Production release notes

| | Current | Upcoming |
|---|---|---|
| Production | 2023.01.2 | 2023.02.0 Production release is scheduled to begin deployment on February 13 |
| Preview | 2023.01.2 | 2023.02.0 Preview release is scheduled to begin deployment on February 8 |

January 2023
2023.01.0: Monthly Production release began deployment on January 17
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Improvements to the self-service registration experience
Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user’s email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide. This feature is currently enabled by default for new orgs only.
Revoke user sessions
Admins can end all Okta sessions for an end user when resetting their password. This option protects the user account from unauthorized access. If policy allows, Okta-sourced end users can choose to sign themselves out of all other devices when performing self-service password reset or resetting their passwords in Settings. See Revoke all user sessions. This feature is now enabled by default for all orgs.
Directory Debugger for Okta AD and LDAP agents
Admins can now enable the Directory Debugger to provide Okta Support with access to Okta AD and LDAP agent diagnostic data. This new diagnostic and troubleshooting tool accelerates issue resolution by eliminating delays collecting data and improves communication between orgs and Okta. See Enable the Directories Debugger. This feature is being re-released.
Non-associated RADIUS agents deprecated
Access for RADIUS agents that have not been associated with an application has now been disabled. See RADIUS integrations.
Unusual telephony requests blocked by machine-learning measures
SMS and voice requests are now blocked if an internal machine-learning-based toll fraud and abuse-detection model considers the requests unusual. Telephony requests that are blocked by the machine-learning model have a DENY status in the System Log.
Enhancements
View last update info for app integrations and AD/LDAP directories
Admins can view the date an app integration was last updated by going to Applications > Applications and selecting the integration. They can view the date an AD/LDAP directory integration was last updated by going to Directory > Directory Integrations and selecting the integration.
Internet Explorer 11 no longer supported
A new banner has been added to the End-User Dashboard to notify Internet Explorer 11 users that the browser is no longer supported.
MFA report column selection
In the MFA Enrollment by User report, you can now choose which columns to hide or show in the data table. See MFA Enrollment by User report.
Early Access Features
New Features
Enhanced Admin Console search
The Admin Console search now displays your search results in a user-friendly drop-down list. The list provides Top results, People, Apps, and Groups filters so you can quickly and easily find what you’re looking for. See Admin Console search.
Optional consent settings for OAuth 2.0 scopes
OAuth 2.0 Optional Consent provides an Optional setting that enables a user to opt in or out of an app's requested OAuth scopes. When Optional is set to true, the user can skip consent for that scope. See Create API access scopes.
Enhancements
AWS region support for EventBridge Log Streaming
EventBridge Log Streaming now supports all commercial AWS regions.
Fixes
General Fixes
OKTA-437264
The HEC Token field wasn't displayed correctly in the Splunk Cloud Log Stream settings.
OKTA-454996
Some users were able to access apps on non-managed devices.
OKTA-519198
Groups and apps counts displayed on the Admin Dashboard weren't always correct.
OKTA-543969
Accented characters were replaced with question marks in log streams to Splunk Cloud.
OKTA-548780
Custom domain settings were deleted during editing if the admin chose the option Bring your own certificate.
OKTA-553006
When authenticated users attempted to access an app they weren’t assigned to, they were redirected to a sign-in page with a permission error.
OKTA-553364
The Custom Authenticator allowed Android users to sign in without biometric verification even though user verification was required.
OKTA-557762
In some cases when Okta Verify wasn’t active, users couldn’t access apps if the authentication policy had OS version conditions for device assurance.
OKTA-559571
The Help link on the Administrators page directed users to the wrong URL.
OKTA-561259
On the Edit role page, the previously selected permission types weren’t retained.
OKTA-561309
A misleading error message appeared when the authentication policy rule’s possession requirements required an unavailable authenticator.
OKTA-564264
Notifications for adding or renewing fingerprint authentication were sometimes not managed correctly.
Applications
Application Update
New GitHub Teams API URL: In response to GitHub's plan to sunset deprecated Teams API endpoints over the coming months, our GitHub integration has been updated to use the new /organizations/:org_id/team/:team_id path. No action needed for Okta admins.
New Integrations
OIDC for the following Okta Verified applications:
- Infra: For configuration information, see Infra Configuration Guide.
- Kanbina AI: For configuration information, see the Kanbina AI Documentation.
- Riot Single Sign-on: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Tracxn: For configuration information, see Configure SSO between Tracxn and Okta.
Weekly Updates

Fixes
General Fixes
OKTA-394045
The End-User Dashboard wasn't aligned correctly when viewed on mobile browsers.
OKTA-460054
Office 365 nested security groups sometimes failed to synchronize correctly from Okta.
OKTA-522922
Not all users deactivated in an Org2Org spoke tenant were deprovisioned in the hub tenant.
OKTA-534291
Samanage/SolarWinds schema discovery didn't display custom attributes.
OKTA-544943
When a user was deactivated in Okta, the Okta Workflows and Okta Workflows OAuth app integrations weren't removed from the user's assigned app integrations.
OKTA-547756
An incorrect error message was displayed during self-service registration when an email address that exceeded the maximum length allowed was entered.
OKTA-547978
If an admin account was deleted, certificate authorities uploaded by the admin account didn’t load on the Device Integrations page.
OKTA-548390
Enabling Agentless DSSO didn't create a default routing rule if no routing rules existed.
OKTA-549213
Users weren't able to activate Windows Hello after enrolling in Okta Verify for Microsoft Windows.
OKTA-550739
Users could request that one-time passwords for SMS, Voice, and Email activation be resent more times than allowed by the rate limit.
OKTA-556056
Group claims failed if a user who belonged to more than 100 groups appeared in the group claims expression results.
OKTA-558840
Some users were unable to complete self-service password resets and received an error.
OKTA-561264
Admins received an error when they used an internal URL to configure user help for device assurance policies.
OKTA-564242
Access tokens for some users didn’t match the lifetime specified in the access policy rule.
OKTA-565041
Group filtering failed when more than 100 groups appeared in the list of results.
OKTA-565899
An incorrect error message appeared when users saved an empty Website URL field in their on-the-fly app settings.
OKTA-566372
Users were sometimes unable to sign in to several Office 365 apps from Okta.
OKTA-567711
In some orgs, Email Change Confirmed Notification emails were sent unexpectedly. Admins should verify that the recipients lists audience settings are accurate for Change Email Confirmation and Email Change Confirmed Notification.
OKTA-567970
When users were created using the API (/users/${userId}/factors/questions), a null custom security question and answer were included in the response.
Applications
New Integrations
New SCIM Integration application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Verona: For configuration information, see Configuring Provisioning for Verona.
SAML for the following Okta Verified applications:
- Alibaba Cloud CloudSSO (OKTA-531834)
- DoControl (OKTA-556624)
- EasyLlama (OKTA-547466)
- Extracker (OKTA-555971)
- Saleo (OKTA-552314)
- Verona (OKTA-551188)
- Viewst (OKTA-555217)
- WOVN.io (OKTA-551752)
OIDC for the following Okta Verified application:
- Sharry: For configuration information, see the Sharry OKTA CONFIGURATION GUIDE.

Generally Available
Content Security Policy enhancements
Over the next few months we are gradually releasing enhancements to our Content Security Policy (CSP) headers. During this time you may notice an increase in header sizes.
Fixes
General Fixes
OKTA-532840
Users created using Just-In-Time provisioning weren't assigned to a group when a group rule existed.
OKTA-537944
AD-sourced users received an error when resetting passwords while an Okta session was active in the browser.
OKTA-545918
Admin roles that were granted to a user through group membership sometimes didn't appear on the user's tab.
OKTA-551921
When a large number of profile mappings were associated with a user type, updates to the user type could time out.
OKTA-552273
Users who signed in to the End User Dashboard using a federated sign-in flow without a factor verification were shown an incorrect last sign-in time.
OKTA-552566
Users were sometimes asked to re-authenticate during an active session even though the authentication policy re-authentication frequency was set to Never re-authenticate if the session is active.
OKTA-553201
Users who scanned a Google Authenticator one-time passcode with Okta Verify received an error message and couldn't enroll in the authenticator.
OKTA-554013
Batch federation of multiple Microsoft Azure domains failed if the batch contained any child domains.
OKTA-557337
Users with apps provisioned with password sync enabled weren't challenged for multifactor authentication when they signed in from new IP addresses or a new city even though the Global Session Policy required re-authentication under those conditions.
OKTA-559661
Some org upgrades failed when a single sign-on factor was required for Admin Dashboard access and only the YubiKey, Duo Security, and Symantec VIP MFA factors were enabled but not recognized for migration.
OKTA-564420
Users couldn’t sign in to their org subdomain from okta.com if Captcha was enabled.
OKTA-566285
A threading issue caused directory imports to fail intermittently.
OKTA-566682
When an admin configured an IdP routing rule that allowed users to access certain apps, the list of available apps was blank.
OKTA-566824
Sometimes super admins encountered a timeout when listing admin users on the Administrators page in the Admin Console.
OKTA-567707
A security issue is fixed, which requires RADIUS agent version 2.18.0.
OKTA-567972
An unclear error message was returned when a group rules API call (create, update, or activate) was made to assign users to read-only groups (for example, Everyone).
OKTA-567979
Last update information was displayed for API Service Apps and OIDC clients.
OKTA-571393
Users couldn’t enroll YubiKeys with the FIDO2 (WebAuthn) authenticator and received an error message on Firefox and Embedded Edge browsers.
Applications
New Integrations
New SCIM Integration application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- BizLibrary: For configuration information, see Configuring SCIM with Okta.
SAML for the following Okta Verified applications:
- Better Stack (OKTA-566261)
- Mist Cloud (OKTA-559122)
- Tower (OKTA-567818)
OIDC for the following Okta Verified application:
- Oyster HR: For configuration information, see Okta configuration guide | Oyster.
December 2022
2022.12.0: Monthly Production release began deployment on December 12
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Okta MFA Credential Provider for Windows, version 1.3.8
This version of the agent contains bug fixes and security enhancements. See Okta MFA Credential Provider for Windows Version History.
Identity Governance
Okta Identity Governance is a SaaS-delivered, converged, and intuitive Identity and Access management platform. Use it to simplify and manage your identity and access lifecycles across multiple systems and improve the overall security of your company.
Use Okta Identity Governance solutions, such as Access Certifications, Access Requests, and Reports to:
- Efficiently create, protect, and audit access to critical resources.
- Improve your company’s security. Increase employee productivity.
- Improve IT efficiency by automating tasks to reduce the time taken and errors associated with manual data entry and provisioning tasks.
See Identity Governance.
Note that Okta Identity Governance is available to customers on a subscription basis. For more information, contact your Account Executive or Customer Success Manager.
Preview the token inline hook
Before implementing a token inline hook, you can now preview the hook request and the external-service response in the Admin Console. This feature aids in the development and testing of inline hooks before releasing to a production environment. See Preview an inline hook and Preview and test the token inline hook.
IE and Edge Legacy plugins
You can no longer download the Internet Explorer (IE) and Edge Legacy browser plugins from the Downloads page. These plugins aren't supported.
Improvements to the sign-in experience
When users create an account using the Sign Up link in the Sign-In Widget, they enter their first and family names along with their email address on the first page. The Sign-In Widget then displays the authenticators page, where users enter a password and configure any other mandatory authenticators. To streamline the sign-up process, the Self-Service Registration with Password feature allows you to show the password entry on the first page of the enrollment form instead. See Collect profile information and register users.
Manage embedded widget sign-in support
Okta provides the Okta Sign-In Widget out of the box so that customers can authenticate users by simply redirecting them to the widget. For customers who need a customized sign-in experience, Okta also provides a widget SDK that developers can embed within their applications. This embedded widget uses a custom authorization mode called the Interaction Code grant type to authenticate users. The Embedded widget sign-in support toggle allows super admins to disable the embedded sign-in option across all applications and authorization servers. This helps to create consistency and improves the security posture of your applications. See Configure embedded sign-in support.
Security enhancement of Okta Verify push notifications
To help users recognize and prevent phishing attacks, Okta Verify push notifications on mobile devices and Apple Watch include the name of the app to be accessed and the org URL.
ChromeOS as a device platform
You can now select ChromeOS as a device platform in authentication policy rules or identity provider routing rules. This enables you to configure how users access Okta-protected resources from ChromeOS devices. See Add an authentication policy rule and Configure identity provider routing rules.
Certificate chain builder for Smart Card IdP
Admins can now upload individual certificate files to build a certificate chain for a Smart Card IdP. This eliminates the requirement to manually create a file that contains the certificate chain. See Add a Smart Card Identity Provider.
Telephony usage report
The Telephony usage report displays data about an org’s telephony events over time. The report can be filtered by voice or SMS events and helps admins quickly understand usage trends and troubleshoot deliverability or request issues. See Telephony usage report.
Email deliverability events in the System Log
Admins can now view the following email deliverability event types in the System Log:
- Delivered
- Deferred
- Dropped
- Bounce
This helps admins better monitor the email deliverability activity in their org. See System Log.
Enhancements
Single sign-out changes for custom domains
If an admin signs out from a custom domain, their Admin domain and subdomain sessions now remain active. If they sign out from the Admin domain or subdomain, their custom domain session is ended.
People page improvements
People page filter results are improved as follows:
- Status > Password reset filter results now include users with both Password expired and Password reset status.
- Status > Active filter results return only users with an active status.
Early Access Features
New Features
Transactional verification with CIBA
Organizations are constantly looking for ways to offer a frictionless user experience without compromising security. It becomes even more challenging when the users try to perform sensitive transactions. Okta uses Client-initiated Backchannel Authentication (CIBA) to provide customers with a simple and secure transaction verification solution.
CIBA extends OIDC to define a decoupled flow where the authentication or transaction flow is initiated on one device and verified on another. The device in which the transaction is initiated by the OIDC application is called the consumption device and the device where the user verifies the transaction is called the authentication device. See Create OIDC app integrations.
Fixes
General Fixes
OKTA-508888
Some orgs were unable to configure their global session policies to display the password-first Sign-In Widget.
OKTA-509453
Staged and provisioned user accounts received different error messages when they clicked Forgot password? on the Sign-In Widget. This occurred in orgs with User Enumeration Prevention turned on.
OKTA-527215
Routing rules incorrectly redirected some users to an IdP before they could enter their username.
OKTA-532720
Some YubiKeys didn't work for authentication even though they were successfully enrolled.
OKTA-534595
Admins with a custom role couldn’t edit the users in a group if the group was assigned to an app with profile sourcing enabled.
OKTA-536037
When a DELETE request to the /api/v1/authorizationServers/<authServerID>/clients/<clientID>/tokens endpoint was called for large scale operations, an HTTP 500 error was returned.
OKTA-538402
Some admins weren't able to delete network zones after they upgraded to Identity Engine.
OKTA-541442
Errors during federation sometimes didn't display the cause of the error.
OKTA-542472
The authn_request_id information was missing from the user.authentication.auth_via_mfa System Log event for Okta Verify Push verifications.
OKTA-544783
The Norwegian translation of the end-user settings and preferences menu was incorrect.
OKTA-546310
Admin roles that were constrained to a group with group rules couldn't be assigned to a user or group.
OKTA-547525
The Welcome page, SMS reminder prompt, and security image prompt weren’t displayed for users accessing Okta using AD SSO in incognito mode.
OKTA-549174
After upgrading to Identity Engine, orgs with custom domains couldn’t use getRequestContext in the Sign-in page code editor.
OKTA-549537
The Box integration provisioning menu didn’t display the correct settings.
OKTA-549886
Using an Agentless DSSO test endpoint without any routing rules configured to use ADSSO resulted in a 404 error.
OKTA-550773
Some orgs didn’t correctly recognize a sign-in attempt using a smart card.
OKTA-550789
Provisioning new users from Okta to Office 365 failed.
OKTA-551130
The Email Authenticator challenge lifetime was sometimes set to five minutes regardless of its value in the authenticator settings.
OKTA-552637
Users were sometimes signed out of Okta right after signing in if the tokens returned were too large.
OKTA-552810
Customized sign-in pages for orgs using a custom domain didn’t render properly.
OKTA-553284
When the full-featured code editor was enabled, updates to email customizations, custom error pages, and the sign-in page didn't trigger System Log events.
OKTA-557858
Internet Explorer 11 users were blocked from signing in to orgs that used custom domains.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Chase (OKTA-549904)
- iAuditor (OKTA-549658)
- MeridianLink Consumer (OKTA-541626)
- Office 365 Dynamics (OKTA-549978)
- Quickbooks (OKTA-549905)
Applications
Application Update
The Update user attributes feature is added to the Lucca Provisioning integration.
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Alibaba Cloud: For configuration information, see Synchronize users or groups in Okta by using SCIM.
- Condeco Software SCIM: For configuration information, see How to configure SCIM provisioning for Okta.
- Couchdrop: For configuration information, see Setup User provisioning between Couchdrop and Okta.
- Crewmojo: For configuration information, see Crewmojo Help.
- Greenhouse Recruiting: For configuration information, see Configuring Provisioning for Greenhouse Recruiting.
- Intercom: For configuration information, see Configure SCIM Provisioning with Okta.
- Totango: For configuration information, see Enable SCIM Integration in Totango.
- Zoominfo: For configuration information, contact Zoominfo.
SAML for the following Okta Verified applications:
- Brex (OKTA-540264)
- Loom (OKTA-551214)
- NeuralLegion (OKTA-545950)
- RudderStack (OKTA-552363)
- ZoomInfo (OKTA-543975)
OIDC for the following Okta Verified applications:
- Aon Inpoint ClaimsMonitor: For configuration information, see Aon Inpoint ClaimsMonitor application and Okta Single sign-on Integration Guide.
- CoRise: For configuration information, see Logging in to CoRise with Single Sign-On (SSO) through Okta.
- FlexDesk: For configuration information, see How-to: Setup Single Sign-On through Okta.
- Ortto: For configuration information, see Add and configure the Ortto app in Okta.
- Sastrify: For configuration information, see Okta Configuration Guide.
Weekly Updates

Generally Available
Fixes
General Fixes
OKTA-508227
Admins could save a routing rule with an inactive IdP.
OKTA-534930
Some orgs had an identifier-first sign-in page despite setting up a password-first flow in their global session policy.
OKTA-537583
The System Log didn’t display the policy.rule.update event when new condition types were added to a policy rule.
OKTA-537600
Email notifications were sent to users' secondary email address.
OKTA-537805
Deactivated users weren't displayed on the People page if their Username started with their user ID.
OKTA-540795
An error occurred when an admin searched for an ineligible group on the Edit resources to a standard role page.
OKTA-541582
The Custom OTP authenticator disappeared from the list of additional factor types in the authentication policy rule preview when Exclude phone and email authenticators was selected. Additionally, the Device bound characteristic wasn't displayed for the Custom OTP authenticator in Authenticators > Setup.
OKTA-549212
When a custom app used the /sso/idps/{idpId} endpoint for IdP routing with a login_hint parameter, the login_hint was ignored.
OKTA-549434
Admins couldn't update the username for an app.
OKTA-549687
Reimporting a CSV directory failed if the Deactivation field and Deactivation value were removed after the initial import.
Applications
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- GLS OnDemand SCIM Provisioning: For configuration information, see GLS OnDemand Okta SCIM Provisioning Integration.
SAML for the following Okta Verified applications:
- Inclusivv (OKTA-534561)
- Remote.It (OKTA-550812)
- Silo (OKTA-543573)
OIDC for the following Okta Verified applications:
- babelforce.com: For configuration information, see SSO for Okta.
- Darzin: For configuration information, see Darzin Okta SSO.
- Openli: For configuration information, see How to set up Okta Single Sign-On integration.
- Testfully: For configuration information, see Okta x Testfully.

Fixes
General Fixes
OKTA-476668
Sign-in redirect URIs couldn’t be edited when their character limit was reached.
OKTA-534847
When users edited their sign-in methods from the User Settings page in a custom domain, the Back to settings link didn't appear.
OKTA-539174
The image icon for groups sourced from Slack was displayed as a broken link.
OKTA-539424
After an update was pushed from Okta, the Phone Number attribute wasn’t removed from Workplace by Facebook as expected.
OKTA-548256
Groups assigned by group rules couldn’t be removed from deactivated users.
OKTA-550088
New users didn’t see the optional authenticators page during self-service registration if Show password field on the first page of the enrollment form was selected in a profile enrollment policy.
OKTA-550600
The Custom Authenticator didn't automatically send push verifications.
OKTA-551632
In Preview orgs, attempts to save sign-in page edits sometimes failed when using the full-feature code editor.
OKTA-553024
The Edit resources to a standard role page didn’t indicate that only the first 5 groups or 10 apps appear when you search for a resource.
OKTA-555812
Super admins couldn’t open the Edit resource set page for admin roles that were constrained to a deleted workflow or authorization server.
OKTA-558105
Authentication policies that required hardware protection as a possession factor constraint didn't correctly evaluate YubiKey OTP authenticators.
OKTA-558264
Authentication policies that used possession factor restraints required all active authenticators to support all constraints.
OKTA-558878
Incremental imports for Jabil didn’t switch to full imports when there were a large number of changes.
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- babelforce.com: For configuration information, see Configuring SCIM.
- Bitwarden: For configuration information, see Bitwarden Okta SCIM integration.
- Pendo: For configuration information, see Pendo Configuration Guide (you'll need to sign in).
SAML for the following Okta Verified applications:
- Flow of Work Co (OKTA-542871)
- Quortex I/O (OKTA-542825)

Fixes
General Fixes
OKTA-527930
The Custom Authenticator couldn't disable user verification when the Okta Verify authenticator's user verification setting was set to required.
OKTA-528185
The admin reset password flow showed the New password field instead of the Enter code field when entering a phone/SMS code after enrolling a phone authenticator.
OKTA-550600
The Custom Authenticator didn't send push notifications even though the Send push automatically option was selected.
OKTA-554308
Selecting Sign out from all other devices/sessions on the End-User Dashboard didn’t work for AD/LDAP users.
OKTA-559113
Users whose orgs were upgraded to Identity Engine received an invalid credential error after successfully authenticating with the Okta Verify number challenge method.
Applications
New Integrations
SAML for the following Okta Verified application:
- Please Share (OKTA-557897)
OIDC for the following Okta Verified applications:
- Kanbina AI: For configuration information, see Kanbina AI Documentation.
- LeadLander: For configuration information, see LeadLander Okta configuration guide.
- Riot Single Sign-on: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Tracxn: For configuration information, see Configure SSO between Tracxn and Okta.
November 2022
2022.11.0: Monthly Production release began deployment on November 14
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Okta AD Agent, version 3.13.0
This version of the agent contains the following changes:
- Health check of auto update service before auto update process is started
- Web proxy support for agent auto update feature
- Updated log category for existing logs from DEBUG to INFO
- Security fixes
Okta RADIUS Server agent, version 2.17.7
This version of the agent contains security fixes and resolves a memory leak that occurred when agents were configured for EAP-TTLS. See Okta RADIUS Server Agent Version History.
Improvements to the self-service password reset experience
Previously, the self-service password reset (SSPR) flow created unnecessary friction in the user experience. The newly enhanced SSPR feature introduces a seamless magic link experience for password reset emails. Users no longer need to provide consent when using the same browser. After a successful password reset where the password meets the application’s assurance policy, the user is signed in directly to the app. See Configure the Email authenticator. This feature is currently enabled by default for new orgs only.
Improvements to the self-service unlock process
Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application. See Configure the Email authenticator. This feature is currently enabled by default for new orgs only.
New permissions for custom admin roles
Super admins can now assign these new permissions to their custom admin roles:
- Manage authorization server
- View authorization server
- Manage customizations
- View customizations
The authorization server permissions can be scoped to all or to a subset of the org’s authorization servers. With these new permissions, super admins can now create custom admin roles with more granular permissions for managing their org’s customizations and authorization servers. See About role permissions.
New HealthInsight tasks
Two new HealthInsight tasks help admins improve the security of their global session policies. HealthInsight now provides guidance for increasing the required authentication frequency for specific resources, and for requiring high-risk users to provide MFA every time they sign in. See Change the authentication frequency and Evaluate a risk score for each request.
Event hooks for consent revocation
Consent revocation events are now selectable for use with event hooks. See Add an event hook. See Event Types for a list of events that can be used with event hooks.
Agentless Desktop Single Sign-on
With Agentless Desktop Single Sign-on (DSSO), you don't need to deploy IWA agents in your Active Directory domains to implement DSSO functionality. This reduces or eliminates the maintenance overhead and provides high availability as Okta assumes responsibility for Kerberos validation. See Active Directory Desktop Single Sign-on.
Polling support for Agentless Desktop Single Sign-on and Integrated Windows Authentication sessions
Agentless Desktop Single Sign-on (ADSSO) and Integrated Windows Authentication (IWA) authentication sessions now include polling to reduce the likelihood of service disruptions during periods of high bandwidth use. For users authenticating with ADSSO or IWA during peak periods, this change increases the likelihood that a server will be available to process their authentication request. See Active Directory Desktop Single Sign-on.
Agentless Desktop Single Sign-on authentication progress updates
Agentless Desktop Single Sign-on (ADSSO) authentication progress pages have been updated to make authorization and verification progress more visible and improve the user experience. See Configure agentless Desktop Single Sign-on.
Password expiration settings for Active Directory
For all preview organizations, you can specify password expiration policies for Active Directory that set the maximum password age in days and the number of days before password expiration when the user receives a warning.
JIT users from Active Directory
Just-In-Time (JIT) provisioning enables automatic user account creation in Okta the first time a user authenticates with Active Directory (AD) delegated authentication, Lightweight Directory Access Protocol (LDAP) delegated authentication, or Desktop SSO. JIT account creation and activation only works for users who aren't already Okta users. This means that users who are confirmed on the import results page, regardless of whether or not they were subsequently activated, aren't eligible for JIT activation. When JIT is enabled, users don't receive activation emails. See Add and update users with Active Directory Just-In-Time provisioning and Add and update users with LDAP Just-In-Time provisioning.
Service Principal Name functionality improvement
New Service Principal Name (SPN) functionality allows Agentless Desktop Single Sign-on (ADSSO) authentication to continue without interruption when an SPN is updated. A service account and an SPN are required for ADSSO Kerberos authentication. With this change, you can now update the SPN frequently as an additional security precaution. See Create a service account and configure a Service Principal Name.
Enhanced Okta LDAP integrations with Universal Directory
Okta LDAP integrations now feature custom mapping, schema discovery, and a fully extensible attribute schema that allows you to import or update any attribute stored in LDAP. With these enhancements, Okta LDAP matches the schema functionality already available to Active Directory integrations. See Profile Editor.
OpenLDAP support for Auxiliary Object classes
You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. See Configuring Your LDAP Settings.
New rate limits dashboard filter
You can now filter the APIs listed on the rate limits dashboard by their rate limit multiplier eligibility status. See Rate limit monitoring.
Enhancements
Eligible authenticators in Security Methods list
The Security Methods list on the Settings page now displays only those authenticators that a user may enroll in as determined by the configuration of the org's authenticator enrollment policy. This improves the user experience by ensuring that users are only presented with options that lead to successful authenticator enrollment.
ISV Portal email address updated
The email address for ISV Portal communications is now oanapp@okta.com.
Invalid phone numbers rejected
Okta now rejects attempts to enroll a toll-free, premium, fixed-line (SMS), or any other invalid or unrecognized phone number. This ensures that only valid phone numbers are used for multifactor authentication or device enrollment. See Configure and use telephony.
Enhancement to System Log event
The USER_AUTHENTICATION_AUTH_VIA_MFA System Log event has been enhanced. It now records the URL and IP address of a suspicious website and the mismatched origin header from the HTTP request when Okta detects and blocks a phishing attempt. This enhancement enables admins to track patterns of suspicious activity.
Early Access Features
New Features
Phishing-resistant authenticator requirement
To enhance security, admins may now require users to authenticate using a phishing-resistant authenticator when enrolling additional authenticators. This feature protects the authenticator enrollment process from phishing attempts. See Require phishing-resistant authenticator to enroll additional authenticators.
API Service Integrations
This integration type uses the Core Okta API to access or modify resources like System Logs, apps, sessions, and policies. It does so over an OAuth 2.0 connection that is more secure than access tokens. See API Service Integrations.
Enhancements
Log Stream event structure update
For consistency, the report structure for Log Stream events is now the same as that for System Log events. The following fields are changed and might need updating for any monitoring scripts in use:
- Under devices, osPlatform is now platform.
- The ipChain array is now correctly nested under request instead of client.
- The extraneous field insertionTimestamp is removed.
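For monitoring scripts affected by these field changes, the following added example (not Okta code) converts an event from the earlier Log Stream shape to the new one, so a single parser handles both during the transition. The sample events are constructed, and the placement of devices and insertionTimestamp within the event is an assumption.

```python
import copy

def _rename_os_platform(node):
    """Rename osPlatform -> platform in every object found under a 'devices' key."""
    if isinstance(node, list):
        for item in node:
            _rename_os_platform(item)
    elif isinstance(node, dict):
        for key, value in node.items():
            if key == "devices":
                entries = value if isinstance(value, list) else [value]
                for dev in entries:
                    if isinstance(dev, dict) and "osPlatform" in dev:
                        dev.setdefault("platform", dev.pop("osPlatform"))
            _rename_os_platform(value)

def normalize_log_stream_event(event):
    """Return a copy of `event` in the new shape; new-shape events pass through."""
    out = copy.deepcopy(event)
    _rename_os_platform(out)
    client = out.get("client")
    if isinstance(client, dict) and "ipChain" in client:
        request = out.get("request") or {}
        out["request"] = request
        # Keep an existing request.ipChain if the event already carries one.
        request.setdefault("ipChain", client.pop("ipChain"))
    out.pop("insertionTimestamp", None)  # assumed to be a top-level field
    return out

def source_ips(event):
    """Example consumer: read hop addresses from request.ipChain only."""
    chain = normalize_log_stream_event(event).get("request", {}).get("ipChain", [])
    return [hop.get("ip") for hop in chain]

# Constructed sample events (field placement is an assumption, values are made up).
OLD_EVENT = {
    "eventType": "user.session.start",
    "client": {"ipAddress": "203.0.113.7", "ipChain": [{"ip": "203.0.113.7"}]},
    "devices": {"osPlatform": "WINDOWS"},
    "insertionTimestamp": "2023-01-17T00:00:00.000Z",
}
NEW_EVENT = {
    "eventType": "user.session.start",
    "client": {"ipAddress": "203.0.113.7"},
    "request": {"ipChain": [{"ip": "203.0.113.7"}]},
    "devices": {"platform": "WINDOWS"},
}
```

Detections that previously read client.ipChain silently return nothing on new-shape events, so normalizing before matching avoids a gap in IP-based alerting.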
Fixes
General Fixes
OKTA-476449
Admins could create resource sets that contained duplicate resources.
OKTA-512927
Two different Okta users could be linked to the same AD user through provisioning.
OKTA-515733
Users were sometimes signed out of Okta right after signing in if the tokens returned were too large.
OKTA-523330
Okta Provisioning Agent (x64 RPM) and Okta Provisioning Agent (Windows x64) were incorrectly swapped.
OKTA-526726
When admins deleted a property in an implicit app user schema, a property with the same name couldn't be recreated after the deletion.
OKTA-529966
Users couldn’t enroll a Voice Call Authentication (MFA) factor if Twilio was used as the provider and the phone number had a comma in its extension.
OKTA-530843
Parallel JIT requests for the same username created duplicate users.
OKTA-532898
A long text string was displayed outside of the General Settings page in OIN Manager.
OKTA-532900
The Enter your Post Logout Redirect URI field for OIDC settings in OIN Manager didn’t accept all valid URLs.
OKTA-533309
When signing in to a RADIUS app, users were sometimes shown the incorrect operating system in Okta Verify push messages.
OKTA-533753
Admins couldn’t add more than 10 translations of a customized email template.
OKTA-533897
Google background service users received unrequested Okta Verify Push notifications.
OKTA-544628
Some orgs experienced internal server errors during outbound SAML federation.
Applications
New Integrations
New SCIM Integration application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Zkipster: For configuration information, see Zkipster SCIM Configuration Guide.
SAML for the following Okta Verified applications:
- Legl (OKTA-525334)
- WorkOS (OKTA-527211)
OIDC for the following Okta Verified applications:
- Clearwave Scheduling: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Cvent: For configuration information, see the Cvent Okta Configuration Guide.
Weekly Updates

Fixes
General Fixes
OKTA-489101
Some orgs that performed multifactor authentication with the Custom OTP, Okta On-Prem MFA agent, or YubiKey OTP authenticators experienced internal server errors during outbound SAML and OAuth 2.0 authorization flows.
OKTA-513763
The Groups page showed an error when sorted with an invalid cursor.
OKTA-513767
Groups pagination incorrectly displayed a Next link when the remaining groups weren’t visible due to permissions.
OKTA-521116
The End-User Dashboard Preferences didn't include appropriate accessibility values for the heading and subheading sections.
OKTA-522269
Delegated authentication was automatically checked after reenabling AD integration.
OKTA-528841
System log events for dropped emails didn’t include the AppContextName.
OKTA-529450
Super admins could revoke their own admin role membership by removing a role from a group.
OKTA-538350
The Agentless Desktop Single Sign-on (DSSO) feature was incorrectly unavailable for some Okta SKUs.
OKTA-539418
Okta sign-in page didn't detect the locale correctly for Traditional Chinese (Hong Kong).
OKTA-541483
The authn_request_id field was missing from some System Log events for various authentication flows.
OKTA-542666
Admins could select an unsupported version of the Sign-In Widget on the Settings tab of Branding > Sign-in page.
OKTA-543716
Admins couldn’t view the authorization server public clients that they had permission to view.
OKTA-544652
Admins couldn’t enable User Enumeration Prevention when at least one Global Session Policy rule was using an Authentication Sequence.
OKTA-545007
Admins weren't able to save authentication enrollment policies that included the YubiKey authenticator in one-time password (OTP) mode.
OKTA-545162
When an end user sent an email request from the End-User Dashboard to add an app integration, the email template contained a link to a deprecated Okta Support email (support@okta.com).
OKTA-545242
For reports and the System Log, a field was improperly labeled Country rather than Country/Region.
OKTA-547483
The instructions to customize an access denied error message stated incorrectly that admins could use HTML to add links.
OKTA-554344
iFrame elements were visible on some custom sign-in pages.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Blue Shield CA (OKTA-544492)
- Calendly (OKTA-542578)
- Certify (OKTA-544699)
- EmployeeNavigator (OKTA-541613)
- OpenAir (OKTA-545505)
- Zoom (OKTA-543469)
Applications
Application Update
The GitHub Enterprise Managed User Provisioning integration is updated:
- The SCIM roles attribute has a new Restricted User value.
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Aon Inpoint ClaimsMonitor: For configuration information, see Aon Inpoint ClaimsMonitor application and Okta SCIM Integration Guide.
- FireHydrant: For configuration information, see User provisioning with SCIM.
- Mursion: For configuration information, see Configuring Provisioning with Okta.
- Profiles: For configuration information, see How to Configure Okta SCIM Provisioning for Profiles.
- Rootly: For configuration information, see Rootly Integrations: SCIM.
- Streamline AI: For configuration information, see How to Configure SCIM for Streamline AI.
SWA for the following Okta Verified application:
- ManageEngine SupportCenter Plus (OKTA-538460)
OIDC for the following Okta Verified applications:
- ChatFunnels: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Praetorian - Chariot: For configuration information, see Chariot SSO Integration: Okta Configuration Guide.
- Streamline AI: For configuration information, see How to Configure OIDC for Streamline AI.