Okta Preview Release 2016.17 began deployment on April 27. For the latest information on our release schedule, see Current Release Status.
Check the version number at the bottom of your Okta Administrator page to see your current version. Clicking the version number takes you directly to the folder containing the release notes.
Migrating Orgs with Federated Profiles (AD Integrations)
Beginning April 21, 2016 for Preview orgs and May 4, 2016 for Production orgs, Okta will automatically migrate all orgs that use the Active Directory (AD) Federated Profiles option to the Okta enhanced AD integration. Enhanced integration combines the best features of our Classic Imports and Federated Profiles options into a single, simplified, more robust offering. For more details, see About Okta's Enhanced Active Directory Integration.
To help ensure a successful migration, note the following:
- Some features of Enhanced AD Integration require that all Okta AD Agents be upgraded to version 3.3.5. Otherwise, changes you make to Group OU settings will not take effect for JIT Provisioning until you restart your agents. (The agent upgrade requires a complete uninstallation and reinstallation; see Installing and Configuring the Active Directory Agent.)
- By default, Enhanced AD Integration synchronizes groups on a daily basis (you can change the import frequency in Import and Account settings). Your integration settings for user imports are preserved. This means that if your org is not configured to run scheduled imports, your users continue to be imported and/or updated via Just In Time provisioning (JIT).
New Product Features
- Okta has added a new MFA option, Voice Call Authentication. End users enter a generated security token that is sent to them through a phone call from a mobile device or landline phone. For details, see Configuring Multifactor Authentication. Voice call is an Early Access (EA) feature; please contact Okta Support to enable it.
- Okta has developed a richer provisioning experience for admins managing Google Apps. Google licenses and deprovisioning actions can now be centrally and granularly managed within Okta. This includes the ability to automatically release the license when an Okta user is deprovisioned or deactivated. For more details on this feature, see Configuring Google License Management. This is an EA feature; please contact Okta Support to enable it.
- Okta Verify now features Touch ID, providing an additional security layer. Admins can configure an end-user fingerprint request, which appears after the initial MFA challenge. If the user's device is lost or stolen, no one else can gain access to it. This feature is currently only available for iOS devices. For details, see Okta Verify with Touch ID. Touch ID is an EA feature; please contact Okta Support to enable it.
If Okta is configured to sign outgoing SAML authorization requests, we now include the SAML destination attribute automatically if none is specified. For more information, see Configuring Inbound SAML with Universal Directory Options. Previously, this feature was available only for new organizations.
Okta offers authentication whitelisting and blacklisting based on zones. IP Zones are sets of IP address ranges and Geolocations are named geographic locations defined by an admin. These features are used in policies, application sign-in rules, and VPN Notifications. This feature expands the use of Gateway IP Addresses. For more information, see Defining IP Zones.
Note: IP Zones and Geolocation are separate EA features; please contact Okta Support to enable them. You cannot enable Geolocation without IP Zones.
The Okta Confluence toolkit version 1.0.13 is confirmed to support Confluence on-prem versions 5.9.1 and 5.9.8. For more information, see the Current Confluence Jar Version History.
Okta strongly recommends that customers download and upgrade the latest SAML toolkit and the necessary Jira or Confluence authenticators. You can access all of these tools from the Okta Downloads page (from the Dashboard select Settings > Downloads).
New Platform Features
You can find platform documentation and other developer resources at http://developer.okta.com
OAuth 2.0 Access Token Endpoint Accepts Login Short Names
Requests to /oauth2/v1/token with the password grant type now support login short names.
Address Claim for OpenID Connect Apps
You can use the address claim for OpenID Connect applications.
Incremental Features Summary
The following table summarizes features that are enabled incrementally. Links in the Feature column point to additional documentation for that feature, if available. After the feature is fully released, it is no longer tracked in this table. For release history of all features, see Features by Release.
|LDAP Reset Password SMS||2016.16||2016.17||2016.16||2016.17|
|Password Policy (Softlock)||2016.15||2016.17-2016.18||2016.15||2016.17-2016.18|
|SAML Destination Attribute||2015.52||2015.52||2016.16-2016.18||2016.16-2016.18|
We've implemented SAML for the following Okta Verified applications:
We've implemented SWA for the following Okta Verified applications:
We've added the following Mobile applications for use with Okta Mobility Management (OMM):
Bug numbers ending with an H are hotfixes. Hotfixes are generally deployed after the initial release.
Product Bug Fixes
The following issues are fixed:
- OKTA-80226 – In some cases, save password banners continued to display even though the browser plugin setting Block browsers from saving passwords for Okta apps was enabled.
- OKTA-83967 – During account recovery for Active Directory accounts, the complexity requirement for the security answer was not enforced.
- OKTA-85719 – When the New Okta Sign-in Experience is enabled, users attempting to change an AD password did not receive relevant error messages.
- OKTA-85892 – App logos (web clips) were replaced by the Okta logo when Safari users accessed Okta-managed apps from iOS mobile devices.
- OKTA-86395 – Unable to view users who are exempt from MFA policies if the number of exempt users exceeded 20.
- OKTA-86866 – The externalId Profile mapping appeared in the SYSTEM section instead of BASE. The SYSTEM section has been removed.
- OKTA-87091 – When using Workday as a master, the automatic profile push from Okta to Workday failed for contingent workers.
- OKTA-87875 – Two-factor authentication failed for some AD-mastered users using RADIUS in 2FA mode.
Platform Bug Fixes
The following issues are fixed:
- OKTA-62160 – Some permission checks on the IDP transaction APIs behaved incorrectly.
- OKTA-86425 – If a request included the HTTP accept-encoding header, not all API responses were compressed. Note: This fix is available on Preview orgs, and is expected on Production orgs in a few weeks.
- OKTA-86552 – Some OpenID Connect recovery tokens were incorrectly timed out after 10 minutes.
- OKTA-86647 – In the Java SDK, intermittent API call failures were due to the Apache HTTP client.
- OKTA-87015 – The auth_time claim in the OpenID Connect ID token, returned from the /api/v1/token endpoint, was incorrect.
Apps Integrations Fixed
The following SWA apps were not working correctly and are now fixed:
Baystate Benefits - Employee
Campaign Monitor (OKTA-87261)
Globality ReadMe.io (OKTA-87187)
Schwab Equity Award Center