filter integrations by industry to help both prospective and current Okta users identify the OIN integrations that best meet their needs. Additionally, the OIN Catalog interface has been updated with the following enhancements for improved navigation:

  • The search interface has been updated and popular search terms can now be selected.

  • Details pages for integrations have been updated for usability.

  • Navigation breadcrumbs have been added to the OIN Catalog.

  • Integrations can now be sorted alphabetically and by recently added.

See Add existing app integrations.

OIN Catalog search functionality and filter updates

  • OIN Catalog search results now prioritize complete word matches from the search phrase.

  • Integrations in the OIN Catalog can now be filtered by RADIUS functionality.

See Add existing app integrations.

OIN Manager enhancements

The OIN Manager now requires that ISV submissions for SCIM integrations confirm that the integration meets API response timing requirements. See Publish an OIN integration.

Early Access Features

New Features

Trusted Origins for iFrame embedding

You can now choose which origins can embed Okta sign-in pages and Okta End-User Dashboard using Trusted Origins for iFrame embedding. This feature offers a granular control over iFrame embedding compared to the existing embedding option in Customization, which doesn't let you distinguish between secure and non-secure origins. Trusted Origins under Security > API allows you to selectively configure the origins you trust. It also provides enhanced security as it uses a more secure frame-ancestors directive in Content Security Policy that protects your data from web attacks such as clickjacking. See Trusted Origins for iFrame embedding.

New permissions for custom admin roles

Super admins can now assign these new permissions to their custom admin roles:

  • Manage authorization server

  • View authorization server

  • Manage customizations

  • View customizations

The authorization server permissions can be scoped to all or to a subset of the org’s authorization servers. With these new permissions, super admins can now create custom admin roles with more granular permissions for managing their org’s customizations and authorization servers. See ロールの権限について.

Additional resource and entitlements reports

Reports help your Okta org manage and track user access to resources, meet audit and compliance requirements, and monitor organizational security. The following reports are now available:

  • Group Membership report: Lists individual members of a group and how membership was granted.

  • User App Access report: Lists which users can access an application and how access was granted.

See Entitlements and Access Reports.

Fixes

General Fixes

OKTA-386570

If an LDAP interface bind request failed, subsequent searches failed with an internal server error instead of a permissions denied error.

OKTA-435855

Web and SPA app integrations created with an Authorization code or Interaction code grant type incorrectly returned an error if the Login Initiated By Either Okta or App option was selected.

OKTA-476570

The System Log didn’t display the app name when users entered invalid credentials during an SP-initiated flow.

OKTA-476896

On the Administrators page, deactivated users with assigned admin roles were included in the Individually assigned count.

OKTA-477494

Some invalid EL expressions incorrectly passed validation.

OKTA-477634

Some users experienced delays when searching for an app on the Okta End-User Dashboard.

OKTA-481752

When users tried to enroll in Okta Verify, VoiceOver screen readers didn't highlight the mobile device type correctly or allow users to select a device. It also selected the iPhone option even though the Android option was also available.

OKTA-482266

During PIV authentication where no certificate or an expired certificate was provided, a 404 error was displayed.

OKTA-482435

When admins upgraded an app to SAML 2.0, the SAML 2.0 setup instructions used the org-scoped certificate instead of the app-scoped certificate.

OKTA-483062

Custom application access error pages redirected to the default Okta error page.

OKTA-484366

Admins couldn’t use the objectGuid attribute as a unique identifier when integrating AD LDS LDAP servers with Okta.

OKTA-486141

If an inline hook was registered and in use under a profile enrollment policy, admins could deactivate or delete the hook. This resulted in an error when that policy was used for self-service registration.

OKTA-486974

An internal ID incorrectly appeared in a policy System Log event.

OKTA-488233

Parallel JIT requests for the same username created duplicate users.

OKTA-488234

The sign-in page didn’t load correctly for some orgs after they upgraded to Identity Engine.

OKTA-488428

Some users lost the ability to reveal passwords for an app when the app drawer feature was enabled.

OKTA-488663

When Full Featured Code Editor was enabled, the full screen toggle on the error page code editor didn’t change to a minimize icon.

OKTA-489050

Sometimes an error message was displayed when admins viewed applications in the Admin Console.

OKTA-489448

In SP-initiated flows, the message instructing users to create their accounts was formatted incorrectly.

OKTA-490811

When an unenrolled device attempted to access an app that required device management, the sign-in request didn't fail gracefully.

OKTA-491164

Some admins weren’t assigned the Admin Console when they were added to a group with assigned admin roles.

OKTA-491264

Sometimes when a super admin deleted a custom admin role that contained email notifications, admins couldn’t update their email notification settings.

OKTA-495549

When groups were exposed in the LDAP interface directory information tree, some filters referencing the entryDn attribute returned the incorrect result code if the group wasn’t found.

OKTA-495598

AD-sourced users who reset their passwords in AD had to reset their passwords again when using IWA or ADSSO to sign in to Okta.

App Integration Fix

The following SWA app was not working correctly and is now fixed:

  • NDFR/SDU (OKTA-485335)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications

  • Common Room (OKTA-483683)

  • Datto Workplace (OKTA-487599)

  • Sounding Board (OKTA-489395)

Weekly Updates

Early Access

Introducing the Progressive Enrollment experience

Typically, collecting end-user data during the initial sign-up process creates friction and abandonment. The addition of the Progressive Enrollment feature helps you to capture the minimum user information required to create a profile and then expand and enhance those user profiles during subsequent sign-in operations. Admins can control what information is collected, validate those input values, and trigger inline hooks during the self-service registration and progressive enrollment flows. See エンド・ユーザーの登録.

ChromeOS as a device platform

You can now enable support for ChromeOS as a device platform in the Admin Console. After you enable this feature, you can select ChromeOS as a filter for authentication policies rules. See ChromeOS support.

Fixes

General Fixes

OKTA-468575

Attempting to upload a new or replacement certificate to an existing RADIUS application resulted in an error.

OKTA-478259

When a super admin assigned an admin role to an ineligible group, the resulting error message was unclear.

OKTA-478844

Token endpoint events weren’t logged as expected by the System Log and Splunk.

OKTA-482807

Admins received a ${request.date} is required error when they tried to add a translation for the New Sign-On Notification email template.

OKTA-485981

Admins were able to save a Global Session Policy rule to deny sign-in attempts from specified zones even though no zones were selected.

OKTA-491554

The Client Secret UI didn’t render properly when users switched between authentication methods in an app instance.

OKTA-492337

The Authentication Policy dropdown menu was slow to load large numbers of policies on the Sign-On tab of an app instance.

OKTA-493632

A hyphen was incorrectly added to an app's tooltip when an end user hovered over the app on the End User Dashboard.

OKTA-498263

The Activate/Deactivate button for Password Policy didn’t work.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • CUES (OKTA-486595)

  • GetFeedback (OKTA-488495)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Britive (OKTA-487233)

  • OpsLevel (OKTA-484506)

  • Planview ID (OKTA-487235)

April 2022

2022.04.0: Monthly Production release began deployment on April 4

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta On-Prem MFA Agent, version 1.4.9

This version of the agent contains security enhancements. See Okta On-Prem MFAエージェントのバージョン履歴.

Okta Browser Plugin, version 6.9.0 for all browsers

This version includes the following changes:

  • Keyboard navigation didn't work properly when users attempted to switch to a new app list in the plugin popover window. Users were unable to close the plugin popover window with keyboard input.
  • Version 6.8.0 of the plugin caused issues for some users when they attempted to sign in to an SWA app in an iframe.

See Okta Browser Pluginのバージョン履歴 .

Admin Experience Redesign toggle removed

The toggle that allowed super admins to switch between the Admin Experience Redesign and the old experience has been removed. All Okta admins now benefit from our restyled Okta Admin Dashboard, responsive navigation side bar, and modern look and feel.

Allow or deny custom clients in Office 365 sign-on policy

You can filter specific clients in an Office 365 app sign-on rule to allow or deny them access to Office 365 resources. This filter can be used to deny access to untrusted clients or to only allow trusted clients. See Allow or deny custom clients in Office 365 sign on policy.

Endpoint integrations

The Device Integrations page now includes an Endpoint Security tab, which allows Admins to manage endpoint integrations with Windows Security Center and CrowdStrike. Endpoint Detection and Response (EDR) integration extends device posture evaluation by enabling Okta Verify to capture signals collected by your EDR client running on the same device. See EDR統合.

Okta FastPass enhancement

With Okta FastPass, an error now appears in the Sign-In Widget if User Verification is not provided when it is required.

Improved AD group membership synchronization

The ADAppUser distinguished name field is now updated when a user is added to an Okta group and a matching group exists in AD. When an Okta provisioning request moves a user to a new organizational unit, the change is quickly duplicated in AD. This new functionality helps ensure the accuracy and integrity of AD group membership information. Active Directoryユーザーとグループの管理.

New App Drawer

The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.

ShareFile REST OAuth

Admins can now upgrade to the latest version of our ShareFile integration. OAuth provides more secure authentication and will be now used for Provisioning and Imports. See Configure ShareFile OAuth and REST integration. This feature is made available to all orgs.

Enhancements

Recent activity page link for end users

If Recent Activity is enabled, users can click Last sign in in the footer of the left navigation bar to go directly to the Recent Activity page.

Burst rate limits available on Rate Limit Dashboard

The Rate Limit Dashboard, available from the Admin Console, now includes data on burst limits in your Okta org, in addition to rate limit warnings and violations. The Violations dashboard was renamed Events to acknowledge the increase of scope, and includes the ability to filter on timeline as well as the type of event (warning, burst, and violation). Hovering over the burst rates in the graphs provides more detail and links to the system log for individual endpoint calls. The individual Usage graphs provide details on bursts for the individual API. See Rate limit dashboard and Burst rate limits.

New ThreatInsight enforcement action

If you configure ThreatInsight to log and enforce security based on the threat level detected, ThreatInsight can either limit or block authentication requests from suspicious IP addresses. For example, if a specific IP address is suspected of malicious activity but the threat level is considered low, authentication requests from the IP address are not denied access but might be subjected to a rate limit. See Okta ThreatInsightを構成する.

PIV IDP user profile mapping

You can now use idpuser.subjectUid in an Okta user profile when mapping IDP Username for Personal Identity Verification (PIV) IDPs. See Add a Smart Card identity provider.

Default policy updates

The Default Global Session Policy and the default authentication policy now allow access to users with any two factors. See Oktaのサインオン・ポリシー.

Global Session Policy default rule

Admins can now edit the primary factor condition in the default rule of their org’s Default Global Session Policy. See Update a Global Session Policy.

Custom app logo preview

Admins can now preview a custom logo before applying it to an app. See Customize an application logo.

Updated error message for Microsoft Graph API

An error message for Microsoft Graph API has been updated to include more details and a possible workaround.

Debug logging for token exchange

The following fields have been added to the System Log for assistance in debugging OAuth2 token exchange events:

  • requested_token_type
  • subject_token_type
  • actor_token_type
  • resource

Updated SAML setup instructions

Setup instructions for SAML 2.0 apps now use per app SHA2 certificate during the app creation.

Change to the number of free SMS messages allowed

To balance growing costs of SMS usage while maintaining a commitment to developer and free trial orgs, Okta is changing the number of free SMS messages these orgs are allowed each month. Beginning April 4, 2022, orgs may send a maximum of 100 messages per month. For more information about this change, visit the Okta Developer Community.

Early Access Features

New Features

Customize Okta to use the telecommunications provider of your choice

While Okta provides out of the box telephony functionality, many customers need the ability to integrate their existing telecommunications provider with Okta to deliver SMS and Voice messages.

The Telephony Inline Hook allows customers to generate one-time passcodes within Okta and then use their existing telecommunications provider to deliver the messages for MFA enrollment/verification, password reset, and account unlock using SMS or Voice. This allows customers to use their existing telephony solution within Okta, due to the time they've already invested in their existing telephony solution, the need to use a specific regional provider, or simply the desire to maintain flexibility. See Customize your telephony service provider.

Enhancement

Splunk available for Log Streaming

Many organizations use third-party systems to monitor, aggregate, and act on the event data in Okta System Log events.

Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as the Splunk Cloud in near real time with simple, pre-built connectors. Log streaming scales well even with high event volume, and unlike many existing System Log event collectors, it doesn't require a third-party system to store an Okta Admin API token. See Log Streaming.

Fixes

General Fixes

OKTA-442031

Some Okta Mobile sign-in flows didn’t work for admins when the Okta Admin Console app required step-up authentication.

OKTA-456484

When more than one authenticator appeared on the authenticator enrollment page, the Return to authenticator list link didn’t appear.

OKTA-460284

SAP Litmos imports failed with an unexpected error.

OKTA-467278

If an error occurred in Okta Verify during authentication or if authentication was cancelled, a delay occurred before the user was prompted again to select a security method.

OKTA-472816

When app admins selected the Agents tab, the error message “Error rendering agents monitor table” appeared and no agents were listed.

OKTA-473180

Sometimes AssertionId for SAML1.1 assertions was poorly formatted.

OKTA-475767

Sometimes, in the Groups page Description column, an equals sign (=) replaced the forward slash ( / ) in LDAP-sourced group names.

OKTA-475774

Users could use ADSSO to sign in to Okta when delegated authentication was disabled.

OKTA-478467

Admins who didn’t have permission to view the Agent monitors page received agent auto-update email notifications.

OKTA-478537

When admins searched for an authentication policy, only the first 100 policies were visible. This occurred on both the Applications page and the Authentication policies page.

OKTA-479110

The sender email address on the Customizations > Emails page was inconsistent with the sender email address on individual templates.

OKTA-479701

Admins were shown events that were unrelated to their account in the Security Events section of the Recent Activity page.

OKTA-482086

Some admins saw an error if they tried to run a report using resource sets created more than a year ago.

OKTA-483011

Sometimes, Okta IWA agent authentications failed during deployment when IWA replay attack detection was enabled.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • MyFonts (OKTA-476809)

  • Quickbooks Time Tracker (OKTA-476695)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Atomic Console (OKTA-479344)

  • Intra-mart Accel Platform (OKTA-476864)

  • Mulesoft - Anypoint Platform (OKTA-461170)

  • OfficeTogether (OKTA-476827)

  • QTAKE Cloud (OKTA-480924)

OIDC for the following Okta Verified application:

Weekly Updates

Generally Available

Fixes

General Fixes

OKTA-476780

If an app’s profile enrollment policy didn’t require email verification, end users who started the sign-up process but abandoned it before setting a password weren’t able to use the Forgot password option when they resumed the process.

OKTA-479171

When admins selected older versions of the Sign-In Widget, messages about the latest version were inconsistently displayed.

OKTA-482299

When a super admin removed all admin role assignments from a user, a time-out error sometimes appeared.

OKTA-482472

Admins with view permissions could see the Edit button in the User Account section of Customizations > Other.

OKTA-483063

After some orgs upgraded to Identity Engine, their users received an internal server error when they attempted to sign in.

OKTA-483335

When users signed in to Salesforce with the OAuth app, they weren't prompted to Allow Access. This only occurred if the Salesforce app was configured and the user already had an active session.

OKTA-483338

When users signed in to Google with the OAuth app, they weren't prompted to Allow Access. This only occurred if the Google app was configured and the user already had an active session.

OKTA-484416

In orgs that included OMM apps, Okta RADIUS agents weren’t able to service authentication requests after restart.

OKTA-484474H

The IdP and ADSSO authentication times weren't reflected in the AuthInstant attribute of SAML assertions, which resulted in a failed SAML app sign-in flow.

OKTA-484971

The Recent Activity section of the Okta End-User Dashboard didn't load properly for Internet Explorer users.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • A Bead Store (OKTA-481911)

  • Adobe (OKTA-479001)

  • Adobe Stock (OKTA-483342)

  • American Express Business (OKTA-482556)

  • Mutual of Omaha (OKTA-481802)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • CardinalOps (OKTA-482262)

  • Curator by InterWorks (OKTA-481345)

  • ModernLoop (OKTA-482260)

Generally Available

Fixes

General Fixes

OKTA-389310

The nonce length for WebAuthn challenges didn't have enough characters for the recommended level of entropy.

OKTA-474861

Users couldn’t enroll in Okta Verify Push for recovery even though it was enabled as a primary recovery method.

OKTA-477017, OKTA-486532

When admins added an app to an authentication policy and then searched for an app that didn’t exist, the Add button reappeared by the name of their newly added app.

OKTA-483982

Users could enroll the Phone authenticator even though it was disabled in MFA enrollment policies and wasn’t available as a recovery option.

OKTA-484105

When an end user manually appended their username to the End-User Dashboard URL, their username wasn't relayed as a login_hint to the Sign-In Widget.

OKTA-486672

When SP-initiated SSO requests for Bookmark apps used the app’s embed link, incorrect parameters were passed to the SP.

OKTA-486952

Performance issues occurred for Simple Certificate Enrollment Protocol (SCEP) deployments that used dynamic challenge.

OKTA-488718

The Authentication Policies page failed to load for some orgs.

OKTA-488985

The setup instructions for a manual WS-Federation configuration for Office 365 incorrectly displayed an SHA-2 certificate instead of the SHA-1 org-scoped certificate.

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Axiad Cloud (OKTA-465658)

  • BizLibrary (OKTA-438712)

  • Greene King (OKTA-480468)

  • SendGrid (OKTA-485059)

  • SourceWhale (OKTA-472980)

  • TestRigor (OKTA-486166)

Generally Available

Fixes

General Fixes

OKTA-468644

When a super admin scoped a standard role to a group or app and then saved the resource set, any unsaved role assignments were removed from the Administrator assignment by role page.

OKTA-483742

When admins deleted Okta AD agents, scheduled agent auto-updates continued and caused exception errors.

OKTA-484482

The iframeControlHideCatalog option didn't hide the Add Apps link when the Okta End-User Dashboard was embedded.

OKTA-485860

Admins whose custom admin role contained the Edit users' authenticator operations and Edit users' lifecycle states permissions could create API tokens.

OKTA-487293

SAML inline hooks with an AuthNRequest sometimes failed.

OKTA-487334

The SWA copy password window on the Okta End-User dashboard contained UI issues for Internet Explorer users.

OKTA-487453

Deleted users were reindexed in Elasticsearch when admins deleted user data.

OKTA-488616

The doctype declaration wasn’t displayed in the default template for error pages code editor.

OKTA-495596H

Admins couldn't customize the End-User Dashboard layout.

OKTA-495695H

A Classic Engine org couldn't upgrade to Identity Engine if its users were enrolled in Okta Mobile.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Carta (OKTA-486196)

  • Chartbeat (OKTA-485773)

  • Rippe and Kingston LMS (OKTA-482602)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified applications

  • Heap Analytics (OKTA-486230)

  • Secure Code Warrior (OKTA-476859)

March 2022

2022.03.0: Monthly Production release began deployment on March 7

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta Active Directory Password Sync agent, version 1.5.0

This version of the agent includes:

  • Security enhancements.

  • Making .NET Framework 4.6.2 the minimal supported version. Earlier versions are automatically upgraded during agent installation.

  • Okta Military Cloud support.

See Okta Active Directory Password Syncエージェントのバージョン履歴.

Okta AD agent, version 3.10.0

This version of the agent contains:

  • Okta Military Cloud support.

  • Bug fixes.

See Okta Active Directoryエージェントのバージョン履歴.

Okta LDAP agent, version 5.12.0

This version of the agent contains support for Okta Military Cloud. See Okta LDAP Agentのバージョン履歴.

Event hooks for custom admin roles

Custom admin role events are now available for use as Event Hooks. This provides more security to admins by ensuring that they have the correct permission to perform tasks. See イベント・フック.

Enforce limit and log per client mode for OAuth 2.0 /authorize and /login/login.htm endpoints

The default client-based rate limit for OAuth 2.0 /authorize and /login/login.htm endpoints is now elevated to Enforce limit and log per client (recommended) mode. This means that if your org’s client-based rate limit was previously set to Do nothing or Log per client, the setting is changed to Enforce limit and log per client (recommended) mode.

Note that based on the email communication sent out on Feb 3, 2022 and Feb 25, 2022, these changes are not applicable to certain orgs. See Default client-based rate limit mode change.

New ThreatInsight enforcement option

ThreatInsight evaluates authentication requests to detect potentially malicious activity from IP addresses exhibiting suspicious behavior. If you enable the Log and enforce security based on threat level option, ThreatInsight can limit or block authentication requests from suspicious IP addresses based on the threat level detected. For example, if a specific IP address is suspected of malicious activity but the threat level is considered low, authentication requests from the IP address are not denied access but might be subjected to a rate limit. The rate limit helps ensure that requests from a suspicious IP address don't overload authentication services and affect legitimate traffic. However, if an IP address is suspected of malicious activity and the threat level detected is high, authentication requests from the IP address are blocked. See Okta ThreatInsightを構成する.

Validation for custom message templates

If you customize the default SMS message template, the Admin Console checks the message to determine whether it contains GSM or non-GSM characters and enforces the GSM or non-GSM character limit before saving the message. This check ensures that you don't create custom SMS messages that exceed the GSM or non-GSM character limit for message segments.

If you change existing custom templates, the new restrictions are enforced if your messages contain non-GSM characters.

For more information about customizing SMS templates, see Configure and use telephony.

Custom Administrator Roles

The standard admin roles available today don’t always meet all the granular delegated administration requirements, which may result in admins having either more or less permissions than they need.

The Custom Administrator Roles feature allows super admins to:

  • Create admin assignments with granular roles, which include specific user, group, and application permissions.

  • Constrain these admin assignments to resource sets.

Use Custom Administrators Roles to:

  • Increase admin productivity.

  • Decentralize the span of access that any one admin has.

  • Grant autonomy to different business units for self-management.

Some important things to note:

  • The Administrators page has been updated with a new, more intuitive interface for managing roles and permissions. See [管理者]ページについて.

  • Your pre-existing roles are referred to as “standard roles”. The standard role functionality is the same as earlier but the UI is different. See 標準ロールを使用する.

  • You can continue using the pre-existing roles and your existing assignments remain the same.

  • You can also assign custom roles to users who have standard roles assigned.

See カスタム管理者ロール and カスタム・ロールの割り当てを作成するためのベスト・プラクティス.

System Log events for group app assignments

When an admin role is assigned to a group, the Okta Admin Console is now assigned to the group members much faster, and an Add assigned application to group event (group.application_assignment.add) appears in the System Log. This helps super admins monitor the event activity in their org. See システム・ログ.

Immutable unique data types for Okta LDAP and AD agent actions

Immutable unique data types can now be used with Okta LDAP and AD agent actions. The use of immutable unique data types lets admins locate users when a username is updated, or when the user is moved to another OU. Immutable unique data type support reduces the time admins spend managing users and makes sure they can always locate user profiles after an update or when a username changes. . See ディレクトリー統合.

ShareFile REST OAuth

Admins can now upgrade to the latest version of our ShareFile integration. OAuth provides more secure authentication and will be now used for Provisioning and Imports. See Configure ShareFile OAuth and REST integration. This feature is currently available for new orgs only.

Group Push enhancements

Group Push now supports the ability to link to existing groups in NetSuite. You can centrally manage these apps in Okta. This is important because it allows you to set up and push Okta groups into NetSuite instead of recreating them in NetSuite. See グループ・プッシュについて.

Support for additional social Identity Providers

Social login is a form of SSO that uses existing information from a service such as Facebook, Twitter, or Google to sign in, instead of creating a new account specifically for a third-party website. Social Identity Provider (IdP) popularity varies by industry and region. We're making it easy for Okta admins to add new IdPs with out-of-the-box integrations for GitHub, GitLab, Salesforce, and Amazon, with more to come. These integrations add to our existing social IdP catalog in the OIN, allowing users to quickly sign up or sign in to your application without entering their email or creating a new password. See External Identity Providers.

Risk and behavior evaluation

To improve the visibility of risk scoring and behavior detection, all sign-in requests are evaluated for risk factors and changes in behavior. Impacted orgs can view the results of the evaluation in the System Log. See Identity providers.

Enhancements

Sign-In Widget updates for Okta FastPass

The Sign in with Okta FastPass button no longer appears on the Sign-In Widget when users access Android Native apps that use Webview. Webview doesn't support this functionality.

Copy button updates

In the app settings panel of the Okta End-User Dashboard, the copy buttons for the username and password fields are renamed Copy username and Copy password.

Early Access Features

New Features

Group search in the Admin Console

Admins can now use the Search bar to quickly find groups, in addition to users and apps. See 管理コンソールの検索.

Automatically update public keys in the Admin Console

Using private_key_jwt as your app's client authentication method requires that you upload public keys to Okta and then use the private keys to sign the assertion. Then, you must update the client configuration each time you rotate the key pairs. This is time-consuming and error-prone. To seamlessly use key pairs and rotate them frequently, you can now configure private_key_jwt client authentication in the Admin Console for OAuth clients by specifying the URI where you store your public keys. See Manage secrets and keys for OIDC apps.

Two new reports

Monitor and improve the security of your org with the following new reports:

  • MFA enrollment by user report
    Use this report to view the types and counts of authenticators that users in your org have enrolled. This can improve the security posture of your org by enabling you to understand the adoption of strong authenticators like Okta Verify. See MFA Enrollment by User report.
  • User accounts report

    Use this report to view users with accounts in Okta and their profile information. It helps you manage and track user access to resources, meet audit and compliance requirements, and monitor the security of your org. The report is located in the Entitlements and Access section of the Reports page. See User Accounts report.

Enhancements

Incremental Imports for the Org2Org app

Okta now supports incremental imports for the Org2Org app. Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import. See Okta Org2Org.

Fixes

General Fixes

OKTA-447833

Admins couldn’t set up a custom domain URL with a top-level domain of .inc.

OKTA-455641

The Edit Assignment page for the Box app didn’t handle non-alphabetical characters properly.

OKTA-466022

Admins whose custom role contained the Run imports permission couldn’t view their org’s LDAP integrations.

OKTA-468707

The System Log didn't display ThreatSuspected=false for authentication events when no threat evaluation was done.

OKTA-468751

When Okta Verify was the only enrolled authenticator, time-based one-time password (TOTP) wasn’t automatically selected even though it was the last-used authentication method.

OKTA-471299

When ThreatInsight evaluated sign-in attempts for unknown users, the threat level was incorrectly displayed as threatLevel=UNKNOWN in the System Log.

OKTA-471605H

In SP-initiated flows, users' sessions ended when they closed the browser even if they selected Keep me signed in.

OKTA-471815

Some customers noticed duplicate Windows devices on the Devices page when users re-enrolled with Okta Verify.

OKTA-471605H

In SP-initiated flows, users' sessions ended when they closed the browser even if they selected Keep me signed in.

OKTA-472304H

Group push for some customers resulted in a timeout error after one minute.

OKTA-473512

When the Custom Admin Roles feature was enabled, super admins were called Super Organization Administrators.

App Integration Fixes

The following SWA app were not working correctly and are now fixed

  • Asana (OKTA-467306)
  • Dashlane Business (OKTA-466333)
  • Guardian Insurance (OKTA-470966)
  • Loop11 (OKTA-471181)
  • Names & Faces (OKTA-468537)
  • Nord Layer (OKTA-469771)
  • Optum Health Financial (OKTA-465956)
  • QuickBooks (OKTA-467864)
  • Twitter (OKTA-470889)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Happeo (OKTA-461895)

  • ScreenMeet (OKTA-466613)

  • Shortcut (OKTA-461249)

  • Wonderwerk (OKTA-454149)

  • Zero Networks (OKTA-472331)

OIDC for the following Okta Verified applications:

Weekly Updates

Generally Available

Fixes

General Fixes

OKTA-374857

When admins searched for groups in the new LDAP interface, results weren’t returned if the search query contained all lowercase characters.

OKTA-440514

Sensitive attributes were exposed when Identity Provider routing rules contained Boolean expressions.

OKTA-452618

Admins whose custom role contained the Edit users' lifecycle states permission but not the View users and their details permission could view the Profile tab on the user page.

OKTA-457354

Updating an access policy rule through the Admin Console sometimes resulted in a browser error. This occurred if the rule was created using the Authorization Server API without an include array in the User Condition object.

OKTA-459720

Some apps that require admin configuration appeared on the App Catalog page of the End-User Dashboard.

OKTA-464002

Admins with two active Okta orgs linked together by the same company name were unable to sign in to the OIN Manager portal.

OKTA-469953

Sometimes, when users signed in with Okta FastPass, Okta Verify continuously requested an authentication factor until they clicked Cancel.

OKTA-470268

If tasks were pending, users experienced slow or unresponsive web browsers after navigating to the Tasks page of the End-User Dashboard.

OKTA-470384

Screen readers didn't properly read text in the App Settings page the when user set focus on Username or Password fields.

OKTA-470541

Sometimes importing from the SuccessFactors app integration failed after timing out.

OKTA-470701

Keyboard navigation and screen readers occasionally lost focus while in the App Settings page of the End-User Dashboard.

OKTA-471668

Button labels were inconsistent on the Global Session Policy page and help links were missing from the Authentication policies page.

OKTA-472593

When the Custom Admin Roles feature was enabled, the Administrator assignment by admin, Edit resources to a standard role, and Edit resource set pages didn’t display group details for imported AD/LDAP groups.

OKTA-472895

When modifying the custom email activation template, an admin could save the template without either of the required verificationLink or verificationToken elements.

OKTA-472928

When modifying the custom email challenge template, an admin could save the template without either of the required emailAuthenticationLink or verificationToken elements.

OKTA-474143

A new public key was displayed in the UI despite the new key generation operation being canceled.

OKTA-476453

Displaying the App Catalog in List View on the End-User Dashboard caused UI errors in Internet Explorer browsers.

OKTA-477943H

Admins couldn’t change the version of the Sign-In Widget for custom domains.

OKTA-478421H

When AD/LDAP users were imported into groups with assigned admin roles, the resulting admin role updates were delayed, and the Grant user privilege event didn’t appear in the System Log.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Data.ai (OKTA-472317)

  • Google Play (OKTA-470657)

  • Zenefit (OKTA-472199)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

OIDC for the following Okta Verified applications:

Generally Available

Fixes

General Fixes

OKTA-414109

Admins who only had the View application and their details permission could see the Self Service section on the Application > Assignments tab.

OKTA-417477

Making valid changes to the device_sso or online_access scopes in the Edit Scope dialog incorrectly returned an error message.

OKTA-441233

When a super admin saved the email notification settings for a role without making any changes, the settings weren’t restored to their default values for existing admins with that role.

OKTA-463551

Lengthy app names weren't fully listed in the search index of the Okta End-User Dashboard.

OKTA-464217

Onboarding guides were still shown to new users after admins disabled the feature in Customizations > Other > Display Options.

OKTA-467278

If an error occurred in Okta Verify during authentication or if authentication was cancelled, a delay occurred before the user was prompted again to select a security method.

OKTA-469449

Admins couldn’t change their custom sign-in page, and the wrong error message was displayed.

OKTA-469451

Send test email failed with a 500 error for some email templates.

OKTA-471120

For profile enrollment using the Sign-In Widget, the field labels for most base attributes weren't localized.

OKTA-471670

The ThreatSuspected field was missing in the user.session.start event for Radius sign-in requests.

OKTA-472914

Self-service password reset resulted in an incorrect exception message when users attempted to set a password that contained a single-space character.

OKTA-473387

Variables didn’t work in the subject lines of some email templates.

OKTA-476019

Unsaved edits appeared in the read-only view of Identity Provider routing rules.

OKTA-476469

On the Authentication policies page, the preset policies didn’t have descriptions.

OKTA-476480

During self-service password resets or account unlocks, users received an internal server error if they provided an invalid username and selected Okta Verify Push. This occurred in orgs with User Enumeration enabled.

OKTA-478605

During OAuth app creation, EC public keys weren't recognized and couldn't be validated.

OKTA-479004

Some Preview orgs experienced Office 365 import failures with the error message, “An error occurred while creating the Azure Active Directory Graph API client.”

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • MyAtt (OKTA-473277)

  • Nationwide Financial (OKTA-473149)

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Ashby (OKTA-470597)

Generally Available

Fixes

General Fixes

OKTA-409838

When the Custom Admin Roles feature was enabled, admins without the View users and their details permission could see the Profile tab on the user page.

OKTA-448751

The Admin Dashboard sometimes displayed an inaccurate number of user groups.

OKTA-448946

Updating a Salesforce app username created a new user instead of pushing a profile update.

OKTA-456820

If users authenticated with a custom IdP factor, their client details weren't captured in the System Log.

OKTA-461147

The Remember My Last Used Authenticator functionality didn’t display all available authenticators, and the authenticator that was automatically selected hadn't been previously used.

OKTA-472294

When using Branding or Custom Domain features, admins who clicked a button multiple times received an error even though the action completed successfully.

OKTA-472467

Screen readers couldn't tell whether Password input field was hidden or revealed.

OKTA-474997

The Registration - Email Verification and Registration - Activation email templates didn't support translated text.

OKTA-477938

Using Okta Expression Language in an IdP Username to authenticate with PIV resulted in an "application not assigned" error.

OKTA-477943

Admins couldn’t change the version of the Sign-In Widget for custom domains.

OKTA-479799

When the Custom Admin Roles feature was enabled, some admins couldn’t view groups on the Administrators > Admins tab.

OKTA-479983

The Client Secret page didn't render the UI correctly for orgs with the Client Secrets Management feature enabled.

OKTA-480151

Some Expression Language variables still appeared in automated emails.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Angie's List (OKTA-477233)

  • FortiCloud (OKTA-478241)

  • Lutron (OKTA-476161)

  • Tableau (OKTA-471013)

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Perdoo (OKTA-472102)

OIDC for the following Okta Verified application:

February 2022

2022.02.0: Monthly Production release began deployment on February 7

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta AD agent, version 3.9.0

This version of the agent contains bug fixes. See Okta Active Directoryエージェントのバージョン履歴.

Okta LDAP agent, version 5.11.0

This version of the agent contains:

  • Support for Proxy Authorization Control version 2 (2.16.840.1.113730.3.4.18). Users who are required to change their password after it is reset by an admin are no longer prompted twice for their password when accessing the End-User Dashboard. This new functionality is available only with LDAP services that support Proxy Authorization Control version 2. To enable this feature, contact Okta Support.

  • Internal improvements and bug fixes.

See Okta LDAP Agentのバージョン履歴.

Endpoint integrations

The Device Integrations page now includes an Endpoint Security tab, which allows admins to manage endpoint integrations with Windows Security Center and CrowdStrike. Endpoint Detection and Response (EDR) integration extends device posture evaluation by enabling Okta Verify to capture signals collected by your EDR client running on the same device. See EDR統合.

New Custom OTP Authenticator released on a Limited Availability basis

The Custom OTP Authenticator enables admins to deploy a wide variety of one-time password solutions in their Okta environment. See Configure Custom OTP authenticator.

Sign-In Widget User Identifier

Admins can now customize whether the user’s identifier appears on authentication and enrollment steps of the sign-in page. See サインイン・ページのテキストをカスタマイズする

OIN catalog replaces categories with use cases

Integrations in the OIN catalog address multiple use cases beyond SSO, such as LCM, social login, and identity proofing. Okta helps prospective and current orgs identify the OIN integrations that best meet their needs by highlighting the use cases that the integrations address and the functionality that the integrations use. This information is provided on both the OIN Catalog landing page and the integration details page. Okta also provides calls to action to help users immediately find value with these integrations across the Okta product platform. Use cases and functionalities replace app categories and filters, which were previously used to sort integrations. This feature will be gradually made available to all orgs.

See Add existing app integrations.

Provisioning to Office 365 now requires Admin Consent for Microsoft Graph API

Admins are now required to grant consent for Okta to call Microsoft Graph API to enable provisioning features for Office 365 app instances. This change prepares Okta to migrate provisioning operations to Microsoft Graph API in 2022, which will improve performance and reliability for Office 365 provisioning operations. It also enhances security for Okta customers by limiting Okta's permissions in the customer's Azure Active Directory to only those operations which are required for provisioning. Okta customers who previously configured provisioning to Office 365 are required to grant admin consent in order to make any changes to their existing provisioning settings. See Provide Microsoft admin consent for Okta.

Configure a custom error page

You can customize the text and the look and feel of error pages using an embedded HTML editor. When used together with a custom URL domain (required) and a custom Okta-hosted sign-in page, this feature offers a fully customized error page. For details, see Configure a custom error page.

Configure a custom Okta-hosted sign-in page

You can customize the text and the look and feel of the Okta-hosted sign-in page using form controls and an embedded HTML editor. When used together with a custom URL domain (required) and a custom Okta-hosted error page, this feature offers a fully customized end user sign-in experience hosted by Okta. For details, see Configure a custom Okta-hosted sign-in page.

Custom domains with Okta-managed certificates

When you customize an Okta URL domain, your Okta-hosted pages are branded with your own URL. Okta-managed certificates automatically renew through a Let’s Encrypt integration, a free certificate authority. Okta-managed certificate renewals lower customer developer maintenance costs and reduce the high risk of a site outage when certificates expire. See Customize the Okta URL domain.

Secondary email option for LDAP-sourced users

Admins can now enable a secondary email option for LDAP-sourced users in new orgs. When the secondary email option is enabled, LDAP-sourced users who haven’t previously provided a secondary email are now prompted to provide it on the Okta Welcome page. The prompt continues to appear until a secondary email is provided.

A secondary email helps reduce support calls by providing LDAP-sourced users with another option to recover their password when their primary email is unavailable. See オプションのユーザー・アカウント・フィールドを構成する.

Password expiry for AD LDS-sourced users

Admins can now expire the passwords of AD Lightweight Directory Services-sourced users. Forcing users to change their password when they next sign in to Okta keeps passwords updated and enhances org security. See AD LDS LDAP統合リファレンス.

Improved password status accuracy for LDAP-sourced users

The status of LDAP-sourced users is now accurately displayed on the user’s profile page. Previously, the user status incorrectly displayed Password Reset when a password was active. This update reduces the time admins need to spend monitoring and managing user passwords. See ユーザー・アカウントのステータスについて.

New features for HealthInsight

Risk scoring improvements

Risk scoring has been improved to detect suspicious sign-in attempts based on additional IP signals. See リスク・スコアリング.

Enhancements

Custom URL domain certificate expiration reminders

Email reminders for custom URL domain certificate expiration are now sent to super admins and org admins only.

Sign-In Widget error messages

If multiple errors occur during a sign-in event, the Sign-In Widget displays all error messages together.

OIN Manager enhancements

Users can now select a maximum of five app categories for ISV submissions. If an app category isn't selected, the app is placed in the all integrations category. See App information.

Email and SMS notification renamed

The New Device Notification email and SMS messages have been renamed New sign-on notification.

App notes

App notes written by an admin are now displayed for users who hover over the app on the Okta End-User Dashboard.

Masking for eight digit phone numbers

The masking algorithm now reveals fewer digits for shorter phone numbers. For example, if the phone number has eight digits, the first five digits are masked and the final three digits are visible.

Early Access Features

New Features

Additional Okta username formats for LDAP-sourced users

Three additional Okta username formats are now available for LDAP-sourced users. In addition to the existing options, admins can now select Employee Number, Common Name, and Choose from schema to form the Okta username. These new options allow admins to use both delegated authentication and Just-In-Time (JIT) provisioning with LDAP directory services. With these new provisioning options, it is now easier for admins to integrate their LDAP servers with Okta. See LDAP統合設定の構成.

Fixes

General Fixes

OKTA-419847

On-Prem MFA API tokens contained scopes beyond what was required for agent operation.

OKTA-433751

End users received errors when accessing SWA apps through the Okta End-User Dashboard if their app passwords contained ampersands.

OKTA-436486

Some orgs couldn’t save email templates containing Velocity variables. This occurred for orgs with Enhanced Email Macros enabled.

OKTA-442296

Some end users received a 400 error after signing in to the Okta End-User Dashboard.

OKTA-443777

Admins couldn’t use the objectGuid attribute as a unique identifier when integrating AD LDS LDAP servers with Okta.

OKTA-451206

When admins enabled LDAP real-time synchronization, the system.agent.ad.realtimesync event erroneously appeared in the System Log.

OKTA-455372

If the information required to evaluate behavior was not available, the System Log displayed BAD_REQUEST for rules that included behavior detection.

OKTA-456046

When upgrading to Identity Engine, orgs received an error stating that they had Sharepoint On-Premises app instances that weren't supported by Identity Engine.

OKTA-459571

In the admin console, the status of RADIUS agents randomly changed from Operational to Disrupted.

OKTA-459778

Customized Sign-In Widgets didn’t match the preview on the Sign-In Widget code editor.

OKTA-460366

On Security > Networks > Add IP Zone, proxy IP addresses weren't explicitly identified as trusted proxy IP addresses.

OKTA-461015

Event information was missing from the Report Suspicious Activity page after users changed their password in the Sign-In Widget.

OKTA-461198

When the Custom Admin Roles feature was enabled, read-only admins could see the Assign to People, Assign to Groups, and Edit User buttons on the Applications page.

OKTA-462025

Admins who refreshed a page in the custom URL domain wizard weren’t returned to the correct step.

OKTA-462114

The ${user.login} variable appeared in default email templates.

OKTA-467470H

When the Okta Browser Plugin was installed, applications opened from the new End-User Dashboard into pop-up windows instead of regular browser tabs. This occurred for Internet Explorer users only.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • AppSplit (OKTA-462294)
  • Auth0 (OKTA-456042)
  • Dockerhub (OKTA-463515)
  • FinServ (OKTA-463959)
  • LoansPQ (OKTA-462410)
  • MeridianLink LoansPQ (OKTA-460940)
  • New Relic (OKTA-464710)
  • ProtonMail (OKTA-463545)
  • Salto Keys (OKTA-464469)
  • WePay (OKTA-462296)
  • Wikispaces (OKTA-462300)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Compliance Genie (OKTA-456834)

  • SecureCodeWarrior (OKTA-455728)

OIDC for the following Okta Verified application:

Weekly Updates

Generally Available

Self-service registration using unverified email

When email is set up as an optional authenticator, end users can complete the self-service registration process without verifying their email address. They can also use the unverified email to reset their password, if required. However, they still must verify the email if it's used for authentication. You can configure this setting in the profile enrollment policy. See プロファイル登録ポリシーを管理する

Fixes

General Fixes

OKTA-422710

When the Custom Admin Roles feature was enabled, admins who didn’t have the Manage groups permission could view the Actions drop-down menu on the Groups > Rules tab.

OKTA-425072

When a user’s session expired, they weren’t returned to the app sign-in page.

OKTA-439826

Windows Server 2008 R2 was identified as a supported operating system on the Set Up Active Directory page.

OKTA-452937

Admins experienced page scrolling errors when approving requests for Salesforce apps.

OKTA-455572

End users were unable to see their existing password when editing sign-in information for an SWA app.

OKTA-456429

On the App Access Locked page, the contact your administrator link was broken.

OKTA-458310

The Groups page displayed the Admin roles tab for non-AD/LDAP groups. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-460374

When a default application was configured for the Sign-In Widget, no banner indicated to users which app they were signing in to.

OKTA-460647

UI elements for app settings on the Okta End-User Dashboard were inconsistent for admins and end users.

OKTA-460719

The Add Log Stream and Add Identity Provider pages were improperly rendered in Internet Explorer 11.

OKTA-461134

Tooltips didn't wrap properly on the Okta End-User Dashboard.

OKTA-461604

The Username field was missing for admins in the self-service app request workflow.

OKTA-462025

Admins who refreshed a page in the custom URL domain wizard weren’t returned to the correct step.

OKTA-462639

Some international SMS messages had the wrong country code displayed in the System Log.

OKTA-463010

Users who were migrated with a Password Import Inline Hook couldn't reset their passwords through self-service.

OKTA-463346

In Internet Explorer 11, apps on the Okta End-User Dashboard displayed incorrect titles.

OKTA-463622H

Self-service email verification failed if the email contained a redirect to the Okta Dashboard and the user already had an active session.

OKTA-463905

Super admins didn't receive an error if they saved the Administrator assignment by resource set or Administrator assignment by role page without selecting a resource set/role. This occurred for orgs with the Custom Admin Role feature enabled.

OKTA-465050

The app settings drawer incorrectly displayed a password field for SAML apps.

OKTA-466901

Custom attributes identified as cn (Common Name) were automatically mapped as username in Okta.

OKTA-471193H

Group push from Okta to Office 365 didn’t work.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Schwab Retirement Plan Center (OKTA-464739)
  • SquareSpace (OKTA-466252)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • CloudAlly (OKTA-453596)

Generally Available

Remember my last-used MFA authenticator

Okta now remembers which MFA authenticator the user selected the last time they successfully signed in. On subsequent sign-in attempts, if the last-used authenticator is WebAuthn, Okta Verify Push, or Okta Verify FastPass, that authenticator appears in the list on the Sign-In Widget. Otherwise, the last-used authenticator is automatically selected by default. Users can still select another authenticator by clicking Verify with something else.

Fixes

General Fixes

OKTA-449722

There was a spelling error in the Help link (Optional) section of the Settings > Account > End User Information page.

OKTA-456339

Admins whose custom admin role contained the Run imports permission couldn't click Back to Applications on the Applications page.

OKTA-465665

End users saw a blank page if they signed in to the Okta End-User Dashboard with a custom domain that ended with com.com.

OKTA-466301

The following issues occurred in the OIN App Catalog on Internet Explorer 11:

  • The app details page wasn’t shown when an app was selected from the Browse Integration Catalog search results.
  • App details pages didn’t render correctly.
  • Users weren't able to use the up and down arrow keys to navigate search results.

OKTA-466425

On the Okta End-User Dashboard, the app setting drawer's Reveal password wasn't accessible by keyboard commands.

OKTA-466790

Landing on the Reset Password page from /signin/forgot-password URL and clicking the Back to sign in link did not take the user back to the sign-in page.

OKTA-468607

When the Custom Admin Roles feature was enabled, newly added admins didn’t always appear on the Administrators page.

OKTA-469099

When orgs enabled both Branding and Custom Domain URL, the default domain displayed customized error pages.

OKTA-471196H

Some end users were unable to reset their password for an embedded flow using the self-service password reset process.

January 2022

2022.01.0: Monthly Production release began deployment on January 10

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta On-Prem MFA agent, version 1.4.8

This version of the agent contains security fixes. See Okta On-Prem MFAエージェントのバージョン履歴.

Okta Active Directory agent, version 3.8.0

This version of the agent contains:

  • Agent auto-update support
  • Improved logging functionality to assist with issue resolution
  • Bug fixes

See Okta Active Directoryエージェントのバージョン履歴.

Okta RADIUS Server agent, version 2.17.2

This version of the agent contains security fixes. See Okta RADIUS Serverエージェントのバージョン履歴.

Admin Console user interface changes

On the Device Integrations page, the Endpoint Management tab now includes an Activate/Deactivate action for legacy Device Trust desktop configurations. It also includes a warning message if an admin attempts to deactivate Device Trust when their Identity Engine app sign-on policy is not configured correctly for devices that are not trusted.

Delivery status of SMS messages in the System Log

Administrators can now view the delivery status for SMS messages in the System Log. For information about the new event type, see Configure and use telephony.

Feature name change: New Sign-On Notification

The New Device Notification functionality is renamed to New Sign-On Notification in the Admin Dashboard, the email notification title, and elsewhere. It refers to the email notification a user receives when there’s a sign-in event from an unrecognized device.

New permissions for custom admin roles

The following new permissions can now be assigned to a custom admin role:

  • Activate users

  • Deactivate users

  • Suspend users

  • Unsuspend user

  • Delete users

  • Unlock users

  • Clear user sessions

  • Reset users' authenticators

  • Reset users' passwords

  • Set users' temporary password

  • Run imports.

The new permissions give super admins more granular control over their delegated org permissions. See ロールの権限について.

YubiKey OTP authentication now available

YubiKey one-time-password (OTP) mode authentication is now available to Okta Identity Engine users. See Configure YubiKey for one-time passwords

Service Principal Name functionality improvement

New Service Principal Name (SPN) functionality allows Agentless Desktop Single Sign-on (ADSSO) authentication to continue without interruption when an SPN is updated. A service account and an SPN are required for ADSSO Kerberos authentication. With this change, you can now update the SPN frequently as an additional security precaution. See サービス・アカウントを作成して、サービス・プリンシパル名を構成する.

OAuth Dynamic Issuer option

An authorization server’s issuer URL can be used to validate whether tokens are issued by the correct authorization server. You can configure the issuer URL to be either the Okta subdomain (such as company.okta.com) or a custom domain (such as sso.company.com). See .

When there are applications that use Okta’s subdomain and other applications that use the custom domain, the issuer validation breaks because the value is hard-coded to one domain or the other.

With Dynamic Issuer Mode, the issuer value in minted tokens is dynamically updated based on the URL that is used to initiate the original authorize request.

For example, if the authorize request is https://sso.company.com/api/v1/authorize, the issuer value is https://sso.company.com.

Dynamic Issuer Mode helps with:

  • Split deployment use cases

  • Migration use cases when customers migrate from the Okta domain to a custom domain

  • Support with multiple custom domains

Rate limit dashboard

The new rate limit dashboard helps you investigate the cause of rate limit warnings and violations. You can also use it to view historical data and top consumers by their IP address.

This helps you:

  • Isolate outliers

  • Prevent issues in response to alerts

  • Find and address the root cause of rate limit violations

You can access the dashboard using the link provided in the rate limit violation event in the System Log. See Rate limit dashboard.

You can also open the dashboard in the Admin Console to monitor API usage over a period of time, change rate limit settings, and customize the warning threshold. See Rate limit monitoring.

Error response updated for malicious IP address sign-in requests

If you block suspicious traffic and ThreatInsight detects that a sign-in request comes from a malicious IP address, Okta automatically denies the user access to the organization. The user receives an error in response to the request. From the user’s perspective, the blocked request can’t be identified as the result of ThreatInsight having identified the IP address as malicious.

Make Okta the source for Group Push groups

Admins can now make Okta the profile source for all members of a group that is used for Group Push. When this feature is enabled, integrated apps can't change app group memberships. This functionality allows admins to maintain the accuracy of app group membership and prevents changes to group membership after a push. See グループ・プッシュを管理する.

Password change notifications for LDAP-sourced users

Password change email notifications may now be sent to LDAP-sourced users.

LDAP-sourced users secondary email prompt on first sign in

Admins now have the option to prompt LDAP-sourced users for a secondary email when they sign in to Okta for the first time. When a secondary email is provided, password reset and activation notifications are sent to the user’s primary and secondary email addresses. Duplicating these notifications increases the likelihood they are seen by users and reduces support requests. See オプションのユーザー・アカウント・フィールドを構成する.

Directory Debugger for Okta AD and LDAP agents

Admins can now enable the Directory Debugger to provide Okta Support with access to Okta AD and LDAP agent diagnostic data. This new diagnostic and troubleshooting tool accelerates issue resolution by eliminating delays collecting data and improves communication between orgs and Okta. See Enable the Directories Debugger.

Enhancements

Improved SIW error messages

The Sign-In Widget now has improved JIT error messages.

OIN Manager enhancements

The OIN Manager includes the following updates for ISV submissions:

  • It clarifies that OID and SAML integrations must support multi-tenancy.

  • It clarifies that only one OIDC mode can be selected for an OID integration.

  • It allows the format ${app.domain}/redirect_url for URIs.

  • It no longer allows ISV submissions for the Social Login and Log Streaming categories. See OIN App Integration Catalog.

  • It allows the use of app instance properties when configuring single logout (SLO) for SAML app integrations.

  • It requires that ISV submissions specify one or more use cases. Existing submissions may need to be updated to change from previous categories to the new use cases.

API token ID displayed in tokens

API token ID is now displayed under API tokens for easy tracking.

SHA type displayed for SAML certificates

SHA type is now displayed for SAML certificates in the Admin Console.

New System Log event

A new policy.mapping.create event is added to the System Log for profile enrollment and app sign-on policies.

Early Access Features

New Feature

Okta AD Agent automatic update support

Admins can now initiate or schedule automatic updates to Okta AD agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta AD agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta agents.

Fixes

General Fixes

OKTA-420065

Launch on sign-in apps on the Okta End-User Dashboard launched multiple times after the user signed in.

OKTA-448006

Some branded pages used an org’s previously uploaded logo rather than their new theme logo.

OKTA-452612

User context wasn’t included in some orgs' token inline hook request data.

OKTA-453969

Some Duo users were unable to authenticate after upgrading to Okta Identity Engine.

OKTA-454206

Some admins without super admin permissions could view a link to the Admin role assignments report. This occurred for orgs with the Custom Admin Roles feature enabled.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Bendigo Bank (OKTA-454211)

  • EdgeCast (OKTA-453148)

  • Maxwell Health (OKTA-454213)

  • My T-Mobile (OKTA-455732)

  • Redis (OKTA-454218)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Regal Voice (OKTA-448791)

Weekly Updates

Fixes

General Fixes

OKTA-443601

In the User Accounts section of the Customizations page, the incorrect term User Identity Master was used instead of User Identity Source.

OKTA-450647

When the Custom Admin Roles feature was enabled, the Admin role assignments report included deactivated admins.

OKTA-454965

Admins couldn’t unsubscribe from Okta AD agent auto-update email notifications because the Agent auto-update notifications: AD agent checkbox wasn’t available in the System notifications area of the Settings page.

OKTA-458760H

When the New Social Identity Provider integrations feature was enabled, IdP profiles weren't always saved and the Redirect Domain field wasn't available.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Circulation (OKTA-456780)

  • CWT (OKTA-455733)

  • Key Bank (OKTA-455731)

  • MyFitnessPal (OKTA-455735)

  • Shutterstock (OKTA-456777)

  • The Hartford EBC (OKTA-454220)

  • TimeLog (OKTA-457372)

  • Verizon Wireless Business (OKTA-455729)

  • Xfinity (OKTA-457369)

Applications

New Integrations

SAML for the following Okta Verified applications:

  • Blingby Live (OKTA-455293)

  • BrightHire (OKTA-456906)

  • Jones (OKTA-453595)

  • TrackJS (OKTA-456630)

Generally Available

Fixes

General Fixes

OKTA-288443

Links from an expired session didn't redirect users to the Okta End-User Dashboard when they signed in.

OKTA-332414

The All apps filter in the Okta End-User Dashboard catalog was incorrectly translated.

OKTA-414419

Admins with the View application and their details permission could view the Push Status drop-down menu and the Push Groups, Refresh App Groups, and Bulk Edit buttons on the Application > Push Groups tab. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-416052

The Sort Apps button and its drop-down menu were covered by the left navigation bar on mobile devices.

OKTA-419846

RADIUS agent API tokens contained scopes beyond what was required for agent operation.

OKTA-441218

When the Custom Admin Roles feature was enabled, third-party admins could view their admin email notification settings.

OKTA-443467

Admins were unable to sign in to the Admin Console if they had first signed in with a non-admin user account.

OKTA-443980

Admins couldn’t select a new Default Application for Sign-In Widget if the app they’d previously used was deleted.

OKTA-446224, OKTA-455268

New admins weren’t always provisioned for Salesforce Help Center.

OKTA-446449

Memberships to Salesforce Public Groups were removed from Salesforce when group memberships were updated in Okta.

OKTA-447069

Some users were unable to access their bookmark apps after migrating to the new Okta End-User Dashboard.

OKTA-447114

Okta sent MFA reset email notifications even though the factor deactivation didn’t take effect.

OKTA-447813

Sometimes, admins were unable to remove apps from the Create a resource set page. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-454385

Password change email notifications were incorrectly sent to end users in orgs with URLs containing api/v1/user.

OKTA-457225

Users who entered their username incorrectly during enrollment in Okta Verify were shown Internal server error instead of a descriptive error message.

OKTA-457233

The default zone name for legacy IP zones was hardcoded in English and displayed in the Admin Console as a text string that could not be localized.

OKTA-457592

On the Admin assignment by admin and Admin assignment by role pages, an error sometimes appeared when the admin removed an existing standard role from the assignment and replaced it with another role. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-459977

When a user accessed some SAML apps, the sign-in flow was initiated twice.

OKTA-460597

When the Custom Admin Roles and CSV Directory features were enabled, admins with the Manage applications permission couldn’t access the Directory Integrations page.

OKTA-460636

When the Custom Admin Roles and Application Entitlement Policy features were enabled, admins with the Edit application's user assignments permission couldn’t assign apps to users.

OKTA-460767

Admins could click Finish multiple times after adding or updating a custom domain certificate. This resulted in duplicate API calls.

OKTA-460908

Some lengthy app names caused UI errors on the Okta End-User Dashboard.

OKTA-462342

When a user copied their username in the app drawer, they were incorrectly notified that the app's password was copied to the clipboard.

OKTA-466809H

A script error occurred when users with an embedded Internet Explorer browser attempted to sign in to Okta.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Allegra (OKTA-449137)

  • Clio (OKTA-458076)

  • DocuSign (OKTA-456094)

  • Expedia (OKTA-455734)

  • FreeAgent (OKTA-454216)

  • Go to Connect (OKTA-454638)

  • QuickBooks (OKTA-457705)

  • SuccessFactors (OKTA-449132)

  • TeamPassword (OKTA-456778)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Almanac (OKTA-456412)

  • Observe (OKTA-455308)

  • ReviewInc (OKTA-457711)

  • Spherexx (OKTA-453592)

  • Transform (OKTA-457712)

  • VidCruiter (OKTA-461233)

OIDC for the following Okta Verified applications:

December 2021

2021.12.0: Monthly Production release began deployment on December 13

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Choose client types for Office 365 sign-on policy

When creating app sign-on policy rules to manage access to Office 365 apps, you can now specify client types such as web browser, modern auth, or Exchange ActiveSync. This allows you to apply Office 365 sign-on policies to granular use-cases. See Office 365 sign-on rules options.

Branding now available in the Admin Console

This UI release provides admins and developers with an Admin Console UI to upload brand assets to customize their Okta-hosted pages. The Customizations tab in the Admin Console is also now moved to a top-level menu item in the left-hand navigation, and Branding-related controls have all been moved under it. The Settings > Appearance tab has also been removed, and functionality moved under the Customizations tab for ease of use. See ブランディング.

Admin Experience Redesign toggle removed

The toggle that allowed super admins to switch between the Admin Experience Redesign and the old experience has been removed. All Okta admins now benefit from our restyled Okta Admin Dashboard, responsive navigation side bar, and modern look and feel. If you need more time to adapt to the new user experience, you can revert to the old experience by contacting Okta Support until April 2022.

Upload Logo for org deprecated

The Upload Logo for Org endpoint (api/v1/org/logo) is deprecated. Use the Upload Theme Logo (/api/v1/brands/${brandId}/themes/${themeId}/logo) endpoint instead.

Salesforce Federated ID REST OAuth

Admins can now upgrade to the latest version of our Salesforce Federated ID integration. OAuth provides enhanced security and is now used for Provisioning and Imports authentication. This feature is currently available for new orgs only. See Configure OAuth and REST integration.

Okta MFA Credential Provider for Windows, version 1.3.5

This version of the agent contains:

  • Security enhancements

  • Internal fixes

See Okta MFA Credential Provider for Windowsのバージョン履歴 .

Okta On-Prem MFA agent, version 1.4.6

This version of the agent contains updates for certain security vulnerabilities.

See Okta On-Prem MFAエージェントのバージョン履歴.

Okta RADIUS Server agent, version 2.17.0

This version of the agent contains updates for certain security vulnerabilities.

See Okta RADIUS Serverエージェントのバージョン履歴.

Enhancements

Improved text on the Get started with Okta page

On the Get started with Okta page, several heading and button labels now provide more accurate and helpful text:

  • Select MFA factors is now Select Authenticators.

  • Select the MFA factors you'd like your organization to use is now Select the Authenticators you'd like your organization to use.

  • The Enable Factors button is now labeled Enable Authenticators.

Org setting to disable device token binding

For compatibility purposes, orgs can now disable device binding. Device binding ensures that state tokens are used only by the actor who initiated the authentication flow. See 一般的なセキュリティー.

Sign-In Widget error message

An error message now appears on the Sign-In Widget if an end user needs to open their laptop lid to use biometrics.

Early Access Features

Enhancement

Admins may now enable the Recent Activity feature

The Recent Activity functionality may now be enabled or disabled by admins. Recent Activity displays recent sign-in events and associated security events so admins can track suspicious activity and keep their environment safe. See Recent Activity.

Fixes

General Fixes

OKTA-393284

UI errors occurred when users hovered over a locked app on the Okta End-User Dashboard.

OKTA-439327

Applying admin-managed tabs to end users occasionally completed much later, after the changes were initially made.

OKTA-441168

Users were directed to the wrong step of the Log Stream creation wizard when they clicked a link to create a specific type of Log Stream.

OKTA-442241

If a SWA app's profile enrollment policy contained a newly added required attribute, users were prompted for it twice.

OKTA-443459

Some users who accessed the Okta End-User Dashboard saw a blank screen.

OKTA-443607

An incorrect name appeared for the YubiKey Authenticator on the Add Authenticators page.

OKTA-449400

The text field for an app’s alternative name was missing from the app drawer.

OKTA-450543

Users weren't prompted to correct their device’s time if their device was behind the server’s time by more than five minutes or ahead by more than 65 minutes.

OKTA-450927

Two scrollbars were displayed for mobile users.

OKTA-453065H

Admins encountered an error when trying to assign an app back to the default profile enrollment policy.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Amplitude (OKTA-449138)

  • Australian Financial Review (OKTA-450189)

  • Boxed (OKTA-449140)

  • Google Tag Manager (OKTA-448703)

  • HireFire (OKTA-448711)

  • Instacart Canada (OKTA-442943)

  • International SOS Assistance (OKTA-447156)

  • LinkedIn (OKTA-443788)

  • Mural (OKTA-443063)

  • Payroll Relief (OKTA-447159)

  • Safari Online Learning (OKTA-448707)

  • The Hartford EBC (OKTA-448956)

  • Twitter (OKTA-448961)

  • XpertHR (OKTA-449721)

Applications

Application Update

The Jive application integration is rebranded as Go To Connect.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Chatwork (OKTA-449761)

  • ContractS CLM (OKTA-446453)

  • Elate (OKTA-448860)

  • WAN-Sign (OKTA-448922)

OIDC for the following Okta Verified applications:

Weekly Updates

Fixes

General Fixes

OKTA-328461

The footer in some email templates contained an incorrect link to Okta.

OKTA-410446

DebugData in the System Log didn’t include ClientSecret information.

OKTA-434725

Admins could deactivate apps that were used as the default redirect for the Sign-In Widget.

OKTA-440608

Some admins couldn't view groups that were assigned to an app, even though their custom role had permission to view them.

OKTA-446499, OKTA-446506, OKTA-446511

The user’s status wasn’t synchronized with Active Directory when they deleted their account from Okta Verify or toggled to a different biometric authenticator.

OKTA-447471

Duplicate reactivation requests for the Org2Org app caused 400 errors in the System Log.

OKTA-448321

When the Custom Admin Roles feature was enabled, groups with “#” in the group name couldn’t be assigned to a role.

OKTA-449563

Activating the Allow Web and Modern Auth policy (the default) for Microsoft Office 365 caused a lock to appear on Office 365 apps on the End-User Dashboard.

OKTA-449880

The text in some default email templates was incorrect.

OKTA-451868

In new developer orgs, admins weren’t provisioned for Salesforce Help.

OKTA-452041

Attempts to sign in to the Admin Console using Safari on an iOS device were prevented by the popup blocker.

OKTA-452099

The QR verification form in the device authentication flow wasn’t pre-filled with the user code.

OKTA-454767H

Some app labels were missing in the redesigned OIN App Catalog.

App Integration Fix

The following SWA app was not working correctly and is now fixed:

  • GoDaddy (OKTA-449141)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

Fixes

General Fixes

OKTA-441896

Group attribute statements added in a SAML 2.0 integration app (AIW) didn’t appear in the Preview the SAML Assertion section.

OKTA-444246

Some SAML doc links in the Admin Console didn’t work.

OKTA-447069

End-users encountered a 403 error when accessing a bookmark app after being migrated to the new Okta End-User Dashboard.

OKTA-447885

When adding a custom domain, admins received the wrong error message if they left the Domain field blank.

OKTA-448560

New users received an activation email with Velocity macros instead of their name. This occurred if the org’s profile enrollment policy didn’t require first and last names.

OKTA-448936

The Create a new resource set page couldn't display groups with & in the group name. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-448940

The Edit resources to a standard role page displayed an error when admins searched for a group. This occurred for orgs with the Custom Admin Roles feature enabled.

OKTA-451345

The Velocity parsing engine failed when email templates contained a variable that was followed by (.

OKTA-452680

Application usage reports created asynchronously for specific groups included users that didn’t belong to the groups selected for the reports.

OKTA-453668

Duplicate enrollments caused authentication issues.

OKTA-453892

Orgs with a large number of users experienced timeouts during user Enhanced Email Macros queries.

OKTA-454197

On the Add domain page, the Next, Remove, and Verify DNS buttons were clickable while the addition was in progress.

OKTA-454655H

The Keep me signed in option for Google Authenticator was not honored.

OKTA-456383H

CSV imports failed when using Okta Provisioning Agent, version 2.0.6. For this fix, download Okta Provisioning Agent, version 2.0.7.

OKTA-458089H

Some Netsuite imports into Okta failed with the following error failure: A SOAP message cannot contain entity references because it must not have a DTD.

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Imprivata Privileged Access Management (OKTA-450222)

  • Lucca (OKTA-450219)

  • PowerDMS (OKTA-454504)

  • Rybbon (OKTA-451438)

Enhancement

New Device Trust error

An error message now appears if an admin attempts to delete a Device Trust (Classic Engine) configuration without correctly configuring app sign-on policies for devices that are not trusted.

Fixes

General Fixes

OKTA-414394

On the Applications page, some admins with a custom role could view the buttons for actions that they didn’t have permission to perform.

OKTA-418245

The Mobile tab incorrectly appeared on the App Integrations page. Okta Mobile isn't supported in Identity Engine.

OKTA-419443

Users were able to enroll in Okta Verify and access their dashboard and apps even though their account was locked out or suspended.

OKTA-419491

Push notifications appeared repeatedly to users after they had already approved them.

OKTA-431945

Sometimes when a third-party admin role was assigned though the public API, the admin's status didn't change in the Okta Help Center.

OKTA-433439

Push Profile updates sometimes failed due to a missing Effective Date value.

OKTA-434556

In Try Okta Free orgs, the Days left in your trial banner didn’t always display the correct number of days.

OKTA-434789

When Veeva Vault was provisioned, the authentication rate limit was incorrectly applied to bulk operations.

OKTA-438657

When a custom admin role had the View application and their details permission, admins with that role couldn’t access OIDC applications.

OKTA-439081

No messages or warnings were displayed when admins set up factor requirements in an Okta sign-on policy rule.

OKTA-441340

user.session.start and user.session.stop events didn’t include app context.

OKTA-442991

When the Custom admin roles feature was enabled, the Administrator assignment by admin and Administrator assignment by role pages displayed the Edit button for admin roles that couldn’t be constrained to a resource.

OKTA-444028, OKTA-444242, OKTA-448506

Sign-In Widget lifecycle errors for some device states and following silent probing were incorrect or misleading.

OKTA-444459

App sign-on policies weren’t deleted when their associated apps were deleted.

OKTA-445826

The help link was incorrect for Settings > Customization > Configure a custom URL domain.

OKTA-447296

If an admin canceled deactivation for a device, and then clicked Deactivate again, no confirmation dialog appeared.

OKTA-453535H

An older library for the RSA and RADIUS agents caused potential security issues in certain situations.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • American Funds Advisor Client Login (OKTA-442550)

  • Bank of America CashPro (OKTA-444481)

  • M&T Bank - Commercial Services (OKTA-447154)

  • Nimble (OKTA-444703)

  • The Trade Desk (OKTA-445291)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • ParkOffice (OKTA-445142)

  • SecZetta (OKTA-446467)

Enhancement

New warning for deleted devices

A warning message now appears when an admin attempts to delete a device from the Devices page.

Fixes

General Fixes

OKTA-428017

When the Custom Admin Roles feature was enabled and an admin searched for a group to assign to a role, the list of groups didn’t display their respective app logos.

OKTA-436016

In orgs with deleted groups, admins couldn't run the Admin role assignments report.

OKTA-438793

On the Admin Dashboard, the Overview section displayed an incorrect Updated at time between 12:00 AM and 1:00 AM.

OKTA-441161

When a super admin edited the User Account customization settings, an error occurred after they verified their password.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • HelpSpot Userscape (OKTA-440296)

  • Instacart Canada (OKTA-442946)

  • Moffi (OKTA-442915)

Applications

New Integrations

SAML for the following Okta Verified applications:

  • Autodesk (OKTA-425911)

  • YesWeHack (OKTA-443624)

OIDC for the following Okta Verified applications:

Generally Available

AD Del Auth users can add secondary email

AD Delegated Authentication users can now add secondary email during their first sign in. See Active Directoryでの委任認証について.

New option on the Okta Sign-On Policy Add Rule dialog

AND Identity provider is option enables you to specify which Identity Provider end users can use to sign in to Okta. You can specify Any, Okta, or Specific IdP. The Specific IdP option presents a list of Identity Providers that have been set up in your org. See Oktaサインオン・ポリシー・ルールを追加する.

System Log change: User login to Okta event reason

In the System Log, the reason for the User login to Okta event has been changed to Login denied when the sign-on policy denies access or the user is unable to satisfy its requirements.

Fixes

General Fixes

OKTA-429081

When an admin deleted an app with Federation Broker Mode enabled, users could continue to sign in to the app.

OKTA-429782

Sometimes when the app group membership for a user was deactivated, any role assignments that were revoked from that user still appeared on the Administrators page.

OKTA-429868

API tokens for group admins didn't have the role displayed in the Security > API > Token section.

OKTA-432269

If Sign-up was enabled in an org’s profile enrollment policy, and that org reverted back to Classic Engine, end users who had already started the sign-up process received an error when they clicked their activation link.

OKTA-433617

App-sign on policies weren't evaluated for SAML 1.1 template apps.

OKTA-435527

Sometimes users were prompted to re-enter their password when switching between apps.

OKTA-439047

Sometimes, the System Log displayed Grant user privilege success events for admins when there were no changes to their privileges.

OKTA-441222

When a super admin changed the role notification settings for an admin, some third-party admins with that role were included in the notification subscription.

OKTA-441434

The View Setup Instructions link was broken on the Add Identity Provider page.

OKTA-441763

When admins created a new profile enrollment policy with Sign-up enabled, the link didn’t appear on the Sign-In Widget.

OKTA-444012

Branding features weren’t visible in the navigation menu of the legacy Admin Console.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Alibaba Cloud (Aliyun) (OKTA-439430)

  • Apple Store for Business (OKTA-439233)

  • ID90 Travel (OKTA-435212)

  • MessageBird (NL) (OKTA-440295)

  • Screen Leap (OKTA-440292)

  • TD Ameritrade (OKTA-436146)

Applications

New Integrations

SAML for the following Okta Verified applications:

  • Agencyzoom (OKTA-436124)

  • Altruistiq (OKTA-440339)

  • Auvik (OKTA-435860)

  • Ceresa (OKTA-437597)

  • Clumio (OKTA-440285)

  • Workstream (OKTA-441160)

SWA for the following Okta Verified application:

  • Greene King (OKTA-441236)

OIDC for the following Okta Verified application:

  • Luma Brighter Learning: For configuration information, see Okta/Luma SSO.

November 2021

2021.11.0: Monthly Production release began deployment on November 8

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta LDAP agent, version 5.10.0

This version of the agent contains:

  • Range attribute retrieval for group membership attributes (full support will be available in a future release)

  • Real-time synchronization for user profiles, groups, and group memberships (full support will be available in a future release)

  • Expired password reset support for the eDirectory LDAP service (Okta Identity Engine)

  • Bug fixes

See Okta LDAP Agentのバージョン履歴.

Okta RADIUS Server agent, version 2.16.0

This version of the agent contains:

  • Government Community Cloud support

  • Internal and security fixes

See Okta RADIUS Serverエージェントのバージョン履歴.

Okta MFA Credential Provider for Windows, version 1.3.4

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta MFA Credential Provider for Windowsのバージョン履歴 .

Okta On-Prem MFA agent, version 1.4.5

This version of the agent contains:

  • Government Community Cloud support

  • Internal fixes

See Okta On-Prem MFAエージェントのバージョン履歴.

Brands API support for auto-detecting contrast colors

The Brands API Theme object properties primaryColorContrastHex and secondaryColorContrastHex automatically optimize the contrast between font color and the background or button color. The auto-detection feature can be disabled by updating either property value with an accepted contrast hex value. See Brands.

New error page macros for themed templates

Custom error page templates include new macros to customize the URL (href) in addition to the button text for themed templates. See Use macros.

Custom domain SSL certification expiration warnings

To prevent service disruptions, Okta now sends admins a warning email 30, 15, and 7 days before their custom domain’s SSL certificate expires. If no action is taken, an expiration notice is sent when the certificate expires.

See カスタムURLドメインを構成する .

Token-based SSO between native apps

Single Sign-On (SSO) between browser-based web applications is achieved by leveraging shared cookies. Unlike web applications, native applications can’t use web cookies. With Native SSO, Okta offers a token-based approach to achieve SSO between native applications.

Native SSO allows you to protect native OpenID Connect applications, such as desktop apps and mobile apps, and achieve SSO and Single Logout (SLO) between these applications. See Configure SSO for native apps.

Asynchronous Application Reports

When enabled, this feature turns the generation of the Application Usage and the Application Password Health reports into an asynchronous process. Okta generates a report with the results and sends an email to the admin containing a download link for the CSV file. This enhancement is ideal for orgs with large amounts of user activity, as the generated reports can cover a greater range without timing out. See アプリケーション使用状況レポート and アプリのパスワードの健全性のレポート.

Risk scoring improvements

Risk scoring improvements are being slowly deployed to all organizations. See リスク・スコアリング.

Password expiry warning for LDAP group password policies

You can now configure an LDAP group password policy to provide users with a password expiry warning when their LDAP password is about to expire. Providing a password expiry warning in advance prevents users from losing access to shared resources and reduces the likelihood that you’ll need to reset passwords. See Configure a password policy.

Litmos supports Advanced Custom Attributes

We’ve enriched our Litmos integration to support Advanced Custom Attributes for the user profile. This allows you to add fields into the Okta user profile. See Litmos Provisioning Guide.

Enhancements

New System Log events for custom domain setup

The following events are added to the System Log:

system.custom_url_domain.cert_renew 3

system.custom_url_domain.delete

Existing events now include CustomDomainCertificateSourceType.

OIN App Catalog user interface changes

The following text has been updated for consistency:

  • FILTERS is now Capabilities

  • Apps is now All Integrations

  • Featured is now Featured Integrations

  • OpenID Connect is now OIDC

  • Secure Web Authentication is now SWA

See Add existing app integrations.

Hash marks added to hex code fields

On the Branding page, hash marks are automatically added to the hex codes in the Primary color and Secondary color fields.

Event Hooks daily limit

The maximum allowable daily limit of Event Hooks for all orgs has increased from 100,000 to 200,000. A higher daily allocation of Event Hooks reduces the likelihood orgs will exceed their daily limits. See Workflows system limits.

Improved Branding preview

Branding previews now display correct text colors.

Sign-In Widget button colors standardized

To comply with accessibility contrast ratios, the default variant colors for buttons on Okta sign-in and error page have been standardized to use the Okta design system.

Admins can save Profile Enrollment settings with errors

If Profile Enrollment settings contain errors in externally sourced attributes, the Admin Console displays a warning but allows the admin to save.

CAPTCHA messages translated

CAPTCHA verification error messages are now translated in the Sign-In Widget.

Upgrade validation check for customAPPLoginURL

A new validation check prevent orgs from upgrading to Okta Identity Engine if they have a customAppLoginURL enabled.

Okta Verify can’t be deactivated

Okta Verify can’t be deactivated if any app sign-on policies require it.

Early Access Features

New Features

Log Streaming

While Okta captures and stores its System Log events, many organizations use third-party systems to monitor, aggregate, and act on event data.

Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as Amazon Eventbridge in real time with simple, pre-built connectors. They can easily scale without worrying about rate limits, and no admin API token is required. See Log Streaming.

Windows Autopilot integration with Okta

You can now use Okta to secure and streamline the Windows Autopilot flow on end-user devices. Before this integration, if you were using Okta Device Trust or Okta FastPass, it prohibited the enrollment of a new device through Windows Autopilot. The new integration now allows you to accommodate Not Trusted devices with Windows Autopilot while continuing to use Okta Device Trust and Okta FastPass for Trusted devices. It also allows you to add a sign-on policy rule in Okta that requires MFA when enrolling a device through Windows Autopilot. This increases security without compromising the user experience and ensures that the right person gets the access to the device. See Typical workflow for using Okta with Windows Autopilot.

Enhancements

Edit resource assignments for standard roles

Super admins can now quickly and easily search for, add, and remove the resource assignments for a standard role. See Edit resources for a standard role assignment.

Manage email notifications for custom admin roles

Super admins can configure the system notifications and Okta communications for custom admin roles. Configuring the email notifications helps ensure admins receive all of the communications that are relevant to their role. See Configure email notifications for an admin role.

New Velocity email templates

Orgs with Enhanced Email Macros enabled can now customize Factor Reset and Factor Enrollment email templates with Velocity Template Language. See メール・テンプレートをカスタマイズする.

Fixes

General Fixes

OKTA-418219

Sometimes when a super admin assigned several standard roles to a group at a time, some of those roles didn’t appear on the Groups page.

OKTA-420608

When users outside of an AD OU attempted to sign in to Okta using ADSSO, an Unable to complete your request error message appeared instead of the expected sign in dialog.

OKTA-425318

Admins weren't able to use the Expression Language to compare a user's status to a string.

OKTA-425375

FastPass was rejected for signing in when the user’s laptop was closed even though FastPass was enrolled with user verification enabled.

OKTA-430675

When the super org admin role was revoked from a user, the resulting email notification didn’t include the org name or URL.

OKTA-431057

Apple Safari browser version 15.0 on macOS 10.15.7 on orgs that were rolled back to Okta Classic Engine froze when users tried to delete an authenticator from their Settings page.

OKTA-434792

The user.session.start System Log event incorrectly displayed a result of SUCCESS when users were denied access by a policy.

OKTA-436651

Okta Verify and FastPass appeared as unknown authenticators on the Recent Activity page even though Okta Verify and FastPass were enabled.

OKTA-437001

During sign-in, the authenticator enrollment process displayed authenticators that were disabled in multifactor authentication, and allowed users to enroll in them.

OKTA-437011

Users who weren’t enrolled in Okta Verify in orgs that had app sign-on policies that required the use of hardware-protected authenticators received the “Unable to sign in” error message instead of being prompted to enroll in Okta Verify.

OKTA-437764

In orgs with a self-hosted Sign-In Widget and interaction code enabled, users couldn’t sign in with a social IdP.

OKTA-438981

The HealthInsight report incorrectly described newly created policies as missing required authenticators, even though those policies were configured with at least one required authenticator.

OKTA-440618

For some orgs with Branding enabled, the theme was reset after an admin’s role changed.

OKTA-440695

Some users saw an error when signing in to the new End-User Dashboard or OIDC apps for the first time.

App Integration Fixes

The following SAML app was not working correctly and is now fixed

  • Cloze (OKTA-440336)

Applications

Application Updates

  • The configuration guide for the Vable SCIM integration is updated: Okta Users Provisioning For The Vable Platform.

  • The American Express Work was a duplicate integration and has been removed from the OIN Catalog. Customers should use the American Express - Work integration.

New Integrations

New SCIM Integration Application:

The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:

OIDC for the following Okta Verified applications:

Weekly Updates

Generally Available

AD Del Auth users can add secondary email

AD Delegated Authentication users can now add secondary email during their first sign in. See Active Directoryでの委任認証について.

New option on the Okta Sign-On Policy Add Rule dialog

AND Identity provider is option enables you to specify which Identity Provider end users can use to sign in to Okta. You can specify Any, Okta, or Specific IdP. The Specific IdP option presents a list of Identity Providers that have been set up in your org. See Oktaサインオン・ポリシー・ルールを追加する.

System Log change: User login to Okta event reason

In the System Log, the reason for the User login to Okta event has been changed to Login denied when the sign-on policy denies access or the user is unable to satisfy its requirements.

Fixes

General Fixes

OKTA-429081

When an admin deleted an app with Federation Broker Mode enabled, users could continue to sign in to the app.

OKTA-429782

Sometimes when the app group membership for a user was deactivated, any role assignments that were revoked from that user still appeared on the Administrators page.

OKTA-429868

API tokens for group admins didn't have the role displayed in the Security > API > Token section.

OKTA-432269

If Sign-up was enabled in an org’s profile enrollment policy, and that org reverted back to Classic Engine, end users who had already started the sign-up process received an error when they clicked their activation link.

OKTA-433617

App-sign on policies weren't evaluated for SAML 1.1 template apps.

OKTA-435527

Sometimes users were prompted to re-enter their password when switching between apps.

OKTA-439047

Sometimes, the System Log displayed Grant user privilege success events for admins when there were no changes to their privileges.

OKTA-441222

When a super admin changed the role notification settings for an admin, some third-party admins with that role were included in the notification subscription.

OKTA-441434

The View Setup Instructions link was broken on the Add Identity Provider page.

OKTA-441763

When admins created a new profile enrollment policy with Sign-up enabled, the link didn’t appear on the Sign-In Widget.

OKTA-444012

Branding features weren’t visible in the navigation menu of the legacy Admin Console.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Alibaba Cloud (Aliyun) (OKTA-439430)

  • Apple Store for Business (OKTA-439233)

  • ID90 Travel (OKTA-435212)

  • MessageBird (NL) (OKTA-440295)

  • Screen Leap (OKTA-440292)

  • TD Ameritrade (OKTA-436146)

Applications

New Integrations

SAML for the following Okta Verified applications:

  • Agencyzoom (OKTA-436124)

  • Altruistiq (OKTA-440339)

  • Auvik (OKTA-435860)

  • Ceresa (OKTA-437597)

  • Clumio (OKTA-440285)

  • Workstream (OKTA-441160)

SWA for the following Okta Verified application:

  • Greene King (OKTA-441236)

OIDC for the following Okta Verified application:

  • Luma Brighter Learning: For configuration information, see Okta/Luma SSO.

Enhancement

New warning for deleted devices

A warning message now appears when an admin attempts to delete a device from the Devices page.

Fixes

General Fixes

OKTA-428017

When the Custom Admin Roles feature was enabled and an admin searched for a group to assign to a role, the list of groups didn’t display their respective app logos.

OKTA-436016

In orgs with deleted groups, admins couldn't run the Admin role assignments report.

OKTA-438793

On the Admin Dashboard, the Overview section displayed an incorrect Updated at time between 12:00 AM and 1:00 AM.

OKTA-441161

When a super admin edited the User Account customization settings, an error occurred after they verified their password.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • HelpSpot Userscape (OKTA-440296)

  • Instacart Canada (OKTA-442946)

  • Moffi (OKTA-442915)

Applications

New Integrations

SAML for the following Okta Verified applications:

  • Autodesk (OKTA-425911)

  • YesWeHack (OKTA-443624)

OIDC for the following Okta Verified applications:

Enhancement

New Device Trust error

An error message now appears if an admin attempts to delete a Device Trust (Classic Engine) configuration without correctly configuring app sign-on policies for devices that are not trusted.

Fixes

General Fixes

OKTA-414394

On the Applications page, some admins with a custom role could view the buttons for actions that they didn’t have permission to perform.

OKTA-418245

The Mobile tab incorrectly appeared on the App Integrations page. Okta Mobile isn't supported in Identity Engine.

OKTA-419443

Users were able to enroll in Okta Verify and access their dashboard and apps even though their account was locked out or suspended.

OKTA-419491

Push notifications appeared repeatedly to users after they had already approved them.

OKTA-431945

Sometimes when a third-party admin role was assigned though the public API, the admin's status didn't change in the Okta Help Center.

OKTA-433439

Push Profile updates sometimes failed due to a missing Effective Date value.

OKTA-434556

In Try Okta Free orgs, the Days left in your trial banner didn’t always display the correct number of days.

OKTA-434789

When Veeva Vault was provisioned, the authentication rate limit was incorrectly applied to bulk operations.

OKTA-438657

When a custom admin role had the View application and their details permission, admins with that role couldn’t access OIDC applications.

OKTA-439081

No messages or warnings were displayed when admins set up factor requirements in an Okta sign-on policy rule.

OKTA-441340

user.session.start and user.session.stop events didn’t include app context.

OKTA-442991

When the Custom admin roles feature was enabled, the Administrator assignment by admin and Administrator assignment by role pages displayed the Edit button for admin roles that couldn’t be constrained to a resource.

OKTA-444028, OKTA-444242, OKTA-448506

Sign-In Widget lifecycle errors for some device states and following silent probing were incorrect or misleading.

OKTA-444459

App sign-on policies weren’t deleted when their associated apps were deleted.

OKTA-445826

The help link was incorrect for Settings > Customization > Configure a custom URL domain.

OKTA-447296

If an admin canceled deactivation for a device, and then clicked Deactivate again, no confirmation dialog appeared.

OKTA-453535H

An older library for the RSA and RADIUS agents caused potential security issues in certain situations.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • American Funds Advisor Client Login (OKTA-442550)

  • Bank of America CashPro (OKTA-444481)

  • M&T Bank - Commercial Services (OKTA-447154)

  • Nimble (OKTA-444703)

  • The Trade Desk (OKTA-445291)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • ParkOffice (OKTA-445142)

  • SecZetta (OKTA-446467)

Enhancements

New option to display Keep me signed in checkbox

Admins can now hide the Keep me signed in checkbox on the Sign-In Widget. Disabling this feature prevents Identity Engine from remembering a user session and authenticators after the browser is closed. See 一般的なセキュリティー.

Users can select a language for voice-based authentication and recovery

Individual users can select the language used for the voice message they receive to verify their identity. If they authenticate using a phone call after changing the language setting, they will hear the voice message in their selected language. See エンド・ユーザーの設定 and Select your display language.

Support for UTF-8 characters in Okta Verify

A user can now enroll a device in Okta Verify if the device name contains emojis or other 4-byte UTF-8 characters.

No support for SharePoint upgrade to Okta Identity Engine

Upgrades to Okta Identity Engine aren't supported for orgs with Sharepoint on premises apps.

Fixes

General Fixes

OKTA-329002

The Custom Administrator Roles Early Access feature wasn’t available for Developer orgs.

OKTA-373041

If a password policy was created by API and it didn't allow password reset or account unlock, users were prompted to enroll in authenticators that were disabled in the enrollment policy.

OKTA-419163

Some admins who were assigned a custom role could convert app assignments for users they weren’t constrained to.

OKTA-425798

The endUserDashboardTouchPointVariant property on the Brands API Theme object didn’t include a variant for LOGO_ON_FULL_WHITE_BACKGROUND.

OKTA-428329

Some admins who were assigned more than one custom role could manage the app assignments for users and groups they weren’t constrained to.

OKTA-429116

The OIE Upgrade Change banner appeared on the Security > Authenticators > Password page when the Authenticator Enrollment Policy feature wasn't turned on.

OKTA-429879

Some users who tried to sign in to a custom sign-in page with an IdP received a 500 error.

OKTA-430972

The System Log failure message for invalid passwords was inconsistent with the message used for the Okta Classic Engine.

OKTA-431879

If admins edited their Branding theme after it had been applied to an Okta page, the changes weren’t applied until they performed a hard refresh.

OKTA-432829

With Enhanced Email Macros enabled, email templates that were previously customized or translated with Expression Language (EL) couldn’t be edited and saved due to invalid EL expressions.

OKTA-434610

Admins received a loading error when they attempted to access Recent Activity on an End-User Dashboard.

OKTA-434889

Office 365 org-level policies with a security question MFA failed.

OKTA-435293

After Branding was enabled, admins couldn’t use their org logo on a white background for the End-User Dashboard.

OKTA-435772

When orgs upgraded to Okta Identity Engine, some users who were enrolled in Okta Verify TOTP were unenrolled from the authentication method after the upgrade.

OKTA-436329

An operation rate limit violation event was incorrectly added to the System Log when AD-sourced users signed in to Okta multiple times and they were within the user profile reload threshold.

OKTA-436513

After Branding was enabled, some orgs were unable to update their existing subdomain names.

OKTA-436732

After the MFA Factor Enrolled email template was customized with Enhanced Email Macros, its default template continued to be sent to users.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Alabama Power (OKTA-437660)

  • Ally Bank (OKTA-435214)

  • American Express - Work (OKTA-438301)

  • Azure Portal Login (OKTA-436740)

  • Booking Admin (OKTA-436792)

  • Cat SIS (OKTA-436148)

  • Cronitor (OKTA-438303)

  • Exact Online (OKTA-435209)

  • Grove (OKTA-438304)

  • Key Bank (OKTA-438305)

  • Redis Labs (OKTA-436147)

  • SiteGround (OKTA-437897)

  • UBS (OKTA-436149)

  • Vitality (OKTA-436145)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications

  • Level AI (OKTA-435557)

  • Loom (OKTA-398082)

  • Pima.app (OKTA-435601)

  • Polytomic (OKTA-435605)

  • Smarp (OKTA-415875)

OIDC for the following Okta Verified applications

Generally Available

Enhancements

New default enrollment setting for new authenticators

The default enrollment setting when adding a new authenticator is now Optional.

Email template improvements

User enrollment and authentication email template variables have been changed to facilitate upgrade from the Okta Classic Engine.

Fixes

General Fixes

OKTA-383501

When a custom admin role was assigned to an existing group with standard roles, the System Log displayed duplicate Grant user privilege events for the members of the group.

OKTA-399667

Provisioning to Zendesk failed when a user with the same email already existed in Zendesk.

OKTA-414295

For orgs with Custom Administrator Roles enabled, the page filters on the Roles, Resources, and Admins tabs of the Administrators page were labeled incorrectly.

OKTA-414339

Org2Org Push Groups sometimes failed.

OKTA-423420

After Branding was enabled, admins could still navigate to original Settings > Customization pages.

OKTA-426540

Some admins were locked out when a Profile Enrollment policy was set up for the Admin Console app.

OKTA-426692

Provisioning (create/update) users to NetSuite failed with a Null Pointer Exception (NPE).

OKTA-429996

Orgs were able to change their custom Sign-In Widget to an unsupported version.

OKTA-432405

User-verification authenticators didn’t satisfy assurance requirements for a two-factor app sign-on policy when Security Question was allowed for authentication.

OKTA-433981

When an admin role was constrained to a group, users with that role sometimes experienced time-out errors on the People page.

Applications

Application Updates

New Integrations

New SCIM Integration Application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Docutrax (OKTA-433521)

  • Testsigma (OKTA-405606)

OIDC for the following Okta Verified applications:

October 2021

2021.10.0: Monthly Production release began deployment on October 11

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Org Under Attack for ThreatInsight

Okta ThreatInsight now has enhanced attack detection capability. “Org under attack” establishes a base line traffic pattern and adjusts based on legitimate changes in traffic patterns. When a threat is detected, the algorithms are optimized to block all malicious requests while creating a System Log event to alert on the attack. After the attack subsides, threatInsight returns into its normal mode of operation. This capability enables quick blocking action during an attack. See Okta ThreatInsightについて. This feature will be gradually made available to all orgs.

Enhancements

Custom footer enhancement

With Branding enabled, admins can now hide the Powered by Okta message in the footer of their Okta-hosted sign-in page and End-User Dashboard. See 組織のフッターを構成する.

Log per client mode for client-based rate limits

Client-based rate limits are now in Log per client mode for all orgs for both OAuth 2.0 /authorize and /login/login.htm endpoints. This offers additional isolation to prevent frequent rate limit violations.

Hidden password for dynamic SCEP URL

When you generate a dynamic SCEP URL to integrate Okta with your device management provider, or when you reset the dynamic SCEP password, the password is hidden for enhanced security. To reveal or copy the password, click Show password.

See Microsoft Intuneを使用して、Windowsの委任済みSCEPチャレンジを使用するCAとしてOktaを構成する and Jamf Proを使用して、macOSの動的SCEPチャレンジを使用するCAとしてOktaを構成する

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-325592

When LDAP delegated authentication was enabled, an incorrect event type was used to process user profile updates.

OKTA-346989

Global redirect URIs weren’t maintained after an upgrade to Okta Identity Engine from Classic Engine.

OKTA-353822

If an Okta Classic Engine org had an app sign-on policy rule configured for all six platforms and then migrated to Okta Identity Engine, the app sign-on policy rule for AND Device Platform is wasn't marked as Any platform.

OKTA-361609

Non-active users were able to sign in to the Office 365 app using Silent Activation.

OKTA-413405

During enrollment, a check mark didn’t appear correctly beside required authenticators on the Set up multifactor authentication page.

OKTA-419156

During phone MFA setup, users weren’t able to request another one-time passcode after entering the first one incorrectly.

OKTA-422719

A warning message appeared when users attempted to open the URL of an app that wasn’t assigned to them, and then when they clicked Sign in with Okta FastPass or signed in by entering the same username, an error message with the same information was appended to the warning message.

OKTA-423103

When selecting an authenticator for sign-in, users sometimes saw an unclear error message.

OKTA-427932

When Branding was enabled, the Sign-In Widget was distorted on custom sign-in pages.

OKTA-428268

When an LDAP interface (LDAPi) client had Custom Admin Roles enabled, time-out errors sometimes occurred during group member queries.

OKTA-429894

When a user entered an incorrect password in the Sign-In Widget and then refreshed the browser for another password attempt, the Expecting credential field warning still appeared.

OKTA-431349

Translated versions of AD and LDAP configuration validation messages weren’t provided.

OKTA-431757

The User is not assigned to this application message appeared as an INFO error rather than a WARNING.

OKTA-431868

In the UI for the SuccessFactors app, options for Active User Statuses weren't displayed.

OKTA-435586H

Some users were unable to sign in if their org's default app was deactivated or deleted.

App Integration Fixes

The following SWA app was not working correctly and is now fixed

  • Amplitute (OKTA-429432)

Applications

Updates

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

OIDC for the following Okta Verified application:

  • Extole: For configuration information see Okta Instructions.

Enhancements

Sign-In Widget requirements

Okta Identity Engine now requires Sign-In Widget version 5.11 or later.

Remember user on sign in

Admins can now enable Remember user on sign in for their orgs. When this feature is enabled, usernames are pre-populated on the Sign-In Widget. See 一般的なセキュリティー.

Error message for Profile Enrollment policies

A new error message appears when a Profile Enrollment policy contains an externally sourced attribute.

New display mode of recovery authenticators

When you fetch the MFA Policy Settings, authenticators used for recovery are now displayed in addition to other authenticator types.

Fixes

General Fixes

OKTA-327544

An HTTP 500 Internal Server Error message appeared when users attempted to sign in to Okta and their username included an asterisk (*).

OKTA-408731

Admins couldn’t save a Profile Enrollment policy if the email field was inherited from an external source.

OKTA-415339

The sign-on policy evaluation method failed to provide an evaluation result to the System Log.

OKTA-423192

Users were allowed to access apps without re-authentication after signing out of the Okta Dashboard.

OKTA-423578

Admins could create ADSSO IdP routing rules when ADSSO functionality was enabled and then disabled.

OKTA-427145

When the Admin role assignments report was filtered by a group, it didn’t include group membership admins who were constrained to that group.

OKTA-429396

When setting up the SMS security method, some new users received a Resend code warning before 30 seconds had passed.

OKTA-430140

When Okta failed to issue a certificate, the logged event didn’t specify the reason for the failure.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Autotask (OKTA-429728)
  • Contract Express (OKTA-429434)
  • DocsCorp Support (OKTA-425176)
  • Google Play Developer Console (OKTA-425775)
  • SAP Concur Solutions (OKTA-427469)
  • Shipwire (OKTA-426103)
  • Twitter (OKTA-430242)

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications

  • Jooto (OKTA-429135)
  • Merge (OKTA-430337)

OIDC for the following Okta Verified applications

Enhancements

New account-unlock email

Users requesting self-service unlock now receive an informational email with no OTP or magic link if the user isn't actually locked out.

New way to display available authenticators in End-User Settings

The End-User Settings page only shows the authenticators that the end user is allowed to enroll in.

Fixes

General Fixes

OKTA-391670

Users sometimes saw duplicate options to use email as an alternative authenticator for MFA.

OKTA-396616

LDAP users were sometimes prompted to reset their password after completing self-service password reset.

OKTA-408043

When changing the profile enrollment policy applied to an app, admins saw a blank screen if they clicked View all profile enroll policies.

OKTA-417160

When users signed out from the End-User Dashboard and then signed back in from the same browser tab, the URL was incorrect.

OKTA-419837

When Branding was enabled, custom code editor pages displayed an incorrect warning.

OKTA-423481

The app sign-on policy rule for Okta FastPass displayed that user verification (biometrics) was required when biometrics wasn’t configured as a possession factor constraint.

OKTA-423586

Function names that include blank spaces didn’t work with Enhanced Email Macros.

OKTA-425232

When Branding was enabled, the Go to Homepage button on the Okta error page didn’t use the default Okta variant color.

OKTA-426446

When a third-party admin role was assigned, the admin's status didn't change in Salesforce and the Exclude admin from receiving all admin-related communications rule wasn't enforced.

OKTA-430127

When Branding was enabled and later disabled, the sign-in and error pages that were customized with HTML code editors during the enabled period could be reset to their defaults.

OKTA-430524

The default password policy was sometimes being evaluated for users instead of the configured password policy.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Frame.io (OKTA-427018)

  • Google Play Developer Console (OKTA-425775)

  • PNC Borrower Insight (OKTA-426061)

  • Tech Data (OKTA-427022)

Applications

New Integrations

SAML for the following Okta Verified applications

  • Blue Ocean Brain (OKTA-426050)

  • Kintone.com (OKTA-421223)

  • Skypher (OKTA-426992)

OIDC for the following Okta Verified applications

Fixes

General Fixes

OKTA-291631

AD-sourced users with a staged status weren't automatically activated when they used ADSSO with JIT provisioning to sign in to Okta.

OKTA-368709

In newly migrated Okta Identity Engine orgs, users were able to reset their passwords with only a Security Question.

OKTA-414089

Admins with the Manage Applications custom admin permission couldn’t access the Profile Editor, Directory Integrations, or Profile Sources pages.

OKTA-418013

Sign-in hints weren't provided for users signing in by way of SAML IdP authentication.

OKTA-419733

Password Reset emails were sent to both primary and secondary email addresses after the Secondary Email option had been disabled.

OKTA-420154

If client-based rate limiting was enabled, end users were sometimes presented with a 429 error instead of the sign-in page when their session expired or they signed out.

OKTA-423419

When Enhanced Email Macros was enabled, using required variables without brackets resulted in a validation error.

OKTA-423470

Org logos on the new Okta End-User Dashboard were sometimes oversized.

OKTA-423795

Externally sourced users whose accounts were created through inbound federation could edit their profiles after the re-authentication window had expired.

OKTA-427137

DocuSign deprovisioning sometimes failed with the following error: “Adding entity to http method DELETE is not supported.”

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • 3Rivers (OKTA-424892)

  • Adobe Enterprise (OKTA-424893)

  • CallTower (OKTA-424894)

  • Parse.ly (OKTA-422625)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

  • KnowBe4: For configuration information, see here (you need to sign in to KnowBe4 to access their documentation).

SAML for the following Okta Verified application

  • Code Climate Velocity (OKTA-424882)

OIDC for the following Okta Verified applications

Fixes

General Fixes

OKTA-376916

Users encountered enrollment error messages when signing in if their orgs were migrated from Okta Classic Engine to Okta Identity Engine, used custom Sign-In Widgets, and required multifactor authentication.

OKTA-416892

In Settings > Customization, inactive applications were visible in the Default Application for Sign-In Widget list.

OKTA-417450

LDAP-sourced users weren’t able to sign in to the Okta Admin Console when their passwords expired and a password policy allowed passwords to be updated.

OKTA-417507

Users whose orgs required a password plus a WebAuthn authenticator to satisfy knowledge and possession assurance requirements were also prompted with a Security Question.

OKTA-418421

End users received a 404 error when they attempted to self-register with a social login.

Applications

New Integrations

New SCIM Integration Application

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Wiz (OKTA-422626)

September 2021

2021.09.0: Monthly Production release began deployment on September 7

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta as a certificate authority

New CA functionality

Okta supports additional certificate authority (CA) functionality for admins:

  • When you use Okta as a CA, Okta now revokes device certificates that were issued but not used for successful authentication within 90 days.

  • Okta now supports certificate revocation when you provide your own CA. Only certificate revocation list (CRL) endpoints that use the HTTP or HTTPS protocol are supported. CRLs must be signed by the same intermediate certificate that the admin uploaded, and the client certificate should include the certificate distribution point URI. See 認証局を構成する

Support for dynamic SCEP

Okta now supports dynamic Simple Certificate Enrollment Protocol (SCEP) for macOS using Jamf Pro. See Jamf Proを使用して、macOSの動的SCEPチャレンジを使用するCAとしてOktaを構成する

New System Log events

The following System Log events are new:

  • The pki.cert.issue event indicates that a certificate was issued to a device.

  • The pki.cert.bind event indicates that a certificate was bound to a device.

  • The pki.cert.lifecycle.suspend event indicates that a certificate was suspended because an admin deactivated the device that it was bound to.

  • The pki.cert.lifecycle.delete event indicates that a certificate was deleted because an admin deleted the device that it was bound to.

  • The pki.cert.lifecycle.revoke event indicates that a certificate was revoked and placed on the certificate revocation list (CRL).

  • The pki.cert.lifecycle.hold event indicates that a certificate was placed on temporary hold and placed on the CRL.

  • The pki.cert.lifecycle.activate event indicates that a certificate was removed from temporary hold, and removed from the CRL.

Enhancements

ThreatInsight default mode for new orgs

For new orgs, the default mode for ThreatInsight is now set to Audit mode. Previously, with no mode set by default, events weren't logged unless Audit mode or Block mode was enabled manually. Now with Audit mode set by default for new orgs, the security.threat.detected event is logged once a malicious request is detected. See Okta ThreatInsight.

Profile Enrollment policy changes

AppUser attributes that are required in a user schema are no longer checked by Profile Enrollment policies. See プロファイル登録ポリシーを管理する .

New System Log event for successful user sign-in

Admins will now see the user.authentication.verify event in the System Log. This event is triggered when a user successfully signs in to their account.

Admin Console UI changes

In the Admin Console, the Device Management page (accessed from Security > Device Integrations) was renamed Device Integrations.

Sign-in Widget clarification

In the Sign-In Widget, the message for email verification now instructs the user to either click the email magic link or enter the one-time password (OTP) code for verification.

Account recovery clarification

After successful account recovery, screen messaging that instructs users to return to the original sign-in browser tab is now more descriptive.

Early Access Features

New macros for email templates

App name, app ID, and app label macros are now available for use with Enhanced Email Macros enabled. See メール・テンプレートをカスタマイズする.

Fixes

General Fixes

OKTA-391032

Custom admins with Manage group permissions could view the Add Rule button on the Groups > Rules tab.

OKTA-412278

After a self-service account unlock error, users saw duplicate Back to the sign in links.

OKTA-417463

The Username field in the Sign-In Widget wasn’t pre-populated with the config.username value.

OKTA-419565

The magic link for self-service password reset directed users to the sign-in page if an active session for another user was present in the browser.

OKTA-419713

The error message wasn't clear when a user tried to claim email account recovery links multiple times.

OKTA-421801

Some users with a custom domain URL couldn't add or edit resource sets for custom admin roles.

OKTA-422155

Users received a multifactor reset email in addition to the multifactor enrollment email when they enrolled in Okta FastPass.

OKTA-422158

Some legacy Universal 2nd Factor (U2F) users weren't able to use their YubiKey devices to authenticate after their org was upgraded to Okta Identity Engine.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Avalara (OKTA-415081)

  • Fisher Scientific (OKTA-422646)

  • Microsoft Volume Licensing (OKTA-420160)

  • Quadient Cloud (OKTA-422635)

  • RescueAssist (OKTA-422643)

  • WeWork (OKTA-423570)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Anomalo (OKTA-421527)

  • Paradime (OKTA-420444)

OIDC for the following Okta Verified application:

Enhancement

New app sign-on policy option: Identity Provider

Okta users may now use their Identity Provider credentials to sign in to apps through the Okta End-User Dashboard.

Fixes

General Fixes

OKTA-373673

If an Identity Engine org disabled Push authentication in its MFA enrollment policy before rolling back to Okta Classic, its users were still prompted for Push authentication.

OKTA-418039

Enhanced email macros didn’t work with Branding.

OKTA-419440

Internal server and NullPointerException (NPE) errors were returned when Active Directory-sourced users attempted to reset expired passwords.

OKTA-420077

The Security Checklist couldn’t update new device notifications in Org Settings.

OKTA-421010

The Sign-In Widget didn't consistently time out when the end user failed to respond to an out-of-band authenticator challenge.

App Integration Fixes

The following SWA app was not working correctly and is now fixed:

  • Vitality (OKTA-420790)

Applications

Application Update

The following integrations are deprecated from the OIN Catalog: 

  • Hiveed

  • BenXcel

  • FIS Global

  • Nanigans

New Integrations

SAML for the following Okta Verified applications:

  • Blingby Programmatic (OKTA-421181)

  • Perimeter 81 (OKTA-415079)

  • Snackmagic (OKTA-419393)

  • Suveryapp (OKTA-420053)

SWA for the following Okta Verified application:

  • Integromat (OKTA-420293)

OIDC for the following Okta Verified application:

Enhancement

Changes to default sign-on policy for new app instances

The default sign-on policy for new apps now requires a password or Identity Provider instead of the previous default — any 1 factor type.

Fixes

General Fixes

OKTA-288910

When signing into Okta with Microsoft as a service provider, the Okta sign-on page wasn’t auto-filled with the user’s sign-on information.

OKTA-387939

The Just In Time Provisioning section of the Admin Console Customization page didn’t include Lightweight Directory Access Protocol (LDAP) as an available authentication method.

OKTA-406616

Sometimes after admins manually activated users, the users received errors when trying to enroll authenticators.

OKTA-416160

When admins re-selected the Okta FastPass (All platforms) checkbox after getting a "You can't disable Okta FastPass because..." error, the same error appeared unless they refreshed the page.

OKTA-419526

When users accessed Okta from Internet Explorer 11 that was running on Microsoft Windows 10, they only saw one authenticator on the Add Authenticator page even when multiple authenticators were available.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Alerus (OKTA-418805)

  • BenXcel (OKTA-418794)

  • Inbox by Gmail (OKTA-412080)

  • IBM MaaS360 (OKTA-418799)

  • Redis Labs (OKTA-418789)

Applications

Application Updates

  • We have added the userType attribute to the Slab SCIM schema. For details see the Slab Okta SCIM Integration Guide.

  • The FIS Global Client integration is deprecated from the OIN Catalog.

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Blingby Inline (OKTA-410691)

  • Panzura Data Services (OKTA-419287)

  • RudderStack (OKTA-413572)

OIDC for the following Okta Verified applications:

Enhancement

Expression language (EL) improvements

Okta expression language (EL) attributes now include rule validation. See About custom expressions for devices.

Fixes

General Fixes

OKTA-405664

Routing rules that were configured with a User matches condition incorrectly allowed users to choose from multiple IdPs.

OKTA-412443

Admins couldn't add samAccountName as an attribute in the Active Directory Password Reset email template.

OKTA-414646

Some users were unable to sign in with authenticators they'd successfully used before.

OKTA-415713

If user enumeration prevention was enabled in their org, users incorrectly saw error messages when they attempted self-service password resets.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Fannie Mae Desktop Underwriter (OKTA-416904)

  • Frame.io (OKTA-416896)

  • i-Ready (OKTA-416899)

  • InternationalSOS (OKTA-415410)

  • LifeLock (OKTA-413854)

  • Milestone Xprotect Smart Client (OKTA-416893)

  • SDGE (OKTA-416903)

  • ShipStation (OKTA-416897)

  • Simple Sales Tracking (OKTA-416906)

  • Washington Post (OKTA-416908)

  • Yodeck (OKTA-415411)

Applications

New Integrations

New SCIM Integration Applications

The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:

SAML for the following Okta Verified application

  • Hiretual (OKTA-413861)

OIDC for the following Okta Verified application

August 2021

2021.08.0: Monthly Production release began deployment on August 9

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Polling support for ADSSO and IWA authentication sessions

Agentless Desktop Single Sign-on (ADSSO) and Integrated Windows Authentication (IWA) authentication sessions now include polling to reduce the likelihood customers will receive 429 Too Many Requests errors when they are trying to access Okta during peak periods. Rather than immediately denying an authentication request, the server is continually polled for 30 seconds until the user can be authenticated. With this change, authentication requests are more likely to be successful and wait times are reduced. See Active Directoryデスクトップ・シングル・サインオン.

Name change: Authenticator is now called Security Method

The term Authenticator has been replaced with Security Method everywhere that multifactor authentication methods are displayed to end users. The term hasn't changed in the Admin Console.

New session behavior

Users who sign in from the same browser they used to enroll in Okta Verify won't have to verify their authenticators again unless they've exceeded their org's policy reauthentication time limit.

LDAP agent, version 5.8.0

This version of the agent contains:

  • Password expiry warning support for Oracle Directory Server Enterprise Edition (ODSEE), Oracle Unified Directory (OUD), OpenDJ, and SunOne 5.2 LDAP directory services

See Okta LDAP Agentのバージョン履歴.

Enhancements

New warning for excessive IP addresses

A warning now appears if a gateway or proxy has an IP range with more than 5 million addresses. See IPゾーンの作成.

Start time and end time of rate limit windows

The Rate Limit Dashboard now displays the start time and end time of the rate limit window for each data point. This helps you analyze each data point with more granularity. See Rate limit dashboard.

Okta Mobile removed from the Admin Console

Links to Okta Mobile for iOS and Okta Mobile for Android have been removed from the Mobile Apps section of the Settings > Downloads page. Okta Mobile settings have been hidden from the Security > General page. Okta Mobile isn't available for Identity Engine.

Removal of new experience settings for enabled environments

Settings to enable the new end-user experience won't be shown to orgs that have enabled the feature and removed access to the old experience.

UI Change for Okta Verify Users

The Sign in using Okta Verify on this device button has been changed to Sign in with Okta FastPass.

Early Access Features

New Features

Third-Party Risk

Okta Risk Eco-System API / Third-Party Risk enables security teams to integrate IP-based risk signals to analyze and orchestrate risk-based access using the authentication layer. Practitioners can step up, reduce friction or block the user based on risk signals across the customer’s security stack. Apart from improving security efficacy, this feature also enhances the user experience by reducing friction for good users based on positive user signals. See リスク・スコアリング.

Fixes

General Fixes

OKTA-381874

On the Agents page, admins couldn't remove deleted RADIUS agents or hide the ones that weren't in use.

OKTA-405384

Users who enrolled in platform authenticators, such as Okta Verify Desktop or WebAuthn, and tried to authenticate on a different device or enroll Okta Verify on their mobile device were unable to authenticate.

OKTA-407918

The custom sign-out page URL didn’t match the address configured in Customization Settings.

OKTA-408448

Users didn’t receive an error message when they reached the rate limit for submitting OTP codes.

OKTA-408851

The OAuth scope consent page sometimes displayed incorrect messages.

OKTA-410951

Just-in-Time provisioning didn't automatically initiate self-service unlock for AD or LDAP-sourced users who were locked out of Okta but not out of their AD or LDAP accounts.

Content

Generally Available Features

Okta solution visible in footer

To help admins identify their Okta solution, the version number in the footer of the Admin Console is now appended with C for Classic Engine orgs and E for Identity Engine orgs. See Oktaソリューションを特定する .

UI Change for Okta Verify Users

The Sign in using Okta Verify on this device button has been changed to Sign in with Okta FastPass.

Okta FastPass configuration messages

Admins are provided with more descriptive messages during Okta FastPass configuration. The messages help admins configure the correct Push notification (Android and iOS only) and Okta FastPass (all platforms) verification options.

UI changes for Device Management

Security > Device Management is now Security > Device Integrations and the Device Management screen is now named Device Integrations. Actions on the Device integrations screen are provided as a drop-down list, and the Device Management tab is now named Endpoint Management.

Authenticator is now Security Methods

The term Authenticator has been replaced with Security Method everywhere that multifactor authentication methods are displayed to end users. The term has not changed in the Admin Console.

New and updated System Log events

In the System Log, the user.session.end event, which indicates that a user signed out from a session that was authenticated using a device, was updated to include device information.

The following System Log events are new:

  • The device.lifecycle.activate event log indicates that the status of a device is now set to active. The user can access protected resources from an active device if permitted by the App Sign-On policies applied to the resources.

  • The device.lifecycle.deactivate event log indicates that the status of a device is now set to deactivated. Once deactivated, no user can access company resources on this device. All user access on the device is revoked. You can reactivate the device, but users are required to re-enroll before they can get access.

  • The device.lifecycle.suspend event indicates that the status of a device is now set to suspended. The user can't use the device.

  • The device.lifecycle.unsuspend event indicates that the status of a device is now active. Users can access protected resources from the device.

  • The device.lifecycle.delete event indicates that the device was deleted. The device no longer appears in the Admin Console.

  • The device.user.add event indicates that a user added a new account in Okta Verify.

  • The device.user.remove event indicates that the association between a user and a device is removed. The user can no longer use the device.

  • The pki.ca.add event indicates that a third-party certificate authority (CA) was added to the Admin Console. The CA is now available to the org.

  • The pki.ca.delete event indicates that a third-party certificate authority (CA) was removed from the Admin Console. The CA is no longer available to the org.

  • The device.platform.add event indicates that a device management platform was added to the org.

  • The device.platform.update event indicates that changes were made to the device management platform configuration.

  • The device.platform.delete event indicates that a device management platform was removed from the org.

Fixes

OKTA-390329

Notification messages weren't displayed when users enrolled or removed authenticators from their profiles.

OKTA-398165

Admins who selected the Users Locked Out task on the Admin Dashboard were redirected to the Reset Password page instead of the Unlock People page.

OKTA-399274, OKTA-404732

The "Signing in to Okta Dashboard" message and the Okta spinner icon weren’t configurable for custom orgs.

OKTA-402014

For AD-sourced users, admins weren’t able to add samAccountName as an attribute in email messages sent during account unlock.

OKTA-405384

Users who were enrolled in Okta Verify Desktop, security key, or biometric authenticators couldn't complete multifactor authentication from a different device.

OKTA-406399

When a custom domain and sign-in page were enabled, some users received a server error if they accessed a bookmark app with OAuth consent enabled.

OKTA-406759

After their sessions expired, users who signed in to Okta through an IdP weren't prompted for password reauthentication when they attempted to re-launch an app.

OKTA-410907

Active Directory users who were enrolled in Okta Verify and the Duo authenticator were unable to initiate self-service account unlock using the Unlock with Okta Verify Push notification method.

OKTA-411633

Admins were unable to remove the last MFA authenticator from the list of authenticators even though no policies required multifactor authentication.

OKTA-412606

Active Directory-sourced users were deactivated when their username was changed in Active Directory and their user profile was updated in Okta.

OKTA-413683

After entering an invalid username, users who clicked Forgot password? more than once were returned to the sign-in page.

OKTA-413703

For some orgs, the More Integrations section of the Okta App Catalog appeared empty.

Content

Generally Available Features

LDAP Delegated Authentication

Delegated authentication allows users to sign in to Okta by entering credentials for their organization's Active Directory (AD), Windows-networked single sign-on (SSO), or user stores that employ the Lightweight Directory Access Protocol (LDAP). See LDAP統合を開始する .

JIT users from AD

Just-In-Time (JIT) provisioning enables automatic user account creation in Okta the first time a user authenticates with Active Directory (AD) delegated authentication, Lightweight Directory Access Protocol (LDAP) delegated authentication, or Desktop SSO. JIT account creation and activation only works for users who aren't already Okta users. This means that users who are confirmed on the import results page, regardless of whether or not they were subsequently activated, aren't eligible for JIT activation. When JIT is enabled, users don't receive activation emails. See Active Directoryのジャストインタイム・プロビジョニングでユーザーを追加および更新する and LDAP のジャストインタイム・プロビジョニングでユーザーを追加および更新する.

Agentless Desktop Single Sign On

With Agentless Desktop Single Sign-on (DSSO), you don't need to deploy IWA agents in your Active Directory domains to implement DSSO functionality. This reduces or eliminates the maintenance overhead and provides high availability as Okta assumes responsibility for Kerberos validation. See Active Directoryデスクトップ・シングル・サインオン.

Configure multiple Identity Providers as a part of a routing rule

With the Okta Identity Engine, you can configure multiple Identity Providers to be returned as part of a successful evaluation of a routing rule. This feature enables end-users to select any social login provider (for example, Okta, LinkedIn, Apple, or Google) of their choice in the sign-in flow. Organizations can even add additional context (for example, Device or IP) in deciding acceptable social login providers. See IDプロバイダーのルーティング・ルール.

Sign in with a magic link

Email authenticator allows users to authenticate successfully with a token that is sent to their primary email address. Users can click the link containing the embedded token or use the six digit one-time code. Email authenticator enables convenient one-click passwordless sign-in experiences. See メール・オーセンティケーターの構成.

Bring your own CAPTCHA

Bring your own CAPTCHA enables you to leverage your existing captcha provider (reCAPTCHA or hCAPTCHA) to add additional layers of protection against bots and other fraudulent activity. You can set up CAPTCHA verification on your sign-up, authentication, and self-service password reset flows. End users could be prompted to solve a CAPTCHA challenge if the provider you use detects potentially fraudulent activity. See and Developer Documentation.

Flexible account recovery

Okta Identity engine introduces more flexible self-service password, and account recovery flows. For the primary factor - In addition to using email, voice call, and SMS for the primary factor, users can trigger self-service recovery with Okta Verify Push (requires specific SKU). Admins can leverage any enabled factor for the secondary factor. Self-service recovery offers an improved end-user experience with a strengthened security posture. See セルフサービスのアカウント復旧.

Authenticators

Authenticators are credentials owned or controlled by an end-user which are verified during Okta policy evaluation. Authenticator examples include password, Okta Verify, and phone (SMS or voice call). Authenticators allow admins to associate credentials that are bundled together (for example, Okta Verify Time-based One-Time Password (TOTP) and push credentials on the same mobile device). Authenticator methods are labeled with factor type (for example, possession, knowledge, or biometric) and optional characteristics (for example, hardware-protected or phishing-resistant). Admins can combine authenticator characteristics with an authentication policy to meet security and useability requirements. See オーセンティケーターの構成 and Developer Documentation.

More granular app sign-on policies

App sign-on policies allow organizations to model security outcomes for access based on industry-accepted digital identity best practices (outlined by NIST) and enforce end-user authentication requirements (such as, 2-factor types or phishing-resistant) based on the context of the requested application. Leverage a user's location, risk, device context, and behaviors against the app-level policy's group membership and authentication criteria. App sign-on policies enable elevated security postures for sensitive applications. See アプリのサインオン・ポリシー and the following Developer Documentation:

SDKs, Sample Apps, and Guides

Harness the power of Okta Identity Engine through SDKs and Widgets. These SDKs/Widgets create abstractions that allow developers to make direct calls and absorb dynamic remediation in their applications for future compatibility. The SDKs also have Sample Apps and Step by Step Guides to walk you through common scenarios and implement them. These capabilities increase developer efficiency and enable the critical identity-driven capability for your applications. See the following Developer Documentation:

Office 365 Silent Activation

Okta silent activation for Microsoft Office 365 provides a seamless experience for accessing Microsoft Office on shared workstations or VDI environments. When Okta is used as an identity provider, your end users can sign in to a domain-joined Windows machine and are automatically signed in to Office 365 applications. See Office 365 Silent Activation: New Implementations.

Early Access Features

Okta FastPass

Okta FastPass enables passwordless authentication into anything you need to get your work done, on any device. Utilize Okta FastPass to minimize end user friction when accessing corporate resources, while still enforcing Okta’s adaptive policy checks. See Okta FastPassを構成する .

Allow or deny custom clients in Office 365 sign on policy

You can filter specific clients in an Office 365 app sign-on rule to allow or deny them access to Office 365 resources. This filter is especially useful if you want to deny access to certain clients that you don't support or trust. Alternatively, you can use this filter to only allow clients you trust. It gives you a more granular control over the clients that get access to your Office 365 app. See Allow or deny custom clients in Office 365 sign on policy.

Use Okta MFA to satisfy Azure AD MFA requirements for Office 365

You can use Okta multifactor authentication (MFA) to satisfy the Azure AD MFA requirements for your WS-Federation Office 365 app instance. See Use Okta MFA to satisfy Azure AD MFA requirements for Office 365.