Okta Production – Release 2016.17 Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Okta Production – Release 2016.17
Published: May 4, 2016   -   Updated: Jun 22, 2018
Okta Preview Sandbox (oktapreview.com) features from 2016.16 and 2016. 17 have been combined and pushed to Production (okta.com). This deployment began on May 3. For the latest information on our release schedule, see Current Release Status.

Check the version number at the bottom of your Okta Administrator page to see your current version. Clicking the version number takes you directly to the folder containing the release notes.

User-added image

Migrating Orgs with Federated Profiles (AD Integrations)

Beginning April 21, 2016 for Preview orgs and May 4, 2016 for Production orgs, Okta automatically will migrate all orgs that use the Active Directory (AD) Federated Profiles option to the Okta enhanced AD integration. Enhanced integration combines the best features of our Classic Imports and Federated Profiles options into a single, simplified, more robust offering. For more details, see About Okta's Enhanced Active Directory Integration.

To help ensure a successful migration, note the following:

  • Some features of Enhanced AD Integration require that all Okta AD Agents be upgraded to version 3.3.5.  Otherwise, changes you make to Group OU settings will not take effect for JIT Provisioning until you restart your agents. (The agent upgrade requires a complete uninstallation and reinstallation; see Installing and Configuring the Active Directory Agent.)
  • By default, Enhanced AD Integration synchronizes groups on a daily basis (you can change the import frequency in Import and Account settings.) Your integration settings for user imports is preserved. This means that if your org is not configured to run scheduled imports, your users continue to be imported and/or updated via Just In Time provisioning (JIT).

New Product Features​

  • Okta has added a new MFA option, Voice Call Authentication. End users enter a generated security token that is sent to them through a phone call from a mobile device or landline phone. For details, see Configuring Multifactor Authentication. Voice call is an Early Access (EA) feature; please contact Okta Support to enable it.
  • Okta has developed a richer provisioning experience for admins managing Google Apps. Google licenses and deprovisioning actions can now be centrally and granularly managed within Okta. This includes the ability to automatically release the license when an Okta user is deprovisioned or deactivated. For more details on this feature, see Configuring Google License Management. This is an EA feature; please contact Okta Support to enable it.
  • Okta Verify now features Touch ID, providing an additional security layer. Admins can configure an end-user fingerprint request, which appears after the initial MFA challenge. If the user's device is lost or stolen, no one else can gain access to it. This feature is currently only available for iOS devices. For details, see Okta Verify with Touch ID. Touch ID is an EA feature; please contact Okta Support to enable it.
  • If Okta is configured to sign outgoing SAML authorization requests, we now include the SAML destination attribute automatically if none is specified. For more information, see Configuring Inbound SAML with Universal Directory Options. Previously, this feature was available only for new organizations.

  • Okta offers authentication whitelisting and blacklisting based on zones. IP Zones are sets of IP address ranges and Geolocations are named geographic locations defined by an admin. These features are used in policies, application sign-in rules, and VPN Notifications. This feature expands the use of Gateway IP Addresses. For more information, see Defining IP Zones.

    User-added image

    Note: IP Zones and Geolocation are separate EA features; please contact Okta Support to enable them. You cannot enable Geolocation without IP Zones.

Toolkit Update

The Okta Confluence toolkit version 1.0.13 is confirmed to support Confluence on-prem versions 5.9.1 and 5.9.8. For more information, see the Current Confluence Jar Version History.

Okta strongly recommends that customers download and upgrade the latest SAML toolkit and the necessary Jira or Confluence authenticators. You can access all of these tools from the Okta Downloads page (from the Dashboard select Settings > Downloads).

New Platform Features

Note: You can find platform documentation and other developer resources at http://developer.okta.com.

Oauth 2.0 Access Token Endpoint Accepts Login Short Names

Requests to /oauth2/v1/token with the password grant type now support login short names.

Address Claim for OpenID Connect Apps

You can use the address claim for OpenID Connect applications.

Incremental Features Summary

The following table summarizes features that are enabled incrementally. Links in the Feature column point to additional documentation for that feature, if available. After the feature is fully released, it is no longer tracked in this table. For release history of all features, see Features by Release.

New Orgs
New Orgs
Existing Orgs
Existing Orgs
LDAP Reset Password SMS2016.162016.172016.162016.17
Password Policy (Softlock)2016.152016.17-2016.182016.152016.17-2016.18
SAML Destination Attribute2015.522015.522016.16-1016.182016.16-2016.18

Application Updates


We've implemented SAML for the following Okta Verified applications:

  • Biztera (OKTA-86979)

  • Engagedly (OKTA-85027)

  • Spoke (OKTA-86076)

  • Xpand (OKTA-87106)

We've implemented SWA for the following Okta Verified applications:

  • BookingBug (OKTA-86372)

  • CastleGarde (OKTA-86377)

  • Centralpoint (OKTA-87697)

  • Coolblue (OKTA-87713)

  • HireFire (OKTA-86374)

  • SignUpGenius (OKTA-86375)

  • Simple (OKTA-87034)

  • Solutionary (OKTA-87075)

  • Visible Equity (OKTA-86379)

  • Windstream Online (OKTA-86370)

  • Zazzle (OKTA-86376)

We've added the following Mobile applications for use with Okta Mobility Management (OMM):

  • Facebook at Work (OKTA-83619)

  • RememberTheMilk (OKTA-87278)

  • Trip Advisor (OKTA-86367)

  • Voya - Retirement Plan Participants

Bug Fixes

Bug numbers ending with an H are hotfixes. Hotfixes are generally deployed after the initial release.

Product Bug Fixes

The following issues are fixed:

  • OKTA-79514 – Some admins occasionally experienced slow responses or couldn't access the Admin Dashboard and received Internal Server Error messages.
  • OKTA-80198 – When authenticating with Duo for Box, some customers saw an out-of-date user interface.
  • OKTA-80226 – In some cases, save password banners continued to display even though the browser plugin setting Block browsers from saving passwords for Okta apps was enabled.
  • OKTA-82297 – Some error messages on the General tab for OIDC apps were difficult to understand. 
  • OKTA-83669 – Some users were unable to find the Workday app on iOS devices.
  • OKTA-83967 – During account recovery for Active Directory accounts, the complexity requirement for the security answer was not enforced.
  • OKTA-85719 – When the New Okta Sign-in Experience is enabled, users attempting to change an AD password did not receive relevant error messages.
  • OKTA-85747 – The iOS enrollment page for OMM was not dynamically resized based on device size/orientation.
  • OKTA-85892 – App logos (web clips) were replaced by the Okta logo when Safari users accessed Okta-managed apps from iOS mobile devices.
  • OKTA-86282 – End users were unable to reach the Okta Sign In page using Windows Internet Explorer 9 in IWA environments with the New Okta Sign-In Experience enabled.
  • OKTA-86395 – Unable to view users who are exempt from MFA policies if the number of exempt users exceeded 20.
  • OKTA-86816 – The error message in the system log about account link restrictions did not display the incoming subject.
  • OKTA-86866 – Note: Reported in 2016.17 Preview, but won't be fixed until 2016.18 Preview. 
  • OKTA-87091 – When using Workday as a master, the automatic profile push from Okta to Workday failed for contingent workers.
  • OKTA-87875 – Two-factor authentication failed for some AD-mastered users using RADIUS in 2FA mode.

Platform Bug Fixes

The following issues are fixed:
  • OKTA-62160 – Some permission checks on the IDP transaction APIs behaved incorrectly.
  • OKTA-86194 – The characters % (percent), \ (backslash), and _ (underscore) weren't escaped in queries to /api/v1/users and /api/v1/apps/{id}/catalog/users. This behavior made it difficult to find results that contained these characters. You may want to review any queries that depend on such results.
  • OKTA-86425 – If a request includes the HTTP accept-encoding header, not all API responses were compressed. Note: This fix is available on Preview orgs, and is expected on Production orgs in a few weeks.
  • OKTA-86552 – Some OpenID Connect recovery tokens were incorrectly timed out after 10 minutes.
  • OKTA-86647 – In the Java SDK, intermittent API call failures were due to the Apache HTTP client.
  • OKTA-87015 – The auth_time claim in the OpenID Connect ID token, returned from the /api/v1/token endpoint, was incorrect.
  • OKTA-87218(h) – For GET /oauth2/v1/authorize, the parameter nonce is required. 

Apps Integrations Fixed

The following SWA apps were not working correctly and are now fixed:

  • Adobe EchoSign (OKTA-86635)

  • Baystate Benefits - Employee (OKTA-87266)

  • CallTower (OKTA-86253)

  • Campaign Monitor (OKTA-87261)

  • CSI - WatchDOG Elite (OKTA-86634)

  • Curalate (OKTA-86630)

  • Empire Blue Cross (OKTA-86244)

  • eStara On Demand Webcare (OKTA-86621)

  • FirstBank Online Banking (OKTA-86622)

  • Globality ReadMe.io (OKTA-87187)

  • Harvest (OKTA-87269)

  • LawRoom (OKTA-87267)

  • myKASTLE (OKTA-87469)

  • MyResourceLibrary (OKTA-86627)

  • Pivotal Academy (OKTA-84347)

  • RememberTheMilk (OKTA-87272)

  • Schwab Equity Award Center

  • Silkroad RedCarpet (OKTA-82898)

  • SteadyBudget (OKTA-86831)

  • The Toll Roads (OKTA-86623)

  • Unity Ads (OKTA-86942)

  • Voya - Retirement Plan Participants

  • Webfilings (OKTA-86633)

The following SAML apps were not working correctly and are now fixed:

  • Datadog (OKTA-86000)