Okta Production – Release 2017.05 Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Okta Production – Release 2017.05
Published: Mar 1, 2017   -   Updated: Jun 22, 2018

Okta Preview Sandbox (oktapreview.com) features from 2017.03, 2017.04, and 2017.05 releases have been combined and pushed to Okta Production release 2017.05 (okta.com). This deployment began on February 28. For the latest information on our release schedule, see Current Release Status.

Check the version number at the bottom of your Okta Administrator page to see your current version. Clicking the version number takes you directly to the folder containing the release notes.

User-added image

Version numbers usually indicate the year and week of the year when releases are pushed to orgs. For example, release 2017.02 was pushed the second week of 2017. The week numbers follow the ISO Week Date convention. 

Special Announcements

EOL for Okta support of Apple mobile OS version

With the releases of Okta Mobile 5.2.0 and Okta Verify 3.2.0, Okta no longer supports iOS 8. Users attempting new installations on iOS 8 will see a notice stating that their OS version is no longer supported. Currently, Okta supports iOS versions 9.x and 10.x. For details, see Okta Support for Mobile Operating System Versions.

Browser plugin phased rollout

On February 20, 2017, Okta began a phased Generally Available (GA) release of Okta browser plugin version 5.11.x for all supported browsers. The rollout is targeted to end on March 7, 2017. This version provides security enhancements. Okta strongly recommends that you install the plugin when prompted to do so. If you have any questions or concerns following the upgrade, contact Okta Support. For version history, see Browser Plugin Version History.

New Okta Sign-In Experience to be enabled for all remaining Production orgs

We've postponed our plan to automatically enable by February 15, 2017 the New Okta Sign-In Experience for the remaining Production orgs that have not enabled it yet. In the meantime, we still recommend that you enable the feature at your convenience to let your users become familiar with it. If you have any questions, please contact Okta Support.

Apple iOS 10 upgrade impact on Okta Mobility Management Password Sync

Users who have upgraded to iOS 10 should note the following: If you’re using Okta Mobility Management (OMM) to configure Exchange ActiveSync (EAS) profiles, a known issue has been introduced that affects OMM’s ability to perform Password Sync for EAS profile updates on iOS devices. For details and workarounds, see Known Issue: iOS10 upgrade impacts Okta Mobility Management (OMM) Password Sync.

What's New

Unless otherwise noted, these features are available to all Production orgs with release 2017.05:

  • If Okta fails to process an IWA token, you can now redirect end users to a custom error page. This option is useful if you embed Okta into your solution and want to control end-to-end branding to enhance end user experience. For more information, see Login Error Page.

    User-added image

    This is an Early Access (EA) feature; contact Okta Support to enable it.

  • As with Domain local and Global groups, you can now push Universal groups to Active Directory.

    User-added image

  • When creating a new OpenID Connect app and configuring an Implicit grant type, you can now specify whether to include ID Tokens, Access Tokens, or both. 

    User-added image

  • Per SAML standards, we now send Universal Directory (UD) array attributes in SAML 1.1 assertions as multi attribute values.

  • We have enhanced our System Log to now include more granular Microsoft Office 365 events.

  • Radius users—we have developed a Generic Radius App that allows for access control on multiple Radius configurations. This option also provides the ability to create policy and assign Radius authentication to groups of users. For details, see Okta Generic Radius App. This is an Early Access (EA) feature; to enable it, contact Okta Support.
  • An animated transition page now appears when users click chiclets to log into apps:

    User-added image

    This is an Early Access (EA) feature; contact Okta Support to enable it.

  • Okta Verify with Touch ID is now Generally Available (GA). You can configure an end-user fingerprint request that appears after the initial MFA challenge. If the user's device is lost or stolen, no one else can gain access to it. This feature is currently available only for iOS devices. For details, see Okta Verify with Touch ID.

  • We have improved text in the end user Welcome screen and Settings page in the Japanese language.

  • SCIM template apps are now available in Preview.

  • In addition to the index, we now support requesting the SAML ACS Endpoint by URL. For information about allowing apps to request other URLs, see Using the App Integration Wizard

  • You can set an authorization server to manually rotate keys. Keys are rotated automatically by default. For more information, see API Access Management.

    Important: Automatic key rotation is more secure than manual. Use manual key rotation only if you can't use automatic.

  • You can now search on the exact name of an authorization server or resource URI from the Authorization Servers tab (Security > API).

    User-added image

  • We have enhanced the Amazon Web Services SAML SSO to allow setting of a configurable AWS ACS URL and AWS API URL. These fields are optional, and give the you added control over the app configuration. Note that if you already have an Amazon Web Services app configured, it will continue to work as-is. (This feature was hotfixed in Preview Release 2017.02).

Browser Plugin Update

The Okta plugin version 5.9.3 is now Generally Available (GA) for Firefox and Internet Explorer (IE) browsers. This release provides performance and security enhancements and is available to all customers via Settings > Downloads. For version history, see Browser Plugin Version History.

Agent Update

  • The Okta IWA Web App version 1.10.1 is now GA. This release includes internal improvements as well as all the fixes and enhancements contained in EA versions 1.10.0 and 1.10.1. It is available to all customers via Settings > Downloads. For version history, see SSO IWA Web App Version History.
  • The Okta Active Directory Agent version 3.4.5 is now available to EA users. This release fixed an issue in which Okta failed to recognize users' AD group memberships via JIT imports and updates. To obtain this EA release, contact Okta Support. For the version history, see Active Directory Agent Version History.

  • The Okta Radius Server agent version 2.5.0 is now available to EA users. This release supports the Radius Generic App and Amazon Workspace App. To obtain this EA release, contact Okta Support. For the version history, see Okta RADIUS Server Agent Version History.

Platform Release Notes

Changes to the platform for this release are published in the Platform Release Notes on http://developer.okta.com.

Incremental Features Summary

There are no incremental features in this release.

Application Updates

  • We have added email and phone writeback functionality for UltiPro international employees. This is an EA feature, contact Okta Support to enable it. For more information about UltiPro provisioning, see here.

  • We have added the option to send email notifications upon user creation to the JIRA Cloud and JIRA on-premise app integrations:

    User-added image

We've implemented SWA for the following Okta Verified applications:

  • Adjust (OKTA-113618)

  • Apple MyAccess (OKTA-113555)

  • Awesome Screenshot (OKTA-113632)

  • Framer Cloud (OKTA-113964)

  • Google Partner Dash (OKTA-113487)

  • Google Tag Manager (OKTA-113211)

  • Kanbans (OKTA-69763)

  • Predictive Policing (OKTA-111943)

  • Principal Advisor (OKTA-112103)

  • WestNet Learning (OKTA-114255)

We've implemented SAML for the following Okta Verified applications:

  • Duo Network Gateway (OKTA-111954)

  • Honest Buildings (OKTA-112673)

  • Keeper Password Manager and
    Digital Vault (OKTA-112806)

  • LiveRamp Connect (OKTA-113207)

  • MetricStream (OKTA-111284)

  • Qminder (OKTA-112438)

  • RFPIO (OKTA-112823)

  • Velpic (OKTA-113130)

We've implemented SAML for the following Community Created applications:

  • Splunk Cloud (OKTA-96258)


We've added the following Mobile application for use with Okta Mobility Management (OMM):

  • Cornerstone OnDemand (OKTA-114007)

  • MyMWC - GSMA (OKTA-112838)

  • SDGs in Action (OKTA-110663)

  • SDGs in Action (OKTA-110663)

We've changed Signature/Digest algorithms from SHA1 to SHA256 for the following SAML apps:

  • AbsorbLMS (OKTA-114002)

  • ACL GRC (OKTA-112483)

  • ANCILE uAlign (OKTA-112835)

  • BenefitSolver (OKTA-112466)

  • Bright Funds (OKTA-112472)

  • BSwift (OKTA-113982)

  • Changepoint (OKTA-114004)

  • Cisco Spark Platform (OKTA-113962)

  • Corcentric COR360 (OKTA-113989)

  • Corpedia (OKTA-112484)

  • CultureWizard (OKTA-112487)

  • Daptiv (OKTA-112488)

  • Eloqua (OKTA-113985)

  • Everbridge Manager (OKTA-112458)

  • GetThere (OKTA-112490)

  • IBM Global Expense Reporting
    Solutions (GERS) (OKTA-112459)

  • iMeetCentral (OKTA-112477)

  • Information Center (Deprecated)

  • Introhive (OKTA-112491)

  • Intuit Quickbase without SubDomain

  • KnowBe4 (OKTA-112463)

  • LeanKit (OKTA-114001)

  • MyComplianceOffice (OKTA-112493)

  • Novatus (OKTA-113963)

  • Qvidian (OKTA-113995)

  • SAP NetWeaver (OKTA-113987)

  • Schoolzilla (OKTA-112464)

  • Selectica (OKTA-113997)

  • TalentWise (OKTA-112460)

  • Towers Watson Case Management

  • Whitehat Security (OKTA-113977)

  • Zoho (OKTA-112479)

  • ZoomForth (OKTA-112480)

Bug Fixes

Bug numbers ending with an H are hotfixes. Hotfixes are typically deployed after the initial release.

Product Bug Fixes

The following issues are fixed:

  • OKTA-59054 – A non-operational button to globally expire passwords was displayed in error.
  • OKTA-84474 – For end users required to provide MFA, the IWA background image failed to appear during sign on.
  • OKTA-89842 – Users were shown a menu option for which they did not have permissions and received an error page.
  • OKTA-89870 – The Assign Apps option was incorrectly available for the User Admin.
  • OKTA-89874 – Users profile pages did not display assigned applications.
  • OKTA-93556 – An empty email field failed to display the appropriate error message.
  • OKTA-96219 – Users created in downstream applications sometimes had the wrong group level attribute.
  • OKTA-98392 – Mobile setup for Duo MFA failed to scale for mobile devices.
  • OKTA-104954 – Null values for SCIM app custom attributes were not pushed to third-party apps.
  • OKTA-105809 – A 400 Bad Request error was caused when more than thirty users signed in using a single browser.
  • OKTA-105873 – Importing users via a CSV file failed for some types of apps.
  • OKTA-106534 – Box settings changes were saved even after the service account validation failed.
  • OKTA-106579 – Users weren't deactivated in Okta when the option Immediate Termination Reason for a Contingent Worker was set in Workday.
  • OKTA-106902 – Following an AD Import, the Employment Status and Job Information fields were not mapped in BambooHR.
  • OKTA-107388 – In app attribute settings, the Group Priority option Combine values across groups reverted to Use Group Priority after provisioning settings were changed.
  • OKTA-107998 – API-activated users were successfully created and assigned to a group, even when they did not meet the group’s password requirements, but failed at activation.
  • OKTA-108093 – Microsoft Office 365 failed to push null values for the Description in a Distribution List or Security Group.
  • OKTA-108477 – Signing in to ClearCompany from the Okta dashboard failed.
  • OKTA-109159 – Manipulating HTML script tags for use in the Okta MFA security question was prevented, while saving unsafe database additions was allowed.
  • OKTA-110000 – When group memberships in Org2Org were updated, members were removed, then re-added. In some cases this caused unwanted deprovisioning.
  • OKTA-110090 – Workday-mastered, imported end-users were intermittently arrested in an activating status.
  • OKTA-111110 – An empty Reports section on the Admin Dashboard was displayed inadvertently.
  • OKTA-111322 – Group Pushes to Slack failed.
  • OKTA-111339 – Salesforce Community provisioning failed for custom Community user profiles.
  • OKTA-111391 – End-users were prompted for MFA more often than the specified, app-specific sign on policy rule.
  • OKTA-111609 – The new System Log did not log User attempted unauthorized access to app events.
  • OKTA-111614 – System Log queries containing the { character failed.
  • OKTA-111662 – Users imported from the RightNow CX app did not have an External ID attribute.
  • OKTA-111832 – Authenticating users failed for apps that use wrappers.
  • OKTA-112707 – The Show More button did not display when filtering the list of OAN applications by Supports Provisioning.
  • OKTA-112713 – Users were prompted twice for credentials: once to access OKTA, and again to access a SAML app.
  • OKTA-113380H – All users were deprovisioned from the EA Success Factors app during scheduled imports.
  • OKTA-113406 – Passcode rules were sent to iOS and Mac OSX devices even though a Simple Passcode policy had not been configured.
  • OKTA-113873 – Okta SMS failed to re-send an authentication code during MFA enrollment.
  • OKTA-114245 – Requesting the SAML ACS endpoint by URL failed for some existing apps.
  • OKTA-114296H – Users of Firefox browser version 51.0 and later were prompted to install the Okta browser plugin even though it was already installed and functional.
  • OKTA-114334H – In our support for multiple ACS URLs, SAML responses contained incorrect recipient and destination URLs.
  • OKTA-114885H – Attempting to clear a group provisioning error by changing a user's samAccountName via the Task page failed.
  • OKTA-116085H – Updating app profiles for a large number of assignments failed in some circumstances.
  • OKTA-116211H – Group rules were not processed in some circumstances.

App Integrations Fixes

The following SWA apps were not working correctly and are now fixed:

  • Account Research Manager (OKTA-112001)

  • Becker CPA Exam Review

  • Club OS (OKTA-113777)

  • DataSafe (OKTA-113471)

  • Dell Member Purchase Program (MPP)

  • Engage (OKTA-113764)

  • Engrade (OKTA-112825)

  • FidelityPSW (OKTA-111625)

  • FlightStats (OKTA-113795)

  • Glassdoor (OKTA-112826)

  • IFTTT (OKTA-113794)

  • IMDB Pro (OKTA-113491)

  • J.P. Morgan ACCESS (OKTA-112816)

  • MassMutual RetireSmart

  • Mastermind (OKTA-112358)

  • Netatmo Channel (OKTA-113603)

  • PaperHost (OKTA-113602)

  • Practising Law Institute (OKTA-112812)

  • Redis Labs (OKTA-113422)

  • ROI Solutions (OKTA-113762)

  • ShipStation (OKTA-112293)

  • Site5 (OKTA-113790)

  • Stack Overflow Careers (OKTA-114146)

  • StatusCake (OKTA-114162)

  • The Hartford EBC (OKTA-113160)

  • The Institutes (OKTA-112814)

  • Ticketmaster ONE (OKTA-112819)

  • TriCare (OKTA-113402)

  • VerizonWireless (OKTA-112811)

  • ZipRecruiter (OKTA-112810)

  • Microsoft Hotmail (OKTA-113181)