Production release notes

| | Current | Upcoming |
|---|---|---|
| Production | 2022.05.1 | 2022.05.2 Production release is scheduled to begin deployment on May 23 |
| Preview | 2022.05.1 | 2022.05.2 Preview release is scheduled to begin deployment on May 18 |
May 2022
2022.05.0: Monthly Production release began deployment on May 9
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Okta AD agent, version 3.11.0
This version of the agent contains the following changes:
- Increased minimum .NET version supported to 4.6.2. If the installer doesn't detect .NET 4.6.2 or higher, it won't be installed.
- Security enhancements
- Removed unsupported libraries
Okta ADFS plugin, version 1.7.10
This version of the plugin contains bug fixes and security enhancements. See Okta ADFS Plugin Version History.
Okta RADIUS agent, version 2.17.4
This version of the agent contains bug fixes and security enhancements. See Okta RADIUS Server Agent Version History.
Okta On-Prem MFA agent, version 1.5.0
This version of the agent contains security enhancements. See Okta On-Prem MFA Agent Version History.
Jira Authenticator, version 3.1.8
This release contains bug fixes. See Okta Jira Authenticator Version History.
Okta Resource Center access
The Okta Resource Center is a collection of product tours, step-by-step guides, and announcements that helps you learn about new features and how to perform tasks within the Admin Console. You can launch the Okta Resource Center by clicking the blue icon from anywhere in the Admin Console. See Okta Resource Center.
Use Okta MFA for Azure AD Conditional Access and Windows Hello for Business Enrollment
You can use Okta MFA to:
- Satisfy Azure AD Conditional Access MFA requirements for your federated Office 365 app instance.
- Enroll end users into Windows Hello for Business.
See Use Okta MFA to satisfy Azure AD MFA requirements for Office 365.
Sign-In Widget enhancements for self-service password reset and default registration page
Okta has enabled the self-service password reset function for embedded authorization on all new and upgraded Identity Engine orgs. For integrations using embedded authentication, client applications can now use a recovery token when launching the Sign-In Widget to start the recovery flow. In addition, a new endpoint at /{orgurl}/signin/register gives you the ability to point your Sign-In Widget directly to the registration page for default applications.
Client secret rotation and key management
Rotating client secrets without service or application downtime is a challenge. Additionally, JSON Web Key (JWK) management can be cumbersome. To make client secret rotation a seamless process and improve JWK management, you can now create overlapping client secrets and manage JWK key pairs in the Admin Console. You can also create JWK key pairs from the Admin Console without having to use an external tool. See Manage secrets and keys for OIDC apps.
Personal Identity Verification
Personal Identity Verification is now supported on Okta Identity Engine. See Add a Smart Card IdP.
Okta API access with OAuth 2.0 for Org2Org
Previously, the Org2Org integration only supported token-based access to the Okta API. You can now configure the Org2Org integration to access the Okta API as an OAuth 2.0 client. This increases security by limiting the scope of access and providing a better mechanism to rotate credentials. See Integrate Okta Org2Org with Okta.
Enhancements
Custom help links in the Sign-In Widget
Admins can add a custom help link on the authenticator page of the Sign-In Widget. This link can provide just-in-time help with multifactor authentication and can point to an in-house resource or other location. See Customize text on your sign-in page.
PKCE is a verification method for OIDC SPA and Native app integrations
The OIDC App Integration Wizard now identifies that PKCE is not a client authentication method. Instead, for SPA and Native apps, the AIW creates apps listing PKCE as a verification method. See Create OIDC app integrations using AIW.
Add agent permissions to custom admin roles
Custom admins can perform AD agent auto-updates for AD instances they have access to. They can also view the agents dashboard page to see the statuses of all agents associated with app instances they can manage. See Automatically update Okta agents.
Group count tooltip on the Admin Dashboard
On the Admin Dashboard, the Overview section now provides an "Includes only Okta sourced groups and excludes those sourced externally, such as AD groups" tooltip for the Groups count. The new tooltip helps you understand how your groups count is calculated. You can view the tooltip by hovering your cursor over the Groups count on the Overview section. See View your org at a glance.
Okta End-User Dashboard enhancements
- Unread notifications are more visible to users.
- The End-User Dashboard Preview function bar has moved to a separate dialog. See Preview an end user's dashboard.
- The Last sign in link at the bottom of the Okta End-User Dashboard now includes the entire text of the message in the hyperlink.
- The title of the copy password dialog in the Okta End-User Dashboard is more specific.
System Log enhancements for block zone events
- The zone.make_blacklist event in the System Log now encompasses two actions: when an admin creates a blocked network zone, and when an admin marks an existing blocked zone as unblocked. Previously, this event was only recorded when a pre-existing network zone was converted into a block list.
- The zone.remove_blacklist System Log event now encompasses two actions: when a network zone is converted into an allow list, and when an admin deletes a blocked zone. Previously, this event was only recorded when a pre-existing network zone was converted to an allow list.
System Log enhancement for network zone events
A network zone ID is now added as a target for all network zone events in the System Log.
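Because each block-zone event type now covers two admin actions, grouping these events by the zone ID in `target` gives a per-zone audit trail to review. The following is an added example, not Okta code: the sample events are constructed, and the target `type` value `NetworkZone`, the zone IDs and the actor names are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Event types named in the release note.
MAKE, REMOVE = "zone.make_blacklist", "zone.remove_blacklist"
ZONE_TARGET_TYPE = "NetworkZone"  # assumption: target type label used for a zone

# Constructed sample export, one JSON event per line (not real log data).
SAMPLE_LOG = """\
{"eventType":"zone.make_blacklist","published":"2022-05-10T09:00:00.000Z","actor":{"alternateId":"admin.a@example.com"},"target":[{"id":"nzo-constructed-1","type":"NetworkZone","displayName":"Blocked ranges"}]}
{"eventType":"user.session.start","published":"2022-05-10T09:05:00.000Z","actor":{"alternateId":"user@example.com"},"target":[]}
{"eventType":"zone.make_blacklist","published":"2022-05-11T10:00:00.000Z","actor":{"alternateId":"admin.a@example.com"},"target":[{"id":"nzo-constructed-2","type":"NetworkZone","displayName":"Legacy block"}]}
{"eventType":"zone.remove_blacklist","published":"2022-05-12T03:14:00.000Z","actor":{"alternateId":"admin.b@example.com"},"target":[{"id":"nzo-constructed-1","type":"NetworkZone","displayName":"Blocked ranges"}]}
{"eventType":"zone.remove_blacklist","published":"2022-04-01T08:00:00.000Z","actor":{"alternateId":"admin.a@example.com"},"target":[]}
not-json line from a truncated export
"""


class ZoneChange(NamedTuple):
    when: datetime
    event_type: str
    zone_id: Optional[str]    # None when the event carries no zone target
    zone_name: Optional[str]
    actor: str


def parse_zone_changes(text: str) -> List[ZoneChange]:
    """Return block-zone events from a JSON-lines export, oldest first."""
    changes = []
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines instead of aborting the run
        if not isinstance(event, dict) or event.get("eventType") not in (MAKE, REMOVE):
            continue
        published = event.get("published")
        if not published:
            continue
        # Older events may have been logged before the zone ID was added.
        zone = next((t for t in event.get("target") or []
                     if t.get("type") == ZONE_TARGET_TYPE), None)
        changes.append(ZoneChange(
            when=datetime.fromisoformat(published.replace("Z", "+00:00")),
            event_type=event["eventType"],
            zone_id=zone.get("id") if zone else None,
            zone_name=zone.get("displayName") if zone else None,
            actor=(event.get("actor") or {}).get("alternateId", "unknown"),
        ))
    return sorted(changes, key=lambda c: c.when)


def timeline_by_zone(changes: List[ZoneChange]) -> Dict[str, List[ZoneChange]]:
    """Group changes by zone ID, keeping chronological order within each zone."""
    grouped = defaultdict(list)
    for change in changes:
        if change.zone_id is not None:
            grouped[change.zone_id].append(change)
    return dict(grouped)


def zones_last_changed_by_removal(changes: List[ZoneChange]) -> List[str]:
    """Zone IDs whose most recent block-zone event is zone.remove_blacklist."""
    return sorted(zone_id for zone_id, events in timeline_by_zone(changes).items()
                  if events[-1].event_type == REMOVE)


def without_zone_target(changes: List[ZoneChange]) -> List[ZoneChange]:
    """Events that cannot be tied to a zone and need manual correlation."""
    return [c for c in changes if c.zone_id is None]


if __name__ == "__main__":
    parsed = parse_zone_changes(SAMPLE_LOG)
    for zone_id in zones_last_changed_by_removal(parsed):
        last = timeline_by_zone(parsed)[zone_id][-1]
        print(f"review: {zone_id} ({last.zone_name}) changed by {last.actor} at {last.when}")
    print(f"{len(without_zone_target(parsed))} event(s) without a zone target")
```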
Enhancements to ThreatInsight
ThreatInsight is improved to further protect rate limit consumption from malicious actors. Requests from actors with a high threat level continue to be logged and/or blocked depending on the org's configuration. Now, additional requests that seem malicious but have a lower threat level no longer count towards org rate limits.
Enhancements to multifactor authentication validation in authentication policies
When creating authentication policies, admins can only select authenticators that are enabled in their org and available to the associated group of users.
OIN Catalog enhancements
Integrations in the OIN Catalog help end users address issues across a variety of industries. Okta has added the ability to filter integrations by industry to help both prospective and current Okta users identify the OIN integrations that best meet their needs. Additionally, the OIN Catalog interface has been updated with the following enhancements for improved navigation:
- The search interface has been updated and popular search terms can now be selected.
- Details pages for integrations have been updated for usability.
- Navigation breadcrumbs have been added to the OIN Catalog.
- Integrations can now be sorted alphabetically and by recently added.
OIN Catalog search functionality and filter updates
- OIN Catalog search results now prioritize complete word matches from the search phrase.
- Integrations in the OIN Catalog can now be filtered by RADIUS functionality.
OIN Manager enhancements
The OIN Manager now requires that ISV submissions for SCIM integrations confirm that the integration meets API response timing requirements. See Publish an OIN integration.
Early Access Features
New Features
Trusted Origins for iFrame embedding
You can now choose which origins can embed Okta sign-in pages and the Okta End-User Dashboard using Trusted Origins for iFrame embedding. This feature offers more granular control over iFrame embedding than the existing embedding option in Customization, which doesn't let you distinguish between secure and non-secure origins. Trusted Origins under Security > API allows you to selectively configure the origins you trust. It also provides enhanced security because it uses the more secure frame-ancestors directive in Content Security Policy, which protects your data from web attacks such as clickjacking. See Trusted Origins for iFrame embedding.
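To confirm that the frame-ancestors directive a page returns matches the origins you intended to trust, the header value can be audited offline. The following is an added example, not Okta code: the header strings and origin names are constructed, and it inspects a single policy string rather than a live response.

```python
import re
from typing import List, Optional, Tuple

SCHEME_ONLY = re.compile(r"^[a-z][a-z0-9+.\-]*:$")  # e.g. "https:"

# Constructed inputs for illustration (assumed origins, not from any real org).
TRUSTED = ["https://portal.example.com"]
GOOD_CSP = "default-src 'self'; frame-ancestors 'self' https://portal.example.com"
WEAK_CSP = ("frame-ancestors https: http://intranet.example.com "
            "https://*.example.net https://other.example.org")


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the first frame-ancestors directive.

    Returns None when the policy has no such directive. Directive names are
    case-insensitive, and a repeated directive is ignored by browsers, so
    only the first occurrence is read.
    """
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def audit_frame_ancestors(csp: str, trusted_origins: List[str]) -> List[Tuple[str, str]]:
    """Compare a policy's frame-ancestors sources with the intended origins.

    Returns (finding, source) pairs; an empty list means every source is
    'self', 'none', or an origin from trusted_origins.
    """
    sources = parse_frame_ancestors(csp)
    if sources is None:
        # Without the directive, CSP places no restriction on who may frame the page.
        return [("missing", "")]
    trusted = {o.lower().rstrip("/") for o in trusted_origins}
    findings = []
    for src in sources:
        s = src.lower()
        if s in ("'self'", "'none'"):
            continue
        if s == "*":
            findings.append(("wildcard", src))        # any origin may embed
        elif SCHEME_ONLY.match(s):
            findings.append(("scheme-only", src))     # any origin on that scheme
        else:
            if s.startswith("http://"):
                findings.append(("insecure", src))    # non-secure origin allowed
            host = s.split("://", 1)[-1]
            if host.startswith("*."):
                findings.append(("wildcard-host", src))  # every subdomain allowed
            elif s.rstrip("/") not in trusted:
                findings.append(("unexpected", src))  # not in the intended list
    return findings


if __name__ == "__main__":
    for label, policy in (("good", GOOD_CSP), ("weak", WEAK_CSP)):
        print(label, audit_frame_ancestors(policy, TRUSTED))
```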
New permissions for custom admin roles
Super admins can now assign these new permissions to their custom admin roles:
- Manage authorization server
- View authorization server
- Manage customizations
- View customizations
The authorization server permissions can be scoped to all or to a subset of the org’s authorization servers. With these new permissions, super admins can now create custom admin roles with more granular permissions for managing their org’s customizations and authorization servers. See About role permissions.
Additional resource and entitlements reports
Reports help your Okta org manage and track user access to resources, meet audit and compliance requirements, and monitor organizational security. The following reports are now available:
- Group Membership report: Lists individual members of a group and how membership was granted.
- User App Access report: Lists which users can access an application and how access was granted.
Fixes
General Fixes
OKTA-386570
If an LDAP interface bind request failed, subsequent searches failed with an internal server error instead of a permissions denied error.
OKTA-435855
Web and SPA app integrations created with an Authorization code or Interaction code grant type incorrectly returned an error if the Login Initiated By Either Okta or App option was selected.
OKTA-476570
The System Log didn’t display the app name when users entered invalid credentials during an SP-initiated flow.
OKTA-476896
On the Administrators page, deactivated users with assigned admin roles were included in the Individually assigned count.
OKTA-477494
Some invalid EL expressions incorrectly passed validation.
OKTA-477634
Some users experienced delays when searching for an app on the Okta End-User Dashboard.
OKTA-481752
When users tried to enroll in Okta Verify, VoiceOver screen readers didn't highlight the mobile device type correctly or allow users to select a device. It also selected the iPhone option even though the Android option was also available.
OKTA-482266
During PIV authentication where no certificate or an expired certificate was provided, a 404 error was displayed.
OKTA-482435
When admins upgraded an app to SAML 2.0, the SAML 2.0 setup instructions used the org-scoped certificate instead of the app-scoped certificate.
OKTA-483062
Custom application access error pages redirected to the default Okta error page.
OKTA-484366
Admins couldn’t use the objectGuid attribute as a unique identifier when integrating AD LDS LDAP servers with Okta.
OKTA-486141
If an inline hook was registered and in use under a profile enrollment policy, admins could deactivate or delete the hook. This resulted in an error when that policy was used for self-service registration.
OKTA-486974
An internal ID incorrectly appeared in a policy System Log event.
OKTA-488233
Parallel JIT requests for the same username created duplicate users.
OKTA-488234
The sign-in page didn’t load correctly for some orgs after they upgraded to Identity Engine.
OKTA-488428
Some users lost the ability to reveal passwords for an app when the app drawer feature was enabled.
OKTA-488663
When Full Featured Code Editor was enabled, the full screen toggle on the error page code editor didn’t change to a minimize icon.
OKTA-489050
Sometimes an error message was displayed when admins viewed applications in the Admin Console.
OKTA-489448
In SP-initiated flows, the message instructing users to create their accounts was formatted incorrectly.
OKTA-490811
When an unenrolled device attempted to access an app that required device management, the sign-in request didn't fail gracefully.
OKTA-491164
Some admins weren’t assigned the Admin Console when they were added to a group with assigned admin roles.
OKTA-491264
Sometimes when a super admin deleted a custom admin role that contained email notifications, admins couldn’t update their email notification settings.
OKTA-495549
When groups were exposed in the LDAP interface directory information tree, some filters referencing the entryDn attribute returned the incorrect result code if the group wasn’t found.
OKTA-495598
AD-sourced users who reset their passwords in AD had to reset their passwords again when using IWA or ADSSO to sign in to Okta.
App Integration Fix
The following SWA app was not working correctly and is now fixed:
- NDFR/SDU (OKTA-485335)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Cisco Umbrella User Management: For configuration information, see Cisco Umbrella - Provision Identities from Okta.
- Dialpad: For configuration information, see Dialpad + Okta | SCIM Instructions.
- Heap Analytics: For configuration information, see SCIM Provisioning: Okta.
SAML for the following Okta Verified applications:
- Common Room (OKTA-483683)
- Datto Workplace (OKTA-487599)
- Sounding Board (OKTA-489395)
Weekly Updates

Early Access
Introducing the Progressive Enrollment experience
Typically, collecting end-user data during the initial sign-up process creates friction and abandonment. The addition of the Progressive Enrollment feature helps you to capture the minimum user information required to create a profile and then expand and enhance those user profiles during subsequent sign-in operations. Admins can control what information is collected, validate those input values, and trigger inline hooks during the self-service registration and progressive enrollment flows. See End-user registration.
ChromeOS as a device platform
You can now enable support for ChromeOS as a device platform in the Admin Console. After you enable this feature, you can select ChromeOS as a filter for authentication policy rules. See ChromeOS support.
Fixes
General Fixes
OKTA-468575
Attempting to upload a new or replacement certificate to an existing RADIUS application resulted in an error.
OKTA-478259
When a super admin assigned an admin role to an ineligible group, the resulting error message was unclear.
OKTA-478844
Token endpoint events weren’t logged as expected by the System Log and Splunk.
OKTA-482807
Admins received a ${request.date} is required error when they tried to add a translation for the New Sign-On Notification email template.
OKTA-485981
Admins were able to save a Global Session Policy rule to deny sign-in attempts from specified zones even though no zones were selected.
OKTA-491554
The Client Secret UI didn’t render properly when users switched between authentication methods in an app instance.
OKTA-492337
The Authentication Policy dropdown menu was slow to load large numbers of policies on the Sign-On tab of an app instance.
OKTA-493632
A hyphen was incorrectly added to an app's tooltip when an end user hovered over the app on the End User Dashboard.
OKTA-498263
The Activate/Deactivate button for Password Policy didn’t work.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- CUES (OKTA-486595)
- GetFeedback (OKTA-488495)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Britive: For configuration information, see Integrating Okta for Provisioning.
- Uber for Business: For configuration information, see Configuring Okta Provisioning for Uber.
SAML for the following Okta Verified applications:
- Britive (OKTA-487233)
- OpsLevel (OKTA-484506)
- Planview ID (OKTA-487235)
April 2022
2022.04.0: Monthly Production release began deployment on April 4
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Okta On-Prem MFA Agent, version 1.4.9
This version of the agent contains security enhancements. See Okta On-Prem MFA Agent Version History.
Okta Browser Plugin, version 6.9.0 for all browsers
This version includes the following changes:
- Keyboard navigation didn't work properly when users attempted to switch to a new app list in the plugin popover window. Users were unable to close the plugin popover window with keyboard input.
- Version 6.8.0 of the plugin caused issues for some users when they attempted to sign in to an SWA app in an iframe.
Admin Experience Redesign toggle removed
The toggle that allowed super admins to switch between the Admin Experience Redesign and the old experience has been removed. All Okta admins now benefit from our restyled Okta Admin Dashboard, responsive navigation side bar, and modern look and feel.
Allow or deny custom clients in Office 365 sign-on policy
You can filter specific clients in an Office 365 app sign-on rule to allow or deny them access to Office 365 resources. This filter can be used to deny access to untrusted clients or to only allow trusted clients. See Allow or deny custom clients in Office 365 sign on policy.
Endpoint integrations
The Device Integrations page now includes an Endpoint Security tab, which allows admins to manage endpoint integrations with Windows Security Center and CrowdStrike. Endpoint Detection and Response (EDR) integration extends device posture evaluation by enabling Okta Verify to capture signals collected by your EDR client running on the same device. See EDR integration.
Okta FastPass enhancement
With Okta FastPass, an error now appears in the Sign-In Widget if User Verification is not provided when it is required.
Improved AD group membership synchronization
The ADAppUser distinguished name field is now updated when a user is added to an Okta group and a matching group exists in AD. When an Okta provisioning request moves a user to a new organizational unit, the change is quickly duplicated in AD. This new functionality helps ensure the accuracy and integrity of AD group membership information. See Manage Active Directory users and groups.
New App Drawer
The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.
ShareFile REST OAuth
Admins can now upgrade to the latest version of our ShareFile integration. OAuth provides more secure authentication and is now used for Provisioning and Imports. See Configure ShareFile OAuth and REST integration. This feature is made available to all orgs.
Enhancements
Recent activity page link for end users
If Recent Activity is enabled, users can click Last sign in in the footer of the left navigation bar to go directly to the Recent Activity page.
Burst rate limits available on Rate Limit Dashboard
The Rate Limit Dashboard, available from the Admin Console, now includes data on burst limits in your Okta org, in addition to rate limit warnings and violations. The Violations dashboard was renamed Events to acknowledge the increase of scope, and includes the ability to filter on timeline as well as the type of event (warning, burst, and violation). Hovering over the burst rates in the graphs provides more detail and links to the system log for individual endpoint calls. The individual Usage graphs provide details on bursts for the individual API. See Rate limit dashboard and Burst rate limits.
New ThreatInsight enforcement action
If you configure ThreatInsight to log and enforce security based on the threat level detected, ThreatInsight can either limit or block authentication requests from suspicious IP addresses. For example, if a specific IP address is suspected of malicious activity but the threat level is considered low, authentication requests from the IP address are not denied access but might be subjected to a rate limit. See Configure Okta ThreatInsight.
PIV IDP user profile mapping
You can now use idpuser.subjectUid in an Okta user profile when mapping IDP Username for Personal Identity Verification (PIV) IDPs. See Add a Smart Card identity provider.
Default policy updates
The Default Global Session Policy and the default authentication policy now allow access to users with any two factors. See Okta sign-on policies.
Global Session Policy default rule
Admins can now edit the primary factor condition in the default rule of their org’s Default Global Session Policy. See Update a Global Session Policy.
Custom app logo preview
Admins can now preview a custom logo before applying it to an app. See Customize an application logo.
Updated error message for Microsoft Graph API
An error message for Microsoft Graph API has been updated to include more details and a possible workaround.
Debug logging for token exchange
The following fields have been added to the System Log for assistance in debugging OAuth2 token exchange events:
- requested_token_type
- subject_token_type
- actor_token_type
- resource
Updated SAML setup instructions
Setup instructions for SAML 2.0 apps now use the per-app SHA2 certificate during app creation.
Change to the number of free SMS messages allowed
To balance growing costs of SMS usage while maintaining a commitment to developer and free trial orgs, Okta is changing the number of free SMS messages these orgs are allowed each month. Beginning April 4, 2022, orgs may send a maximum of 100 messages per month. For more information about this change, visit the Okta Developer Community.
Early Access Features
New Features
Customize Okta to use the telecommunications provider of your choice
While Okta provides out of the box telephony functionality, many customers need the ability to integrate their existing telecommunications provider with Okta to deliver SMS and Voice messages.
The Telephony Inline Hook allows customers to generate one-time passcodes within Okta and then use their existing telecommunications provider to deliver the messages for MFA enrollment/verification, password reset, and account unlock using SMS or Voice. This allows customers to use their existing telephony solution within Okta, whether because of the time they've already invested in that solution, the need to use a specific regional provider, or simply the desire to maintain flexibility. See Customize your telephony service provider.
Enhancement
Splunk available for Log Streaming
Many organizations use third-party systems to monitor, aggregate, and act on the event data in Okta System Log events.
Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as the Splunk Cloud in near real time with simple, pre-built connectors. Log streaming scales well even with high event volume, and unlike many existing System Log event collectors, it doesn't require a third-party system to store an Okta Admin API token. See Log Streaming.
Fixes
General Fixes
OKTA-442031
Some Okta Mobile sign-in flows didn’t work for admins when the Okta Admin Console app required step-up authentication.
OKTA-456484
When more than one authenticator appeared on the authenticator enrollment page, the Return to authenticator list link didn’t appear.
OKTA-460284
SAP Litmos imports failed with an unexpected error.
OKTA-467278
If an error occurred in Okta Verify during authentication or if authentication was cancelled, a delay occurred before the user was prompted again to select a security method.
OKTA-472816
When app admins selected the Agents tab, the error message “Error rendering agents monitor table” appeared and no agents were listed.
OKTA-473180
Sometimes AssertionId for SAML1.1 assertions was poorly formatted.
OKTA-475767
Sometimes, in the Groups page Description column, an equals sign (=) replaced the forward slash ( / ) in LDAP-sourced group names.
OKTA-475774
Users could use ADSSO to sign in to Okta when delegated authentication was disabled.
OKTA-478467
Admins who didn’t have permission to view the Agent monitors page received agent auto-update email notifications.
OKTA-478537
When admins searched for an authentication policy, only the first 100 policies were visible. This occurred on both the Applications page and the Authentication policies page.
OKTA-479110
The sender email address on the Customizations > Emails page was inconsistent with the sender email address on individual templates.
OKTA-479701
Admins were shown events that were unrelated to their account in the Security Events section of the Recent Activity page.
OKTA-482086
Some admins saw an error if they tried to run a report using resource sets created more than a year ago.
OKTA-483011
Sometimes, Okta IWA agent authentications failed during deployment when IWA replay attack detection was enabled.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- MyFonts (OKTA-476809)
- Quickbooks Time Tracker (OKTA-476695)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Snow Atlas SSO: For configuration information, see Okta as SSO provider.
- Transform: For configuration information, see Configuring Provisioning for Transform.
SAML for the following Okta Verified applications:
- Atomic Console (OKTA-479344)
- Intra-mart Accel Platform (OKTA-476864)
- Mulesoft - Anypoint Platform (OKTA-461170)
- OfficeTogether (OKTA-476827)
- QTAKE Cloud (OKTA-480924)
OIDC for the following Okta Verified application:
- ResoluteAI: For configuration information, see ResoluteAI: Setting up Okta.
Weekly Updates

Generally Available
Fixes
General Fixes
OKTA-476780
If an app’s profile enrollment policy didn’t require email verification, end users who started the sign-up process but abandoned it before setting a password weren’t able to use the Forgot password option when they resumed the process.
OKTA-479171
When admins selected older versions of the Sign-In Widget, messages about the latest version were inconsistently displayed.
OKTA-482299
When a super admin removed all admin role assignments from a user, a time-out error sometimes appeared.
OKTA-482472
Admins with view permissions could see the Edit button in the User Account section of Customizations > Other.
OKTA-483063
After some orgs upgraded to Identity Engine, their users received an internal server error when they attempted to sign in.
OKTA-483335
When users signed in to Salesforce with the OAuth app, they weren't prompted to Allow Access. This only occurred if the Salesforce app was configured and the user already had an active session.
OKTA-483338
When users signed in to Google with the OAuth app, they weren't prompted to Allow Access. This only occurred if the Google app was configured and the user already had an active session.
OKTA-484416
In orgs that included OMM apps, Okta RADIUS agents weren’t able to service authentication requests after restart.
OKTA-484474H
The IdP and ADSSO authentication times weren't reflected in the AuthInstant attribute of SAML assertions, which resulted in a failed SAML app sign-in flow.
OKTA-484971
The Recent Activity section of the Okta End-User Dashboard didn't load properly for Internet Explorer users.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- A Bead Store (OKTA-481911)
- Adobe (OKTA-479001)
- Adobe Stock (OKTA-483342)
- American Express Business (OKTA-482556)
- Mutual of Omaha (OKTA-481802)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- fax.plus: For configuration information, see SCIM - OKTA.
- PubHive Navigator: For configuration information, see PubHive Navigator - Okta Configuration Guide.
- Tailscale: For configuration information, see User & group provisioning for Okta.
SAML for the following Okta Verified applications:
- CardinalOps (OKTA-482262)
- Curator by InterWorks (OKTA-481345)
- ModernLoop (OKTA-482260)

Generally Available
Fixes
General Fixes
OKTA-389310
The nonce length for WebAuthn challenges didn't have enough characters for the recommended level of entropy.
OKTA-474861
Users couldn’t enroll in Okta Verify Push for recovery even though it was enabled as a primary recovery method.
OKTA-477017, OKTA-486532
When admins added an app to an authentication policy and then searched for an app that didn’t exist, the Add button reappeared by the name of their newly added app.
OKTA-483982
Users could enroll the Phone authenticator even though it was disabled in MFA enrollment policies and wasn’t available as a recovery option.
OKTA-484105
When an end user manually appended their username to the End-User Dashboard URL, their username wasn't relayed as a login_hint to the Sign-In Widget.
OKTA-486672
When SP-initiated SSO requests for Bookmark apps used the app’s embed link, incorrect parameters were passed to the SP.
OKTA-486952
Performance issues occurred for Simple Certificate Enrollment Protocol (SCEP) deployments that used dynamic challenge.
OKTA-488718
The Authentication Policies page failed to load for some orgs.
OKTA-488985
The setup instructions for a manual WS-Federation configuration for Office 365 incorrectly displayed an SHA-2 certificate instead of the SHA-1 org-scoped certificate.
Applications
New Integrations
New SCIM Integration application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Applauz: For configuration information, see Integrating Applauz with Okta.
SAML for the following Okta Verified applications:
- Axiad Cloud (OKTA-465658)
- BizLibrary (OKTA-438712)
- Greene King (OKTA-480468)
- SendGrid (OKTA-485059)
- SourceWhale (OKTA-472980)
- TestRigor (OKTA-486166)

Generally Available
Fixes
General Fixes
OKTA-468644
When a super admin scoped a standard role to a group or app and then saved the resource set, any unsaved role assignments were removed from the Administrator assignment by role page.
OKTA-483742
When admins deleted Okta AD agents, scheduled agent auto-updates continued and caused exception errors.
OKTA-484482
The iframeControlHideCatalog option didn't hide the Add Apps link when the Okta End-User Dashboard was embedded.
OKTA-485860
Admins whose custom admin role contained the Edit users' authenticator operations and Edit users' lifecycle states permissions could create API tokens.
OKTA-487293
SAML inline hooks with an AuthNRequest sometimes failed.
OKTA-487334
The SWA copy password window on the Okta End-User dashboard contained UI issues for Internet Explorer users.
OKTA-487453
Deleted users were reindexed in Elasticsearch when admins deleted user data.
OKTA-488616
The doctype declaration wasn’t displayed in the default template for error pages code editor.
OKTA-495596H
Admins couldn't customize the End-User Dashboard layout.
OKTA-495695H
A Classic Engine org couldn't upgrade to Identity Engine if its users were enrolled in Okta Mobile.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Carta (OKTA-486196)
- Chartbeat (OKTA-485773)
- Rippe and Kingston LMS (OKTA-482602)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:
- Axiad Cloud: For configuration information, see OKTA Axiad Cloud App Document.
- Loadmill: For configuration information, see Loadmill Okta SSO integration.
- Torq: For configuration information, see Configure SSO with Okta Open ID from App Catalog.
SAML for the following Okta Verified applications
- Heap Analytics (OKTA-486230)
- Secure Code Warrior (OKTA-476859)
March 2022
2022.03.0: Monthly Production release began deployment on March 7
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Okta Active Directory Password Sync agent, version 1.5.0
This version of the agent includes:
- Security enhancements.
- Making .NET Framework 4.6.2 the minimal supported version. Earlier versions are automatically upgraded during agent installation.
- Okta Military Cloud support.
Okta AD agent, version 3.10.0
This version of the agent contains:
- Okta Military Cloud support.
- Bug fixes.
Okta LDAP agent, version 5.12.0
This version of the agent contains support for Okta Military Cloud. See Okta LDAP Agent version history.
Event hooks for custom admin roles
Custom admin role events are now available for use as Event Hooks. This provides more security to admins by ensuring that they have the correct permission to perform tasks. See Event hooks.
Enforce limit and log per client mode for OAuth 2.0 /authorize and /login/login.htm endpoints
The default client-based rate limit for OAuth 2.0 /authorize and /login/login.htm endpoints is now elevated to Enforce limit and log per client (recommended) mode. This means that if your org’s client-based rate limit was previously set to Do nothing or Log per client, the setting is changed to Enforce limit and log per client (recommended) mode.
Note that based on the email communication sent out on Feb 3, 2022 and Feb 25, 2022, these changes are not applicable to certain orgs. See Default client-based rate limit mode change.
New ThreatInsight enforcement option
ThreatInsight evaluates authentication requests to detect potentially malicious activity from IP addresses exhibiting suspicious behavior. If you enable the Log and enforce security based on threat level option, ThreatInsight can limit or block authentication requests from suspicious IP addresses based on the threat level detected. For example, if a specific IP address is suspected of malicious activity but the threat level is considered low, authentication requests from the IP address are not denied access but might be subjected to a rate limit. The rate limit helps ensure that requests from a suspicious IP address don't overload authentication services and affect legitimate traffic. However, if an IP address is suspected of malicious activity and the threat level detected is high, authentication requests from the IP address are blocked. See Configure Okta ThreatInsight.
Validation for custom message templates
If you customize the default SMS message template, the Admin Console checks the message to determine whether it contains GSM or non-GSM characters and enforces the GSM or non-GSM character limit before saving the message. This check ensures that you don't create custom SMS messages that exceed the GSM or non-GSM character limit for message segments.
If you change existing custom templates, the new restrictions are enforced if your messages contain non-GSM characters.
For more information about customizing SMS templates, see Configure and use telephony.
Custom Administrator Roles
The standard admin roles available today don’t always meet all the granular delegated administration requirements, which may result in admins having either more or less permissions than they need.
The Custom Administrator Roles feature allows super admins to:
- Create admin assignments with granular roles, which include specific user, group, and application permissions.
- Constrain these admin assignments to resource sets.
Use Custom Administrator Roles to:
- Increase admin productivity.
- Decentralize the span of access that any one admin has.
- Grant autonomy to different business units for self-management.
Some important things to note:
- The Administrators page has been updated with a new, more intuitive interface for managing roles and permissions. See About the Administrators page.
- Your pre-existing roles are referred to as “standard roles”. The standard role functionality is the same as earlier but the UI is different. See Use standard roles.
- You can continue using the pre-existing roles and your existing assignments remain the same.
- You can also assign custom roles to users who have standard roles assigned.
System Log events for group app assignments
When an admin role is assigned to a group, the Okta Admin Console is now assigned to the group members much faster, and an Add assigned application to group event (group.application_assignment.add) appears in the System Log. This helps super admins monitor the event activity in their org. See System Log.
Immutable unique data types for Okta LDAP and AD agent actions
Immutable unique data types can now be used with Okta LDAP and AD agent actions. The use of immutable unique data types lets admins locate users when a username is updated, or when the user is moved to another OU. Immutable unique data type support reduces the time admins spend managing users and makes sure they can always locate user profiles after an update or when a username changes.
ShareFile REST OAuth
Admins can now upgrade to the latest version of our ShareFile integration. OAuth provides more secure authentication and will now be used for Provisioning and Imports. See Configure ShareFile OAuth and REST integration. This feature is currently available for new orgs only.
Group Push enhancements
Group Push now supports the ability to link to existing groups in NetSuite. You can centrally manage these apps in Okta. This is important because it allows you to set up and push Okta groups into NetSuite instead of recreating them in NetSuite. See About Group Push.
Support for additional social Identity Providers
Social login is a form of SSO that uses existing information from a service such as Facebook, Twitter, or Google to sign in, instead of creating a new account specifically for a third-party website. Social Identity Provider (IdP) popularity varies by industry and region. We're making it easy for Okta admins to add new IdPs with out-of-the-box integrations for GitHub, GitLab, Salesforce, and Amazon, with more to come. These integrations add to our existing social IdP catalog in the OIN, allowing users to quickly sign up or sign in to your application without entering their email or creating a new password. See External Identity Providers.
Risk and behavior evaluation
To improve the visibility of risk scoring and behavior detection, all sign-in requests are evaluated for risk factors and changes in behavior. Impacted orgs can view the results of the evaluation in the System Log. See Identity providers.
Enhancements
Sign-In Widget updates for Okta FastPass
The Sign in with Okta FastPass button no longer appears on the Sign-In Widget when users access Android Native apps that use Webview. Webview doesn't support this functionality.
Copy button updates
In the app settings panel of the Okta End-User Dashboard, the copy buttons for the username and password fields are renamed Copy username and Copy password.
Early Access Features
New Features
Group search in the Admin Console
Admins can now use the Search bar to quickly find groups, in addition to users and apps. See Admin Console search.
Automatically update public keys in the Admin Console
Using private_key_jwt as your app's client authentication method requires that you upload public keys to Okta and then use the private keys to sign the assertion. Then, you must update the client configuration each time you rotate the key pairs. This is time-consuming and error-prone. To seamlessly use key pairs and rotate them frequently, you can now configure private_key_jwt client authentication in the Admin Console for OAuth clients by specifying the URI where you store your public keys. See Manage secrets and keys for OIDC apps.
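The rotation problem described above, shown as an added example (not Okta's code and not from the original release notes): a client signs a private_key_jwt assertion, and a simplified stand-in for the authorization server selects the verification key by `kid` from the key set that the client's URI would serve. The client ID, token endpoint URL, key IDs, and the choice of ES256 are assumptions, and the JWKS is passed as an in-memory object instead of being fetched.

```javascript
const crypto = require('node:crypto');

// Constructed placeholder values, not taken from any real org.
const CLIENT_ID = 'example-client-id';
const TOKEN_ENDPOINT = 'https://idp.example.com/oauth2/v1/token';

const b64url = (data) => Buffer.from(data).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Client side: create a key pair plus the public JWK that the JWKS URI would serve.
function newSigningKey(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const { kty, crv, x, y } = publicKey.export({ format: 'jwk' });
  return { kid, privateKey, jwk: { kty, crv, x, y, kid, use: 'sig', alg: 'ES256' } };
}

// Client side: build the JWT sent as client_assertion to the token endpoint.
function signClientAssertion(key, claimOverrides = {}) {
  const now = Math.floor(Date.now() / 1000);
  const header = { alg: 'ES256', kid: key.kid };
  const claims = {
    iss: CLIENT_ID, sub: CLIENT_ID, aud: TOKEN_ENDPOINT,
    iat: now, exp: now + 300, jti: crypto.randomUUID(), ...claimOverrides,
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  // JWS ES256 signatures are raw r||s (IEEE P1363), not DER.
  const signature = crypto.sign('sha256', Buffer.from(signingInput),
    { key: key.privateKey, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${b64url(signature)}`;
}

// Server side (simplified stand-in): verify against the currently published JWKS.
function verifyClientAssertion(jwt, jwks, seenJti = new Set()) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = fromB64url(parts[0]);
    claims = fromB64url(parts[1]);
  } catch (err) {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm; the token header must not be allowed to choose it.
  if (header.alg !== 'ES256') return { ok: false, reason: 'unexpected alg' };
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'EC');
  if (!jwk) return { ok: false, reason: 'unknown kid' };
  const publicKey = crypto.createPublicKey({
    key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y }, format: 'jwk',
  });
  const valid = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!valid) return { ok: false, reason: 'bad signature' };
  const now = Math.floor(Date.now() / 1000);
  if (claims.iss !== CLIENT_ID || claims.sub !== CLIENT_ID) return { ok: false, reason: 'bad issuer' };
  if (claims.aud !== TOKEN_ENDPOINT) return { ok: false, reason: 'bad audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  // Each assertion is single use: reject a jti that was already accepted.
  if (!claims.jti || seenJti.has(claims.jti)) return { ok: false, reason: 'replayed jti' };
  seenJti.add(claims.jti);
  return { ok: true, kid: header.kid };
}

// Rotation walk-through: only the published key set changes, never the client registration.
function rotationDemo() {
  const oldKey = newSigningKey('key-2022-03'); // constructed key IDs
  const newKey = newSigningKey('key-2022-04');
  const result = {};
  let published = { keys: [oldKey.jwk] };
  result.beforeRotation = verifyClientAssertion(signClientAssertion(oldKey), published).ok;
  // Signing with a key before it is published fails closed.
  result.newKeyBeforePublish = verifyClientAssertion(signClientAssertion(newKey), published).reason;
  published = { keys: [oldKey.jwk, newKey.jwk] }; // overlap window
  result.overlapOld = verifyClientAssertion(signClientAssertion(oldKey), published).ok;
  result.overlapNew = verifyClientAssertion(signClientAssertion(newKey), published).ok;
  published = { keys: [newKey.jwk] }; // old key retired
  result.oldKeyAfterRetire = verifyClientAssertion(signClientAssertion(oldKey), published).reason;
  return result;
}

console.log(rotationDemo());
```

Publishing the new public key before signing with it, and removing the old one only after an overlap window, keeps sign-ins working throughout a rotation.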
Two new reports
Monitor and improve the security of your org with the following new reports:
- MFA enrollment by user report
  Use this report to view the types and counts of authenticators that users in your org have enrolled. This can improve the security posture of your org by enabling you to understand the adoption of strong authenticators like Okta Verify. See MFA Enrollment by User report.
- User accounts report
  Use this report to view users with accounts in Okta and their profile information. It helps you manage and track user access to resources, meet audit and compliance requirements, and monitor the security of your org. The report is located in the Entitlements and Access section of the Reports page. See User Accounts report.
Enhancements
Incremental Imports for the Org2Org app
Okta now supports incremental imports for the Org2Org app. Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import. See Okta Org2Org.
Fixes
General Fixes
OKTA-447833
Admins couldn’t set up a custom domain URL with a top-level domain of .inc.
OKTA-455641
The Edit Assignment page for the Box app didn’t handle non-alphabetical characters properly.
OKTA-466022
Admins whose custom role contained the Run imports permission couldn’t view their org’s LDAP integrations.
OKTA-468707
The System Log didn't display ThreatSuspected=false for authentication events when no threat evaluation was done.
OKTA-468751
When Okta Verify was the only enrolled authenticator, time-based one-time password (TOTP) wasn’t automatically selected even though it was the last-used authentication method.
OKTA-471299
When ThreatInsight evaluated sign-in attempts for unknown users, the threat level was incorrectly displayed as threatLevel=UNKNOWN in the System Log.
OKTA-471605H
In SP-initiated flows, users' sessions ended when they closed the browser even if they selected Keep me signed in.
OKTA-471815
Some customers noticed duplicate Windows devices on the Devices page when users re-enrolled with Okta Verify.
OKTA-472304H
Group push for some customers resulted in a timeout error after one minute.
OKTA-473512
When the Custom Admin Roles feature was enabled, super admins were called Super Organization Administrators.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- Asana (OKTA-467306)
- Dashlane Business (OKTA-466333)
- Guardian Insurance (OKTA-470966)
- Loop11 (OKTA-471181)
- Names & Faces (OKTA-468537)
- Nord Layer (OKTA-469771)
- Optum Health Financial (OKTA-465956)
- QuickBooks (OKTA-467864)
- Twitter (OKTA-470889)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- ArmorCode: For configuration information, see Armorcode - How to configure Armorcode app on Okta.
- Cognism: For configuration information, see Okta SCIM Configuration setup.
- Indi: For configuration information, see Okta SSO integration with Indi.
- strongDM: For configuration information, see Set up an App in Okta for User & Group Provisioning.
- Trusona: For configuration information, see Integrating Trusona and Okta SCIM.
SAML for the following Okta Verified applications:
- Happeo (OKTA-461895)
- ScreenMeet (OKTA-466613)
- Shortcut (OKTA-461249)
- Wonderwerk (OKTA-454149)
- Zero Networks (OKTA-472331)
OIDC for the following Okta Verified applications:
- Artificial: For configuration information, see Using Okta to log in to Artificial.
- strongDM: For configuration information, see SSO with Okta.
Weekly Updates

Generally Available
Fixes
General Fixes
OKTA-374857
When admins searched for groups in the new LDAP interface, results weren’t returned if the search query contained all lowercase characters.
OKTA-440514
Sensitive attributes were exposed when Identity Provider routing rules contained Boolean expressions.
OKTA-452618
Admins whose custom role contained the Edit users' lifecycle states permission but not the View users and their details permission could view the Profile tab on the user page.
OKTA-457354
Updating an access policy rule through the Admin Console sometimes resulted in a browser error. This occurred if the rule was created using the Authorization Server API without an include array in the User Condition object.
OKTA-459720
Some apps that require admin configuration appeared on the App Catalog page of the End-User Dashboard.
OKTA-464002
Admins with two active Okta orgs linked together by the same company name were unable to sign in to the OIN Manager portal.
OKTA-469953
Sometimes, when users signed in with Okta FastPass, Okta Verify continuously requested an authentication factor until they clicked Cancel.
OKTA-470268
If tasks were pending, users experienced slow or unresponsive web browsers after navigating to the Tasks page of the End-User Dashboard.
OKTA-470384
Screen readers didn't properly read text in the App Settings page when the user set focus on Username or Password fields.
OKTA-470541
Sometimes importing from the SuccessFactors app integration failed after timing out.
OKTA-470701
Keyboard navigation and screen readers occasionally lost focus while in the App Settings page of the End-User Dashboard.
OKTA-471668
Button labels were inconsistent on the Global Session Policy page and help links were missing from the Authentication policies page.
OKTA-472593
When the Custom Admin Roles feature was enabled, the Administrator assignment by admin, Edit resources to a standard role, and Edit resource set pages didn’t display group details for imported AD/LDAP groups.
OKTA-472895
When modifying the custom email activation template, an admin could save the template without either of the required verificationLink or verificationToken elements.
OKTA-472928
When modifying the custom email challenge template, an admin could save the template without either of the required emailAuthenticationLink or verificationToken elements.
OKTA-474143
A new public key was displayed in the UI despite the new key generation operation being canceled.
OKTA-476453
Displaying the App Catalog in List View on the End-User Dashboard caused UI errors in Internet Explorer browsers.
OKTA-477943H
Admins couldn’t change the version of the Sign-In Widget for custom domains.
OKTA-478421H
When AD/LDAP users were imported into groups with assigned admin roles, the resulting admin role updates were delayed, and the Grant user privilege event didn’t appear in the System Log.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- Data.ai (OKTA-472317)
- Google Play (OKTA-470657)
- Zenefit (OKTA-472199)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- SmartHR: For configuration information, see Okta user provisioning integration with SCIM.
- Wonderverk: For configuration information, see Wonderverk's Okta documentation.
OIDC for the following Okta Verified applications:
- ePMX: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Marvin: For configuration information, see Okta Configuration Guide.
- Pretaa: For configuration information, see Pretaa Integration with Okta- OpenID Connect.

Generally Available
Fixes
General Fixes
OKTA-414109
Admins who only had the View application and their details permission could see the Self Service section on the Application > Assignments tab.
OKTA-417477
Making valid changes to the device_sso or online_access scopes in the Edit Scope dialog incorrectly returned an error message.
OKTA-441233
When a super admin saved the email notification settings for a role without making any changes, the settings weren’t restored to their default values for existing admins with that role.
OKTA-463551
Lengthy app names weren't fully listed in the search index of the Okta End-User Dashboard.
OKTA-464217
Onboarding guides were still shown to new users after admins disabled the feature in Customizations > Other > Display Options.
OKTA-467278
If an error occurred in Okta Verify during authentication or if authentication was cancelled, a delay occurred before the user was prompted again to select a security method.
OKTA-469449
Admins couldn’t change their custom sign-in page, and the wrong error message was displayed.
OKTA-469451
Send test email failed with a 500 error for some email templates.
OKTA-471120
For profile enrollment using the Sign-In Widget, the field labels for most base attributes weren't localized.
OKTA-471670
The ThreatSuspected field was missing in the user.session.start event for Radius sign-in requests.
OKTA-472914
Self-service password reset resulted in an incorrect exception message when users attempted to set a password that contained a single-space character.
OKTA-473387
Variables didn’t work in the subject lines of some email templates.
OKTA-476019
Unsaved edits appeared in the read-only view of Identity Provider routing rules.
OKTA-476469
On the Authentication policies page, the preset policies didn’t have descriptions.
OKTA-476480
During self-service password resets or account unlocks, users received an internal server error if they provided an invalid username and selected Okta Verify Push. This occurred in orgs with User Enumeration enabled.
OKTA-478605
During OAuth app creation, EC public keys weren't recognized and couldn't be validated.
OKTA-479004
Some Preview orgs experienced Office 365 import failures with the error message, “An error occurred while creating the Azure Active Directory Graph API client.”
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- MyAtt (OKTA-473277)
- Nationwide Financial (OKTA-473149)
Applications
New Integrations
New SCIM Integration application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Qapita QapMap: For configuration information, see How to configure SSO between Qapita and Okta.
SAML for the following Okta Verified application:
- Ashby (OKTA-470597)

Generally Available
Fixes
General Fixes
OKTA-409838
When the Custom Admin Roles feature was enabled, admins without the View users and their details permission could see the Profile tab on the user page.
OKTA-448751
The Admin Dashboard sometimes displayed an inaccurate number of user groups.
OKTA-448946
Updating a Salesforce app username created a new user instead of pushing a profile update.
OKTA-456820
If users authenticated with a custom IdP factor, their client details weren't captured in the System Log.
OKTA-461147
The Remember My Last Used Authenticator functionality didn’t display all available authenticators, and the authenticator that was automatically selected hadn't been previously used.
OKTA-472294
When using Branding or Custom Domain features, admins who clicked a button multiple times received an error even though the action completed successfully.
OKTA-472467
Screen readers couldn't tell whether the Password input field was hidden or revealed.
OKTA-474997
The Registration - Email Verification and Registration - Activation email templates didn't support translated text.
OKTA-477938
Using Okta Expression Language in an IdP Username to authenticate with PIV resulted in an "application not assigned" error.
OKTA-477943
Admins couldn’t change the version of the Sign-In Widget for custom domains.
OKTA-479799
When the Custom Admin Roles feature was enabled, some admins couldn’t view groups on the Administrators > Admins tab.
OKTA-479983
The Client Secret page didn't render the UI correctly for orgs with the Client Secrets Management feature enabled.
OKTA-480151
Some Expression Language variables still appeared in automated emails.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- Angie's List (OKTA-477233)
- FortiCloud (OKTA-478241)
- Lutron (OKTA-476161)
- Tableau (OKTA-471013)
Applications
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- EZOfficeinventory: For configuration information, see Implement User Provisioning via SCIM with EZOfficeInventory and Okta.
- Qapita QapMap: For configuration information, see How to configure SSO between Qapita and Okta.
SAML for the following Okta Verified application:
- Perdoo (OKTA-472102)
OIDC for the following Okta Verified application:
- Jira SAML SSO by miniOrange: For configuration information, see OAuth/OpenID Single Sign On (SSO) into Jira using Okta.

February 2022
2022.02.0: Monthly Production release began deployment on February 7
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Okta AD agent, version 3.9.0
This version of the agent contains bug fixes. See Okta Active Directory agent version history.
Okta LDAP agent, version 5.11.0
This version of the agent contains:
- Support for Proxy Authorization Control version 2 (2.16.840.1.113730.3.4.18). Users who are required to change their password after it is reset by an admin are no longer prompted twice for their password when accessing the End-User Dashboard. This new functionality is available only with LDAP services that support Proxy Authorization Control version 2. To enable this feature, contact Okta Support.
- Internal improvements and bug fixes.
Endpoint integrations
The Device Integrations page now includes an Endpoint Security tab, which allows admins to manage endpoint integrations with Windows Security Center and CrowdStrike. Endpoint Detection and Response (EDR) integration extends device posture evaluation by enabling Okta Verify to capture signals collected by your EDR client running on the same device. See EDR integration.
New Custom OTP Authenticator released on a Limited Availability basis
The Custom OTP Authenticator enables admins to deploy a wide variety of one-time password solutions in their Okta environment. See Configure Custom OTP authenticator.
Sign-In Widget User Identifier
Admins can now customize whether the user’s identifier appears on authentication and enrollment steps of the sign-in page. See Customize text on your sign-in page.
OIN catalog replaces categories with use cases
Integrations in the OIN catalog address multiple use cases beyond SSO, such as LCM, social login, and identity proofing. Okta helps prospective and current orgs identify the OIN integrations that best meet their needs by highlighting the use cases that the integrations address and the functionality that the integrations use. This information is provided on both the OIN Catalog landing page and the integration details page. Okta also provides calls to action to help users immediately find value with these integrations across the Okta product platform. Use cases and functionalities replace app categories and filters, which were previously used to sort integrations. This feature will be gradually made available to all orgs.
Provisioning to Office 365 now requires Admin Consent for Microsoft Graph API
Admins are now required to grant consent for Okta to call Microsoft Graph API to enable provisioning features for Office 365 app instances. This change prepares Okta to migrate provisioning operations to Microsoft Graph API in 2022, which will improve performance and reliability for Office 365 provisioning operations. It also enhances security for Okta customers by limiting Okta's permissions in the customer's Azure Active Directory to only those operations which are required for provisioning. Okta customers who previously configured provisioning to Office 365 are required to grant admin consent in order to make any changes to their existing provisioning settings. See Provide Microsoft admin consent for Okta.
Configure a custom error page
You can customize the text and the look and feel of error pages using an embedded HTML editor. When used together with a custom URL domain (required) and a custom Okta-hosted sign-in page, this feature offers a fully customized error page. For details, see Configure a custom error page.
Configure a custom Okta-hosted sign-in page
You can customize the text and the look and feel of the Okta-hosted sign-in page using form controls and an embedded HTML editor. When used together with a custom URL domain (required) and a custom Okta-hosted error page, this feature offers a fully customized end user sign-in experience hosted by Okta. For details, see Configure a custom Okta-hosted sign-in page.
Custom domains with Okta-managed certificates
When you customize an Okta URL domain, your Okta-hosted pages are branded with your own URL. Okta-managed certificates automatically renew through a Let’s Encrypt integration, a free certificate authority. Okta-managed certificate renewals lower customer developer maintenance costs and reduce the high risk of a site outage when certificates expire. See Customize the Okta URL domain.
Secondary email option for LDAP-sourced users
Admins can now enable a secondary email option for LDAP-sourced users in new orgs. When the secondary email option is enabled, LDAP-sourced users who haven’t previously provided a secondary email are now prompted to provide it on the Okta Welcome page. The prompt continues to appear until a secondary email is provided.
A secondary email helps reduce support calls by providing LDAP-sourced users with another option to recover their password when their primary email is unavailable. See Configure optional user account fields.
Password expiry for AD LDS-sourced users
Admins can now expire the passwords of AD Lightweight Directory Services-sourced users. Forcing users to change their password when they next sign in to Okta keeps passwords updated and enhances org security. See AD LDS LDAP integration reference.
Improved password status accuracy for LDAP-sourced users
The status of LDAP-sourced users is now accurately displayed on the user’s profile page. Previously, the user status incorrectly displayed Password Reset when a password was active. This update reduces the time admins need to spend monitoring and managing user passwords. See About user account statuses.
New features for HealthInsight
- Administrators can now enable end user email notifications when an end user changes or resets their password. See General security and HealthInsight.
- HealthInsight now includes a recommendation for admins to enable Password Changed email notifications if the notification isn't yet enabled for the org. See Password changed notification for end users.
- HealthInsight now displays a suspicious sign-in count within the recommendation that users enable ThreatInsight in block mode. See Okta ThreatInsight.
Risk scoring improvements
Risk scoring has been improved to detect suspicious sign-in attempts based on additional IP signals. See Risk scoring.
Enhancements
Custom URL domain certificate expiration reminders
Email reminders for custom URL domain certificate expiration are now sent to super admins and org admins only.
Sign-In Widget error messages
If multiple errors occur during a sign-in event, the Sign-In Widget displays all error messages together.
OIN Manager enhancements
Users can now select a maximum of five app categories for ISV submissions. If an app category isn't selected, the app is placed in the all integrations category. See App information.
Email and SMS notification renamed
The New Device Notification email and SMS messages have been renamed New sign-on notification.
App notes
App notes written by an admin are now displayed for users who hover over the app on the Okta End-User Dashboard.
Masking for eight digit phone numbers
The masking algorithm now reveals fewer digits for shorter phone numbers. For example, if the phone number has eight digits, the first five digits are masked and the final three digits are visible.
Early Access Features
New Features
Additional Okta username formats for LDAP-sourced users
Three additional Okta username formats are now available for LDAP-sourced users. In addition to the existing options, admins can now select Employee Number, Common Name, and Choose from schema to form the Okta username. These new options allow admins to use both delegated authentication and Just-In-Time (JIT) provisioning with LDAP directory services. With these new provisioning options, it is now easier for admins to integrate their LDAP servers with Okta. See Configure LDAP integration settings.
Fixes
General Fixes
OKTA-419847
On-Prem MFA API tokens contained scopes beyond what was required for agent operation.
OKTA-433751
End users received errors when accessing SWA apps through the Okta End-User Dashboard if their app passwords contained ampersands.
OKTA-436486
Some orgs couldn’t save email templates containing Velocity variables. This occurred for orgs with Enhanced Email Macros enabled.
OKTA-442296
Some end users received a 400 error after signing in to the Okta End-User Dashboard.
OKTA-443777
Admins couldn’t use the objectGuid attribute as a unique identifier when integrating AD LDS LDAP servers with Okta.
OKTA-451206
When admins enabled LDAP real-time synchronization, the system.agent.ad.realtimesync event erroneously appeared in the System Log.
OKTA-455372
If the information required to evaluate behavior was not available, the System Log displayed BAD_REQUEST for rules that included behavior detection.
OKTA-456046
When upgrading to Identity Engine, orgs received an error stating that they had Sharepoint On-Premises app instances that weren't supported by Identity Engine.
OKTA-459571
In the admin console, the status of RADIUS agents randomly changed from Operational to Disrupted.
OKTA-459778
Customized Sign-In Widgets didn’t match the preview on the Sign-In Widget code editor.
OKTA-460366
On Security > Networks > Add IP Zone, proxy IP addresses weren't explicitly identified as trusted proxy IP addresses.
OKTA-461015
Event information was missing from the Report Suspicious Activity page after users changed their password in the Sign-In Widget.
OKTA-461198
When the Custom Admin Roles feature was enabled, read-only admins could see the Assign to People, Assign to Groups, and Edit User buttons on the Applications page.
OKTA-462025
Admins who refreshed a page in the custom URL domain wizard weren’t returned to the correct step.
OKTA-462114
The ${user.login} variable appeared in default email templates.
OKTA-467470H
When the Okta Browser Plugin was installed, applications opened from the new End-User Dashboard into pop-up windows instead of regular browser tabs. This occurred for Internet Explorer users only.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- AppSplit (OKTA-462294)
- Auth0 (OKTA-456042)
- Dockerhub (OKTA-463515)
- FinServ (OKTA-463959)
- LoansPQ (OKTA-462410)
- MeridianLink LoansPQ (OKTA-460940)
- New Relic (OKTA-464710)
- ProtonMail (OKTA-463545)
- Salto Keys (OKTA-464469)
- WePay (OKTA-462296)
- Wikispaces (OKTA-462300)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- BrightHire: For configuration information, see Okta SCIM Integration Guide.
- CertCentral: For configuration information, see CertCentral integration with Okta-OpenID.
- Compliance Genie: For configuration information, see Compliance Genie: Setting up SSO with OKTA.
- UniPrint InfinityCloud: For configuration information, see Configuring Okta for InfinityCloud via App Catalog.
- VidCruiter: For configuration information, see Configuring SCIM with Okta.
SAML for the following Okta Verified applications:
- Compliance Genie (OKTA-456834)
- SecureCodeWarrior (OKTA-455728)
OIDC for the following Okta Verified application:
- Atomic Console: For configuration information, see Atomic Console OKTA OIN App Configuration Guide.
Weekly Updates

Generally Available
Self-service registration using unverified email
When email is set up as an optional authenticator, end users can complete the self-service registration process without verifying their email address. They can also use the unverified email to reset their password, if required. However, they still must verify the email if it's used for authentication. You can configure this setting in the profile enrollment policy. See Manage profile enrollment policies.
Fixes
General Fixes
OKTA-422710
When the Custom Admin Roles feature was enabled, admins who didn’t have the Manage groups permission could view the Actions drop-down menu on the Groups > Rules tab.
OKTA-425072
When a user’s session expired, they weren’t returned to the app sign-in page.
OKTA-439826
Windows Server 2008 R2 was identified as a supported operating system on the Set Up Active Directory page.
OKTA-452937
Admins experienced page scrolling errors when approving requests for Salesforce apps.
OKTA-455572
End users were unable to see their existing password when editing sign-in information for an SWA app.
OKTA-456429
On the App Access Locked page, the contact your administrator link was broken.
OKTA-458310
The Groups page displayed the Admin roles tab for non-AD/LDAP groups. This occurred for orgs with the Custom Admin Roles feature enabled.
OKTA-460374
When a default application was configured for the Sign-In Widget, no banner indicated to users which app they were signing in to.
OKTA-460647
UI elements for app settings on the Okta End-User Dashboard were inconsistent for admins and end users.
OKTA-460719
The Add Log Stream and Add Identity Provider pages were improperly rendered in Internet Explorer 11.
OKTA-461134
Tooltips didn't wrap properly on the Okta End-User Dashboard.
OKTA-461604
The Username field was missing for admins in the self-service app request workflow.
OKTA-462025
Admins who refreshed a page in the custom URL domain wizard weren’t returned to the correct step.
OKTA-462639
Some international SMS messages had the wrong country code displayed in the System Log.
OKTA-463010
Users who were migrated with a Password Import Inline Hook couldn't reset their passwords through self-service.
OKTA-463346
In Internet Explorer 11, apps on the Okta End-User Dashboard displayed incorrect titles.
OKTA-463622H
Self-service email verification failed if the email contained a redirect to the Okta Dashboard and the user already had an active session.
OKTA-463905
Super admins didn't receive an error if they saved the Administrator assignment by resource set or Administrator assignment by role page without selecting a resource set/role. This occurred for orgs with the Custom Admin Role feature enabled.
OKTA-465050
The app settings drawer incorrectly displayed a password field for SAML apps.
OKTA-466901
Custom attributes identified as cn (Common Name) were automatically mapped as username in Okta.
OKTA-471193H
Group push from Okta to Office 365 didn’t work.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Schwab Retirement Plan Center (OKTA-464739)
- SquareSpace (OKTA-466252)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Happeo: For configuration information, see Configuring Okta Provisioning for Happeo.
- Orca Security: For configuration information, see Okta SSO Configuration SCIM 2.0.
- Perimeter 81: For configuration information, see Okta (SCIM).
- Rolebot: For configuration information, see How to configure Single Sign On (OIDC) with Okta.
- SafeGuard Cyber: For configuration information, see SafeGuard Cyber Okta Configuration Guide.
SAML for the following Okta Verified application:
- CloudAlly (OKTA-453596)

Generally Available
Remember my last-used MFA authenticator
Okta now remembers which MFA authenticator the user selected the last time they successfully signed in. On subsequent sign-in attempts, if the last-used authenticator is WebAuthn, Okta Verify Push, or Okta Verify FastPass, that authenticator appears in the list on the Sign-In Widget. Otherwise, the last-used authenticator is automatically selected by default. Users can still select another authenticator by clicking Verify with something else.
Fixes
General Fixes
OKTA-449722
There was a spelling error in the Help link (Optional) section of the Settings > Account > End User Information page.
OKTA-456339
Admins whose custom admin role contained the Run imports permission couldn't click Back to Applications on the Applications page.
OKTA-465665
End users saw a blank page if they signed in to the Okta End-User Dashboard with a custom domain that ended with com.com.
OKTA-466301
The following issues occurred in the OIN App Catalog on Internet Explorer 11:
- The app details page wasn’t shown when an app was selected from the Browse Integration Catalog search results.
- App details pages didn’t render correctly.
- Users weren't able to use the up and down arrow keys to navigate search results.
OKTA-466425
On the Okta End-User Dashboard, the app setting drawer's Reveal password wasn't accessible by keyboard commands.
OKTA-466790
Landing on the Reset Password page from the /signin/forgot-password URL and clicking the Back to sign in link did not take the user back to the sign-in page.
OKTA-468607
When the Custom Admin Roles feature was enabled, newly added admins didn’t always appear on the Administrators page.
OKTA-469099
When orgs enabled both Branding and Custom Domain URL, the default domain displayed customized error pages.
OKTA-471196H
Some end users were unable to reset their password for an embedded flow using the self-service password reset process.

January 2022
2022.01.0: Monthly Production release began deployment on January 10
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Okta On-Prem MFA agent, version 1.4.8
This version of the agent contains security fixes. See Okta On-Prem MFA agent version history.
Okta Active Directory agent, version 3.8.0
This version of the agent contains:
- Agent auto-update support
- Improved logging functionality to assist with issue resolution
- Bug fixes
Okta RADIUS Server agent, version 2.17.2
This version of the agent contains security fixes. See Okta RADIUS Server agent version history.
Admin Console user interface changes
On the Device Integrations page, the Endpoint Management tab now includes an Activate/Deactivate action for legacy Device Trust desktop configurations. It also includes a warning message if an admin attempts to deactivate Device Trust when their Identity Engine app sign-on policy is not configured correctly for devices that are not trusted.
Delivery status of SMS messages in the System Log
Administrators can now view the delivery status for SMS messages in the System Log. For information about the new event type, see Configure and use telephony.
Feature name change: New Sign-On Notification
The New Device Notification functionality is renamed to New Sign-On Notification in the Admin Dashboard, the email notification title, and elsewhere. It refers to the email notification a user receives when there’s a sign-in event from an unrecognized device.
New permissions for custom admin roles
The following new permissions can now be assigned to a custom admin role:
- Activate users
- Deactivate users
- Suspend users
- Unsuspend user
- Delete users
- Unlock users
- Clear user sessions
- Reset users' authenticators
- Reset users' passwords
- Set users' temporary password
- Run imports
The new permissions give super admins more granular control over their delegated org permissions. See About role permissions.
YubiKey OTP authentication now available
YubiKey one-time-password (OTP) mode authentication is now available to Okta Identity Engine users. See Configure YubiKey for one-time passwords.
Service Principal Name functionality improvement
New Service Principal Name (SPN) functionality allows Agentless Desktop Single Sign-on (ADSSO) authentication to continue without interruption when an SPN is updated. A service account and an SPN are required for ADSSO Kerberos authentication. With this change, you can now update the SPN frequently as an additional security precaution. See Create a service account and configure a Service Principal Name.
OAuth Dynamic Issuer option
An authorization server’s issuer URL can be used to validate whether tokens are issued by the correct authorization server. You can configure the issuer URL to be either the Okta subdomain (such as company.okta.com) or a custom domain (such as sso.company.com). See .
When there are applications that use Okta’s subdomain and other applications that use the custom domain, the issuer validation breaks because the value is hard-coded to one domain or the other.
With Dynamic Issuer Mode, the issuer value in minted tokens is dynamically updated based on the URL that is used to initiate the original authorize request.
For example, if the authorize request is https://sso.company.com/api/v1/authorize, the issuer value is https://sso.company.com.
Dynamic Issuer Mode helps with:
- Split deployment use cases
- Migration use cases when customers migrate from the Okta domain to a custom domain
- Support with multiple custom domains
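A resource-server issuer check for the situation described above, shown as an added example that is not Okta's code. It assumes the token signature has already been verified, models only the release note's case where the issuer is the scheme and host of the authorize URL, and uses hypothetical function names and constructed claims.

```python
from urllib.parse import urlsplit

# Placeholder domains from the release note; all token claims below are constructed.
OKTA_DOMAIN_ISSUER = "https://company.okta.com"
CUSTOM_DOMAIN_ISSUER = "https://sso.company.com"


class IssuerError(ValueError):
    """Raised when an issuer is malformed or not in the trusted set."""


def _origin(url):
    """Return 'https://host[:port]' for url; reject anything that is not a plain https URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise IssuerError(f"not https: {url!r}")
    if parts.username is not None or parts.password is not None:
        raise IssuerError(f"userinfo not allowed: {url!r}")
    host = parts.hostname  # urlsplit lowercases the host
    if not host:
        raise IssuerError(f"no host: {url!r}")
    try:
        port = parts.port
    except ValueError as exc:
        raise IssuerError(f"bad port: {url!r}") from exc
    return f"https://{host}" if port in (None, 443) else f"https://{host}:{port}"


def issuer_from_authorize_url(authorize_url):
    """Issuer a Dynamic Issuer Mode token is expected to carry for this authorize request.

    Assumption: only the release note's example is modelled (scheme and host of the request URL).
    """
    return _origin(authorize_url)


def load_trusted_issuers(configured):
    """Validate the configured allow-list once, at start-up, and freeze it."""
    trusted = set()
    for value in configured:
        if value != _origin(value):
            raise IssuerError(f"issuer must be a bare https origin: {value!r}")
        trusted.add(value)
    return frozenset(trusted)


def check_issuer(claims, trusted):
    """Exact string match of the iss claim against the allow-list; returns iss on success.

    Assumption: claims come from a token whose signature was already verified.
    """
    iss = claims.get("iss")
    if not isinstance(iss, str) or iss not in trusted:
        raise IssuerError(f"untrusted issuer: {iss!r}")
    return iss


def naive_prefix_check(claims, expected):
    """Anti-pattern kept for contrast: prefix matching also accepts look-alike hosts."""
    return str(claims.get("iss", "")).startswith(expected)


def accepted(claims, trusted):
    """True if check_issuer accepts the claims, False otherwise."""
    try:
        check_issuer(claims, trusted)
        return True
    except IssuerError:
        return False


def demo():
    """Compare a single hard-coded issuer with an allow-list of both domains."""
    single = load_trusted_issuers([OKTA_DOMAIN_ISSUER])
    both = load_trusted_issuers([OKTA_DOMAIN_ISSUER, CUSTOM_DOMAIN_ISSUER])
    via_custom = {"iss": issuer_from_authorize_url("https://sso.company.com/api/v1/authorize"),
                  "sub": "constructed-user"}
    via_okta = {"iss": issuer_from_authorize_url("https://company.okta.com/api/v1/authorize"),
                "sub": "constructed-user"}
    lookalike = {"iss": "https://sso.company.com.lookalike.example", "sub": "constructed-user"}
    return {
        "hardcoded_rejects_custom": not accepted(via_custom, single),
        "allowlist_accepts_both": accepted(via_custom, both) and accepted(via_okta, both),
        "allowlist_rejects_lookalike": not accepted(lookalike, both),
        "prefix_accepts_lookalike": naive_prefix_check(lookalike, CUSTOM_DOMAIN_ISSUER),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A resource server that trusts both domains keeps the allow-list explicit and compares issuers exactly; prefix or suffix matching is what lets a look-alike host through.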
Rate limit dashboard
The new rate limit dashboard helps you investigate the cause of rate limit warnings and violations. You can also use it to view historical data and top consumers by their IP address.
This helps you:
- Isolate outliers
- Prevent issues in response to alerts
- Find and address the root cause of rate limit violations
You can access the dashboard using the link provided in the rate limit violation event in the System Log. See Rate limit dashboard.
You can also open the dashboard in the Admin Console to monitor API usage over a period of time, change rate limit settings, and customize the warning threshold. See Rate limit monitoring.
Error response updated for malicious IP address sign-in requests
If you block suspicious traffic and ThreatInsight detects that a sign-in request comes from a malicious IP address, Okta automatically denies the user access to the organization. The user receives an error in response to the request. From the user’s perspective, the blocked request can’t be identified as the result of ThreatInsight having identified the IP address as malicious.
Make Okta the source for Group Push groups
Admins can now make Okta the profile source for all members of a group that is used for Group Push. When this feature is enabled, integrated apps can't change app group memberships. This functionality allows admins to maintain the accuracy of app group membership and prevents changes to group membership after a push. See Manage Group Push.
Password change notifications for LDAP-sourced users
Password change email notifications may now be sent to LDAP-sourced users.
LDAP-sourced users secondary email prompt on first sign in
Admins now have the option to prompt LDAP-sourced users for a secondary email when they sign in to Okta for the first time. When a secondary email is provided, password reset and activation notifications are sent to the user’s primary and secondary email addresses. Duplicating these notifications increases the likelihood they are seen by users and reduces support requests. See Configure optional user account fields.
Directory Debugger for Okta AD and LDAP agents
Admins can now enable the Directory Debugger to provide Okta Support with access to Okta AD and LDAP agent diagnostic data. This new diagnostic and troubleshooting tool accelerates issue resolution by eliminating delays collecting data and improves communication between orgs and Okta. See Enable the Directories Debugger.
Enhancements
Improved SIW error messages
The Sign-In Widget now has improved JIT error messages.
OIN Manager enhancements
The OIN Manager includes the following updates for ISV submissions:
- It clarifies that OIDC and SAML integrations must support multi-tenancy.
- It clarifies that only one OIDC mode can be selected for an OIDC integration.
- It allows the format ${app.domain}/redirect_url for URIs.
- It no longer allows ISV submissions for the Social Login and Log Streaming categories. See OIN App Integration Catalog.
- It allows the use of app instance properties when configuring single logout (SLO) for SAML app integrations.
- It requires that ISV submissions specify one or more use cases. Existing submissions may need to be updated to change from previous categories to the new use cases.
SHA type displayed for SAML certificates
SHA type is now displayed for SAML certificates in the Admin Console.
Early Access Features
New Feature
Okta AD Agent automatic update support
Admins can now initiate or schedule automatic updates to Okta AD agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta AD agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta agents.
Fixes
General Fixes
OKTA-420065
Launch on sign-in apps on the Okta End-User Dashboard launched multiple times after the user signed in.
OKTA-448006
Some branded pages used an org’s previously uploaded logo rather than their new theme logo.
OKTA-452612
User context wasn’t included in some orgs' token inline hook request data.
OKTA-453969
Some Duo users were unable to authenticate after upgrading to Okta Identity Engine.
OKTA-454206
Some admins without super admin permissions could view a link to the Admin role assignments report. This occurred for orgs with the Custom Admin Roles feature enabled.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Bendigo Bank (OKTA-454211)
- EdgeCast (OKTA-453148)
- Maxwell Health (OKTA-454213)
- My T-Mobile (OKTA-455732)
- Redis (OKTA-454218)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Javelo: For configuration information, see Okta SCIM - Javelo App.
- Workstream: For configuration information, see Configuring SCIM for Workstream.
SAML for the following Okta Verified application:
- Regal Voice (OKTA-448791)
Weekly Updates

Fixes
General Fixes
OKTA-443601
In the User Accounts section of the Customizations page, the incorrect term User Identity Master was used instead of User Identity Source.
OKTA-450647
When the Custom Admin Roles feature was enabled, the Admin role assignments report included deactivated admins.
OKTA-454965
Admins couldn’t unsubscribe from Okta AD agent auto-update email notifications because the Agent auto-update notifications: AD agent checkbox wasn’t available in the System notifications area of the Settings page.
OKTA-458760H
When the New Social Identity Provider integrations feature was enabled, IdP profiles weren't always saved and the Redirect Domain field wasn't available.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Circulation (OKTA-456780)
- CWT (OKTA-455733)
- Key Bank (OKTA-455731)
- MyFitnessPal (OKTA-455735)
- Shutterstock (OKTA-456777)
- The Hartford EBC (OKTA-454220)
- TimeLog (OKTA-457372)
- Verizon Wireless Business (OKTA-455729)
- Xfinity (OKTA-457369)
Applications
New Integrations
SAML for the following Okta Verified applications:
- Blingby Live (OKTA-455293)
- BrightHire (OKTA-456906)
- Jones (OKTA-453595)
- TrackJS (OKTA-456630)

Generally Available
Fixes
General Fixes
OKTA-288443
Links from an expired session didn't redirect users to the Okta End-User Dashboard when they signed in.
OKTA-332414
The All apps filter in the Okta End-User Dashboard catalog was incorrectly translated.
OKTA-414419
Admins with the View application and their details permission could view the Push Status drop-down menu and the Push Groups, Refresh App Groups, and Bulk Edit buttons on the Application > Push Groups tab. This occurred for orgs with the Custom Admin Roles feature enabled.
OKTA-416052
The Sort Apps button and its drop-down menu were covered by the left navigation bar on mobile devices.
OKTA-419846
RADIUS agent API tokens contained scopes beyond what was required for agent operation.
OKTA-441218
When the Custom Admin Roles feature was enabled, third-party admins could view their admin email notification settings.
OKTA-443467
Admins were unable to sign in to the Admin Console if they had first signed in with a non-admin user account.
OKTA-443980
Admins couldn’t select a new Default Application for Sign-In Widget if the app they’d previously used was deleted.
OKTA-446224, OKTA-455268
New admins weren’t always provisioned for Salesforce Help Center.
OKTA-446449
Memberships to Salesforce Public Groups were removed from Salesforce when group memberships were updated in Okta.
OKTA-447069
Some users were unable to access their bookmark apps after migrating to the new Okta End-User Dashboard.
OKTA-447114
Okta sent MFA reset email notifications even though the factor deactivation didn’t take effect.
OKTA-447813
Sometimes, admins were unable to remove apps from the Create a resource set page. This occurred for orgs with the Custom Admin Roles feature enabled.
OKTA-454385
Password change email notifications were incorrectly sent to end users in orgs with URLs containing api/v1/user.
OKTA-457225
Users who entered their username incorrectly during enrollment in Okta Verify were shown Internal server error instead of a descriptive error message.
OKTA-457233
The default zone name for legacy IP zones was hardcoded in English and displayed in the Admin Console as a text string that could not be localized.
OKTA-457592
On the Admin assignment by admin and Admin assignment by role pages, an error sometimes appeared when the admin removed an existing standard role from the assignment and replaced it with another role. This occurred for orgs with the Custom Admin Roles feature enabled.
OKTA-459977
When a user accessed some SAML apps, the sign-in flow was initiated twice.
OKTA-460597
When the Custom Admin Roles and CSV Directory features were enabled, admins with the Manage applications permission couldn’t access the Directory Integrations page.
OKTA-460636
When the Custom Admin Roles and Application Entitlement Policy features were enabled, admins with the Edit application's user assignments permission couldn’t assign apps to users.
OKTA-460767
Admins could click Finish multiple times after adding or updating a custom domain certificate. This resulted in duplicate API calls.
OKTA-460908
Some lengthy app names caused UI errors on the Okta End-User Dashboard.
OKTA-462342
When a user copied their username in the app drawer, they were incorrectly notified that the app's password was copied to the clipboard.
OKTA-466809H
A script error occurred when users with an embedded Internet Explorer browser attempted to sign in to Okta.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Allegra (OKTA-449137)
- Clio (OKTA-458076)
- DocuSign (OKTA-456094)
- Expedia (OKTA-455734)
- FreeAgent (OKTA-454216)
- Go to Connect (OKTA-454638)
- QuickBooks (OKTA-457705)
- SuccessFactors (OKTA-449132)
- TeamPassword (OKTA-456778)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Almanac: For configuration information, see Almanac - Okta SCIM Configuration.
- Dashworks: For configuration information, see Dashworks Integration with Okta- OpenID Connect.
- Offishall: For configuration information, see User provisioning with Okta.
- Opal: For configuration information, see Setting up Opal's Okta SCIM Integration.
- Xakia: For configuration information, see Okta App SCIM Configuration Guide.
SAML for the following Okta Verified applications:
- Almanac (OKTA-456412)
- Observe (OKTA-455308)
- ReviewInc (OKTA-457711)
- Spherexx (OKTA-453592)
- Transform (OKTA-457712)
- VidCruiter (OKTA-461233)
OIDC for the following Okta Verified applications:
- Atomic Dashboard: For configuration information, see Atomic Dashboard OKTA OIN App Configuration Guide.
- Fellow.app: For configuration information, see Fellow Okta Integration Guide (SSO).

December 2021
2021.12.0: Monthly Production release began deployment on December 13
* Features may not be available in all Okta Product SKUs.
Choose client types for Office 365 sign-on policy
When creating app sign-on policy rules to manage access to Office 365 apps, you can now specify client types such as web browser, modern auth, or Exchange ActiveSync. This allows you to apply Office 365 sign-on policies to granular use-cases. See Office 365 sign-on rules options.
Branding now available in the Admin Console
This UI release provides admins and developers with an Admin Console UI to upload brand assets to customize their Okta-hosted pages. The Customizations tab in the Admin Console is also now moved to a top-level menu item in the left-hand navigation, and Branding-related controls have all been moved under it. The Settings > Appearance tab has also been removed, and functionality moved under the Customizations tab for ease of use. See Branding.
Admin Experience Redesign toggle removed
The toggle that allowed super admins to switch between the Admin Experience Redesign and the old experience has been removed. All Okta admins now benefit from our restyled Okta Admin Dashboard, responsive navigation side bar, and modern look and feel. If you need more time to adapt to the new user experience, you can revert to the old experience by contacting Okta Support until April 2022.
Upload Logo for org deprecated
The Upload Logo for Org endpoint (api/v1/org/logo) is deprecated. Use the Upload Theme Logo (/api/v1/brands/${brandId}/themes/${themeId}/logo) endpoint instead.
Salesforce Federated ID REST OAuth
Admins can now upgrade to the latest version of our Salesforce Federated ID integration. OAuth provides enhanced security and is now used for Provisioning and Imports authentication. This feature is currently available for new orgs only. See Configure OAuth and REST integration.
Okta MFA Credential Provider for Windows, version 1.3.5
This version of the agent contains:
- Security enhancements
- Internal fixes
Okta On-Prem MFA agent, version 1.4.6
This version of the agent contains updates for certain security vulnerabilities.
Okta RADIUS Server agent, version 2.17.0
This version of the agent contains updates for certain security vulnerabilities.
Enhancements
Improved text on the Get started with Okta page
On the Get started with Okta page, several heading and button labels now provide more accurate and helpful text:
- Select MFA factors is now Select Authenticators.
- Select the MFA factors you'd like your organization to use is now Select the Authenticators you'd like your organization to use.
- The Enable Factors button is now labeled Enable Authenticators.
Org setting to disable device token binding
For compatibility purposes, orgs can now disable device binding. Device binding ensures that state tokens are used only by the actor who initiated the authentication flow. See General Security.
Sign-In Widget error message
An error message now appears on the Sign-In Widget if an end user needs to open their laptop lid to use biometrics.
Early Access Features
Enhancement
Admins may now enable the Recent Activity feature
The Recent Activity functionality may now be enabled or disabled by admins. Recent Activity displays recent sign-in events and associated security events so admins can track suspicious activity and keep their environment safe. See Recent Activity.
Fixes
General Fixes
OKTA-393284
UI errors occurred when users hovered over a locked app on the Okta End-User Dashboard.
OKTA-439327
Applying admin-managed tabs to end users occasionally completed much later, after the changes were initially made.
OKTA-441168
Users were directed to the wrong step of the Log Stream creation wizard when they clicked a link to create a specific type of Log Stream.
OKTA-442241
If a SWA app's profile enrollment policy contained a newly added required attribute, users were prompted for it twice.
OKTA-443459
Some users who accessed the Okta End-User Dashboard saw a blank screen.
OKTA-443607
An incorrect name appeared for the YubiKey Authenticator on the Add Authenticators page.
OKTA-449400
The text field for an app’s alternative name was missing from the app drawer.
OKTA-450543
Users weren't prompted to correct their device’s time if their device was behind the server’s time by more than five minutes or ahead by more than 65 minutes.
OKTA-450927
Two scrollbars were displayed for mobile users.
OKTA-453065H
Admins encountered an error when trying to assign an app back to the default profile enrollment policy.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Amplitude (OKTA-449138)
- Australian Financial Review (OKTA-450189)
- Boxed (OKTA-449140)
- Google Tag Manager (OKTA-448703)
- HireFire (OKTA-448711)
- Instacart Canada (OKTA-442943)
- International SOS Assistance (OKTA-447156)
- LinkedIn (OKTA-443788)
- Mural (OKTA-443063)
- Payroll Relief (OKTA-447159)
- Safari Online Learning (OKTA-448707)
- The Hartford EBC (OKTA-448956)
- Twitter (OKTA-448961)
- XpertHR (OKTA-449721)
Applications
Application Update
The Jive application integration is rebranded as Go To Connect.
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- ContractS CLM: For configuration information, see ContractS CLM SCIM provisioning configuration with Okta.
- MURAL: For configuration information, see Configuring Provisioning for MURAL.
SAML for the following Okta Verified applications:
- Chatwork (OKTA-449761)
- ContractS CLM (OKTA-446453)
- Elate (OKTA-448860)
- WAN-Sign (OKTA-448922)
OIDC for the following Okta Verified applications:
- Ashby: For configuration information, see Configure an OIDC connection to Ashby.
- Drata: For configuration information, see Connecting Okta to Drata (Note: you need to sign in to Drata to view this documentation).
- TripleBlind: For configuration information, see Okta Configuration Guide.
Weekly Updates

Fixes
General Fixes
OKTA-328461
The footer in some email templates contained an incorrect link to Okta.
OKTA-410446
DebugData in the System Log didn’t include ClientSecret information.
OKTA-434725
Admins could deactivate apps that were used as the default redirect for the Sign-In Widget.
OKTA-440608
Some admins couldn't view groups that were assigned to an app, even though their custom role had permission to view them.
OKTA-446499, OKTA-446506, OKTA-446511
The user’s status wasn’t synchronized with Active Directory when they deleted their account from Okta Verify or toggled to a different biometric authenticator.
OKTA-447471
Duplicate reactivation requests for the Org2Org app caused 400 errors in the System Log.
OKTA-448321
When the Custom Admin Roles feature was enabled, groups with “#” in the group name couldn’t be assigned to a role.
OKTA-449563
Activating the Allow Web and Modern Auth policy (the default) for Microsoft Office 365 caused a lock to appear on Office 365 apps on the End-User Dashboard.
OKTA-449880
The text in some default email templates was incorrect.
OKTA-451868
In new developer orgs, admins weren’t provisioned for Salesforce Help.
OKTA-452041
Attempts to sign in to the Admin Console using Safari on an iOS device were prevented by the popup blocker.
OKTA-452099
The QR verification form in the device authentication flow wasn’t pre-filled with the user code.
OKTA-454767H
Some app labels were missing in the redesigned OIN App Catalog.
App Integration Fix
The following SWA app was not working correctly and is now fixed:
- GoDaddy (OKTA-449141)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Keepabl: For configuration information, see Set up SSO with Okta.
- ValidSoft VoiceID: For configuration information, see the Validsoft VoiceID Provisioning Configuration Guide.

Fixes
General Fixes
OKTA-441896
Group attribute statements added in a SAML 2.0 integration app (AIW) didn’t appear in the Preview the SAML Assertion section.
OKTA-444246
Some SAML doc links in the Admin Console didn’t work.
OKTA-447069
End-users encountered a 403 error when accessing a bookmark app after being migrated to the new Okta End-User Dashboard.
OKTA-447885
When adding a custom domain, admins received the wrong error message if they left the Domain field blank.
OKTA-448560
New users received an activation email with Velocity macros instead of their name. This occurred if the org’s profile enrollment policy didn’t require first and last names.
OKTA-448936
The Create a new resource set page couldn't display groups with & in the group name. This occurred for orgs with the Custom Admin Roles feature enabled.
OKTA-448940
The Edit resources to a standard role page displayed an error when admins searched for a group. This occurred for orgs with the Custom Admin Roles feature enabled.
OKTA-451345
The Velocity parsing engine failed when email templates contained a variable that was followed by (.
OKTA-452680
Application usage reports created asynchronously for specific groups included users that didn’t belong to the groups selected for the reports.
OKTA-453668
Duplicate enrollments caused authentication issues.
OKTA-453892
Orgs with a large number of users experienced timeouts during user Enhanced Email Macros queries.
OKTA-454197
On the Add domain page, the Next, Remove, and Verify DNS buttons were clickable while the addition was in progress.
OKTA-454655H
The Keep me signed in option for Google Authenticator was not honored.
OKTA-456383H
CSV imports failed when using Okta Provisioning Agent, version 2.0.6. For this fix, download Okta Provisioning Agent, version 2.0.7.
OKTA-458089H
Some Netsuite imports into Okta failed with the following error: A SOAP message cannot contain entity references because it must not have a DTD.
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Regal Voice: For configuration information, see Okta SCIM: Manage Regal Voice users from your Okta organization.
SAML for the following Okta Verified applications:
- Imprivata Privileged Access Management (OKTA-450222)
- Lucca (OKTA-450219)
- PowerDMS (OKTA-454504)
- Rybbon (OKTA-451438)


Enhancement
New Device Trust error
An error message now appears if an admin attempts to delete a Device Trust (Classic Engine) configuration without correctly configuring app sign-on policies for devices that are not trusted.
Fixes
General Fixes
OKTA-414394
On the Applications page, some admins with a custom role could view the buttons for actions that they didn’t have permission to perform.
OKTA-418245
The Mobile tab incorrectly appeared on the App Integrations page. Okta Mobile isn't supported in Identity Engine.
OKTA-419443
Users were able to enroll in Okta Verify and access their dashboard and apps even though their account was locked out or suspended.
OKTA-419491
Push notifications appeared repeatedly to users after they had already approved them.
OKTA-431945
Sometimes when a third-party admin role was assigned through the public API, the admin's status didn't change in the Okta Help Center.
OKTA-433439
Push Profile updates sometimes failed due to a missing Effective Date value.
OKTA-434556
In Try Okta Free orgs, the Days left in your trial banner didn’t always display the correct number of days.
OKTA-434789
When Veeva Vault was provisioned, the authentication rate limit was incorrectly applied to bulk operations.
OKTA-438657
When a custom admin role had the View application and their details permission, admins with that role couldn’t access OIDC applications.
OKTA-439081
No messages or warnings were displayed when admins set up factor requirements in an Okta sign-on policy rule.
OKTA-441340
user.session.start and user.session.stop
events didn’t include app context.
OKTA-442991
When the Custom admin roles feature was enabled, the Administrator assignment by admin and Administrator assignment by role pages displayed the Edit button for admin roles that couldn’t be constrained to a resource.
OKTA-444028, OKTA-444242, OKTA-448506
Sign-In Widget lifecycle errors for some device states and following silent probing were incorrect or misleading.
OKTA-444459
App sign-on policies weren’t deleted when their associated apps were deleted.
OKTA-445826
The help link was incorrect for Settings > Customization > Configure a custom URL domain.
OKTA-447296
If an admin canceled deactivation for a device, and then clicked Deactivate again, no confirmation dialog appeared.
OKTA-453535H
An older library for the RSA and RADIUS agents caused potential security issues in certain situations.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
-
American Funds Advisor Client Login (OKTA-442550)
-
Bank of America CashPro (OKTA-444481)
-
M&T Bank - Commercial Services (OKTA-447154)
-
Nimble (OKTA-444703)
-
The Trade Desk (OKTA-445291)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
-
Aerofiler: For configuration information, see AEROFILER SINGLE-SIGN ON GUIDE.
-
Clearwage: For configuration information, see Single Sign-On configuration guide.
-
NeuraLegion: For configuration information, see Enabling SCIM Provisioning between Okta and NeuraLegion.
-
ValueCloud by DecisionLink: For configuration information, see Configuring Okta Provisioning for ValueCloud.
SAML for the following Okta Verified applications:
-
ParkOffice (OKTA-445142)
-
SecZetta (OKTA-446467)

Enhancement
New warning for deleted devices
A warning message now appears when an admin attempts to delete a device from the Devices page.
Fixes
General Fixes
OKTA-428017
When the Custom Admin Roles feature was enabled and an admin searched for a group to assign to a role, the list of groups didn’t display their respective app logos.
OKTA-436016
In orgs with deleted groups, admins couldn't run the Admin role assignments report.
OKTA-438793
On the Admin Dashboard, the Overview section displayed an incorrect Updated at time between 12:00 AM and 1:00 AM.
OKTA-441161
When a super admin edited the User Account customization settings, an error occurred after they verified their password.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
-
HelpSpot Userscape (OKTA-440296)
-
Instacart Canada (OKTA-442946)
-
Moffi (OKTA-442915)
Applications
New Integrations
SAML for the following Okta Verified applications:
-
Autodesk (OKTA-425911)
-
YesWeHack (OKTA-443624)
OIDC for the following Okta Verified applications:
- Autodesk: For configuration information, see Okta SCIM Setup.
- Clearwage: For configuration information, see Single Sign-On configuration guide.
- Moqups: For configuration information, see Set up SCIM for Okta.
- Profit.co: For configuration information, see Configure OKTA User Provisioning for Profit.co.

Generally Available
AD Del Auth users can add secondary email
AD Delegated Authentication users can now add secondary email during their first sign in. See Active Directoryでの委任認証について.
New option on the Okta Sign-On Policy Add Rule dialog
AND Identity provider is option enables you to specify which Identity Provider end users can use to sign in to Okta. You can specify Any, Okta, or Specific IdP. The Specific IdP option presents a list of Identity Providers that have been set up in your org. See Oktaサインオン・ポリシー・ルールを追加する.
Fixes
General Fixes
OKTA-429081
When an admin deleted an app with Federation Broker Mode enabled, users could continue to sign in to the app.
OKTA-429782
Sometimes when the app group membership for a user was deactivated, any role assignments that were revoked from that user still appeared on the Administrators page.
OKTA-429868
API tokens for group admins didn't have the role displayed in the Security > API > Token section.
OKTA-432269
If Sign-up was enabled in an org’s profile enrollment policy, and that org reverted back to Classic Engine, end users who had already started the sign-up process received an error when they clicked their activation link.
OKTA-433617
App-sign on policies weren't evaluated for SAML 1.1 template apps.
OKTA-435527
Sometimes users were prompted to re-enter their password when switching between apps.
OKTA-439047
Sometimes, the System Log displayed Grant user privilege success events for admins when there were no changes to their privileges.
OKTA-441222
When a super admin changed the role notification settings for an admin, some third-party admins with that role were included in the notification subscription.
OKTA-441434
The View Setup Instructions link was broken on the Add Identity Provider page.
OKTA-441763
When admins created a new profile enrollment policy with Sign-up enabled, the link didn’t appear on the Sign-In Widget.
OKTA-444012
Branding features weren’t visible in the navigation menu of the legacy Admin Console.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
-
Alibaba Cloud (Aliyun) (OKTA-439430)
-
Apple Store for Business (OKTA-439233)
-
ID90 Travel (OKTA-435212)
-
MessageBird (NL) (OKTA-440295)
-
Screen Leap (OKTA-440292)
-
TD Ameritrade (OKTA-436146)
Applications
New Integrations
SAML for the following Okta Verified applications:
-
Agencyzoom (OKTA-436124)
-
Altruistiq (OKTA-440339)
-
Auvik (OKTA-435860)
-
Ceresa (OKTA-437597)
-
Clumio (OKTA-440285)
-
Workstream (OKTA-441160)
SWA for the following Okta Verified application:
-
Greene King (OKTA-441236)
OIDC for the following Okta Verified application:
-
Luma Brighter Learning: For configuration information, see Okta/Luma SSO.

November 2021
2021.11.0: Monthly Production release began deployment on November 8
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Okta LDAP agent, version 5.10.0
This version of the agent contains:
- Range attribute retrieval for group membership attributes (full support will be available in a future release)
- Real-time synchronization for user profiles, groups, and group memberships (full support will be available in a future release)
- Expired password reset support for the eDirectory LDAP service (Okta Identity Engine)
- Bug fixes
Okta RADIUS Server agent, version 2.16.0
This version of the agent contains:
- Government Community Cloud support
- Internal and security fixes
Okta MFA Credential Provider for Windows, version 1.3.4
This version of the agent contains:
- Government Community Cloud support
- Internal fixes
Okta On-Prem MFA agent, version 1.4.5
This version of the agent contains:
- Government Community Cloud support
- Internal fixes
Brands API support for auto-detecting contrast colors
The Brands API Theme object properties primaryColorContrastHex and secondaryColorContrastHex automatically optimize the contrast between font color and the background or button color. The auto-detection feature can be disabled by updating either property value with an accepted contrast hex value. See Brands.
New error page macros for themed templates
Custom error page templates include new macros to customize the URL (href) in addition to the button text for themed templates. See Use macros.
Custom domain SSL certification expiration warnings
To prevent service disruptions, Okta now sends admins a warning email 30, 15, and 7 days before their custom domain’s SSL certificate expires. If no action is taken, an expiration notice is sent when the certificate expires.
See Configure a custom URL domain.
Token-based SSO between native apps
Single Sign-On (SSO) between browser-based web applications is achieved by leveraging shared cookies. Unlike web applications, native applications can’t use web cookies. With Native SSO, Okta offers a token-based approach to achieve SSO between native applications.
Native SSO allows you to protect native OpenID Connect applications, such as desktop apps and mobile apps, and achieve SSO and Single Logout (SLO) between these applications. See Configure SSO for native apps.
Asynchronous Application Reports
When enabled, this feature turns the generation of the Application Usage and the Application Password Health reports into an asynchronous process. Okta generates a report with the results and sends an email to the admin containing a download link for the CSV file. This enhancement is ideal for orgs with large amounts of user activity, as the generated reports can cover a greater range without timing out. See Application Usage report and App Password Health report.
Risk scoring improvements
Risk scoring improvements are being slowly deployed to all organizations. See Risk scoring.
Password expiry warning for LDAP group password policies
You can now configure an LDAP group password policy to provide users with a password expiry warning when their LDAP password is about to expire. Providing a password expiry warning in advance prevents users from losing access to shared resources and reduces the likelihood that you’ll need to reset passwords. See Configure a password policy.
Litmos supports Advanced Custom Attributes
We’ve enriched our Litmos integration to support Advanced Custom Attributes for the user profile. This allows you to add fields into the Okta user profile. See Litmos Provisioning Guide.
Enhancements
New System Log events for custom domain setup
The following events are added to the System Log:
- system.custom_url_domain.cert_renew
- system.custom_url_domain.delete
Existing events now include CustomDomainCertificateSourceType.
OIN App Catalog user interface changes
The following text has been updated for consistency:
- FILTERS is now Capabilities
- Apps is now All Integrations
- Featured is now Featured Integrations
- OpenID Connect is now OIDC
- Secure Web Authentication is now SWA
Hash marks added to hex code fields
On the Branding page, hash marks are automatically added to the hex codes in the Primary color and Secondary color fields.
Event Hooks daily limit
The maximum allowable daily limit of Event Hooks for all orgs has increased from 100,000 to 200,000. A higher daily allocation of Event Hooks reduces the likelihood orgs will exceed their daily limits. See Workflows system limits.
Improved Branding preview
Branding previews now display correct text colors.
Sign-In Widget button colors standardized
To comply with accessibility contrast ratios, the default variant colors for buttons on the Okta sign-in and error pages have been standardized to use the Okta design system.
Admins can save Profile Enrollment settings with errors
If Profile Enrollment settings contain errors in externally sourced attributes, the Admin Console displays a warning but allows the admin to save.
CAPTCHA messages translated
CAPTCHA verification error messages are now translated in the Sign-In Widget.
Upgrade validation check for customAPPLoginURL
A new validation check prevents orgs from upgrading to Okta Identity Engine if they have a customAppLoginURL enabled.
Okta Verify can’t be deactivated
Okta Verify can’t be deactivated if any app sign-on policies require it.
Early Access Features
New Features
Log Streaming
While Okta captures and stores its System Log events, many organizations use third-party systems to monitor, aggregate, and act on event data.
Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as Amazon EventBridge in real time with simple, pre-built connectors. They can easily scale without worrying about rate limits, and no admin API token is required. See Log Streaming.
Windows Autopilot integration with Okta
You can now use Okta to secure and streamline the Windows Autopilot flow on end-user devices. Before this integration, if you were using Okta Device Trust or Okta FastPass, it prohibited the enrollment of a new device through Windows Autopilot. The new integration now allows you to accommodate Not Trusted devices with Windows Autopilot while continuing to use Okta Device Trust and Okta FastPass for Trusted devices. It also allows you to add a sign-on policy rule in Okta that requires MFA when enrolling a device through Windows Autopilot. This increases security without compromising the user experience and ensures that the right person gets access to the device. See Typical workflow for using Okta with Windows Autopilot.
Enhancements
Edit resource assignments for standard roles
Super admins can now quickly and easily search for, add, and remove the resource assignments for a standard role. See Edit resources for a standard role assignment.
Manage email notifications for custom admin roles
Super admins can configure the system notifications and Okta communications for custom admin roles. Configuring the email notifications helps ensure admins receive all of the communications that are relevant to their role. See Configure email notifications for an admin role.
New Velocity email templates
Orgs with Enhanced Email Macros enabled can now customize Factor Reset and Factor Enrollment email templates with Velocity Template Language. See Customize an email template.
Fixes
General Fixes
OKTA-418219
Sometimes when a super admin assigned several standard roles to a group at a time, some of those roles didn’t appear on the Groups page.
OKTA-420608
When users outside of an AD OU attempted to sign in to Okta using ADSSO, an Unable to complete your request error message appeared instead of the expected sign in dialog.
OKTA-425318
Admins weren't able to use the Expression Language to compare a user's status to a string.
OKTA-425375
FastPass was rejected for signing in when the user’s laptop was closed even though FastPass was enrolled with user verification enabled.
OKTA-430675
When the super org admin role was revoked from a user, the resulting email notification didn’t include the org name or URL.
OKTA-431057
Apple Safari browser version 15.0 on macOS 10.15.7 on orgs that were rolled back to Okta Classic Engine froze when users tried to delete an authenticator from their Settings page.
OKTA-434792
The user.session.start System Log event incorrectly displayed a result of SUCCESS when users were denied access by a policy.
OKTA-436651
Okta Verify and FastPass appeared as unknown authenticators on the Recent Activity page even though Okta Verify and FastPass were enabled.
OKTA-437001
During sign-in, the authenticator enrollment process displayed authenticators that were disabled in multifactor authentication, and allowed users to enroll in them.
OKTA-437011
Users who weren’t enrolled in Okta Verify in orgs that had app sign-on policies that required the use of hardware-protected authenticators received the “Unable to sign in” error message instead of being prompted to enroll in Okta Verify.
OKTA-437764
In orgs with a self-hosted Sign-In Widget and interaction code enabled, users couldn’t sign in with a social IdP.
OKTA-438981
The HealthInsight report incorrectly described newly created policies as missing required authenticators, even though those policies were configured with at least one required authenticator.
OKTA-440618
For some orgs with Branding enabled, the theme was reset after an admin’s role changed.
OKTA-440695
Some users saw an error when signing in to the new End-User Dashboard or OIDC apps for the first time.
App Integration Fixes
The following SAML app was not working correctly and is now fixed:
- Cloze (OKTA-440336)
Applications
Application Updates
- The configuration guide for the Vable SCIM integration is updated: Okta Users Provisioning For The Vable Platform.
- The American Express Work integration was a duplicate and has been removed from the OIN Catalog. Customers should use the American Express - Work integration.
New Integrations
New SCIM Integration Application:
The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
- Blue Ocean Brain: For configuration information, see Configuring Provisioning for BlueOceanBrain.
OIDC for the following Okta Verified applications:
- AIB Inc: For configuration information, see How do I use Okta to log in to AIB?
- FortifyData: For configuration information, see FortifyData documentation here (you'll need a FortifyData account).
- Sonarapp: For configuration information, see Okta Single Sign-On configuration guide.
- WordPress OAuth Single Sign-On (SSO) by miniOrange: For configuration information, see Okta Single Sign-On (SSO) WordPress OAuth| Okta SSO Login.
Weekly Updates

Generally Available
AD Del Auth users can add secondary email
AD Delegated Authentication users can now add a secondary email during their first sign-in. See About Active Directory delegated authentication.
New option on the Okta Sign-On Policy Add Rule dialog
The AND Identity provider is option enables you to specify which Identity Provider end users can use to sign in to Okta. You can specify Any, Okta, or Specific IdP. The Specific IdP option presents a list of Identity Providers that have been set up in your org. See Add an Okta sign-on policy rule.
Fixes
General Fixes
OKTA-429081
When an admin deleted an app with Federation Broker Mode enabled, users could continue to sign in to the app.
OKTA-429782
Sometimes when the app group membership for a user was deactivated, any role assignments that were revoked from that user still appeared on the Administrators page.
OKTA-429868
API tokens for group admins didn't have the role displayed in the Security > API > Token section.
OKTA-432269
If Sign-up was enabled in an org’s profile enrollment policy, and that org reverted back to Classic Engine, end users who had already started the sign-up process received an error when they clicked their activation link.
OKTA-433617
App sign-on policies weren't evaluated for SAML 1.1 template apps.
OKTA-435527
Sometimes users were prompted to re-enter their password when switching between apps.
OKTA-439047
Sometimes, the System Log displayed Grant user privilege success events for admins when there were no changes to their privileges.
OKTA-441222
When a super admin changed the role notification settings for an admin, some third-party admins with that role were included in the notification subscription.
OKTA-441434
The View Setup Instructions link was broken on the Add Identity Provider page.
OKTA-441763
When admins created a new profile enrollment policy with Sign-up enabled, the link didn’t appear on the Sign-In Widget.
OKTA-444012
Branding features weren’t visible in the navigation menu of the legacy Admin Console.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Alibaba Cloud (Aliyun) (OKTA-439430)
- Apple Store for Business (OKTA-439233)
- ID90 Travel (OKTA-435212)
- MessageBird (NL) (OKTA-440295)
- Screen Leap (OKTA-440292)
- TD Ameritrade (OKTA-436146)
Applications
New Integrations
SAML for the following Okta Verified applications:
- Agencyzoom (OKTA-436124)
- Altruistiq (OKTA-440339)
- Auvik (OKTA-435860)
- Ceresa (OKTA-437597)
- Clumio (OKTA-440285)
- Workstream (OKTA-441160)
SWA for the following Okta Verified application:
- Greene King (OKTA-441236)
OIDC for the following Okta Verified application:
- Luma Brighter Learning: For configuration information, see Okta/Luma SSO.

Enhancement
New warning for deleted devices
A warning message now appears when an admin attempts to delete a device from the Devices page.
Fixes
General Fixes
OKTA-428017
When the Custom Admin Roles feature was enabled and an admin searched for a group to assign to a role, the list of groups didn’t display their respective app logos.
OKTA-436016
In orgs with deleted groups, admins couldn't run the Admin role assignments report.
OKTA-438793
On the Admin Dashboard, the Overview section displayed an incorrect Updated at time between 12:00 AM and 1:00 AM.
OKTA-441161
When a super admin edited the User Account customization settings, an error occurred after they verified their password.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- HelpSpot Userscape (OKTA-440296)
- Instacart Canada (OKTA-442946)
- Moffi (OKTA-442915)
Applications
New Integrations
SAML for the following Okta Verified applications:
- Autodesk (OKTA-425911)
- YesWeHack (OKTA-443624)
OIDC for the following Okta Verified applications:
- Autodesk: For configuration information, see Okta SCIM Setup.
- Clearwage: For configuration information, see Single Sign-On configuration guide.
- Moqups: For configuration information, see Set up SCIM for Okta.
- Profit.co: For configuration information, see Configure OKTA User Provisioning for Profit.co.

Enhancement
New Device Trust error
An error message now appears if an admin attempts to delete a Device Trust (Classic Engine) configuration without correctly configuring app sign-on policies for devices that are not trusted.
Fixes
General Fixes
OKTA-414394
On the Applications page, some admins with a custom role could view the buttons for actions that they didn’t have permission to perform.
OKTA-418245
The Mobile tab incorrectly appeared on the App Integrations page. Okta Mobile isn't supported in Identity Engine.
OKTA-419443
Users were able to enroll in Okta Verify and access their dashboard and apps even though their account was locked out or suspended.
OKTA-419491
Push notifications appeared repeatedly to users after they had already approved them.
OKTA-431945
Sometimes when a third-party admin role was assigned through the public API, the admin's status didn't change in the Okta Help Center.
OKTA-433439
Push Profile updates sometimes failed due to a missing Effective Date value.
OKTA-434556
In Try Okta Free orgs, the Days left in your trial banner didn’t always display the correct number of days.
OKTA-434789
When Veeva Vault was provisioned, the authentication rate limit was incorrectly applied to bulk operations.
OKTA-438657
When a custom admin role had the View application and their details permission, admins with that role couldn’t access OIDC applications.
OKTA-439081
No messages or warnings were displayed when admins set up factor requirements in an Okta sign-on policy rule.
OKTA-441340
user.session.start and user.session.stop events didn’t include app context.
OKTA-442991
When the Custom admin roles feature was enabled, the Administrator assignment by admin and Administrator assignment by role pages displayed the Edit button for admin roles that couldn’t be constrained to a resource.
OKTA-444028, OKTA-444242, OKTA-448506
Sign-In Widget lifecycle errors for some device states and following silent probing were incorrect or misleading.
OKTA-444459
App sign-on policies weren’t deleted when their associated apps were deleted.
OKTA-445826
The help link was incorrect for Settings > Customization > Configure a custom URL domain.
OKTA-447296
If an admin canceled deactivation for a device, and then clicked Deactivate again, no confirmation dialog appeared.
OKTA-453535H
An older library for the RSA and RADIUS agents caused potential security issues in certain situations.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- American Funds Advisor Client Login (OKTA-442550)
- Bank of America CashPro (OKTA-444481)
- M&T Bank - Commercial Services (OKTA-447154)
- Nimble (OKTA-444703)
- The Trade Desk (OKTA-445291)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Aerofiler: For configuration information, see AEROFILER SINGLE-SIGN ON GUIDE.
- Clearwage: For configuration information, see Single Sign-On configuration guide.
- NeuraLegion: For configuration information, see Enabling SCIM Provisioning between Okta and NeuraLegion.
- ValueCloud by DecisionLink: For configuration information, see Configuring Okta Provisioning for ValueCloud.
SAML for the following Okta Verified applications:
- ParkOffice (OKTA-445142)
- SecZetta (OKTA-446467)

Enhancements
New option to display Keep me signed in checkbox
Admins can now hide the Keep me signed in checkbox on the Sign-In Widget. Disabling this feature prevents Identity Engine from remembering a user session and authenticators after the browser is closed. See General Security.
Users can select a language for voice-based authentication and recovery
Individual users can select the language used for the voice message they receive to verify their identity. If they authenticate using a phone call after changing the language setting, they will hear the voice message in their selected language. See End-user settings and Select your display language.
Support for UTF-8 characters in Okta Verify
A user can now enroll a device in Okta Verify if the device name contains emojis or other 4-byte UTF-8 characters.
No support for SharePoint upgrade to Okta Identity Engine
Upgrades to Okta Identity Engine aren't supported for orgs with SharePoint on-premises apps.
Fixes
General Fixes
OKTA-329002
The Custom Administrator Roles Early Access feature wasn’t available for Developer orgs.
OKTA-373041
If a password policy was created by API and it didn't allow password reset or account unlock, users were prompted to enroll in authenticators that were disabled in the enrollment policy.
OKTA-419163
Some admins who were assigned a custom role could convert app assignments for users they weren’t constrained to.
OKTA-425798
The endUserDashboardTouchPointVariant property on the Brands API Theme object didn’t include a variant for LOGO_ON_FULL_WHITE_BACKGROUND.
OKTA-428329
Some admins who were assigned more than one custom role could manage the app assignments for users and groups they weren’t constrained to.
OKTA-429116
The OIE Upgrade Change banner appeared on the Security > Authenticators > Password page when the Authenticator Enrollment Policy feature wasn't turned on.
OKTA-429879
Some users who tried to sign in to a custom sign-in page with an IdP received a 500 error.
OKTA-430972
The System Log failure message for invalid passwords was inconsistent with the message used for the Okta Classic Engine.
OKTA-431879
If admins edited their Branding theme after it had been applied to an Okta page, the changes weren’t applied until they performed a hard refresh.
OKTA-432829
With Enhanced Email Macros enabled, email templates that were previously customized or translated with Expression Language (EL) couldn’t be edited and saved due to invalid EL expressions.
OKTA-434610
Admins received a loading error when they attempted to access Recent Activity on an End-User Dashboard.
OKTA-434889
Office 365 org-level policies with a security question MFA failed.
OKTA-435293
After Branding was enabled, admins couldn’t use their org logo on a white background for the End-User Dashboard.
OKTA-435772
When orgs upgraded to Okta Identity Engine, some users who were enrolled in Okta Verify TOTP were unenrolled from the authentication method after the upgrade.
OKTA-436329
An operation rate limit violation event was incorrectly added to the System Log when AD-sourced users signed in to Okta multiple times and they were within the user profile reload threshold.
OKTA-436513
After Branding was enabled, some orgs were unable to update their existing subdomain names.
OKTA-436732
After the MFA Factor Enrolled email template was customized with Enhanced Email Macros, its default template continued to be sent to users.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Alabama Power (OKTA-437660)
- Ally Bank (OKTA-435214)
- American Express - Work (OKTA-438301)
- Azure Portal Login (OKTA-436740)
- Booking Admin (OKTA-436792)
- Cat SIS (OKTA-436148)
- Cronitor (OKTA-438303)
- Exact Online (OKTA-435209)
- Grove (OKTA-438304)
- Key Bank (OKTA-438305)
- Redis Labs (OKTA-436147)
- SiteGround (OKTA-437897)
- UBS (OKTA-436149)
- Vitality (OKTA-436145)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Deel: For configuration information, see SCIM Provisioning of Users with OKTA.
- embed signage: For configuration information, see Single Sign-On & User provisioning with Okta.
- Parkable: For configuration information, see SCIM configuration.
- SecureFlag: For configuration information, see Okta Single Sign-On Integration.
- Smarp: For configuration information, see Manage users with SCIM provisioning.
SAML for the following Okta Verified applications:
- Level AI (OKTA-435557)
- Loom (OKTA-398082)
- Pima.app (OKTA-435601)
- Polytomic (OKTA-435605)
- Smarp (OKTA-415875)
OIDC for the following Okta Verified applications:
- Deepnote: For configuration information, see Okta SSO.
- Inbox Monster: For configuration information, see Okta Single Sign On Integration.
- TextUs: For configuration information, see TextUs Next + Okta SSO Process.
- Waiter.com: For configuration information, see Okta Integration.

Generally Available
Enhancements
New default enrollment setting for new authenticators
The default enrollment setting when adding a new authenticator is now Optional.
Email template improvements
User enrollment and authentication email template variables have been changed to facilitate upgrade from the Okta Classic Engine.
Fixes
General Fixes
OKTA-383501
When a custom admin role was assigned to an existing group with standard roles, the System Log displayed duplicate Grant user privilege events for the members of the group.
OKTA-399667
Provisioning to Zendesk failed when a user with the same email already existed in Zendesk.
OKTA-414295
For orgs with Custom Administrator Roles enabled, the page filters on the Roles, Resources, and Admins tabs of the Administrators page were labeled incorrectly.
OKTA-414339
Org2Org Push Groups sometimes failed.
OKTA-423420
After Branding was enabled, admins could still navigate to original Settings > Customization pages.
OKTA-426540
Some admins were locked out when a Profile Enrollment policy was set up for the Admin Console app.
OKTA-426692
Provisioning (create/update) users to NetSuite failed with a Null Pointer Exception (NPE).
OKTA-429996
Orgs were able to change their custom Sign-In Widget to an unsupported version.
OKTA-432405
User-verification authenticators didn’t satisfy assurance requirements for a two-factor app sign-on policy when Security Question was allowed for authentication.
OKTA-433981
When an admin role was constrained to a group, users with that role sometimes experienced time-out errors on the People page.
Applications
Application Updates
- The Airtable SCIM app is updated to support Group Push and Import Groups.
- The configuration guide for the Acronis Cyber Cloud SCIM integration is updated: Acronis Cyber Cloud SCIM configuration guide for Okta.
New Integrations
New SCIM Integration Application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Loom: For configuration information, see Configuring Okta provisioning for Loom.
SAML for the following Okta Verified applications:
- Docutrax (OKTA-433521)
- Testsigma (OKTA-405606)
OIDC for the following Okta Verified applications:
- KeepTruckin: For configuration information, see KeepTruckin SSO Guide.
- Sora: For configuration information, see [Okta] Sora configuration guide.

October 2021
2021.10.0: Monthly Production release began deployment on October 11
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Org Under Attack for ThreatInsight
Okta ThreatInsight now has enhanced attack detection capability. “Org under attack” establishes a baseline traffic pattern and adjusts based on legitimate changes in traffic patterns. When a threat is detected, the algorithms are optimized to block all malicious requests while creating a System Log event to alert on the attack. After the attack subsides, ThreatInsight returns to its normal mode of operation. This capability enables quick blocking action during an attack. See About Okta ThreatInsight. This feature will be gradually made available to all orgs.
Enhancements
Custom footer enhancement
With Branding enabled, admins can now hide the Powered by Okta message in the footer of their Okta-hosted sign-in page and End-User Dashboard. See Configure the footer for your org.
Log per client mode for client-based rate limits
Client-based rate limits are now in Log per client mode for all orgs for both OAuth 2.0 /authorize and /login/login.htm endpoints. This offers additional isolation to prevent frequent rate limit violations.
Hidden password for dynamic SCEP URL
When you generate a dynamic SCEP URL to integrate Okta with your device management provider, or when you reset the dynamic SCEP password, the password is hidden for enhanced security. To reveal or copy the password, click Show password.
See Configure Okta as a CA with delegated SCEP challenge for Windows using Microsoft Intune and Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro.
Early Access features from this release are now Generally Available.
Fixes
General Fixes
OKTA-325592
When LDAP delegated authentication was enabled, an incorrect event type was used to process user profile updates.
OKTA-346989
Global redirect URIs weren’t maintained after an upgrade to Okta Identity Engine from Classic Engine.
OKTA-353822
If an Okta Classic Engine org had an app sign-on policy rule configured for all six platforms and then migrated to Okta Identity Engine, the app sign-on policy rule for "AND Device Platform is" wasn't marked as "Any platform".
OKTA-361609
Non-active users were able to sign in to the Office 365 app using Silent Activation.
OKTA-413405
During enrollment, a check mark didn’t appear correctly beside required authenticators on the Set up multifactor authentication page.
OKTA-419156
During phone MFA setup, users weren’t able to request another one-time passcode after entering the first one incorrectly.
OKTA-422719
A warning message appeared when users attempted to open the URL of an app that wasn’t assigned to them, and then when they clicked Sign in with Okta FastPass or signed in by entering the same username, an error message with the same information was appended to the warning message.
OKTA-423103
When selecting an authenticator for sign-in, users sometimes saw an unclear error message.
OKTA-427932
When Branding was enabled, the Sign-In Widget was distorted on custom sign-in pages.
OKTA-428268
When an LDAP interface (LDAPi) client had Custom Admin Roles enabled, time-out errors sometimes occurred during group member queries.
OKTA-429894
When a user entered an incorrect password in the Sign-In Widget and then refreshed the browser for another password attempt, the Expecting credential field warning still appeared.
OKTA-431349
Translated versions of AD and LDAP configuration validation messages weren’t provided.
OKTA-431757
The User is not assigned to this application message appeared as an INFO error rather than a WARNING.
OKTA-431868
In the UI for the SuccessFactors app, options for Active User Statuses weren't displayed.
OKTA-435586H
Some users were unable to sign in if their org's default app was deactivated or deleted.
App Integration Fixes
The following SWA app was not working correctly and is now fixed
- Amplitute (OKTA-429432)
Applications
Updates
- The configuration guide for the Asana SCIM integration is updated: Asana SCIM configuration guide for Okta.
- The following attributes are added to the KnowBe4 SCIM app:
  - customDate1
  - customDate2
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Lucca: For configuration information, see Synchronize Lucca users and groups with Okta.
- Seculio: For configuration information, see Okta user provisioning and SCIM integration.
OIDC for the following Okta Verified application:
- Extole: For configuration information, see Okta Instructions.

Enhancements
Sign-In Widget requirements
Okta Identity Engine now requires Sign-In Widget version 5.11 or later.
Remember user on sign in
Admins can now enable Remember user on sign in for their orgs. When this feature is enabled, usernames are pre-populated on the Sign-In Widget. See General Security.
Error message for Profile Enrollment policies
A new error message appears when a Profile Enrollment policy contains an externally sourced attribute.
New display mode of recovery authenticators
When you fetch the MFA Policy Settings, authenticators used for recovery are now displayed in addition to other authenticator types.
Fixes
General Fixes
OKTA-327544
An HTTP 500 Internal Server Error message appeared when users attempted to sign in to Okta and their username included an asterisk (*).
OKTA-408731
Admins couldn’t save a Profile Enrollment policy if the email field was inherited from an external source.
OKTA-415339
The sign-on policy evaluation method failed to provide an evaluation result to the System Log.
OKTA-423192
Users were allowed to access apps without re-authentication after signing out of the Okta Dashboard.
OKTA-423578
Admins could create ADSSO IdP routing rules when ADSSO functionality was enabled and then disabled.
OKTA-427145
When the Admin role assignments report was filtered by a group, it didn’t include group membership admins who were constrained to that group.
OKTA-429396
When setting up the SMS security method, some new users received a Resend code warning before 30 seconds had passed.
OKTA-430140
When Okta failed to issue a certificate, the logged event didn’t specify the reason for the failure.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- Autotask (OKTA-429728)
- Contract Express (OKTA-429434)
- DocsCorp Support (OKTA-425176)
- Google Play Developer Console (OKTA-425775)
- SAP Concur Solutions (OKTA-427469)
- Shipwire (OKTA-426103)
- Twitter (OKTA-430242)
Applications
New Integrations
New SCIM Integration Application
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Productiv: For configuration information, see Okta SSO Provisioning Setup Guide.
SAML for the following Okta Verified applications
- Jooto (OKTA-429135)
- Merge (OKTA-430337)
OIDC for the following Okta Verified applications
- Cami.AI: For configuration information, see Okta Integration with Cami.AI.
- Provarity: For configuration information, see Okta configuration guide.
- Recollective: For configuration information, see Okta Integration (Identity Provider).
- Upward Agent: For configuration information, see SSO with Okta.

Enhancements
New account-unlock email
Users requesting self-service unlock now receive an informational email with no OTP or magic link if the user isn't actually locked out.
New way to display available authenticators in End-User Settings
The End-User Settings page only shows the authenticators that the end user is allowed to enroll in.
Fixes
General Fixes
OKTA-391670
Users sometimes saw duplicate options to use email as an alternative authenticator for MFA.
OKTA-396616
LDAP users were sometimes prompted to reset their password after completing self-service password reset.
OKTA-408043
When changing the profile enrollment policy applied to an app, admins saw a blank screen if they clicked View all profile enroll policies.
OKTA-417160
When users signed out from the End-User Dashboard and then signed back in from the same browser tab, the URL was incorrect.
OKTA-419837
When Branding was enabled, custom code editor pages displayed an incorrect warning.
OKTA-423481
The app sign-on policy rule for Okta FastPass displayed that user verification (biometrics) was required when biometrics wasn’t configured as a possession factor constraint.
OKTA-423586
Function names that include blank spaces didn’t work with Enhanced Email Macros.
OKTA-425232
When Branding was enabled, the Go to Homepage button on the Okta error page didn’t use the default Okta variant color.
OKTA-426446
When a third-party admin role was assigned, the admin's status didn't change in Salesforce and the Exclude admin from receiving all admin-related communications rule wasn't enforced.
OKTA-430127
When Branding was enabled and later disabled, the sign-in and error pages that were customized with HTML code editors during the enabled period could be reset to their defaults.
OKTA-430524
The default password policy was sometimes being evaluated for users instead of the configured password policy.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- Frame.io (OKTA-427018)
- Google Play Developer Console (OKTA-425775)
- PNC Borrower Insight (OKTA-426061)
- Tech Data (OKTA-427022)
Applications
New Integrations
SAML for the following Okta Verified applications
- Blue Ocean Brain (OKTA-426050)
- Kintone.com (OKTA-421223)
- Skypher (OKTA-426992)
OIDC for the following Okta Verified applications
- APIsec: For configuration information, see How to Configure OKTA SSO for APISec.
- Entromy: For configuration information, see Entromy Okta SSO Integration.
- TRUCE: For configuration information, see TRUCE & Okta SSO Integration Guide.

Fixes
General Fixes
OKTA-291631
AD-sourced users with a staged status weren't automatically activated when they used ADSSO with JIT provisioning to sign in to Okta.
OKTA-368709
In newly migrated Okta Identity Engine orgs, users were able to reset their passwords with only a Security Question.
OKTA-414089
Admins with the Manage Applications custom admin permission couldn’t access the Profile Editor, Directory Integrations, or Profile Sources pages.
OKTA-418013
Sign-in hints weren't provided for users signing in by way of SAML IdP authentication.
OKTA-419733
Password Reset emails were sent to both primary and secondary email addresses after the Secondary Email option had been disabled.
OKTA-420154
If client-based rate limiting was enabled, end users were sometimes presented with a 429 error instead of the sign-in page when their session expired or they signed out.
OKTA-423419
When Enhanced Email Macros was enabled, using required variables without brackets resulted in a validation error.
OKTA-423470
Org logos on the new Okta End-User Dashboard were sometimes oversized.
OKTA-423795
Externally sourced users whose accounts were created through inbound federation could edit their profiles after the re-authentication window had expired.
OKTA-427137
DocuSign deprovisioning sometimes failed with the following error: “Adding entity to http method DELETE is not supported.”
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- 3Rivers (OKTA-424892)
- Adobe Enterprise (OKTA-424893)
- CallTower (OKTA-424894)
- Parse.ly (OKTA-422625)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- KnowBe4: For configuration information, see here (you need to sign in to KnowBe4 to access their documentation).
- Verint Community: For configuration information, see How Do I Setup User Provisioning Using SCIM?
SAML for the following Okta Verified application
- Code Climate Velocity (OKTA-424882)
OIDC for the following Okta Verified applications
- Auditrunner: For configuration information, see Auditrunner: How to Configure SSO between Auditrunner and Okta.
- Verint Community: For configuration information, see How Do I Setup User Provisioning Using SCIM?
- Workrunner: For configuration information, see Workrunner: How to Configure SSO between Workrunner and Okta.

Fixes
General Fixes
OKTA-376916
Users encountered enrollment error messages when signing in if their orgs were migrated from Okta Classic Engine to Okta Identity Engine, used custom Sign-In Widgets, and required multifactor authentication.
OKTA-416892
In Settings > Customization, inactive applications were visible in the Default Application for Sign-In Widget list.
OKTA-417450
LDAP-sourced users weren’t able to sign in to the Okta Admin Console when their passwords expired and a password policy allowed passwords to be updated.
OKTA-417507
Users whose orgs required a password plus a WebAuthn authenticator to satisfy knowledge and possession assurance requirements were also prompted with a Security Question.
OKTA-418421
End users received a 404 error when they attempted to self-register with a social login.
Applications
New Integrations
New SCIM Integration Application
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Pop: For configuration information, see Pop: Okta Integration.
SAML for the following Okta Verified application:
- Wiz (OKTA-422626)

September 2021
2021.09.0: Monthly Production release began deployment on September 7
* Features may not be available in all Okta Product SKUs.
Okta as a certificate authority
New CA functionality
Okta supports additional certificate authority (CA) functionality for admins:
- When you use Okta as a CA, Okta now revokes device certificates that were issued but not used for successful authentication within 90 days.
- Okta now supports certificate revocation when you provide your own CA. Only certificate revocation list (CRL) endpoints that use the HTTP or HTTPS protocol are supported. CRLs must be signed by the same intermediate certificate that the admin uploaded, and the client certificate should include the certificate distribution point URI. See Configure a certificate authority.
Support for dynamic SCEP
Okta now supports dynamic Simple Certificate Enrollment Protocol (SCEP) for macOS using Jamf Pro. See Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro.
New System Log events
The following System Log events are new:
- The pki.cert.issue event indicates that a certificate was issued to a device.
- The pki.cert.bind event indicates that a certificate was bound to a device.
- The pki.cert.lifecycle.suspend event indicates that a certificate was suspended because an admin deactivated the device that it was bound to.
- The pki.cert.lifecycle.delete event indicates that a certificate was deleted because an admin deleted the device that it was bound to.
- The pki.cert.lifecycle.revoke event indicates that a certificate was revoked and placed on the certificate revocation list (CRL).
- The pki.cert.lifecycle.hold event indicates that a certificate was placed on temporary hold and placed on the CRL.
- The pki.cert.lifecycle.activate event indicates that a certificate was removed from temporary hold, and removed from the CRL.
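The lifecycle that these events describe can be replayed to reconstruct which certificates are currently on the CRL and to flag sequences that don't fit the descriptions above. The following Python is an added example, not Okta code: it runs over constructed, minimal event records that keep only the published, eventType, and target[].id fields, and it assumes the certificate is the first target entry. The state names and the two anomaly checks are this example's own.

```python
from datetime import datetime

# State each event type leaves a certificate in, per the event descriptions
# in the release note. The state names themselves are this example's own.
TRANSITIONS = {
    "pki.cert.issue": "issued",
    "pki.cert.bind": "bound",
    "pki.cert.lifecycle.suspend": "suspended",
    "pki.cert.lifecycle.delete": "deleted",
    "pki.cert.lifecycle.revoke": "revoked",
    "pki.cert.lifecycle.hold": "on_hold",
    "pki.cert.lifecycle.activate": "active",
}
# The note says revoke and hold place the certificate on the CRL. It does not
# say whether a suspended certificate is listed, so suspend is not counted.
CRL_STATES = {"revoked", "on_hold"}
# Assumption of this example: nothing further is expected for a certificate
# once it has been revoked or deleted.
TERMINAL = {"revoked", "deleted"}


def parse_time(value):
    """Parse an ISO 8601 UTC timestamp such as 2021-09-08T09:00:00.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def replay(events):
    """Replay pki.cert.* events in time order.

    Returns (states, on_crl, anomalies): the last known state per certificate,
    the sorted IDs currently on the CRL, and a list of
    (certificate id, event type, reason) tuples for unexpected sequences.
    """
    states, anomalies = {}, []
    relevant = [e for e in events if e["eventType"] in TRANSITIONS]
    for event in sorted(relevant, key=lambda e: parse_time(e["published"])):
        # Assumption: the certificate is the first entry in the target list.
        cert = event["target"][0]["id"]
        etype = event["eventType"]
        previous = states.get(cert)
        if previous in TERMINAL:
            anomalies.append((cert, etype, f"event after certificate was {previous}"))
            continue
        # activate means "removed from temporary hold", so a hold must precede it.
        if etype == "pki.cert.lifecycle.activate" and previous != "on_hold":
            anomalies.append((cert, etype, "activate without a preceding hold"))
            continue
        states[cert] = TRANSITIONS[etype]
    on_crl = sorted(c for c, s in states.items() if s in CRL_STATES)
    return states, on_crl, anomalies


def ev(published, event_type, cert):
    """Build a constructed, minimal event record."""
    return {"published": published, "eventType": event_type, "target": [{"id": cert}]}


# Constructed sample data, deliberately out of order; not real log output.
SAMPLE_EVENTS = [
    ev("2021-09-12T00:00:00.000Z", "pki.cert.bind", "cert-B"),
    ev("2021-09-08T09:00:00.000Z", "pki.cert.issue", "cert-A"),
    ev("2021-09-08T09:05:00.000Z", "pki.cert.bind", "cert-A"),
    ev("2021-09-09T12:00:00.000Z", "pki.cert.lifecycle.hold", "cert-A"),
    ev("2021-09-10T08:00:00.000Z", "pki.cert.lifecycle.activate", "cert-A"),
    ev("2021-09-08T09:10:00.000Z", "pki.cert.issue", "cert-B"),
    ev("2021-09-08T09:15:00.000Z", "pki.cert.bind", "cert-B"),
    ev("2021-09-11T00:00:00.000Z", "pki.cert.lifecycle.revoke", "cert-B"),
    ev("2021-09-08T09:20:00.000Z", "pki.cert.issue", "cert-C"),
    ev("2021-09-08T09:25:00.000Z", "pki.cert.bind", "cert-C"),
    ev("2021-09-09T15:00:00.000Z", "pki.cert.lifecycle.suspend", "cert-C"),
    ev("2021-09-08T09:30:00.000Z", "pki.cert.issue", "cert-D"),
    ev("2021-09-09T16:00:00.000Z", "pki.cert.lifecycle.activate", "cert-D"),
    ev("2021-09-08T09:40:00.000Z", "pki.cert.issue", "cert-E"),
    ev("2021-09-10T10:00:00.000Z", "pki.cert.lifecycle.hold", "cert-E"),
    ev("2021-09-09T17:00:00.000Z", "user.session.end", "session-1"),
]

if __name__ == "__main__":
    states, on_crl, anomalies = replay(SAMPLE_EVENTS)
    print("states:", states)
    print("on CRL:", on_crl)
    for cert, etype, reason in anomalies:
        print(f"anomaly: {cert} {etype}: {reason}")
```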
Enhancements
ThreatInsight default mode for new orgs
For new orgs, the default mode for ThreatInsight is now set to Audit mode. Previously, with no mode set by default, events weren't logged unless Audit mode or Block mode was enabled manually. Now with Audit mode set by default for new orgs, the security.threat.detected event is logged once a malicious request is detected. See Okta ThreatInsight.
Profile Enrollment policy changes
AppUser attributes that are required in a user schema are no longer checked by Profile Enrollment policies. See Manage Profile Enrollment policies.
New System Log event for successful user sign-in
Admins will now see the user.authentication.verify event in the System Log. This event is triggered when a user successfully signs in to their account.
Admin Console UI changes
In the Admin Console, the Device Management page (accessed from Security > Device Integrations) was renamed Device Integrations.
Sign-in Widget clarification
In the Sign-In Widget, the message for email verification now instructs the user to either click the email magic link or enter the one-time password (OTP) code for verification.
Account recovery clarification
After successful account recovery, screen messaging that instructs users to return to the original sign-in browser tab is now more descriptive.
Early Access Features
New macros for email templates
App name, app ID, and app label macros are now available for use with Enhanced Email Macros enabled. See Customize an email template.
Fixes
General Fixes
OKTA-391032
Custom admins with Manage group permissions could view the Add Rule button on the Groups > Rules tab.
OKTA-412278
After a self-service account unlock error, users saw duplicate Back to the sign in links.
OKTA-417463
The Username field in the Sign-In Widget wasn’t pre-populated with the config.username value.
OKTA-419565
The magic link for self-service password reset directed users to the sign-in page if an active session for another user was present in the browser.
OKTA-419713
The error message wasn't clear when a user tried to claim email account recovery links multiple times.
OKTA-421801
Some users with a custom domain URL couldn't add or edit resource sets for custom admin roles.
OKTA-422155
Users received a multifactor reset email in addition to the multifactor enrollment email when they enrolled in Okta FastPass.
OKTA-422158
Some legacy Universal 2nd Factor (U2F) users weren't able to use their YubiKey devices to authenticate after their org was upgraded to Okta Identity Engine.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Avalara (OKTA-415081)
- Fisher Scientific (OKTA-422646)
- Microsoft Volume Licensing (OKTA-420160)
- Quadient Cloud (OKTA-422635)
- RescueAssist (OKTA-422643)
- WeWork (OKTA-423570)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Acronis Cyber Cloud: For configuration information, see Configuring Provisioning.
- LoopVoc: For configuration information, see Okta (Enterprise version only).
- Qooling: For configuration information, see Configuring SCIM in OKTA for Qooling.
SAML for the following Okta Verified applications:
- Anomalo (OKTA-421527)
- Paradime (OKTA-420444)
OIDC for the following Okta Verified application:
- Statsig: For configuration information, see Single Sign-On With Okta.

Enhancement
New app sign-on policy option: Identity Provider
Okta users may now use their Identity Provider credentials to sign in to apps through the Okta End-User Dashboard.
Fixes
General Fixes
OKTA-373673
If an Identity Engine org disabled Push authentication in its MFA enrollment policy before rolling back to Okta Classic, its users were still prompted for Push authentication.
OKTA-418039
Enhanced email macros didn’t work with Branding.
OKTA-419440
Internal server and NullPointerException (NPE) errors were returned when Active Directory-sourced users attempted to reset expired passwords.
OKTA-420077
The Security Checklist couldn’t update new device notifications in Org Settings.
OKTA-421010
The Sign-In Widget didn't consistently time out when the end user failed to respond to an out-of-band authenticator challenge.
App Integration Fixes
The following SWA app was not working correctly and is now fixed:
- Vitality (OKTA-420790)
Applications
Application Update
The following integrations are deprecated from the OIN Catalog:
- Hiveed
- BenXcel
- FIS Global
- Nanigans
New Integrations
SAML for the following Okta Verified applications:
- Blingby Programmatic (OKTA-421181)
- Perimeter 81 (OKTA-415079)
- Snackmagic (OKTA-419393)
- Suveryapp (OKTA-420053)
SWA for the following Okta Verified application:
- Integromat (OKTA-420293)
OIDC for the following Okta Verified application:
- Hone: For configuration information, see Logging in with Okta single sign-on.

Enhancement
Changes to default sign-on policy for new app instances
The default sign-on policy for new apps now requires a password or Identity Provider instead of the previous default — any 1 factor type.
Fixes
General Fixes
OKTA-288910
When signing into Okta with Microsoft as a service provider, the Okta sign-on page wasn’t auto-filled with the user’s sign-on information.
OKTA-387939
The Just In Time Provisioning section of the Admin Console Customization page didn’t include Lightweight Directory Access Protocol (LDAP) as an available authentication method.
OKTA-406616
Sometimes after admins manually activated users, the users received errors when trying to enroll authenticators.
OKTA-416160
When admins re-selected the Okta FastPass (All platforms) checkbox after getting a "You can't disable Okta FastPass because..." error, the same error appeared unless they refreshed the page.
OKTA-419526
When users accessed Okta from Internet Explorer 11 that was running on Microsoft Windows 10, they only saw one authenticator on the Add Authenticator page even when multiple authenticators were available.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Alerus (OKTA-418805)
- BenXcel (OKTA-418794)
- Inbox by Gmail (OKTA-412080)
- IBM MaaS360 (OKTA-418799)
- Redis Labs (OKTA-418789)
Applications
Application Updates
- We have added the userType attribute to the Slab SCIM schema. For details, see the Slab Okta SCIM Integration Guide.
- The FIS Global Client integration is deprecated from the OIN Catalog.
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Documo: For configuration information, see Okta Scim Configuration Guide.
- DocuSign CLM UAT: For configuration information, see Okta SCIM and SAML Integration.
SAML for the following Okta Verified applications:
- Blingby Inline (OKTA-410691)
- Panzura Data Services (OKTA-419287)
- RudderStack (OKTA-413572)
OIDC for the following Okta Verified applications:
- EZGIT: For configuration information, see Logging in with Okta single sign-on.
- Joyous: For configuration information, see Okta Single Sign-On.
- XY Sense: For configuration information, see How to add SSO Okta integration.

Enhancement
Expression language (EL) improvements
Okta expression language (EL) attributes now include rule validation. See About custom expressions for devices.
Fixes
General Fixes
OKTA-405664
Routing rules that were configured with a User matches condition incorrectly allowed users to choose from multiple IdPs.
OKTA-412443
Admins couldn't add samAccountName as an attribute in the Active Directory Password Reset email template.
OKTA-414646
Some users were unable to sign in with authenticators they'd successfully used before.
OKTA-415713
If user enumeration prevention was enabled in their org, users incorrectly saw error messages when they attempted self-service password resets.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed
- Fannie Mae Desktop Underwriter (OKTA-416904)
- Frame.io (OKTA-416896)
- i-Ready (OKTA-416899)
- InternationalSOS (OKTA-415410)
- LifeLock (OKTA-413854)
- Milestone Xprotect Smart Client (OKTA-416893)
- SDGE (OKTA-416903)
- ShipStation (OKTA-416897)
- Simple Sales Tracking (OKTA-416906)
- Washington Post (OKTA-416908)
- Yodeck (OKTA-415411)
Applications
New Integrations
New SCIM Integration Applications
The following partner-built provisioning integration apps are now Generally Available in the OIN catalog as partner-built:
- GitHub AE: For configuration information, see Configuring Provisioning for GitHub AE.
- LoopVoc: For configuration information, see Single Sign On (SSO): Okta (Enterprise version only).
- MaestroQA: For configuration information, see MaestroQA/Okta SCIM configuration guide.
- MaestroQA-Enterprise: For configuration information, see MaestroQA-Enterprise/Okta SCIM configuration guide.
- Sentry: For configuration information, see Okta SCIM Provisioning.
SAML for the following Okta Verified application
- Hiretual (OKTA-413861)
OIDC for the following Okta Verified application
- Seamless.AI: For configuration information, see Connecting and Setting up Okta SSO.

August 2021
2021.08.0: Monthly Production release began deployment on August 9
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Polling support for ADSSO and IWA authentication sessions
Agentless Desktop Single Sign-on (ADSSO) and Integrated Windows Authentication (IWA) authentication sessions now include polling to reduce the likelihood customers will receive 429 Too Many Requests errors when they are trying to access Okta during peak periods. Rather than immediately denying an authentication request, the server is continually polled for 30 seconds until the user can be authenticated. With this change, authentication requests are more likely to be successful and wait times are reduced. See Active Directory Desktop Single Sign-on.
Name change: Authenticator is now called Security Method
The term Authenticator has been replaced with Security Method everywhere that multifactor authentication methods are displayed to end users. The term hasn't changed in the Admin Console.
New session behavior
Users who sign in from the same browser they used to enroll in Okta Verify won't have to verify their authenticators again unless they've exceeded their org's policy reauthentication time limit.
LDAP agent, version 5.8.0
This version of the agent contains:
- Password expiry warning support for Oracle Directory Server Enterprise Edition (ODSEE), Oracle Unified Directory (OUD), OpenDJ, and SunOne 5.2 LDAP directory services
Enhancements
New warning for excessive IP addresses
A warning now appears if a gateway or proxy has an IP range with more than 5 million addresses. See Create an IP zone.
Start time and end time of rate limit windows
The Rate Limit Dashboard now displays the start time and end time of the rate limit window for each data point. This helps you analyze each data point with more granularity. See Rate limit dashboard.
Okta Mobile removed from the Admin Console
Links to Okta Mobile for iOS and Okta Mobile for Android have been removed from the Mobile Apps section of the Settings > Downloads page. Okta Mobile settings have been hidden from the Security > General page. Okta Mobile isn't available for Identity Engine.
Removal of new experience settings for enabled environments
Settings to enable the new end-user experience won't be shown to orgs that have enabled the feature and removed access to the old experience.
UI Change for Okta Verify Users
The Sign in using Okta Verify on this device button has been changed to Sign in with Okta FastPass.
Early Access Features
New Features
Third-Party Risk
Okta Risk Eco-System API / Third-Party Risk enables security teams to integrate IP-based risk signals to analyze and orchestrate risk-based access using the authentication layer. Practitioners can step up, reduce friction or block the user based on risk signals across the customer’s security stack. Apart from improving security efficacy, this feature also enhances the user experience by reducing friction for good users based on positive user signals. See Risk scoring.
Fixes
General Fixes
OKTA-381874
On the Agents page, admins couldn't remove deleted RADIUS agents or hide the ones that weren't in use.
OKTA-405384
Users who enrolled in platform authenticators, such as Okta Verify Desktop or WebAuthn, and tried to authenticate on a different device or enroll Okta Verify on their mobile device were unable to authenticate.
OKTA-407918
The custom sign-out page URL didn’t match the address configured in Customization Settings.
OKTA-408448
Users didn’t receive an error message when they reached the rate limit for submitting OTP codes.
OKTA-408851
The OAuth scope consent page sometimes displayed incorrect messages.
OKTA-410951
Just-in-Time provisioning didn't automatically initiate self-service unlock for AD or LDAP-sourced users who were locked out of Okta but not out of their AD or LDAP accounts.

Content
Generally Available Features
Okta solution visible in footer
To help admins identify their Okta solution, the version number in the footer of the Admin Console is now appended with C for Classic Engine orgs and E for Identity Engine orgs. See Identify your Okta solution.
UI Change for Okta Verify Users
The Sign in using Okta Verify on this device button has been changed to Sign in with Okta FastPass.
Okta FastPass configuration messages
Admins are provided with more descriptive messages during Okta FastPass configuration. The messages help admins configure the correct Push notification (Android and iOS only) and Okta FastPass (all platforms) verification options.
UI changes for Device Management
Security > Device Management is now Security > Device Integrations and the Device Management screen is now named Device Integrations. Actions on the Device integrations screen are provided as a drop-down list, and the Device Management tab is now named Endpoint Management.
Authenticator is now Security Methods
The term Authenticator has been replaced with Security Method everywhere that multifactor authentication methods are displayed to end users. The term has not changed in the Admin Console.
New and updated System Log events
In the System Log, the user.session.end event, which indicates that a user signed out from a session that was authenticated using a device, was updated to include device information.
The following System Log events are new:
- The device.lifecycle.activate event log indicates that the status of a device is now set to active. The user can access protected resources from an active device if permitted by the App Sign-On policies applied to the resources.
- The device.lifecycle.deactivate event log indicates that the status of a device is now set to deactivated. Once deactivated, no user can access company resources on this device. All user access on the device is revoked. You can reactivate the device, but users are required to re-enroll before they can get access.
- The device.lifecycle.suspend event indicates that the status of a device is now set to suspended. The user can't use the device.
- The device.lifecycle.unsuspend event indicates that the status of a device is now active. Users can access protected resources from the device.
- The device.lifecycle.delete event indicates that the device was deleted. The device no longer appears in the Admin Console.
- The device.user.add event indicates that a user added a new account in Okta Verify.
- The device.user.remove event indicates that the association between a user and a device is removed. The user can no longer use the device.
- The pki.ca.add event indicates that a third-party certificate authority (CA) was added to the Admin Console. The CA is now available to the org.
- The pki.ca.delete event indicates that a third-party certificate authority (CA) was removed from the Admin Console. The CA is no longer available to the org.
- The device.platform.add event indicates that a device management platform was added to the org.
- The device.platform.update event indicates that changes were made to the device management platform configuration.
- The device.platform.delete event indicates that a device management platform was removed from the org.
Fixes
OKTA-390329
Notification messages weren't displayed when users enrolled or removed authenticators from their profiles.
OKTA-398165
Admins who selected the Users Locked Out task on the Admin Dashboard were redirected to the Reset Password page instead of the Unlock People page.
OKTA-399274, OKTA-404732
The "Signing in to Okta Dashboard" message and the Okta spinner icon weren’t configurable for custom orgs.
OKTA-402014
For AD-sourced users, admins weren’t able to add samAccountName as an attribute in email messages sent during account unlock.
OKTA-405384
Users who were enrolled in Okta Verify Desktop, security key, or biometric authenticators couldn't complete multifactor authentication from a different device.
OKTA-406399
When a custom domain and sign-in page were enabled, some users received a server error if they accessed a bookmark app with OAuth consent enabled.
OKTA-406759
After their sessions expired, users who signed in to Okta through an IdP weren't prompted for password reauthentication when they attempted to re-launch an app.
OKTA-410907
Active Directory users who were enrolled in Okta Verify and the Duo authenticator were unable to initiate self-service account unlock using the Unlock with Okta Verify Push notification method.
OKTA-411633
Admins were unable to remove the last MFA authenticator from the list of authenticators even though no policies required multifactor authentication.
OKTA-412606
Active Directory-sourced users were deactivated when their username was changed in Active Directory and their user profile was updated in Okta.
OKTA-413683
After entering an invalid username, users who clicked Forgot password? more than once were returned to the sign-in page.
OKTA-413703
For some orgs, the More Integrations section of the Okta App Catalog appeared empty.

Generally Available Features
LDAP Delegated Authentication
Delegated authentication allows users to sign in to Okta by entering credentials for their organization's Active Directory (AD), Windows-networked single sign-on (SSO), or user stores that employ the Lightweight Directory Access Protocol (LDAP). See Get started with LDAP integration.
JIT users from AD
Just-In-Time (JIT) provisioning enables automatic user account creation in Okta the first time a user authenticates with Active Directory (AD) delegated authentication, Lightweight Directory Access Protocol (LDAP) delegated authentication, or Desktop SSO. JIT account creation and activation only work for users who aren't already Okta users. This means that users who are confirmed on the import results page, regardless of whether or not they were subsequently activated, aren't eligible for JIT activation. When JIT is enabled, users don't receive activation emails. See Add and update users with Active Directory Just-In-Time provisioning and Add and update users with LDAP Just-In-Time provisioning.
Agentless Desktop Single Sign On
With Agentless Desktop Single Sign-on (DSSO), you don't need to deploy IWA agents in your Active Directory domains to implement DSSO functionality. This reduces or eliminates the maintenance overhead and provides high availability as Okta assumes responsibility for Kerberos validation. See Active Directory Desktop Single Sign-On.
Configure multiple Identity Providers as a part of a routing rule
With the Okta Identity Engine, you can configure multiple Identity Providers to be returned as part of a successful evaluation of a routing rule. This feature enables end-users to select any social login provider (for example, Okta, LinkedIn, Apple, or Google) of their choice in the sign-in flow. Organizations can even add context (for example, Device or IP) in deciding acceptable social login providers. See Identity Provider routing rules.
Sign in with a magic link
Email authenticator allows users to authenticate successfully with a token that is sent to their primary email address. Users can click the link containing the embedded token or use the six-digit one-time code. Email authenticator enables convenient one-click passwordless sign-in experiences. See Configure the email authenticator.
Bring your own CAPTCHA
Bring your own CAPTCHA enables you to leverage your existing captcha provider (reCAPTCHA or hCAPTCHA) to add additional layers of protection against bots and other fraudulent activity. You can set up CAPTCHA verification on your sign-up, authentication, and self-service password reset flows. End users could be prompted to solve a CAPTCHA challenge if the provider you use detects potentially fraudulent activity. See and Developer Documentation.
Flexible account recovery
Okta Identity Engine introduces more flexible self-service password and account recovery flows. For the primary factor, in addition to email, voice call, and SMS, users can trigger self-service recovery with Okta Verify Push (requires specific SKU). For the secondary factor, admins can leverage any enabled factor. Self-service recovery offers an improved end-user experience with a strengthened security posture. See Self-service account recovery.
Authenticators
Authenticators are credentials owned or controlled by an end-user which are verified during Okta policy evaluation. Authenticator examples include password, Okta Verify, and phone (SMS or voice call). Authenticators allow admins to associate credentials that are bundled together (for example, Okta Verify Time-based One-Time Password (TOTP) and push credentials on the same mobile device). Authenticator methods are labeled with factor type (for example, possession, knowledge, or biometric) and optional characteristics (for example, hardware-protected or phishing-resistant). Admins can combine authenticator characteristics with an authentication policy to meet security and usability requirements. See Configure authenticators and Developer Documentation.
More granular app sign-on policies
App sign-on policies allow organizations to model security outcomes for access based on industry-accepted digital identity best practices (outlined by NIST) and enforce end-user authentication requirements (such as 2-factor types or phishing-resistant) based on the context of the requested application. Leverage a user's location, risk, device context, and behaviors against the app-level policy's group membership and authentication criteria. App sign-on policies enable elevated security postures for sensitive applications. See App sign-on policies and the following Developer Documentation:
SDKs, Sample Apps, and Guides
Harness the power of Okta Identity Engine through SDKs and Widgets. These SDKs/Widgets create abstractions that allow developers to make direct calls and absorb dynamic remediation in their applications for future compatibility. The SDKs also have Sample Apps and Step by Step Guides to walk you through common scenarios and implement them. These capabilities increase developer efficiency and enable the critical identity-driven capability for your applications. See the following Developer Documentation:
Office 365 Silent Activation
Okta silent activation for Microsoft Office 365 provides a seamless experience for accessing Microsoft Office on shared workstations or VDI environments. When Okta is used as an identity provider, your end users can sign in to a domain-joined Windows machine and are automatically signed in to Office 365 applications. See Office 365 Silent Activation: New Implementations.
Early Access Features
Okta FastPass
Okta FastPass enables passwordless authentication into anything you need to get your work done, on any device. Utilize Okta FastPass to minimize end user friction when accessing corporate resources, while still enforcing Okta’s adaptive policy checks. See Configure Okta FastPass.
Allow or deny custom clients in Office 365 sign on policy
You can filter specific clients in an Office 365 app sign-on rule to allow or deny them access to Office 365 resources. This filter is especially useful if you want to deny access to certain clients that you don't support or trust. Alternatively, you can use this filter to only allow clients you trust. It gives you more granular control over the clients that get access to your Office 365 app. See Allow or deny custom clients in Office 365 sign on policy.
Use Okta MFA to satisfy Azure AD MFA requirements for Office 365
You can use Okta multifactor authentication (MFA) to satisfy the Azure AD MFA requirements for your WS-Federation Office 365 app instance. See Use Okta MFA to satisfy Azure AD MFA requirements for Office 365.