Okta Help Center - Blogs Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.

Improved Submission Process for Your Product Ideas

Dec 27, 2017 | by Ellen Tiano in Administration

Some of Okta’s best features have been the result of suggestions from our community. Recently, much of that feedback pertained to how we solicit your input on our products in the first place. Our Ideas page wasn’t the user-friendly experience it could be, nor did it allow us to share our pipeline of changes with you. That has changed.


Our new Ideas page features a streamlined form, revamped categorization, and most importantly, efficient communication with our product team. Have an Idea you want to submit? Let’s walk you through the process.

Step one: writing a title

User-added image

Once you’ve signed into the Ideas page as an Okta partner or customer, this is where you start.


As you summarize your idea into a succinct headline, incorporate keywords that others may have used to submit similar requests. An example could be something like, “Problem with Mobile Device Access.”


Note: If you need more help streamlining your proposal, refer to our Ideas FAQ.

Step two: checking for similar ideas

User-added image

The next step is to check for ideas that are close to your own. In order for Okta to effectively respond to each person’s request, we compile similar ideas together. If several users are requesting similar improvements in one of our products, it will likely be prioritized. An example of an entry similar to “Problem with Mobile Device Access” could be, “Slow Connection on Mobile Device.”


If you find another idea that resembles yours, we highly recommend commenting on it with your own remarks and concerns, rather than creating another one from scratch. This helps streamline the process and make sure common requests get addressed efficiently. Each comment and vote earns ten points for the idea, pushing it further to the top of the list.


If no one else has submitted the same idea as yours, continue to step three.

Step three: finishing your idea

User-added image


The final step is to add more information about your idea. As long as it relates to our products, it can be submitted and will be reviewed. As you expand on your idea, consider the following questions: What are your use cases? What environment is it for? What is the business impact?


The more detail you provide, the faster our team can address it, without any excess back-and-forth communication.


Finally, select a relevant category from the dropdown, and then submit your idea. Once its posted, you can still edit it with further changes or delete it altogether at any time. Our team has committed to reviewing all ideas within 90 days of their submission.


Your feedback to our previous Ideas page is a great example of how much we can learn from you. We’re excited to be launching this new version – and we can’t wait to hear from you.


Do you have additional questions about submitting your idea? Or do you want to inquire about other products at Okta? Visit the Okta Help Center to learn more.

Configure the Help Desk Administrator Role

Sep 26, 2017 | by Lauren Berry in Administration

This is an Early Access feature. To enable it, please contact Okta Support.

The Help Desk Administrator can perform common help desk actions. This role has a reduced set of permissions and promotes good security practices by not granting unnecessary permissions to help desk personnel.

You cannot selectively assign permissions to the Help Desk Administrator role. Instead, it has these fixed permissions:

· Reset Password

· Reset Multifactor Authentication

· Unlock Account

· Clear User Session

· View user profiles: only users in the groups to which the admin has been assigned.

The Help Desk Administrator role does not have the following permissions:

  • Create and activate users
  • Suspend and delete users
  • Assign users to apps or groups
  • Initiate Okta directory specific actions
  • View or modify users outside the assigned group(s)
  • Create API tokens

The Help Desk Administrator can perform these actions on all users or on select groups of users. This provides granular administrative control. The Help Desk Administrator cannot view or modify users outside of the selected group. Delegated administration allows you to spread administrative duties and, more importantly, segregate duties so that no administrator has too much control.

Note: While the Help Desk Administrator can't create API tokens, you can create an API token for this role's privileges for any given Help Desk admin. For example, you may implement a Reset MFA button in an application using Okta APIs and API tokens. For more information about API tokens, see API tokens. For information about Okta APIs, see Getting started with the Okta API.

Help Desk Administrator scenarios

The Help Desk Administrator role may be useful in these scenarios:

  • You have a single Help Desk that does not need excessive permissions to perform the role.
  • You have a Tier 1 IT that handles high volume account transactions such as password resets.
  • Your organization has branches, brands, or franchises that have separate IT teams.
  • You have business units that need to perform actions on just their own users.
  • You have outsourced service vendors that need to perform actions on just their own users.

Configure the Help Desk administrator role

Only Super Org Administrators may assign the Help Desk Administrator role to a user and optionally apply a group scope.

To create and configure the Help Desk Administrator role, do the following:

  1. From the Administrative Dashboard, go to Security > Administrators.

  2. Click the Add Administrator button.

In the resulting dialog box, do the following

  1. Type an administrator name into the Grant Administrator Role to field.

  2. Select the Help Desk Administrator role.

  3. Select Can administer user in specific groups (recommended).

  4. Type in the group name of the Okta group(s) the admin will control. Note that only Okta groups appear.

Additional configuration for AD users

If you want your Help Desk Administrator to perform operations on users that delegate authentication to AD, you’ll also have to configure the AD policy:

  1. From the Administrative Dashboard, go to Security > Policies.

  2. Select Active Directory Policy.

  3. Edit the Legacy Rule to indicate that the user can change passwords.
  4. Click Update Rule.

Perform Actions as Help Desk Administrator
  1. Log into Okta with an account that’s been designated a Help Desk Administrator.
  2. Navigate to Directory> People.
  3. Select a user account
  4. To reset a user’s password, click Reset Password.
  5. To perform any of the other options, click More Actions.

Guidance on Structuring Okta Groups

Groups have not fundamentally changed within Okta, but they are more useful and powerful when used with the Help Desk Administrator role. Getting the most out of delegated administration requires careful selection of Okta groups. The group(s) you choose should reflect your organization's structure or boundaries of control.

For example, an organation shares Okta-protected resources with two business units, A and B, each with their own users and separate IT teams who manage those users. It is important for the organization to maintain strict boundaries of control within Okta. A's IT team should only be able to view and manage A's users in Okta. Similarly, B's IT team should only be able to view and manage B's users in Okta. The organization can accomplish this by::

  • Giving A and B separate Help Desk Administrators roles in Okta
  • Scoping A's Help Desk Administrator role to Group A, which consists only of A's users
  • Scoping B's Help Desk Administrator role to Group B, which consists only of B's users

Rogue Account Report -- Now in EA

Sep 26, 2017 | by Lauren Berry in Administration

The Rogue Accounts report compares assignments in Okta to accounts that exist in a specified app and lists the discrepancies. You can find the accounts that were created directly in the application without going through Okta and correct them to ensure all access to the app is managed through Okta. Once corrected, you will only have to look in one place to see who has access and what type of access for all the applications that you manage.

The rogue accounts report provides the following two lists of users:

  • Users that exist only in the app and do not exist in Okta. These accounts were created in the app and were not assigned in Okta.
  • Users that exist only in Okta and do not exist in the app. These accounts were assigned in Okta, but were not created in the app.

You can correct the discrepancy by either assigning the app to the user in Okta or by deprovisioning the user in the app.

The report is visible in Okta and can also be downloaded in a comma-separated values (CSV) file. Lengthy reports are only available in CSV format.

Run the Report

You can launch the report from the Reports page in the App Access Audit section or from the main page for an application.

  • If you launch the report from the Reports menu, you must specify the app for comparison.
  • If you launch the report from an application, the application name is already filled in.

When the application name is filled in, click Run Report to create the report. The report takes a few minutes to run.

Note: If the application does not support API-based comparison, see Compare users with a CSV filebelow.

View the Output

The report shows users in two categories: Only in [App] and Only in Okta. You can toggle between these two lists by clicking the desired category under App Account Status on the left of the report body.

Note: If there are more that 100 results to display, only the first 100 results are shown with a message in the 101st row that indicates that you must download the output in CSV format to see the full results.

Download the Output

Click the Download CSV button to create a CSV format of the report.

The CSV file contains the following information:

  • The Only in Okta portion of the report always contains the columns titled oktaFirstNameoktaLastName, and oktaUsername.
  • If the report was from an automatic download, the Only in App portion of the report contains columns titled appUserNameappFirstName, and appLastName.
  • If the report was from an uploaded CSV file, described in the next section, the Only in App portion of the report contains one column containing the attribute to match. The column title can vary.

Compare users with a CSV file

For applications where the comparison is not available through the provisioning connector, the Run Report button opens a screen for uploading a data file in CSV format, shown below. This CSV file should contain all active accounts in the application, and can be obtained by exporting the accounts from the application. The CSV file must have headers and at least one unique identifier column.


Link the App Users with Okta Users

Once a file has been correctly uploaded, you are prompted to specify how the rows should map to unique user accounts. In the screen shown below, choose fields for both the app and for Okta that map.


When done, click Run Report. The output is the same as shown above.

Oktane17: Product Announcements

Aug 30, 2017 | by Mike Paiko

Oktane17 has just ended and there were so many exciting product announcements to share, I thought it would be useful to bring together all the great product advances our teams are working on into one blog post.  These enhancements will help you and your organization strengthen the way you approach identity and accelerate your organization’s digital transformation.  

The general guideline is that all features announced will at least be in beta 3 months post-Oktane, many are available in EA today. If you are an Okta customer and would like to track a specific feature, visit the Okta community and look for the new roadmap tab.

Managing & Securing The Extended Enterprise

The scope of what an IT department manages today is changing rapidly and the definition of the users that they need to serve has also expanded. In addition to employees, IT has to secure and manage access for contractors, partners, suppliers and contingent workers. At Oktane, we announced several investments that will help IT embrace the cloud and provide a bridge to their on-premises infrastructure and provide new ways to better manage the user population outside of their employee base.

  • LDAP Authentication for Universal Directory:  To bridge the past and become the go-forward directory for our customers, we’ve added new capabilities to our cloud-first Okta Universal Directory so on-premises applications can authenticate directly to Universal Directory – eliminating the need for expensive on-premises LDAP servers for large enterprises. For younger companies, it removes one of the last barriers to a 100% cloud approach for all of their directory needs, no more on-premises AD or LDAP required.
  • Going Beyond Applications with the Okta Integration Network: Okta has a tremendous track record with the Okta Application Network and we are extending the power of that network to new types of integrations that go beyond applications to include vendors for networking and security, analytics and API Gateways.  To reflect the broader scope, we have renamed that network to the Okta Integration Network.  We are excited about extending the reach and value of our technology ecosystem – including partners like Palo Alto Networks, F5, IBM QRadar and Sumo Logic – to address the breadth of ways that IT departments can unlock the value of the entire Okta product portfolio.
  • Lifecycle Management for Every Person in the Extended Enterprise: We’ve created new self-service registration and Okta Lifecycle Management policies to provide a turnkey, out-of-the-box way for enterprises to create a highly customized and simple registration experience for partners and contractors – enabling them to easily and securely connect this broader set of users that make up their extended enterprise.
  • Improved Delegation, Security and Self-Service for Okta Admins: A new Help Desk Admin role allows Okta Admins to delegate tasks like password or MFA reset, and a new set of reports can help with troubleshooting access issues. To improve the security around admin access, MFA can be required for all Okta admins logging into the admin console. Okta is also removing the requirement to contact support to enable EA features, by allowing Okta admins to self-service through a new EA feature manager.

People are the Perimeter

In today’s perimeter-less world, the proliferation of people, applications and devices makes identity the only way to control who has access to what information, and when.  To mitigate potential threats, we are rolling out a number of enhancements:

Expanding Adaptive MFA from Cloud to Ground

  • Cover everything in the cloud and on-premise:  Adaptive MFA can now be used for RDP, LDAP, other SSO products, ADFS, custom web apps and RADIUS. 
  • Start Anywhere: Start with Adaptive MFA before beginning your SSO journey, or add Adaptive MFA to your existing Okta Identity Cloud service.

Enhanced Contextual Access management: 

  • API Access Management: We are extending our contextual access management architecture from users accessing applications to application and things accessing APIs.
  • Restrict Access from Unmanaged Devices: Within an application's sign-on policy, admins can enforce that only a trusted device (MDM managed for mobile and AD domain joined for Windows) prior to accessing cloud applications. 

Security for Everyone

  • Basic Okta MFA Comes Standard:   Effective immediately, every Okta customer can make their users more secure by adding multi-factor authentication with Okta’s time-based, one-time password app.  This is a first for the industry – strong authentication for everyone! 
  • IP Blacklisting:  Your information security program is likely to have a set of IP addresses that are blacklisted across your network and end points, and now you can add those IP addresses to a blacklist zone within Okta to protect against DDoS lockouts and brute force attacks.
  • Common Password Detection: We’re fully aware that people are terrible at selecting passwords. To combat this, we’re rolling out a common password detection feature which will prevent users from using thought-provoking passwords such as ‘password’ or ‘password123’. 
  • TouchID for Okta Mobile: Allow mobile users to use Touch ID as an alternative to their unlock code when accessing Okta Mobile. 
  • Passwordless authentication for iOS applications: Once a user has logged into Okta Mobile, they can authenticate into native mobile apps without having to enter username and password.  

Transforming the Customer Experience

Organizations big or small and across all industries are building mobile, web, and API-driven applications to transform their customers’ experience.  Over the past year we have worked hard to make it easy for any organization to use Okta as their customer facing identity layer.  We are going to continue to innovate so you can delight and engage your customers, while also keeping their information secure. 

  • Self-Service Registration: Developers can now easily add a registration flow, using the new self-service registration widget, registration APIs and SDKs. This include support for common workflows like email verification or password reset. Development teams can also choose to host the entire sign-in and registration process on the Okta service. 
  • Use your Brand: Everything Okta powers for your application is completely customizable.
    Custom email and URL domains, and the ability to use your own SMS provider.
  • API Access Management: IT teams can centralize policy and security for application development, allowing developers to connect to company resources with pre-defined access agreements – enabling organizations to connect microservices to partner and other external developers securely through simple access protocols.
  • Developer Centric Okta Dashboard: A new admin interface built specifically for developers that dramatically improves the developer experience by making it easy to create and manage Okta apps, API tokens, and API Access Management concerns.
  • Developer Experience: Okta is building best-in-class SDKs based on Stormpath's experiences with SDKs. We are shipping rock solid, tested, and idiomatic SDKs that make it easy to integrate Okta into your weekend project and are solid enough to work in the harshest production environments.

Transparent Communications

  • Public Roadmaps For All Products: We are super excited to announce public facing roadmaps for all of our products.  This will serve as a graet jumping off point to our ideas community to encourage a two way dialogue about what we should be building at Okta.
  • Self-Service Feature Manager: Equally exciting, this public roadmap will be connected to your Okta instance and enable your Administrators to turn on new features and try them in your environment.

Don’t miss these blog posts for more:


New Beta Feature: Scheduled Suspension

Aug 22, 2017 | by Aaron Yee in Lifecycle Management

Okta admins can now schedule the suspension of an Okta mastered account on a specific date (down to the second). On the configured date, Okta will automatically suspend the user's Okta account, preventing the user from authenticating to Okta. Note that suspending a user is different from deactivating a user, which removes access to the app and triggers deprovisioning flows (if configured).  

This feature enables Okta admins to better manage the lifecycle of non-employee accounts, such as contractors. Unlike employee accounts whose lifecycles are tightly governed & mastered by an authoritative source such as AD or HR, non-employee accounts generally have fewer controls. Specifically, their onboarding and offboarding processes aren't managed by the same authoritative source(s). Consequently, it's common for non-employee accounts to get created and persist long after they're needed. This feature solves that problem by cutting access on a specific date (e.g. on the last day of the contract). 

User-added image

Disclaimer: Any customer can evaluate this feature during beta. However, when it progresses to Early Access/General Availability, only customers who have bought Universal Directory will be able to use it.

Other Capabilities

  • Admins can schedule suspension dates by importing a CSV (useful for batch scheduling)
  • Admins can view upcoming suspensions within the next 30 days
  • The System Log captures event details when 1) a suspension is scheduled and 2) a suspension occurs

  • Only works on Okta accounts that are not mastered by authoritative sources (AD, LDAP, HR, etc.) 
  • Okta guarantees that the account will be suspended within an hour of the scheduled date/time

I'm in! How do I get started?

Currently, only Okta PREVIEW environments (*.oktapreview.com) are eligible for this feature. If you do not have a preview environment, you can sign up for a free developer tenant at https://www.okta.com/developer/signup/.

To enroll in this program, please sign up here: https://support.okta.com/help/OktaBetaProgramHome