Okta Classic Engine release notes (Production)

Version: 2025.10.0

October 2025

Generally Available

Okta Active Directory Password Sync agent, version 1.7.0

This version of the agent includes security enhancements.

New look and feel for delegated flows

On the Delegated flows page, the buttons, modals, and input fields have been redesigned for a better user experience. See Delegated flows.

Euskara (Basque) language translations for end users

In the End-User Dashboard, users can now set the display language to Euskara (Basque). When they select a language, the end-user experience, including when a user signs in, is translated accordingly. See Supported display languages.

New VPN service for enhanced dynamic zones

The SURF_EASY_VPN is now supported as an individual VPN service category in enhanced dynamic zones. See Supported IP service categories.

Error message update

The error message text that appears when activating a group rule that has an invalid expression has been updated to include the reason for the failure, making it easier to troubleshoot.

Create user permission conditions

You can now add conditions to the Create user permission for custom admin roles, applicable to both realm-enabled orgs and those without realms. See Permission conditions.

User status in Okta Expression Language

You can now reference User Status in the Okta expression language. Group Rules can leverage user statuses to drive group membership.

SharePoint On-Premises integration supports SHA-256

SharePoint integrations (WS-Fed) now use SHA-256 for signing the authentication token.

Group Push Linking for Microsoft Office 365

The Group Push feature in the Microsoft Office 365 integration has been enhanced to link existing Okta groups with existing Entra groups.

This change establishes Okta as the single source of truth for group membership. Once linked, the membership changes made in Okta are pushed automatically, ensuring consistency and seamless access control.

Supporting additional attributes in O365's Universal Sync provisioning

To enable seamless access to Kerberos resources through Windows Hello for Business and to help you manage data based on geographies, Okta now supports four additional attributes in O365's Universal Sync provisioning.

  • onPremisesSamAccountName
  • onPremisesDomainName
  • onPremisesUserPrincipalName
  • PreferredDataLocation

Okta Integration IdP type

The Okta Integration IdP allows you to use an Okta org as an external IdP, simplifying configuration and providing secure defaults. See Add an Okta Integration Identity Provider.

Behavior Detections for new ASN

The error message text that appears when activating a group rule that has an invalid expression has been updated to include the reason for the failure, making it easier to troubleshoot.

Early Access

Fixes

  • Sometimes, inactive apps that had provisioning enabled sent deprovisioning calls to downstream apps. (OKTA-930436)

  • Sometimes, users who were assigned an app were unable to view or access the app on their End-User Dashboard. (OKTA-985663)

  • SAML assertions were encrypted if they included the oktaAuthPayload parameter even though encryption wasn't enabled on the app. (OKTA-998820)

  • In some orgs with the Unified claims generation for Okta-protected SAML and OIDC custom app integrations early access feature enabled, users were unable to use the dropdown menus in the Attribute Statements > Show legacy configuration section of the app page. (OKTA-1010898)

  • In orgs with Japanese translations, untranslated text appeared on the Active Directory Policy page. (OKTA-1029000)

Okta Integration Network

  • Paychex Online was updated.

  • Ravenna is now available (API Service Integration). Learn more.

  • zkipster was updated.

Doc Updates

Okta Aerial documentation

Documentation for Okta Aerial has been added to Okta Documentation with the following updates:

  • Aerial card added to the home page.
  • Aerial option added to Documentation dropdown list.
  • Aerial release notes added to Release notes dropdown list.

Okta Aerial allows you to manage multiple Okta orgs from a single, centralized account. The Aerial account lives outside of your other orgs and can manage any Production or Preview org that's linked to the Aerial account. Each Aerial account has a dedicated Aerial org where you can invite Aerial admins who can request and be granted access to connected orgs in your environment. See Okta Aerial.

Weekly Updates

2025.10.1: Update 1 started deployment on October 13

Generally Available

Recent searches displayed in search field

Now when you select the Admin Console search field, a list of your recent searches appears. This helps you quickly find the users, apps, and groups that you frequently search for.

New IP service categories supported

There are new IP service categories for network zones supported by Okta. See Supported IP service categories for a complete list.

Fixes

  • When users accessed the Microsoft ADFS app and authenticated with Okta Verify, the System Log didn't show the app name in the Targets column. (OKTA-906244)

  • The System Log didn't display failed authentication attempts when they were initiated from SAML apps with external IdPs. (OKTA-1014150)

  • In orgs with JIT enabled, staged Active Directory (AD) users were prompted to change their password even it wasn't required by their org's AD password policy. (OKTA-1020693)

  • Sometimes multiple duplicate group.user_membership.remove System Log events were fired when a user was removed from a group. (OKTA-1031604)

  • When the AD DirSync feature was enabled but not configured, AD group membership removals weren't reflected in Okta following an incremental import. (OKTA-1040614)

Okta Integration Network

  • Exaforce has a new integration guide and additional use cases.

  • Ravenna is now available (API Service Integration). Learn more.

  • Grafana Labs is now available. Learn more.

  • Realty.com Portal (OIDC) is now available. Learn more.

  • Realty.com Portal (SCIM) is now available. Learn more.

Version: 2025.09.0

September 2025

Generally Available

Office 365 License and Roles Management now supports sync entitlements

Sync entitlements are now supported for the Office 365 License and Roles Management provisioning type in orgs with Identity Governance enabled.

Improved user experience for Access Requests

The access request details page has been improved to provide more visibility on tasks assigned approvers and answers submitted by requesters. If you integrated Slack or Teams with Access Requests, similar changes have been made to the access request message that approvers receive. Additionally, the email notification sender's name and address have been changed. The sender's name is Okta Access Requests and the email address is noreply@at.okta.com.

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 3.0.3 and Okta Provisioning agent SDK 2.4.0 are now available. These releases contain bug fixes and minor improvements.

Nonce rollout for Content Security Policy

Okta is rolling out nonces for the style-src directive of the Content Security Policy for every endpoint that returns html content. This is a two stage process: first, the nonce is added to the Content-Security-Policy-Report-Only header style-src directive; later, after any unsafe inline instances are identified and fixed, the nonce is added to the Content-Security-Policy header style-src directive. This update will be gradually applied to all endpoints.

These updates will be applied to Okta domains and custom domain pages that aren't customizable by admins (for example, sign-in pages, and error pages on custom domains). See Customize an error page.

Export Admin Console reports in GZIP format

You can now export most Admin Console reports in GZIP format, in addition to the existing CSV format. GZIP exports have a higher row limit (30 million) and a smaller file size.

Breached Credentials Protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.

This feature is following a slow rollout process.

IWA agent, version 1.18.0

This version of the agent contains security enhancements. See Okta SSO IWA Web App version history.

Assigning/revoking an admin role is a protected action

Now when an admin assigns or revokes an admin role from a user, they're prompted for additional authentication. See Protected actions in the Admin Console.

Admin Console Realm updates

The hint text for the Realm dropdown on the Add User form has been updated to provide clearer instructions.

Secure Identity Integrations filters in the OIN catalog

The Browse App Integration Catalog page now provides three new Secure Identity Integrations checkboxes: Secure Identity Integrations - Fundamental, Secure Identity Integrations - Advanced, and Secure Identity Integrations - Strategic. When you select one, the OIN catalog displays only the apps with that specific functionality.

LDAP Interface OIDC app

LDAP Interface now has an app sign-in policy that only enforces password. This only applies to Okta orgs without a prior LDAP interface setup. For orgs with an existing LDAP interface setup, global session policies still control LDAP Interface authentication policies. See Set up and manage the LDAP Interface. The session length for OpenID Connect (OIDC) connections is now limited to one hour. After the session expires, a new BIND operation is required to continue performing SEARCH queries on the same connection. You may need to update existing scripts to account for this enforced session length.

Map unknown platform to desktop

Okta now maps unrecognized platform conditions to Other desktop. Previously, unrecognized platform conditions matched correctly only when all six platform conditions (iOS, Android, Other mobile, Windows, macOS, and Other desktop) were selected in the app sign-on policy.

Child Domain Authentication for Office 365 WS-Federation

Office 365 WS-Federation automatic configuration now supports child domain authentication. See Federate multiple Office 365 domains in a single app instance.

App Switcher for Okta first-party apps

The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.

Early Access

Anything-as-a-Source for groups and group memberships

Anything-as-a-Source (XaaS) capabilities allow customers to use a custom identity source with Okta. With XaaS, customers can connect custom HR apps or custom databases to source users into Okta's Universal Directory.

This release offers XaaS capabilities with groups and group memberships, allowing customers to start sourcing groups with XaaS. Okta now enables creating and updating users, creating and updating groups, and managing group memberships into Okta's Universal Directory from any identity source using XaaS APIs. See Anything-as-a-Source.

Fixes

  • When a user signed in to a custom domain and then clicked Admin in the App Switcher, they were sometimes presented with the wrong sign-in flow. (OKTA-1014174)

Okta Integration Network

  • AmexGBT Egencia has a new app name, icon, and SAML Integration guide. Learn more.

  • ZAMP (OIDC) has two new redirect URIs. Learn more.

  • Harmony (API Service Integration) is now available. Learn more.

  • Shift Security (API Service Integration) is now available. Learn more.

  • Teem Finance (OIDC) is now available. Learn more.

  • Island (Universal Logout) is now available. Learn more.

  • CloudEagle (API Service Integration) was updated.

  • Bruin was updated.

  • EventNeat (OIDC) is now available. Learn more.

  • AdvancedMD was updated.

  • Nuclei (OIDC) is now available. Learn more.

  • FloQast (SCIM) is now available. Learn more.

  • Astrix Security Monitoring (API Service Integration) is now available. Learn more.

  • Scrut Automation (OIDC) has a new Redirect URI.

  • Canva (SWA) was updated.

  • eSignon (SAML) is now available. Learn more.

  • eSignon (SCIM) is now available. Learn more.

  • AmexGBT Egencia (SCIM) is now available. Learn more.

Weekly Updates

2025.9.1: Update 1 started deployment on September 29

Generally Available

Enhanced protection for Google group imports

A safeguard has been added to prevent accidental data loss during group imports from Google. When a large volume of group deletions is detected, the import is stopped to protect against importing bad data.

Removed delegate self-approval for Access Requests

Delegates can no longer approve requests made on their behalf, ensuring proper separation of duties.

Okta Provisioning agent SDK, version 3.0.3

This release contains security enhancements and support for JDK 17. See Okta Provisioning agent and SDK version history.

New functionality filters in the OIN

The Browse App Integration Catalog page now provides Cross App Access and Privileged Access Management functionality filters. The new filters help admins quickly find Cross App Access- and Privileged Access Management-enabled apps in the OIN.

Fixes

  • If an admin had a browser extension that used the postMessage API, they sometimes saw an error when they performed a protected action. (OKTA-1001437)

  • When a user signed in to a custom domain and then clicked Admin in the App Switcher, they were sometimes presented with the wrong sign-in flow. (OKTA-1014174)

  • Identity Engine upgrade emails weren't translated into the org's display language. (OKTA-1016747)

Okta Integration Network

  • MIND (API Service Integration) is now available. Learn more.

  • Frame Security Platform Connector (API Service Integration) is now available. Learn more.

  • Fabrix Smart Actions (API Service Integration) is now available. Learn more

2025.9.2: Update 2 started deployment on October 6

Okta Provisioning agent SDK, version 3.0.3

This release contains security enhancements and support for JDK 17. See Okta Provisioning agent and SDK version history.

Certificate revocation list is deprecated

The Cache CRL for configuration option has been removed. Okta now manages the certificate revocation list cache for you.

Fixes

  • Sometimes resetting a user name for an app user failed. (OKTA-963368)

  • Some SAML apps with password synchronization enabled didn't appear on the End-User Dashboard. (OKTA-968243)

  • Group push errors sometimes appeared for apps that had provisioning disabled. (OKTA-983336)

  • Okta admins with custom admin roles couldn't confirm the assignment for an imported user. (OKTA-988692)

  • The Profile EditorUsers page didn't render correctly for some users. (OKTA-990194)

  • The System Log entry for Email Domains update operations was missing the change details for username and the domain display name. (OKTA-997246)

  • During AD and LDAP imports, group membership processing missed some updates. (OKTA-1007037)

  • Admins couldn't assign people or groups to PagerDuty when Identity Governance was enabled. (OKTA-1007080)

  • When DirSync was enabled, users located in containers had their common name (CN) changed to an invalid value. (OKTA-1007911)

  • When a user signed in to a custom domain and then clicked Admin in the App Switcher, they were sometimes presented with the wrong sign-in flow. (OKTA-1014174)

  • When Governance Engine was enabled for Zoho Mail + Actions, importing users failed. (OKTA-1015810)

  • The If no match is found option for non-JIT provisioning, account-linking OIDC IdPs was incorrectly labeled as Redirect to Okta sign-in page. (OKTA-961757)

  • Users with custom admin roles saw a Create Token button on the SecurityAPI page, even though they didn't have the required permissions. (OKTA-976743)

  • When an error was encountered during a group push event, the system incorrectly reported that the failed operation would be automatically retried. (OKTA-1017493)

  • In the Profile Editor, the checkbox for an enum property with a default value was displayed as unselected after a page refresh, even when the property's default value had been chosen. (OKTA-1020672)

  • Some users incorrectly received an "Invalid Phone Number" error when they enrolled a phone authenticator. (OKTA-1024021)

Okta Integration Network

  • Employment hero was updated.

  • Notion was updated.

  • Briefly AI has updated the ACS, Audience URLs, and Attribute Statements.

  • Verizon MDM is now available {API Service Integration}. Learn more.

Version: 2025.08.0

August 2025

Generally Available

Sign-In Widget 7.34.0

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Okta On-Prem MFA agent version 1.8.5

This version includes security enhancements.

New password expiration message

The Breached Credentials Protection feature now displays a more intuitive error message to users whose passwords have expired.

Okta Provisioning agent, version 3.0.2

Okta Provisioning agent 3.0.2 is now available. This release of the Okta Provisioning agent uses OAuth 2.0 for authorization and OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to securely communicate with Okta. Agents are now registered through the OAuth 2.0 device registration flow and operate independently from the account used to register them. This release also uses UTC time as the default for meta.lastModified timestamps and includes security enhancements and bug fixes. See Okta Provisioning agent and SDK version history.

Okta Active Directory agent, version 3.21.0

This release includes general enhancements, branding updates, and bug fixes. See Okta Active Directory agent version history.

OAuth 2.0 provisioning for Org2Org with Autorotation

Admins deploying multi-org architectures (for example Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Autorotation for Org2Org app provisioning directly from the Admin Console.

See Integrate Okta Org2Org with Okta.

Define default values for custom user attributes

Admins can now define default values for custom attributes in a user profile. If you set a custom attribute to be unique, then the default value is automatically set to null (as opposed to an empty string). See Add custom attributes to an Okta user profile.

Expanded use of user.getGroups() function in Okta Expression Language

Admins can now use the user.getGroups() function across all features that support Expression Language. See Group functions for more information.

Auto-confirm for CSV imports

When Identity Governance is enabled and admins use CSV Import with entitlements, auto-confirm is enabled on exact email matches.

Identity Governance user entitlements import limit increased

The maximum number of user entitlements that can be imported from CSV has been increased to 25,000. See Import user entitlements from CSV.

License grouping UI improvement

Microsoft O365 licenses are now grouped under Primary Licenses in the assignment tab for users and groups. Licenses are displayed as collapsed dropdown menus with only primary license name visible. Expanding the dropdown menu displays all sub-licenses under it.

New custom attributes for profile sync provisioning

Profile sync provisioning now supports several custom attributes for Office 365. See Supported user profile attributes for Office 365 provisioning.

Custom profile attributes for OIDC apps

Admins can now add custom profile attributes to OIDC apps in JSON format. See Configure profile attributes for OIDC apps.

Web app integrations now mandate the use of the Authorization Code flow

To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See Build a Single Sign-On (SSO) integration.

Early Access

Provisioning for Oracle Human Capital Management

Provisioning is now available for the Oracle Human Capital Management app integration. When you provision the app, you can enable security features like Entitlement Management, Privileged Access, and more. See Oracle Human Capital Management.

Unified claims generation for custom apps

Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.

Governance delegates

Super admins and users can assign another user as a delegate to complete governance tasks for them. Governance tasks include access certification campaign review items and access request approvals, questions, and other tasks. After a delegate is specified, all future governance tasks (access request approvals and access certification reviews) are assigned to the delegate instead of the original approver or reviewer. This helps ensure that governance processes don't stall when approvers are unavailable or tasks need to be rerouted to a different stakeholder for a long period. It also reduces the time spent in reassigning requests and reviews manually. See Governance delegates.

Multiple active IdP signing certificates

Okta now supports multiple active signing certificates for a single SAML identity provider (IdP), enabling seamless certificate rotation with zero downtime. Admins can upload up to two certificates per IdP connection. This improvement eliminates the need for tightly coordinated swaps with IdP partners and reduces the risk of authentication failures due to expired certificates. The feature is available for both the Admin Console and the IdP Certificates API.

JSON Web Encryption of OIDC ID Tokens

You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.

App Switcher for Okta first-party apps

The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.

Fixes

  • When an admin performed an incremental import using the Okta Provisioning agent, the last.modified timestamp was in the local time zone rather than the expected UTC. (OKTA-908307)

  • Admins couldn't always reactivate an app, even when there were active instances of that same app. (OKTA-944775)

  • After a reviewer approved or revoked a review item, the value for the campaignItemRemediationStatus System Log event incorrectly displayed NONE. (OKTA-950851)

  • When conditions were removed from a groups resource, admins who were assigned the resource set couldn't add groups. (OKTA-961708)

  • On the Edit role page, the Role description field displayed the Role name value. (OKTA-984100)

  • In orgs with the Breached Credentials Protection feature enabled, the wrong password expiration date was displayed to some users. (OKTA-984104)

  • When an admin assigned a group to an app, the resulting System Log event was incomplete. (OKTA-985709)

Weekly Updates

2025.8.1: Update 1 started deployment on August 18

Fixes

  • Sometimes admins could assign themselves as approvers for their own access requests.

  • When an admin edited a resource set, the event didn't appear in the Admin changes section on the Administrators page. (OKTA-817804)

  • Admins couldn't publish customized sign-in and error pages, and some users saw default sign-in and error pages instead of previously published customized ones. (OKTA-838267)

  • An error was intermittently returned when attempting to add a new sign-in redirect URI to an existing OIDC app. (OKTA-892769)

  • Notification emails for AD and LDAP agent upgrades included sections for updated agents when none existed. (OKTA-958346)

  • Okta didn't migrate customer-provided certificates to Okta-managed ones. (OKTA-959003)

  • Custom admins with privileges for customizing domains didn't see the Edit menu item on the Domains tab of a brand page. (OKTA-974191)

  • When LDAP instances were either deactivated or reactivated, the associated LDAP agents remained in their current state. (OKTA-990260)

  • The LDAP interface app showed an Okta IP address instead of the requester's original IP address, leading to authentication failure. (OKTA-991371)

  • Some users were redirected to the wrong IdP after their org's routing rules were updated. (OKTA-992475)

  • Some users who enabled the Early Access feature Unified claims generation for Okta-protected SAML and OIDC custom app integrations saw an error when they tried to add custom claims to an app integration. (OKTA-997102)

  • An error message appeared to super admins when they tried to configure the custom OTP authenticator, and the authenticator didn't appear on the Authenticators page. (OKTA-997916)

Okta Integration Network

  • Prowler (Prowler SaaS) has a new display name.

  • Ethos has a new Redirect URI.

  • Prowler Cloud (SAML) is now available. Learn more.

  • 1VALET was updated.

  • Adobe Enterprise (SWA) was updated.

  • Adobe (SWA) was updated.

  • Apple store for Business (SWA) was updated.

  • Paycor (SWA) was updated

  • National Car Rental (SWA) was updated.

  • Marriott Hotels (SWA) was updated.

  • Desana has a new icon.

  • Console updated with a new redirect URI and icon (OIDC). Learn more.

  • FORA was updated.

  • Approveit (SAML) is now available. Learn more.

  • Bing Webmaster (SWA) was updated.

  • Reward Builder is now available. Learn more.

  • Staircase AI (SCIM) now supports the EU region.

2025.8.2: Update 2 started deployment on August 25

Fixes

  • When an app was deleted, group push rules weren't deleted and would sometimes trigger erroneous System Log entries. This fix will be slowly made available to all orgs. (OKTA-881642)

  • When a group push failed due to a rate limit being exceeded, a System Log event was logged and marked with success instead of an error. (OKTA-952427)

  • App groups weren't fully deleted after a successful DELETE API call and could still be found by their ID. This fix will be slowly made available to all orgs. (OKTA-972614)

  • Custom admins with privileges for customizing domains didn't see the Edit menu item on the Domains tab of a brand page. (OKTA-974191)

  • When an admin triggered a password reset for a user who was concurrently also being provisioned in AD or LDAP, the user's status was discarded. This fix will be slowly made available to all orgs. (OKTA-982286)

  • When multiple signing certificates were configured for an IdP, and the certificates were invalid, the System Log didn't display information about which certificate failed to validate. (OKTA-987881)

  • Some user-provided passwords that didn't meet the configured strength requirements accepted by Okta. (OKTA-988423)

  • On the People page in the Admin Console, the Suspended status was incorrectly categorized as Inactive. (OKTA-990078)

  • Some users were redirected to the wrong IdP after their org's routing rules were updated. (OKTA-992475)

  • Okta couldn't send emails from orgs with custom SMTP server configurations. (OKTA-1003170)

Okta Integration Network

  • Exaforce has a new app icon.

  • DMARCwise (SAML) is now available. Learn more.

  • WMSPanel (OIDC) is now available. Learn more.

  • Giftsenda (SAML) is now available. Learn more.

2025.8.3: Update 3 started deployment on September 2

Fixes

  • When an admin generated a preview of a telephony inline hook request, a default user locale was always returned in the JSON preview, even if the user profile had a different locale. (OKTA-799466)

  • In the Admin Console, the "Active Directory groups in Okta that have been deleted in Active Directory will be removed from Okta only during full imports" text wasn't correctly translated to Japanese. (OKTA-963124)

  • Some group members weren't granted access to the correct group-assigned apps. (OKTA-964259)

  • When an AD or LDAP import failed due to an incorrect result size, the system indicated that a Reset Batch Import (RBI) would re-run, no RBI was performed. (OKTA-986331)

  • Profile sources weren't properly shown in the Realms tab of the Admin Console if Google Workspace was set up as a profile source. (OKTA-991246)

  • When users closed their browser while signed in to Okta as an admin, and then signed back in as an end user, the End User Dashboard still displayed the admin account's email, apps, and the Admin button. (OKTA-992351)

  • When admins tried to add or edit enum attributes in the profile editor, there wasn't an option to skip defining a default value. (OKTA-1002231)

Okta Integration Network

  • Foqal (API Service Integration) is now available. Learn more.

  • Udemy Business (SAML) is now available. Learn more.

  • Salto (Universal Logout) is now available. Learn more.

  • Cerby (Universal Logout) is now available. Learn more.

  • Sansan has an updated description.

  • Template SAML 2.0 App (Deprecated) (SAML) is now available. Learn more.

  • Employment hero was updated.

  • Availity was updated.

  • Overdrive by Mike Albert (OIDC) is now available. Learn more.

  • DraftPilot (OIDC) is now available. Learn more.

  • DraftPilot (SCIM) is now available. Learn more.

  • 1Password Business was updated.

  • Udemy Business (SCIM) is now available. Learn more.

2025.8.4: Update 4 started deployment on September 8

Documentation updates

Changes to the existing Access Certification documentation

The existing Get started with Access Certifications topic and the Review campaigns topic section have been relocated to the Campaigns section.

Fixes

  • Read-only admins with the View roles, resources, and admin assignments custom role permission couldn't run the admin role assignments report. (OKTA-719485)

  • System Logs displayed an incorrect user ID for failed LDAP interface authentication. (OKTA-869548)

  • The number of group push errors displayed on the main dashboard of the Admin Console was different than the number displayed on the Tasks page. (OKTA-885883)

  • Custom email previews didn't display the logo correctly. (OKTA-899903)

  • When an admin performed an incremental import using the Okta Provisioning agent, the last.modified timestamp was in the local time zone rather than the expected UTC. (OKTA-908307)

  • When an admin changed the O365 provisioning from User Sync to Profile Sync, the mail attribute synced data incorrectly. (OKTA-970525)

  • This update includes security enhancements. (OKTA-998757)

  • The search results cleared when users refreshed the resource catalog on the End-User Dashboard after searching for an item. (OKTA-1006498)

Okta Integration Network

  • Iterate now supports IdP-initiated SSO flows.

  • MODocs AI (OIDC) is now available. Learn more.