Production release notes

Current release status

Production: current 2023.11.0; upcoming 2023.11.1 (Production release is scheduled to begin deployment on December 4)
Preview: current 2023.11.0; upcoming 2023.11.1 (Preview release is scheduled to begin deployment on November 29)

November 2023

2023.11.0: Monthly Production release began deployment on November 13

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Widget, version 7.12.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Improved Behavior Detection

Okta now stores additional information about successful requests. This ensures that more behaviors are recognized during subsequent sign-in events. See Behavior Detection and evaluation.

Redesigned admin role pages

The Create a role and Edit role pages for custom admin-role configuration now provide a simpler, more intuitive user experience. See Create a role.

Okta LDAP Agent automatic update support

Admins can now initiate or schedule automatic updates to Okta LDAP agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta LDAP agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta LDAP agents.

Lockout Prevention

This feature adds the ability to block suspicious sign-in attempts from unknown devices. Users who sign in to Okta with devices they’ve used before aren’t locked out when unknown devices cause lockouts.

FIPS compliance for iOS or Android devices

Federal Information Processing Standards (FIPS) compliance is now available for iOS or Android devices. FIPS can be enabled on the Okta Verify configuration page. When FIPS compliance is enabled, admins can be confident that only FIPS-compliant software is used.

See Configure Okta Verify options.

Third-generation Sign-In Widget

The third-generation Sign-In Widget is more accessible and uses modern frameworks that provide a better end user and developer experience. Okta built the experience from the ground up for Identity Engine, which allows for better velocity, customization, accessibility, and globalization. See Sign-In Widget (third generation).

Custom email domain updates

The Custom email domain wizard now includes an optional Mail subdomain field. See Configure a custom domain.

Improved LDAP provisioning settings error message

During validation of LDAP provisioning settings, incorrect syntax now results in an error message, and the LDAP search query isn't sent.

Additional data to support debugging user authentication

When the user.authentication.auth_unconfigured_identifier event is triggered, the Okta username and email are added to the event. This helps orgs find who to communicate with about the changes.

Modified System Log event for Autonomous System Number (ASN) changes

When an admin is signed out of Okta because their ASN changed during their session, the System Log now displays a security.session.detect_client_roaming event instead of a user.session.context.change event.

OIN Manager notice

The integration estimated-verification-time notice has been updated in the OIN Manager.

Early Access Features

Granular permissions to manage directories

This feature enables you to assign permissions to view and manage directories as part of a customized admin role. Admins without universal application administrator permissions can handle directory-specific tasks.

Make email optional authenticator

This feature allows you to upgrade your org to Identity Engine without updating your email factor settings. If you already have an Identity Engine org, it gives you and your end users more control over the email authenticator. See Skip auto-enrolling email authenticator and Make email an optional authenticator.

New app settings permissions for custom admin roles

Super admins can now assign permissions for custom admin roles to manage all app settings, or only general app settings. This enables super admins to provide more granular permissions to the admins they create, resulting in better control over org security. See Application permissions.


Fixes

  • OKTA-566962

    Some text strings on the Global Session Policy page weren't translated.

  • OKTA-633313

    A user with a custom admin role couldn't create federated users due to misplaced permissions.

  • OKTA-633789

    When an Okta group name contained $, the push group feature either removed $ or caused the sAMAccountName to fail validation when populating the Active Directory group.

  • OKTA-637612

    In orgs with the Email as an Optional Authenticator feature enabled, some users could skip enrolling their email even when it was required by the policy.

  • OKTA-644131

    The Google Authenticator enrollment process didn't work properly during the password reset flow.

  • OKTA-645728

    Users who weren't eligible for self-service account recovery could view the Unlock Account page.

  • OKTA-649810

    The Add Resource dialog box sometimes displayed duplicate group names.

  • OKTA-653657

    Some text strings in the Sign-In Widget weren't translated.

  • OKTA-653756

    When many apps were added to routing rules through the API, system performance was degraded.

  • OKTA-657359

    When a partial set of AMRs was passed in an IdP-initiated flow, Okta redirected the user to the IdP instead of challenging for remaining factors.

  • OKTA-666396

    When the display language was set to Japanese, the Global Session Policy page displayed a translation error instead of the Everyone group name.

Okta Integration Network

App updates

  • The RFPIO app integration has been rebranded as Responsive. The app has a new logo and integration guide link.
  • The YardiOne Dashboard app integration has been rebranded as YardiOne. The app has a new logo and new integration guide links, as well as Just-In-Time (JIT) provisioning support for SAML integrations.

New Okta Verified app integrations

October 2023

2023.10.0: Monthly Production release began deployment on October 16

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Widget, version 7.11.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

SharePoint People Picker, version

SharePoint People Picker is now available for download. See Configure Okta SharePoint People Picker agent.

Custom email domain

You can configure a custom domain so that email Okta sends to your end users appears to come from an address that you specify instead of the default Okta sender. This allows you to present a more branded experience to your end users. See Configure a custom email address. This feature is being re-released.

OpenLDAP support for Auxiliary Object classes

You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. See LDAP integration. This feature is being re-released.

New custom admin role permission

Super admins can now assign View delegated flow permission to their custom admin roles. See About role permissions.

Configure management attestation for mobile devices with pre-existing security key

You can now use a pre-existing secret key when you configure Device Management for mobile devices. If you upgrade from Classic Engine, you can reuse your secret key in Identity Engine. See Configure Device Management for mobile devices.

Desktop MFA

Desktop MFA allows you to secure users' desktops with MFA. With this solution, you can customize the sign-in flow so that users are prompted for MFA methods after they enter a Windows password. See Desktop MFA for Windows.

Desktop Password Sync for macOS

Desktop Password Sync for macOS allows users to access their macOS device with their Okta password. This solution lets users maintain a consistent password across devices and web resources. If strong password policies are set in Okta, Desktop Password Sync gives confidence that users also have a strong password for their macOS device. See Desktop Password Sync for macOS.

FastPass phishing resistance for unmanaged iOS devices

While Okta FastPass can protect users against most phishing attacks, it can’t secure authentication on unmanaged iOS devices. To close this gap, Okta is rolling out phishing resistance for Okta FastPass on unmanaged iOS devices. With this change, users who authenticate with Okta FastPass on their personal or unmanaged iOS devices are protected from phishing attacks. See About MFA authenticators.

Additional resource and entitlements reports

Reports help your Okta org manage and track user access to resources, meet audit and compliance requirements, and monitor organizational security. The following reports are now available:

  • Group Membership report: Lists individual members of a group and how membership was granted.
  • User App Access report: Lists which users can access an application and how access was granted.
  • User accounts report: Lists users with accounts in Okta and their profile information.

See Entitlements and Access Reports.

MFA enrollment by user report

Use this report to view the types and counts of authenticators that users in your org have enrolled. This can improve the security posture of your org by enabling you to understand the adoption of strong authenticators like Okta Verify. See MFA Enrollment by User report.

Updates to profile enrollment policy

This feature delivers parity for upgraded orgs who used the Self-Service Registration (SSR) feature in Classic Engine. Previously in Identity Engine, SSR was combined with profile enrollment. Users were unable to sign in after the upgrade if their org used read-only or hidden attributes for SSR in Classic Engine. Identity Engine now separates SSR and profile enrollment, and turns off progressive profiling by default. This ensures that no admins are locked out and users can sign in to their orgs even if they have special attributes. See Collect profile information and register users.

MFA requirements for new devices

Users are now prompted for MFA each time they sign in when an authentication policy rule requires MFA for new devices.

IdP lifecycle event hooks

IdP lifecycle events are now eligible for use as event hooks. See Event Types.

Toggle between 2nd and 3rd generations of the Sign-In Widget

Admins can switch their orgs between the second and third generation of the Sign-In Widget using a new toggle switch. See Sign-In Widget (third generation).

Early Access Features

Workday writeback enhancement

When this feature is enabled, Okta makes separate calls to update work and home contact information. This feature requires the Home Contact Change and Work Contact Change business process security policy permissions in Workday.

Use your own email provider

You can now use an external email provider to send email notifications in Okta. By default, email notifications such as the welcome email or an account recovery email are sent through an Okta-managed SMTP server. However, you can configure a third-party email provider in Okta and send these emails through it. Adding a custom email provider gives you more control over your email delivery. See email-provider-main.


Fixes

  • OKTA-398711

    Text on the Administrator assignment by admin page was misaligned.

  • OKTA-575513

    Super admins that tried to open the Okta Workflows console received an error, and {0} appeared as the app name, when their account wasn't assigned to the Workflows app.

  • OKTA-616574

    Some System Log events included non-English text.

  • OKTA-619175

    UI elements didn't work properly on the Global Session Policy and Authentication Policies pages.

  • OKTA-619223

    Content was displayed incorrectly on the Change User Type page.

  • OKTA-620144

    For some users, logos for imported app groups didn't appear in the Admin Console.

  • OKTA-620771

    When a group was pushed from Okta, a blank app icon appeared for some users and clicking the icon resulted in an error.

  • OKTA-621526

    The MFA Usage Report didn't display the correct PIV/Smart Card label.

  • OKTA-631952

    The Sign-In Widget didn’t display the correct validation error message for the Username field.

  • OKTA-635926

    Some users were directed to an unintended page when enrolling in Okta Verify by sign-in URL.

  • OKTA-636864

    Org navigation elements were hidden when authentication settings were changed for orgs embedded in an iFrame or that redirected to an iFrame.

  • OKTA-639089

    When a user was moved from one AD domain to another, their original group app assignments were retained.

  • OKTA-642630

    Users received an error when they entered an OTP from an SMS message after the org was upgraded to Identity Engine.

  • OKTA-643148

    The Tasks page didn’t indicate when each task was assigned.

  • OKTA-643598

    The Secure Web Authentication (SWA) module failed to sign users in to PagerDuty.

  • OKTA-646978

    Updating the profile enrollment policy in the Admin Console failed when invalid profile attributes were present.

  • OKTA-649240

    Super admins couldn’t edit the scoped resources that were assigned to an Application admin.

  • OKTA-650511

    Inconsistent AD agent version formatting appeared on the Agent Monitor page during on-demand auto updates.

  • OKTA-654506

    The writeback enhancement failed to push profile information to Workday when a user's profile was empty.

  • OKTA-655148

    The SAMLResponse field in the HTML response couldn't be retrieved for some clients.

Okta Integration Network

New Okta Verified app integrations

App integration fixes

  • 1Password Business (SWA) (OKTA-646676)
  • Canva (SWA) (OKTA-642049)
  • concur-solutions (SWA) (OKTA-649651)
  • Dice (SWA) (OKTA-645005)
  • mySE: My Schneider Electric (SWA) (OKTA-644927)
  • PagerDuty (SWA) (OKTA-643598)

Weekly Updates

September 2023

2023.09.0: Monthly Production release began deployment on September 18

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Widget, version 7.10.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.18.0

This version of the agent contains security enhancements.

Note: In Windows, the LDAP Agent auto-update feature isn't capable of deploying all security enhancements that are introduced in version 5.18. To completely deploy all security enhancements from this release, all LDAP agents running version 5.17 or earlier must be uninstalled, and version 5.18 must be manually installed. See Install the Okta LDAP Agent.

Okta MFA Credential Provider for Windows, version 1.3.9

This release includes bug fixes, security enhancements, and support for an additional top-level domain. See Okta MFA Credential Provider for Windows Version History.

Chrome Device Trust connector integration

With the introduction of the Chrome Device Trust Connector integration for Device Assurance, administrators can create policies that ensure compliance with specific device requirements prior to accessing resources protected by Okta. This integration between Okta and Google facilitates access policies that receive device posture signals directly from a Google API backend, eliminating the need for any agent deployment. As a result, users logging in to a ChromeOS device, or managed Chrome browser, benefit from enhanced authentication security through device security signals.

Authentication challenge for redirects

Users now receive an authentication challenge for each redirect sent to an Identity Provider with Factor only configured, even if the IdP session is active.

Access Testing tool

With the Access Testing tool you can quickly and easily test policies and validate whether your desired security outcomes will be achieved. This tool allows you to simulate user access attributes, such as IP address, device, risk, and so on, to test whether the user will be granted access to the specified application. The tool helps you identify potential security risks and compliance issues before you implement a policy. See Access Testing Tool.

Custom Identity Source app available

The Custom Identity Source app is now available in Okta Integration Network.

Count summary added to report

The User accounts report now displays the total number of records returned for the report.

Product Offers dashboard widget

A Product Offers widget now displays on the Admin Dashboard for super and org admins. The widget provides a cost- and commitment-free way for admins to explore and test the capabilities of various Okta products. When a new free trial is available, admins can click Get started to activate it, or Not interested to dismiss the widget.

Okta Verify requirements for self-service upgrades

Orgs with incorrect Okta Verify enrollment settings are now notified of configuration requirements before they upgrade to Identity Engine.

Automatically assign the super admin role to an app

Admins can now automatically assign the super admin role to all of their newly created public client apps. See Work with the admin component.

Device attributes label update

Some device attribute labels are renamed for clarity and to accommodate the new Chrome Device Trust connector.

Okta apps and plugin no longer available to certain users

Beta users of the PingFederate MFA plugin can no longer create Okta apps or download the plugin.

Early Access Features

Custom admin roles with device permissions

You can now create custom admin roles with permissions to view and manage devices. You can add Devices to your resource set and then specify device permissions for your custom admin. See Create a resource set and Devices permissions.

Okta FastPass and Smart Card options on Sign-in page

Currently, if you configured both the Sign in with Okta FastPass option and Smart Card as an authenticator, users only see the Okta FastPass option when they sign in. With this feature, you can make both options available for your users during the sign-in process. See Configure the Smart Card authenticator.

Enhanced security of Okta Verify enrollments

To ensure users enroll in Okta Verify in a phishing-resistant manner, a Higher security methods option now appears on the authenticator configuration page. With this option, users can't enroll with QR code, email, or SMS link. See Configure Okta Verify options.


Fixes

  • OKTA-570804

    The RADIUS Server Agent installer for versions 1.3.7 and 1.3.8 didn't prompt users to install missing C++ runtime libraries on Microsoft Windows servers.

  • OKTA-574216

    Reconciling group memberships sometimes failed for large groups.

  • OKTA-578184

    The inbound delegated authentication endpoint didn't correctly handle errors when the authentication request wasn't associated with an org.

  • OKTA-592745

    Full and incremental imports of Workday users took longer than expected.

  • OKTA-605996

    A token inline hook secured by an OAuth 2.0 private key returned an error for all users except super admins.

  • OKTA-616604

    The password requirements list on the Sign-In Widget contained a grammatical error.

  • OKTA-616905

    Events weren't automatically triggered for Add assigned application to group, Remove assigned group from application, and Update Assign application group event hooks.

  • OKTA-618302

    Application users weren't created when a required application user attribute was missing.

  • OKTA-619102

    Invalid text sometimes appeared in attribute names.

  • OKTA-619179

    A timeout error occurred when accessing a custom report for UKG Pro (formerly UltiPro).

  • OKTA-619419

    Group admins could see their org’s app sign-in data.

  • OKTA-624387

    Sometimes attempting to change an app's username failed due to a timeout.

  • OKTA-627559

    Access policy evaluation for custom authorization servers was inconsistent when default scopes were used.

  • OKTA-628944

    Email notifications from Okta Verify were sent from the default domain address instead of the email address configured for the brand.

  • OKTA-631621

    Read-only admins couldn't review the details of IdP configurations.

  • OKTA-633431

    When an Okta Org2Org integration encountered an API failure, the resulting error message was displayed in Japanese.

  • OKTA-634308

    Group app assignment ordering for Office 365 apps couldn't be changed.

  • OKTA-636839

    Smart Card IdP users couldn't set a password after signing in for the first time.

  • OKTA-637259

    An error occurred when importing users from Solarwinds Service Desk.

  • OKTA-641062

    The link to Slack configuration documentation was invalid.

  • OKTA-641447

    Super admins couldn’t save new custom admin roles.

  • OKTA-648092

    New admins didn't get the Support app in their End-User Dashboard.

Okta Integration Network

App updates

  • The CoRise app integration has been rebranded as Uplimit.

New Okta Verified app integrations

App integration fixes

  • American Express Online (OKTA-637925)
  • hoovers_level3 (OKTA-637274)
  • MSCI ESG Manager (OKTA-637624)
  • PartnerXchange (OKTA-632251)
  • Staples Advantage (OKTA-639141)

Weekly Updates