Okta Identity Engine release notes (Preview)

Version: 2026.05.0

May 2026

Generally Available

Workday entitlement management

Admins can now manage entitlements for Workday app instances on Okta. This feature allows for the discovery and governance of user-based security groups to enable automated access requests and certifications.

Report exports

You can now choose between CSV and GZIP export formats when generating the following reports:

  • Okta usage
  • Application usage
  • MFA usage

Secure SaaS and Okta Service Accounts

Manage and secure passwords for SaaS app service accounts and Okta service accounts with Okta Privileged Access. You can now assign new Service Accounts permissions to custom roles to delegate service account management duties to non-super admins. See Manage service accounts and Role permissions.

Add access request condition descriptions

You can now add descriptions to access request conditions for apps, collections, and Okta admin role bundles. These descriptions appear alongside the condition's name on the Access Requests tab, making it easier for you to understand the specific purpose of each condition. See Create an access request condition.

Slack resource server connector

You can now use the Slack resource server connector to create resource connections between Slack and an AI agent. See Configure resource server connectors.

Session retention after user password changes

When users change their password and select Sign me out of all other devices, Okta now retains their current session after their other active sessions are revoked.

System Log event for unconfigured identifiers

When JIT is enabled for Active Directory and a user authenticates with an unconfigured identifier, the event now appears in the System Log.

CSV report of AD migration progress now available

You can now download a CSV report to view the password migration of specific users. This report provides a detailed breakdown of each user's migration status, such as whether their password was successfully migrated or if a specific error occurred. See Monitor a password migration.

System Log event for DirSync imports

When Active Directory agent compatibility is verified for DirSync-based imports, the event now appears in the System Log.

New System Log fields for matched network zones

Okta now includes richer network zone match information in System Log events. When a request is blocked by a network zone (security.request.blocked) or evaluated against a sign-on policy (policy.evaluate_sign_on), the System Log now surfaces the names and IDs of all matched network zones, across IP zones, Dynamic Network Zones (DNZ), and Enhanced Dynamic Network Zones (EDNZ), through new ZoneIdMatch and ZoneNameMatch fields. Up to 10 matched zones are reported per event.

These new fields provide more granular and structured network zone context than the existing Client.Zone field. This gives admins and security teams precise, actionable detail for blocked requests and policy evaluations, making SIEM investigations and audit reviews significantly easier. See Troubleshoot network zone issues using System Log.

SHA-256 digest algorithm support

Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.

Updated default settings for Passkey (FIDO2 WebAuthn) authenticator

The configuration for WebAuthn authenticators defaults to preferred user verification for all orgs and defaults to passkeys for new orgs. These updates reduce manual configuration, ensure a seamless enrollment process, and provide a more reliable sign-in experience for users across various devices.

User password migration from AD to Okta

Seamlessly migrate user passwords from AD to Okta without disrupting your users or operations. This establishes Okta as the source of truth for user passwords, enabling it to handle user authentication and eliminating the need for delegated authentication. See Password migration from AD to Okta.

DirSync group imports for Active Directory

For Active Directory (AD) integrations, the Provisioning tab now provides an Enable imports with AD using DirSync checkbox. When you enable the checkbox, admins can perform incremental group imports using DirSync. See Configure Active Directory import and account settings.

Early Access

Global Token Revocation for third-party and Org2Org IdPs

Okta now supports Global Token Revocation (GTR) for third-party and Org2Org identity providers (IdPs). This feature allows external IdPs to securely trigger Universal Logout, instantly revoking all user sessions and tokens across your entire app ecosystem. See Configure Universal Logout for supported apps.

Redirect federated users to IdPs for reauthentication

Reauthentication to an IdP helps Okta admins secure federated identities by redirecting federated users to their source SAML, OIDC, or Org2Org IdP when a policy requires them to reauthenticate. By forcing reauthentication at the source IdP, admins can close security gaps from long-lived sessions and remove the need to configure duplicate MFA enrollment in Okta. See Redirect federated users to IdPs for re-authentication.

Email auto-enrollment and recovery management

Administrators can control the automatic enrollment of email as an authenticator and configure email-based password recovery, unlock, and change where email is not an authenticator.

Managed app assurance for Android

The new Device Profile Restriction condition in device assurance policies ensures that Android users can only access protected apps from the same managed work profile where Okta Verify is installed. This prevents access from personal profiles, which reduces the risk of data leaks and improves security posture. See Add a device assurance policy.

Platform SSO password integration with Device-Bound SSO

The Platform SSO password authentication method now integrates with Device-Bound SSO. When a user signs in at the macOS sign-in window, Okta verifies the password factor and creates a device-bound session. Users can then access Okta-protected apps in their browser without additional password prompts. Documentation for this EA feature will be available after the release of Okta Verify app for macOS 9.63.

Secure Enclave key support for Platform SSO

Platform SSO now supports a Secure Enclave key-based authentication method that integrates with Device-Bound SSO. When a user authenticates at the macOS sign-in window with their password, the authentication unlocks a hardware-bound cryptographic key stored in the Secure Enclave. Okta uses the key to create a device-bound session that satisfies any authentication policy that requires Okta FastPass with user verification, without repeated MFA prompts. Documentation for this EA feature will be available after the release of Okta Verify app for macOS 9.63.

Detect and discover AI agents

Use the Security Access Monitor browser plugin and Okta Identity Security Posture Management (ISPM) to get visibility into any new OAuth grants to apps and the consequent shadow AI agent usage for your org. The plugin monitors managed browsers for any new OAuth grants to apps and AI agents. ISPM captures OAuth grant telemetry, analyzes the data, and provides you with the visibility you need to identify every third-party app that your users authorize. This helps you mitigate risks related to shadow OAuth grants and AI agents. After you configure the plugin, you can find all new OAuth grants across your org by going to the NHIs and AI agents > Browser OAuth Grants page in the ISPM console. See Discover and assess AI agents.

Fixes

  • After deactivating an AD Agent, an incorrect format of the version for the agent was displayed. (OKTA-1117122)

  • Some users couldn't sign in if the global session policy that applied to them was deleted. (OKTA-1131197)

  • After a user.session.context.change event, some global session and app sign-in policy rules configured with In any network zone defined in Okta failed to match during ITP policy re-evaluation. (OKTA-1151868)

  • The Sign-In Widget displayed an error after users completed a self-service password reset when the app authentication policy had the Keep Me Signed In prompt enabled. (OKTA-1152243)

  • AMR claim updates weren't applied to the Salesforce (Federated ID) app integration. (OKTA-1164030)

  • On the Administrator assignment by role page, the Preview role pane displayed "L10N_ERROR[okta.apps.clientCredentials.read.name.code]" instead of the View client credentials permission. (OKTA-1166616)

Okta Integration Network

  • Asset Integrity for Pipelines (OIDC) is now available. Learn more.

  • CJ Affiliate (OIDC) is now available. Learn more.

  • Conduit Security (OIDC) is now available. Learn more.

  • Form (OIDC) is now available. Learn more.

  • Harmony (SAML) is now available. Learn more.

  • Harmony (SCIM) is now available. Learn more.

  • Haystack (SCIM) is now available. Learn more.

  • JumpCloud (OIDC) is now available. See JumpCloud.

  • LinkedIn Sales Navigator (SCIM) is now available. Learn more.

  • Magnite Streamr (OIDC) is now available. Learn more.

  • Matik (SAML) is now available. Learn more.

  • Matik (SCIM) is now available. Learn more.

  • Syndio (OIDC) is now available. Learn more.

  • Tandem Health (OIDC) is now available. Learn more.

  • Ternary (OIDC) is now available. Learn more.

  • ThoughtSpot (OIDC) is now available. See Create ThoughtSpot OIDC integration.

  • TOPdesk Operator by FuseLogic (Entitlements Management) is now available. Learn more.

  • Truepic Vision (OIDC) is now available. Learn more.

  • WideField Security - Detect and Remediate (API integration) is now available. Learn more.

  • YipitData Agent (OIDC) is now available. Learn more.

  • Yunu (OIDC) is now available. Learn more.

  • Console (API Service) has a new icon and description.

  • Console (OIDC) has a new app description.

  • Sastrufy has a new app name and a new configuration guide.

  • Software Analytics (OIDC) has a new app name (Antenna), icon, description, new Redirect URIs, and integration guide. Learn more.

  • Suger (OIDC) has a new Redirect URI.

  • Matik (Basic Auth) was updated.

  • Metlife MyBenefits (SWA) was updated.

  • TOPdesk Operator by FuseLogic (SCIM) was updated.

Preview Features

Secure SaaS and Okta Service Accounts

Manage and secure passwords for SaaS app service accounts and Okta service accounts with Okta Privileged Access. You can now assign new Service Accounts permissions to custom roles to delegate service account management duties to non-super admins. See Manage service accounts and Role permissions.

CSV report of AD migration progress now available

You can now download a CSV report to view the password migration of specific users. This report provides a detailed breakdown of each user's migration status, such as whether their password was successfully migrated or if a specific error occurred. See Monitor a password migration.

New System Log fields for matched network zones

Okta now includes richer network zone match information in System Log events. When a request is blocked by a network zone (security.request.blocked) or evaluated against a sign-on policy (policy.evaluate_sign_on), the System Log now surfaces the names and IDs of all matched network zones, across IP zones, Dynamic Network Zones (DNZ), and Enhanced Dynamic Network Zones (EDNZ), through new ZoneIdMatch and ZoneNameMatch fields. Up to 10 matched zones are reported per event.

These new fields provide more granular and structured network zone context than the existing Client.Zone field. This gives admins and security teams precise, actionable detail for blocked requests and policy evaluations, making SIEM investigations and audit reviews significantly easier. See Troubleshoot network zone issues using System Log.
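The matched-zone fields described above (here and in the Generally Available entry of the same name) are most useful once they are pulled out of the event stream and aggregated. The following script is an added example, not Okta code or output: it runs over constructed System Log events, prefers the new ZoneIdMatch and ZoneNameMatch fields, falls back to the legacy Client.Zone value when they are absent, and honours the 10-zone cap. The placement of the two fields under debugContext.debugData as comma-separated strings is an assumption; zone ids, names and IP addresses are placeholders.

```python
import json
from collections import Counter
from itertools import zip_longest

# Constructed sample System Log events (not real Okta output). Zone ids and
# addresses are placeholders. ASSUMPTION: ZoneIdMatch / ZoneNameMatch arrive as
# comma-separated strings under debugContext.debugData; adjust if your events differ.
SAMPLE_EVENTS = [
    json.dumps({
        "eventType": "security.request.blocked",
        "outcome": {"result": "DENY", "reason": "Blocked by network zone"},
        "client": {"ipAddress": "203.0.113.10", "zone": "Blocked-Countries"},
        "debugContext": {"debugData": {
            "ZoneIdMatch": "nzoEXAMPLE0001,nzoEXAMPLE0002",
            "ZoneNameMatch": "Blocked-Countries,Anonymizer-DNZ",
        }},
    }),
    json.dumps({
        "eventType": "policy.evaluate_sign_on",
        "outcome": {"result": "ALLOW"},
        "client": {"ipAddress": "198.51.100.7", "zone": "Corporate-HQ"},
        "debugContext": {"debugData": {
            "ZoneIdMatch": "nzoEXAMPLE0003",
            "ZoneNameMatch": "Corporate-HQ",
        }},
    }),
    # Evaluated request that matched no zone: legacy field reads "null", new fields absent.
    json.dumps({
        "eventType": "policy.evaluate_sign_on",
        "outcome": {"result": "ALLOW"},
        "client": {"ipAddress": "198.51.100.9", "zone": "null"},
        "debugContext": {"debugData": {}},
    }),
    # Unrelated event type; the summary ignores it.
    json.dumps({"eventType": "user.session.start",
                "client": {"ipAddress": "198.51.100.9"}}),
]

ZONE_EVENT_TYPES = {"security.request.blocked", "policy.evaluate_sign_on"}
MAX_REPORTED_ZONES = 10  # the release note caps matched zones at 10 per event


def _split(value: str) -> list[str]:
    return [part.strip() for part in value.split(",") if part.strip()]


def matched_zones(event: dict) -> list[tuple[str, str]]:
    """Return (zone_id, zone_name) pairs for one event.

    Prefers the new ZoneIdMatch / ZoneNameMatch fields (several zones, with
    ids); falls back to the single legacy client.zone name when they are absent.
    """
    debug = event.get("debugContext", {}).get("debugData", {})
    ids = _split(debug.get("ZoneIdMatch", ""))
    names = _split(debug.get("ZoneNameMatch", ""))
    if ids or names:
        # zip_longest tolerates a length mismatch instead of silently dropping zones.
        pairs = list(zip_longest(ids, names, fillvalue=""))
        return pairs[:MAX_REPORTED_ZONES]
    legacy = event.get("client", {}).get("zone")
    if legacy and legacy != "null":
        return [("", legacy)]  # the legacy field carries a name but no id
    return []


def summarize(lines: list[str]) -> dict:
    """Count blocked and evaluated requests per matched zone across raw JSON lines."""
    blocked: Counter = Counter()
    evaluated: Counter = Counter()
    zoneless = 0
    for line in lines:
        event = json.loads(line)
        event_type = event.get("eventType")
        if event_type not in ZONE_EVENT_TYPES:
            continue
        zones = matched_zones(event)
        if not zones:
            zoneless += 1
            continue
        bucket = blocked if event_type == "security.request.blocked" else evaluated
        for pair in zones:
            bucket[pair] += 1
    return {"blocked": blocked, "evaluated": evaluated, "zoneless": zoneless}


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for label in ("blocked", "evaluated"):
        for (zone_id, zone_name), count in sorted(report[label].items()):
            print(f"{label:9} zone={zone_name!r} id={zone_id or '-'} count={count}")
    print(f"evaluated with no zone match: {report['zoneless']}")
```

Keying the counters on the (id, name) pair rather than the name alone is deliberate: zone names can be renamed or duplicated across zone types, while the id stays stable, which is the property an audit query or SIEM correlation rule should rely on.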

SHA-256 digest algorithm support

Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.

Skip counts for authenticator enrollment grace periods

This feature allows admins to define the number of times end users can skip enrollment in an authenticator during the grace period, and to customize the prompt end users see while the grace period is active. See Authenticator enrollment policies.

Release controls for Okta Verify on Windows

With the new release controls feature, admins can configure whether to allow, pause, or restrict automatic updates to Okta Verify on Windows. This provides greater flexibility for meeting enterprise change management requirements and managing version rollouts across Windows endpoints. See Configure Okta Verify release controls.

Passkeys rebrand

The FIDO2 (WebAuthn) authenticator is being rebranded to Passkeys (FIDO2 WebAuthn), and Okta is introducing enhanced administrative controls and a streamlined user experience. This update centralizes passkey management through a consolidated settings page, allows for customized authenticator naming, and introduces a dedicated Sign in with a passkey button within the Sign-In Widget. These enhancements simplify the authentication journey and provide users with a more intuitive sign-in process with the Sign in with a passkey button. See Configure the Passkeys (FIDO2 WebAuthn) authenticator.

User password migration from AD to Okta

Seamlessly migrate user passwords from AD to Okta without disrupting your users or operations. This establishes Okta as the source of truth for user passwords, enabling it to handle user authentication and eliminating the need for delegated authentication. See Password migration from AD to Okta.

DirSync group imports for Active Directory

For Active Directory (AD) integrations, the Provisioning tab now provides an Enable imports with AD using DirSync checkbox. When you enable the checkbox, admins can perform incremental group imports using DirSync. See Configure Active Directory import and account settings.

Workday supports incremental imports

Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports.

Network zone residential proxy detection

This feature adds new zones associated with Enhanced Dynamic Network Zones beyond anonymous proxies and VPNs. Customers can use service categories such as ZSCALER_PROXY, PERIMETER_81, and more. See Supported IP service categories.

IP Exempt Zone

OIE: Use this feature to allow traffic from specific gateway IPs irrespective of Okta ThreatInsight configurations, blocked network zones, or IP change events within Identity Threat Protection with Okta AI. See IP exempt zone. Classic: Use this feature to allow traffic from specific gateway IPs irrespective of Okta ThreatInsight configurations or blocked network zones. See IP exempt zone.

Same-device enrollment for Okta FastPass

On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.
  • Users no longer need to enter their org URL during enrollment.
  • The enrollment flow has fewer steps.

This feature is supported on Android, iOS, and macOS devices.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.

Application Entitlement Policy

Admins can now override attribute mapping when assigning apps to individuals or groups. You can also revert attributes to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Direct End-User Settings access

Users may now access their Settings page through a direct URL in addition to the End-User Dashboard. This feature provides convenience and security for users, gives admins greater flexibility when working with End-User Dashboard access control scenarios, and includes accessibility and UX improvements. See End-User Settings.

End-user setting for nicknaming factors

End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the end-user documentation. This is a self-service feature.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints:

Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the app's assurance policy. After the assurance requirements are met, the user is signed directly in to the app.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your app requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the app, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the app.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to sign in to apps that run on such devices.
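The exchange the grant type defines, as an added example that is not part of these release notes and not Okta's implementation: an in-memory authorization server and a browserless device client trade the messages of the OAuth 2.0 Device Authorization Grant (RFC 8628), including the failure responses a device has to handle (authorization_pending, slow_down, access_denied, expired_token). The client id, verification URI, subject and timings are placeholders; a controllable clock replaces real waiting so the run is deterministic.

```python
import secrets
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
CLIENT_ID = "tv-app-client-id"  # placeholder, not a real client
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonants only: easy to type, no accidental words


class AuthorizationServer:
    """In-memory stand-in for a server's device-authorization and token endpoints."""

    def __init__(self, clock=time.time, interval=5, lifetime=600):
        self.clock, self.interval, self.lifetime = clock, interval, lifetime
        self._pending = {}        # device_code -> request record
        self._by_user_code = {}   # user_code -> device_code

    def device_authorize(self, client_id: str, scope: str) -> dict:
        # device_code is a secret held only by the device; user_code is short
        # enough to type on a phone or laptop at verification_uri.
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "status": "pending",
            "expires_at": self.clock() + self.lifetime, "last_poll": None,
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code,
                "user_code": f"{user_code[:4]}-{user_code[4:]}",
                "verification_uri": "https://example.invalid/activate",  # placeholder
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decides(self, user_code: str, subject: str, approve: bool) -> bool:
        """The user, on a secondary device, enters the code and approves or denies."""
        device_code = self._by_user_code.get(user_code.replace("-", "").upper())
        if device_code is None or device_code not in self._pending:
            return False
        record = self._pending[device_code]
        record["status"] = "approved" if approve else "denied"
        record["subject"] = subject
        return True

    def token(self, grant_type: str, device_code: str, client_id: str) -> dict:
        """Polling endpoint; error codes follow RFC 8628 section 3.5."""
        if grant_type != GRANT_TYPE:
            return {"error": "unsupported_grant_type"}
        record = self._pending.get(device_code)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > record["expires_at"]:
            self._pending.pop(device_code)
            return {"error": "expired_token"}
        if record["last_poll"] is not None and now - record["last_poll"] < self.interval:
            return {"error": "slow_down"}  # device must back off before polling again
        record["last_poll"] = now
        if record["status"] == "pending":
            return {"error": "authorization_pending"}
        self._pending.pop(device_code)  # a decided device_code is single use
        if record["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "scope": record["scope"], "sub": record["subject"]}


class FakeClock:
    """Controllable clock so the exchange can be replayed deterministically."""
    def __init__(self, start=1_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def run_flow(approve: bool = True, user_delay: int = 30) -> dict:
    """Drive one device/server exchange and return every message in order."""
    clock = FakeClock()
    server = AuthorizationServer(clock=clock)
    log = {}
    log["authorize"] = server.device_authorize(CLIENT_ID, "openid profile")
    code = log["authorize"]["device_code"]
    log["poll_1"] = server.token(GRANT_TYPE, code, CLIENT_ID)         # authorization_pending
    log["poll_too_fast"] = server.token(GRANT_TYPE, code, CLIENT_ID)  # slow_down
    clock.advance(user_delay)  # meanwhile the user types the code on a phone or laptop
    log["user_decided"] = server.user_decides(
        log["authorize"]["user_code"], "alice@example.invalid", approve)
    log["poll_final"] = server.token(GRANT_TYPE, code, CLIENT_ID)
    return log


if __name__ == "__main__":
    for step, message in run_flow().items():
        print(f"{step:14} {message}")
```

Two details carry the security weight of the flow: the device never learns anything but its own device_code and the short user_code, so the user's credentials and MFA stay on the secondary device, and the server enforces both the polling interval and the code lifetime so that an abandoned or guessed user_code cannot be redeemed later.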