Okta Classic Engine release notes (Production)
Version: 2025.04.0
April 2025
Generally Available
Secure Identity Integrations
Secure Identity Integrations (SII) provides additional depth for the 50+ most-used enterprise SaaS applications with the inclusion of SSO, SCIM, Apps with entitlement support, Universal Logout, Workflows, and Identity Security Posture Management (ISPM).
New versions of Okta Provisioning agent and SDK
Okta Provisioning agent 2.2.1 and Okta Provisioning agent SDK 2.1.1 are now available. These releases contain bug fixes and minor improvements.
OIN test account information deleted after 30 days
Okta deletes your test account credentials 30 days after you publish your app in OIN Wizard. You must create a new test account and re-enter the required information before submitting the app.
MyAccount Management scopes
The MyAccount Management scopes have been updated to non-system scopes and are now configurable by admins. See Create API access scopes.
Step-up authentication for updating policies
Okta prompts for step-up authentication when admins perform protected actions in the Admin Console, like updating sign-on policies. The changes are only allowed after the admin authenticates successfully. This feature enhances org security by allowing admins to require MFA before performing protected actions. See Protected actions in the Admin Console.
Okta Verified text removed from the OIN
In the OIN catalog, the Okta Verified disclaimer has been removed from the app integration pages.
Early Access
Manage Active Directory accounts in Okta Privileged Access
This feature allows management of Active Directory (AD) account passwords through Okta Privileged Access using the Okta AD Agent. Admins can set discovery rules for accounts in specific organizational units (OUs) and create policies for user access, ensuring passwords are rotated upon check-in or on a schedule. Users with access can view their assigned accounts and retrieve passwords. To enable this feature, contact Okta support. See Manage Active Directory accounts.
OAuth 2.0 provisioning for Org2Org with Auto-Rotation
Admins deploying multi-org architectures (for example, Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth 2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Auto-Rotation for Org2Org app provisioning directly from the Admin Console.
On-prem Connector for SAP Netweaver ABAP supports more attributes
Okta On-prem Connector now supports more user attributes, which enables better integration between Okta and SAP Netweaver ABAP.
Fixes
- Custom app logos didn't appear on the app's page. (OKTA-655724)
- This update applied general security fixes. (OKTA-690936)
- The reported results of an import varied between what was displayed when the import finished, the import summary email, and the values displayed on the Import Monitoring page. (OKTA-739010)
- The MFA Factor column in the MFA Usage report displayed the name Windows Hello (Web Authentication) for the FIDO2 (WebAuthn) factor. (OKTA-848611)
- The menu appeared to some admins who didn't have permission to view it. (OKTA-856337)
- Admins using multiple user types sometimes encountered an internal error when attempting to update an app instance. (OKTA-880825)
- The Import Monitoring page was viewable by admins who didn't have the necessary permissions. Accessing the page resulted in a 403 error. (OKTA-880835)
- Sometimes a Null Pointer Exception error occurred when performing a group push to Google Workspace. (OKTA-886861)
- Admins couldn't disable the Trust claims from this identity provider setting. (OKTA-899883)
- LDAP agents failed to parse queries when group names had special characters. (OKTA-902231)
Okta Integration Network
- AppVentory (API Service) is now available. Learn more.
- Curricula (SAML) has a new integration guide.
- Fabrix (API Service) is now available. Learn more.
- GoSearch (SCIM) now supports Group Push.
- OpenAI by Aquera (SCIM) is now available. Learn more.
- Peaxy Lifecycle Intelligence (OIDC) is now available. Learn more.
- Suger (OIDC) is now available. Learn more.
- Suger (SCIM) is now available. Learn more.
- Warp Employee Provisioning (API Service) is now available. Learn more.
Weekly Updates
2025.4.1: Update 1 started deployment on April 14
Generally Available
New look and feel in Access Requests
The Access Requests console and Okta Access Requests web app now have a new look and feel, including redesigned side and top navigation menus and the addition of a gray background. Additionally, Dark mode is no longer available for Access Requests.
Fixes
- In Preview orgs, org admins couldn't edit IdP group assignments when a super admin group was included in the group list. (OKTA-880124)
- The Edit role screen didn't always display the correct Workflow permissions. (OKTA-886964)
- Super admins saw an error when they attempted to reset a user's factors. (OKTA-890695)
- The id_token_hint parameter was exposed in the System Log. (OKTA-890738)
- When a user interacted with the Graph API in Azure Active Directory PowerShell, the activity was incorrectly logged in Office 365. (OKTA-896032)
- Users couldn't sign in to the Office 365 GCC High OIN app if it was integrated with WS-Fed. (OKTA-899506)
- On the Give access to Okta Support page, the Provide Support access for self-assigned cases section sometimes didn't display the correct cases. (OKTA-909308)
Okta Integration Network
- Adroll by Aquera (SCIM) is now available. Learn more.
- Hero (API Service) is now available. Learn more.
- Hyperproof (SCIM) is now available. Learn more.
- Microsoft Dynamics 365 BC by Aquera (SCIM) is now available. Learn more.
- ZAMP (OIDC) has additional redirect URIs.
Version: 2025.03.0
March 2025
Generally Available
Sign-In Widget, version 7.28.3 and 7.29.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta MFA Credential Provider for Windows, version 1.4.3
This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows version history.
Okta LDAP agent, version 5.23.0
This version of the agent includes security enhancements.
Discover inactive users and review admin access
You can now use preconfigured campaigns to discover inactive users who are assigned to apps and review their admin access. Preconfigured campaigns are a set of ready-to-use campaigns where Okta presets some default settings. See Access Certifications for admin roles.
Update to Access Certification reports availability
The Past Campaign Details and Past Campaign Summary reports are now available for campaigns that govern admin roles even if you're not subscribed to Okta Identity Governance.
Updated Japanese translations
The Admin Dashboard, Administrator pages, and Admin Console search now provide updated Japanese translations.
Improved group search functionality
You can now search for groups whose names or descriptions contain specified text. This makes it easier to find a group when you don't recall its exact name.
Improved user search functionality
You can now search for users whose names, email addresses, or usernames contain specified text, making it easier to do user lookups and add users to groups.
Identity Security Posture Management functionality in the OIN catalog
The Okta Integration Network page now provides Identity Security Posture Management functionality. When you select it, the OIN catalog displays only the apps with Identity Security Posture Management functionality.
Realms for Workforce
Realms allow you to unlock greater flexibility in managing and delegating the management of your distinct user populations within a single Okta org. See Manage realms.
Granular account linking for certain identity providers is GA
When admins link users from SAML and OIDC identity providers, they can now exclude specific users and admins. This improves security by allowing admins to configure granular access control scenarios. See Add a SAML Identity Provider.
OIDC identity providers now support group sync
OpenID Connect identity providers (IdPs) now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to. See Generic OpenID Connect.
Entitlement management for Microsoft Office 365
The Microsoft Office 365 app now supports entitlement management. See Apps with entitlement support.
Early Access
Entitlement support for disconnected apps
Disconnected apps are apps that aren't LCM integrated within Okta. This feature allows you to use CSV files to import users and entitlements into Okta from disconnected apps. This enables consistent governance and compliance across all apps, including those not fully integrated with Okta. See Import user entitlements from CSV.
New look and feel in the Admin Console
The Admin Console now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.
Bypass ASN binding with the Default Exempt IP Zone
The ASN binding feature associates admins with the IP address that they signed in from. If the IP changes during a session, the admin is signed out of Okta, and an event appears in the System Log. To bypass IP and ASN binding, you can add the client IP to the Default Exempt IP Zone. See IP exempt zone.
App Switcher for Okta first-party apps
The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.
New look and feel in the End-User Dashboard
The End-User Dashboard now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.
New System Log event
The policy.evaluate_sign_on event has a new DebugData item: IdpVerifiedFactorMode. This new item indicates whether a user authenticated with one or two factors with their identity provider when they signed in through a service provider. See System Log.
Enhancement to a System Log event
The IdpVerifiedFactorMode item has been added to the policy.evaluate_sign_on event. It appears when claims sharing is enabled in the org and indicates whether the identity provider verified the user's authentication factors. See System Log.
New attributes in Universal Sync
The following attributes are now supported in Universal Sync: AuthOrig, DLMemRejectPerms, DLMemSubmitPerms, and UnauthOrig.
Okta-to-Okta claims sharing enhancement
Okta-to-Okta claims sharing now supports the use of the smart card authenticator and Active Directory for Single Sign-On. This removes the need for users to authenticate with a service provider when they've already authenticated to an Okta org. See Add a SAML Identity Provider.
Fixes
- Some certificates with trailing characters were uploaded successfully despite their invalid format. (OKTA-486406)
- The consent buttons for the Office 365 and Office 365 GCC High apps didn't render correctly. (OKTA-488281)
- The Microsoft Office 365 Government - GCC High app integration didn't have the correct metadata tags. (OKTA-509443)
- Users weren't automatically confirmed when the inline hook updated conflicting appuser values during import. (OKTA-792372)
- An invalid authentication error sometimes occurred when an admin assigned users to the ShareFile app. (OKTA-850064)
- Emails intended for an unverified primary or secondary email were dropped when the Audience setting for the template was Admin only. (OKTA-852156)
- When the Send all admin emails as BCC notification setting was selected, all email recipients were sent to the To field instead of the BCC field for protected actions. (OKTA-856627)
- Some pages in the End-User Dashboard had a typo in the footer. (OKTA-877065)
- The Entitlement SAML Assertions and OIDC Claims feature wasn't available in the menu for some customers. (OKTA-880967)
- An error occurred in the Okta Provisioning Agent when trying to import users from on-premises apps through CSV files. (OKTA-880996)
- Access requests for admin role bundles weren't processed properly. (OKTA-892613)
Okta Integration Network
- Better Stack (SCIM) is now available. Learn more.
- Employment Hero by Aquera (SCIM) is now available. Learn more.
- Harriet (OIDC) is now available. Learn more.
- Harriet (SCIM) is now available. Learn more.
- HYCU R-Cloud (OIDC) is now available. Learn more.
- Kyriba By Aquera (SCIM) is now available. Learn more.
- MySQL by Aquera (SCIM) is now available. Learn more.
- ZAMP (SCIM) is now available. Learn more.
- Zoom (SAML) has updated endpoints.
Weekly Updates
2025.3.1: Update 1 started deployment on March 17
Generally Available
Sign-in Widget 7.18 for Same-Device Enrollment
If you use the Same-Device Enrollment feature in your org, the Sign-In Widget version must be 7.18 or later.
Fixes
- createdBy and lastUpdatedBy custom attributes couldn't be used in group rules. (OKTA-566492)
- Some issues occurred during the creation of Devices Assurance settings. (OKTA-603807)
- Custom admins who were limited to viewing only application group members received incomplete results when using the List All Users API without a search or filter. (OKTA-801592)
- In some orgs, unnecessary writebacks were made to Workday when a sync was performed from Okta. (OKTA-817160)
- Users who were excluded from a group rule were displayed incorrectly in the Admin Console. (OKTA-838039)
- The System Log displayed two usernames in the user.authentication.auth_via_social event when a user signed in to Okta with an identity provider in the same browser as a user who was already signed in. (OKTA-842179)
- Users authenticating to Microsoft Office 365 on macOS were matched to a rule with a Modern Authentication condition only when using the Edge browser. (OKTA-847605)
- Admins who were assigned the super admin role through group assignments couldn't run password hash exports or view the reports. (OKTA-851991)
- The MFA enrollment by user report displayed inaccurate figures for the security question factor. (OKTA-858427)
- Admins didn't receive the correct notifications when they had both role and admin email notifications selected. (OKTA-876846)
- When the Unified look and feel for Okta Admin Console feature was enabled, the Settings and Features pages didn't render correctly in the Safari browser. (OKTA-884821)
- Some users weren't able to sign in with Okta Mobile on iOS devices. (OKTA-892669)
- Admins couldn't create or edit third-party identity providers in orgs with Okta-to-Okta claims sharing enabled. (OKTA-893483)
Okta Integration Network
- Better Stack (SAML) has a new integration guide.
- Bundle by freee (SCIM) is now available. Learn more.
- Chargebee (SAML) has a new integration guide.
- Chargebee (SCIM) is now available. Learn more.
- Lobbipad (SCIM) has updated help text.
- Marfeel (OIDC) is now available. Learn more.
- Oracle Cloud Applications by Aquera (SCIM) is now available. Learn more.
2025.3.2: Update 2 started deployment on March 24
Generally Available
Fixes
- createdBy and lastUpdatedBy custom attributes couldn't be used in group rules. (OKTA-566492)
- Workday imports sometimes failed when the number of parameters sent in a query exceeded the maximum. (OKTA-819984)
- Authentication was interrupted or prevented in legacy embedded browsers due to a DNS issue. (OKTA-845120)
- Changes to the manager attribute in Workday were only reflected in Okta after a full import. (OKTA-846352)
- The MobilePhone target (the user phone number) wasn't present in the System Log when a telephony inline hook was used. (OKTA-849440)
- The View Client Credentials permission didn't appear when the App settings for custom admin roles feature was enabled. (OKTA-851994)
- AWS account federation with SWA was incompatible with the new AWS sign in page. (OKTA-856995)
- When the Enable Sync Account Information setting was disabled for a custom domain, login.okta.com still loaded iframes. (OKTA-865098)
- In Dynamic Zones, some IPs were classified incorrectly as anonymous proxies because of a misconfiguration by a third-party provider. (OKTA-867976)
- Admins couldn't increase the global session policy maximum idle time if they set it to a longer duration than the previously saved maximum session time. (OKTA-891348)
Okta Integration Network
- Attribute Dashboard (OIDC) is now available. Learn more.
- Balsamiq (SAML) has a new app name, icon, and integration guide.
- bob (SCIM, SAML) now supports sandbox environments.
- Drata (OIDC) has a new icon.
- Mighty ID (OIDC) is now available. Learn more.
- Salesloft (SAML) is now available. Learn more.
- Salesloft (SCIM) is now available. Learn more.
2025.3.3: Update 3 started deployment on March 31
Generally Available
Advanced search using conditioned profile attributes
If you have an admin role with permission conditions to access certain user profile attributes, you can now search for those users with those attributes. Note that the advanced search doesn't support the OR operator. See Permission conditions.
Fixes
- The wrong data appeared in the debug data field of the policy.rule.update System Log event. (OKTA-846160)
- Sometimes, Google Workspace licenses couldn't be edited. (OKTA-892397)
- Admins couldn't create or edit third-party identity providers in orgs with Okta-to-Okta claims sharing enabled. (OKTA-893483)
- Admins whose role had permission conditions couldn't search for users by first or last name. (OKTA-894392)
- Some text was misaligned on the page. (OKTA-897943)
Okta Integration Network
- Akitra (OIDC) is now available. Learn more.
- AppsFlyer By Aquera (SCIM) is now available. Learn more.
- Braintree (SAML) is now available. Learn more.
- Braintree (SCIM) is now available. Learn more.
- ContentHubGPT (SAML) is now available. Learn more.
- HRBrain (SAML) is now available. Learn more.
- HRBrain (SCIM) is now available. Learn more.
- Speeda Business Insights (OIDC) is now available. Learn more.
- Speeda Startup Insights (OIDC) is now available. Learn more.
Version: 2025.02.0
February 2025
Generally Available
Request expiration and enhanced notifications for Access Requests
To prevent accumulation of stale requests and improve the notification experience, Okta is making the following changes:
- New requests now automatically expire after 60 consecutive days of inactivity. Completing a task, answering a question, or leaving a message on a request resets the 60-day expiration period. Any requests created before the general availability of this feature expire after 60 days of inactivity (on or around April 7, 2025).
- Notifications about expiring requests are sent at 30 days, 5 days, and 1 day before the request expires.
- The user setting to receive daily reminders about overdue tasks and requests is no longer available. It is replaced by the new request expiration notifications.
New look and feel in Access Certifications
In Access Certifications, the Access Certification Reviews app located on your dashboard now has a new look and feel, including a restyled top navigation bar and the addition of a gray background.
New System Log attributes
The PolicyName field was added to the policy.evaluate_sign_on System Log event. This change makes it easier for admins to identify the policy that was involved in user sign-in attempts.
Updated Features page description
The Features page now provides updated information about Okta's Privacy Policy and Free Trial Services.
Delete users with granular deprovisioning in Microsoft Office 365
You can now delete users as part of the deprovisioning process in Office 365. See Deprovisioning options for Office 365.
RADIUS push notifications
The operating system is no longer included in RADIUS push notifications. Customers can contact Okta Support if they need to display this information.
Support for importing Active Directory group descriptions
The descriptions of groups sourced from Active Directory now use their description from AD. These replace any previous descriptions of AD-sourced groups in Okta, which used a pretty-printed version of the distinguished name (DN) instead.
New Hyperdrive agent version
This version includes the Microsoft Edge WebView2 control. See Okta Hyperdrive agent version history.
Polling for Agentless Desktop Single Sign-on and Integrated Windows Authentication
Agentless Desktop Single Sign-on (ADSSO) and Integrated Windows Authentication (IWA) authentication sessions now include polling to reduce the likelihood of service disruptions when bandwidth use peaks. For users authenticating with ADSSO or IWA during peak use periods, this change increases the likelihood that a server will be available to process their authentication request.
Case numbers for impersonation events
When an org grants impersonation for a support case, the case number now appears in the System Log. See Give access to Okta Support.
System Log event for public client app admins
When an admin selects the Automatically assign the super admin role to all newly created public client apps checkbox on the Account page, the System Log now records an event.
ADSSO authentication parameters
When a state token is used, Okta removes the fromURI parameter from the ADSSO authentication POST request.
Improved password reset process for Active Directory-sourced users
The password reset process now sends the password update and verification requests to the same Active Directory agent to avoid replication delay.
Role-based access control now available
As Okta Workflows can make comprehensive changes both inside Okta and out to other connected SaaS apps, access to Workflows was previously restricted to Okta super admins. While this regulation enhanced the security of Okta Workflows, it limited the number of users, restricted the scalability of Okta Workflows, and reduced overall value to customers.
With role-based access control (RBAC), you can now assign Workflows privileges to more users without granting unnecessary access.
To support this feature, three new roles are available:
- Workflows Administrator: For full-access administration within Okta Workflows only
- Workflows Auditor: For compliance management with read-only access
- Connection Manager: For securely handling accounts and credentials
RBAC allows customers to expand the use of Okta Workflows beyond super admins, enabling more team members to build, run, and manage Workflows securely and efficiently.
See Access Control.
There are four new event types that record the RBAC feature activity in the Okta System Log:
- workflows.user.role.user.add
- workflows.user.role.user.remove
- workflows.user.role.group.add
- workflows.user.role.group.remove
See the Event Types API.
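One way to use the four event types listed above in detection logic, given as an added example that is not Okta's code: it replays role add/remove events to reconstruct who currently holds a Workflows role and flags grants made by actors outside an approved list. The sample events are constructed, and the target layout (one principal entry plus one entry of type Role) and the approved-actor list are assumptions to check against real events in your org.

```python
import json

# The four Workflows RBAC event types named in the release note.
ROLE_EVENTS = {
    "workflows.user.role.user.add": ("user", "add"),
    "workflows.user.role.user.remove": ("user", "remove"),
    "workflows.user.role.group.add": ("group", "add"),
    "workflows.user.role.group.remove": ("group", "remove"),
}


def _sample(ts, event_type, actor, ptype, principal, role, result="SUCCESS"):
    """Build one constructed event. The target layout here is an assumption."""
    return json.dumps({
        "published": ts,
        "eventType": event_type,
        "actor": {"alternateId": actor},
        "outcome": {"result": result},
        "target": [
            {"type": ptype, "alternateId": principal},
            {"type": "Role", "displayName": role},
        ],
    })


# Constructed sample export, one JSON event per line, deliberately out of order
# and containing an unrelated event, a failed grant and a malformed line.
SAMPLE_LOG = "\n".join([
    _sample("2025-02-12T08:00:00.000Z", "workflows.user.role.user.remove",
            "admin1@example.com", "User", "alice@example.com", "Workflows Administrator"),
    _sample("2025-02-10T09:00:00.000Z", "workflows.user.role.user.add",
            "admin1@example.com", "User", "alice@example.com", "Workflows Administrator"),
    _sample("2025-02-10T09:05:00.000Z", "workflows.user.role.group.add",
            "admin1@example.com", "UserGroup", "Automation Team", "Workflows Auditor"),
    _sample("2025-02-11T14:30:00.000Z", "workflows.user.role.user.add",
            "contractor@example.com", "User", "bob@example.com", "Connection Manager"),
    _sample("2025-02-11T15:00:00.000Z", "workflows.user.role.user.add",
            "admin1@example.com", "User", "carol@example.com", "Workflows Administrator",
            result="FAILURE"),
    json.dumps({"published": "2025-02-11T16:00:00.000Z", "eventType": "user.session.start"}),
    "not json",
])


def parse_role_events(text):
    """Return the Workflows role events in the export, oldest first."""
    events = []
    for line in text.splitlines():
        try:
            raw = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed lines rather than abort
        if not isinstance(raw, dict) or raw.get("eventType") not in ROLE_EVENTS:
            continue
        kind, action = ROLE_EVENTS[raw["eventType"]]
        targets = raw.get("target") or []
        events.append({
            "published": raw.get("published", ""),
            "kind": kind,
            "action": action,
            "actor": (raw.get("actor") or {}).get("alternateId"),
            "principal": next((t.get("alternateId") for t in targets
                               if t.get("type") != "Role"), None),
            "role": next((t.get("displayName") for t in targets
                          if t.get("type") == "Role"), None),
            "success": (raw.get("outcome") or {}).get("result") == "SUCCESS",
        })
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    return sorted(events, key=lambda e: e["published"])


def current_assignments(events):
    """Replay successful add/remove events into {(kind, principal): {roles}}."""
    held = {}
    for e in events:
        if not e["success"]:
            continue  # a failed grant or removal changes nothing
        key = (e["kind"], e["principal"])
        if e["action"] == "add":
            held.setdefault(key, set()).add(e["role"])
        elif key in held:
            held[key].discard(e["role"])
            if not held[key]:
                del held[key]
    return held


def unapproved_grants(events, approved_actors):
    """Role grants (attempted or successful) by actors outside the approved set."""
    return [e for e in events
            if e["action"] == "add" and e["actor"] not in approved_actors]


if __name__ == "__main__":
    evts = parse_role_events(SAMPLE_LOG)
    print(current_assignments(evts))
    for e in unapproved_grants(evts, {"admin1@example.com"}):
        print("REVIEW:", e["published"], e["actor"], "->", e["principal"], e["role"])
```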
Early Access
Authentication claims sharing between Okta orgs
Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Add a SAML Identity Provider.
On-prem Connector for SAP Netweaver ABAP
On-prem Connector for SAP NetWeaver ABAP provides an out-of-the-box solution that connects SAP on-premises apps with Okta Identity Governance. It enables the discovery, visibility, and management of SAP entitlements (roles) directly in Okta. This integration enhances security, saves time, and simplifies governance by eliminating the need for custom integrations and by streamlining entitlement management. See On-prem Connector for SAP Netweaver ABAP.
Step-up authentication for updating policies
Okta prompts for step-up authentication when admins perform protected actions in the Admin Console, like updating sign-on policies. The changes are only allowed after the admin authenticates successfully. This feature enhances org security by allowing admins to require MFA before performing protected actions. See Protected actions in the Admin Console.
Fixes
- A warning banner was incorrectly displayed during the WS-Federation setup, even though the setup was completed successfully. (OKTA-807313)
- In Org2Org configurations where Okta is the source org, passwords weren't synced after the user signed in using a newly reset password. (OKTA-833862)
- When employees were imported into SuccessFactors, past employment records were imported instead of current records. (OKTA-844570)
- When a custom domain was deleted or its enrollment was reset, the resulting email confirmation had a broken link and no branding. (OKTA-848261)
- Users couldn't sign in to their org after certain policies were deleted. (OKTA-856596)
- Microsoft's MSOL deprecation testing triggered the last remaining MSOL call in Okta's Office 365 provisioning, resulting in a failure to synchronize user attributes. (OKTA-870164)
Okta Integration Network
- Calendly by Aquera (SCIM) is now available. Learn more.
- Payflows has an additional SAML attribute.
- SAP ERP by Aquera (SCIM) is now available. Learn more.
- SAP HANA Provisioning Connector by Aquera has a new display name.
Weekly Updates
2025.2.1: Update 1 started deployment on February 18
Generally Available
New On-Prem MFA agent version
Version 1.8.1 of the On-Prem MFA agent is now available. This version includes security enhancements.
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 12, 13, 14, 15 security patch 2025-02-05
- iOS 18.3
- macOS Ventura 13.7.3
- macOS Sonoma 14.7.3
- macOS Sequoia 15.3
- Windows 10 (10.0.17763.6775, 10.0.19044.5371, 10.0.19045.5371)
- Windows 11 (10.0.22621.4751, 10.0.22631.4751, 10.0.26100.2894)
New System Log event for third-party identity verification
The event type user.identity_verification is triggered when a request is sent to a third-party service for user identity verification as a result of an Okta Account Management Policy (OAMP) evaluation.
Fixes
- When the third-party admin status was granted or revoked from an admin or group, the System Log didn't record an event. (OKTA-823842)
- In the Admin Console, updates in the code editor that Okta couldn't parse returned a 500 Internal Server Error. (OKTA-837068)
- Users whose account had a password expired status couldn't be added as group owners. (OKTA-846195)
- Admins without proper permissions were able to view the Import Monitoring report. (OKTA-850050)
- NORDLAYER_VPN was incorrectly announced as a supported IP service category in enhanced dynamic zones. (OKTA-857826)
- AMR values weren't forwarded to the app when a user signed in and Okta-to-Okta claims sharing was configured. (OKTA-860242)
- The help link for the Okta-to-Okta claims sharing feature was missing. (OKTA-860321)
Okta Integration Network
- ADP Recruiting Management by Aquera (SCIM) is now available. Learn more.
- Console (API Service) is now available. Learn more.
- Console (OIDC) is now available. Learn more.
- Dayforce by Aquera (SCIM) now has additional use cases.
- Microsoft SQL Server by Aquera (SCIM) now has additional use cases.
- Neowit (SAML) is now available. Learn more.
- Neowit (SCIM) is now available. Learn more.
- NordPass (OIDC) is now available. Learn more.
- QuickBooks Online by Aquera (SCIM) now has additional use cases.
- Redshift by Aquera (SCIM) now has additional use cases.
- Subble (API Service) is now available. Learn more.
- Symantec ZTNA (SAML) is now available. Learn more.
- Udemy Business (SAML) is now available. Learn more.
2025.2.2: Update 2 started deployment on February 24
Fixes
- Okta LDAP agent installation failed when using an inactive LDAP instance. (OKTA-467846)
- When an admin tried to use a feature that wasn't enabled in their org, a long error message appeared instead of a 403. (OKTA-733031)
- When the third-party admin status was granted to or revoked from an admin or group, the System Log didn't record an event. (OKTA-823842)
- In orgs with the Okta account management policy enabled, federated users who successfully completed self-service account unlock still couldn't sign in. (OKTA-839418)
- The contains operator sometimes gave unclear error messages when using less than 3 characters or with other operators. (OKTA-846206)
- Full imports from LDAP sometimes failed due to a timeout. (OKTA-849200)
- Users weren't prompted for multifactor authentication when the Sessions API was used to create sessions. (OKTA-858391)
- Some endpoints didn't block access to external redirect URLs. (OKTA-860388)
- When the Okta account management policy was enabled, some users who navigated to the End User Settings page were redirected to their Okta Dashboard. (OKTA-864257)
- Admins couldn't retrieve more than five entitlement SAML assertions and OIDC claims when configuring apps. (OKTA-865900)
- Users were incorrectly prompted for multifactor authentication in org-to-org chains with the Trust claims from IDP option enabled. (OKTA-866178)
Okta Integration Network
- AWS S3 by Aquera (SCIM) is now available. Learn more.
- Clutch Security (API Service) is now available. Learn more.
- Datadog (SCIM) now supports group push.
- Oracle Database by Aquera (SCIM) is now available. Learn more.
- Perimeter 81 (SAML/SCIM) has a new icon, display name, and description.
2025.2.3: Update 3 started deployment on March 3
Fixes
- In Dynamic Zones, some IPs were classified incorrectly as anonymous proxies because of a misconfiguration by a third-party provider. (OKTA-864349)
- The System Log didn't display accurate client IP address data for refresh requests from first-party apps. (OKTA-864998)
Okta Integration Network
- Chaos (OIDC) is now available. Learn more.
- Chaos (SCIM) is now available. Learn more.
- Jobvite by Aquera (SCIM) is now available. Learn more.
- Lifebalance Program (OIDC) has a new Redirect URI.
- Lobbipad (OIDC) is now available. Learn more.
- Lobbipad (SCIM) is now available. Learn more.
- narrativ.ai (OIDC) is now available. Learn more.
- NordPass (OIDC) has a new Redirect URI.
- Okta ISPM (API Service) now has the okta.roles.read and okta.factors.read scopes.
- Relvy AI (OIDC) is now available. Learn more.
- Zoom (SAML) now has configurable ACS and Audience URLs.