Okta Production Release 2017.09. began deployment began on March 6. For the latest information on our release schedule, see Current Release Status.
Check the version number at the bottom of your Okta Administrator page to see your current version. Clicking the version number takes you directly to the folder containing the release notes.
Version numbers usually indicate the year and week of the year when releases are pushed to orgs. For example, release 2017.02 was pushed the second week of 2017. The week numbers follow the ISO Week Date convention.
Advance Notice: API Rate Limit Improvements
We are making org-wide rate limits more granular, and treating authenticated end user interactions separately. More granular rate limits will further lessen the likelihood of calls to one URI impacting another. Treating authenticated end user interactions separately will lessen the chances of one user’s impacting another. We’re also providing a transition period so you can see what these changes will look like in your Okta system log before enforcing them:
Shortly after February 28, 2017, we provided system log alerts to let you know if you exceeded any of these new API rate limits.
Sometime in March, 2017, we’ll treat authenticated end user interactions on a per-user basis. Interactions like SSO after login won’t apply to your orgwide API rate limits.
Shortly after March 31, 2017, we will enforce the new, more granular rate limits. At that point, the warnings in the System Log will change to error notifications.
Of course, as each change is released, we’ll announce the change in the Platform Release Notes on http://developer.okta.com.
For a full description of the rate limit changes, see API Rate Limit Improvements.
EOL for Okta support of Apple mobile OS version
With the releases of Okta Mobile 5.2.0 and Okta Verify 3.2.0, Okta no longer supports iOS 8. Users attempting new installations on iOS 8 will see a notice stating that their OS version is no longer supported. Currently, Okta supports iOS versions 9.x and 10.x. For details, see Okta Support for Mobile Operating System Versions.
Browser plugin phased rollout
On February 20, 2017, Okta began a phased Generally Available (GA) release of Okta browser plugin version 5.11.x for all supported browsers. The rollout is targeted to end on March 7, 2017. This version provides security enhancements. Okta strongly recommends that you install the plugin when prompted to do so. If you have any questions or concerns following the upgrade, contact Okta Support. For version history, see Browser Plugin Version History.
New Okta Sign-In Experience to be enabled for all remaining Production orgs
We've postponed our plan to automatically enable the New Okta Sign-In Experience by February 15, 2017 for the remaining Production orgs that have not enabled it yet. Our new target is April 1. In the meantime, it is still recommended that you enable the feature at your convenience to let your users become familiar with it. If you have any questions, please contact Okta Support.
Apple iOS 10 upgrade impact on Okta Mobility Management Password Sync
Users who have upgraded to iOS 10 should note the following: If you’re using Okta Mobility Management (OMM) to configure Exchange ActiveSync (EAS) profiles, a known issue has been introduced that affects OMM’s ability to perform Password Sync for EAS profile updates on iOS devices. For details and workarounds, see Known Issue: iOS10 upgrade impacts Okta Mobility Management (OMM) Password Sync.
Unless otherwise noted, these features are available to all Production orgs with release 2017.09:
Admins can now reset passwords for AD-mastered users with the same easy process already in place for Okta-mastered users. For details, see Resetting Passwords for AD-mastered Users. This is an Early Access (EA) feature; contact Okta Support to enable it.
Our Universal Directory-enabled provisioning integrations for British Telecom (BT) Cloud Phone Production and BT Cloud Phone User Acceptance Testing (UAT) environments are now Generally Available (GA) (note that the UAT app is available in Preview orgs only). The BT Cloud Phone applications support attribute-level mastering, which allows BT Cloud Phone to act as a master for users' direct and extension numbers while other attributes are mastered by a different source, such as Active Directory (AD). For details, see British Telecom Cloud Phone Provisioning Guide.
Our Universal Directory-enabled provisioning integrations for RingCentral Office @ Hand for AT&T Production and RingCentral Office @ Hand for AT&T User Acceptance Testing (UAT) environments are now GA (note that the UAT app is available in Preview orgs only). The RingCentral Office @ Hand for AT&T applications support attribute-level mastering, which allows Office @ Hand for AT&T to act as a master for users' direct and extension numbers while other attributes are mastered by a different source, such as Active Directory. For details, see RingCentral Office @ Hand for AT&T Provisioning Guide.
We are pleased to introduce a new ServiceNow app with the ability to provision custom attributes to ServiceNow with schema discovery. If you would like to use this EA app, ask Okta Support to assign the ServiceNow UD app to your org. See the ServiceNow (EA) Provisioning Guide for details.
This feature will not be added to existing ServiceNow app instances, so you’ll need to add a new ServiceNow UD app instance to your org in order to use it.
We have enhanced deprovisioning for Dropbox Business to include off-boarding features. When deprovisioning users, you can now do the following:
The Okta Mobile Safari Extension allows Okta Mobile to share a session with Safari. Essentially, an end user can sign into SAML apps without re-entering their Okta credentials on their mobile device. This feature can be disabled if you’d rather not allow seamless SAML access to Safari. For details, see Okta Mobile Safari Extension.
- We've simplified our Android for Work setup wizard by removing the dependency on G Suite accounts. For details, see Setting Up Android for Work. This is an EA feature; contact Okta Support to enable it.
We have added a new, customizable email template that alerts your end-users when someone connects to their Okta account from a new device. This EA feature protects against silent access to an end-user's account. For details see Unknown device notification email on the General page.
We have added a new option to our current list of VPN profiles via OMM. Admins can now provision Pulse Connect Secure as a VPN client. This feature is currently only available for iOS devices. For details, see Configuring VPN Profiles.
The cell in which your org is running now appears at the bottom of the page. A cell is an independent collection of multi-tiered, redundant hardware and software designed to effectively manage service traffic and requests for a subset of Okta tenants. Okta is comprised of multiple cells strategically deployed across several geographic regions. You may be asked to provide your cell number whenever you contact Okta Support.
As part of Okta's 508 Compliance, input text fields are now illuminated when they're in focus. For more information about focus changes, see here.
Browser Plugin Updates
The Okta plugin for the Firefox, Internet Explorer, and Safari browsers is updated to version 5.11.0 for EA users. This version provides performance and security enhancements. To obtain it, contact Okta Support. For version history, see Browser Plugin Version History.
Platform Release Notes
Changes to the platform for this release are published in the Platform Release Notes on http://developer.okta.com.
Incremental Features Summary
There are no incremental features in this release.
We've implemented SWA for the following Okta Verified application:
We've implemented SAML for the following Okta Verified applications:
We've changed Signature/Digest algorithms from SHA1 to SHA256 for the following SAML apps:
Bug numbers ending with an H are hotfixes. Hotfixes are typically deployed after the initial release.
Product Bug Fixes
The following issues are fixed:
- OKTA-26128 – The maximum length of a string in a password policy could not be validated under certain circumstances.
- OKTA-90569 – Permission errors were thrown when attempting to send messages to end users.
- OKTA-93556 – An error message was not received after entering a blank email when unlocking a user account.
- OKTA-93953 – The password field accepted only two digits instead of three when configuring password attempts.
- OKTA-107621 – The System Log incorrectly showed a Zone as OFF_NETWORK, even though it was correctly processed as ON_NETWORK.
- OKTA-108000 – In the SAML Settings section of the App Integration Wizard, the Custom Field Mappings Expressions dialog box rendered incorrectly.
- OKTA-108219 – The Okta browser plugin's auto-login feature failed for a custom SWA app in certain circumstances.
- OKTA-110347 – The legacy EventType was missing from the downloadable System Log report.
- OKTA-110623 – Custom attributes with Read-Write user permission added to the Okta user profile did not appear in end user Personal Information settings unless the admin added an attribute value.
- OKTA-111332 – Deactivated users were not returned in user searches.
- OKTA-111339 – Users from Salesforce who have a custom profile in the EA Salesforce Community and Portal feature could not be imported.
- OKTA-111394 – When the group password policy or password policy Softlock features were enabled, users could not unlock AD accounts with self-service unlock.
- OKTA-111945 – Mobile phone information was not written to the correct location in the Facebook@Work app.
- OKTA-112045 – Reset MFA was unavailable on the Admin Dashboard when Prompt for Factor was not selected in the security policy.
- OKTA-113380 – All users were deprovisioned from the SuccessFactors app (EA) during scheduled imports in certain circumstances.
- OKTA-113485 – Some Group Push rules could not be deleted.
- OKTA-113524 – The Pending Task Notification banner displayed for some apps when there were no pending tasks.
- OKTA-113961 – No error message was displayed when attempting to delete a user marked as a billing or technical contact.
- OKTA-114101 – When trying to reset a password using SMS, sending the code failed on the first attempt.
- OKTA-114592 – Timezone and Locale user attributes were not saved correctly in the Salesforce app.
- OKTA-114983 – Deleting API tokens failed when the admin who created the token was deleted.
- OKTA-115769 – No error message displayed when admins with insufficient permissions tried to assign users to a group.
- OKTA-117646H – In the Active Directory Import tab, a message in the Import Results screen reported that some number of imported users needed review but no user records were listed in the main table.
- OKTA-117757H – A language other than the configured language was displayed after signing in to Okta from a new device or from a browser not previously used to sign in to Okta.
- OKTA-118132H – The Okta service was temporarily unavailable for HTTP requests with invalid region values.
App Integrations Fixes
The following SWA apps were not working correctly and are now fixed:
Google Merchant Center
Mango Languages (OKTA-114618)
Newport Group (OKTA-114608)
Nextiva NextOS 3.0 (OKTA-113038)
SAP NetWeaver Application Server