Okta Identity Engine release notes (Production)

Version: 2026.02.0

February 2026

Generally Available

Sign-In Widget, versions 7.40.0, 7.41.0, 7.42.0, 7.43.0

For details about these releases, see the Sign-In Widget release notes. For more information about the Sign-In Widget, see the Okta Sign-In Widget.

Group push for Zoho Mail

Group push is now available for the Zoho Mail app integration. See Zoho Mail supported features.

Okta Provisioning agent, version 3.0.7

Okta Provisioning agent 3.0.7 is now available. This release contains the following updates:

  • The Generic Database Connector now supports Base64 encoded path parameters.
  • Root ownership and permissions for the /var/run directory are restored in the OPP agent RPM build.

Access revoked notifications

For access requests that are managed by conditions, requesters now get notified when their access to a resource expires. Requesters are notified by email, Slack, or Microsoft Teams depending on your configurations.

Admin Console French translation

Now when you set your display language to French, the Admin Console is also translated. See Supported display languages.

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • iOS 26.2.1
  • iOS 18.7.4

The following versions are no longer supported:

  • Windows 11 (10.0.22621.0, 10.0.22621.6060)

Updated Sign-In Widget instructions for Chrome 145

The remediation instructions in the Sign-In Widget now reflect Chrome 145 permission changes that differentiate between local and loopback networks. This update describes the permission as Access other apps and services on this device, rather than Look for and connect to any device on your local network. The updated instructions ensure that users see accurate guidance when prompted to allow Okta Verify to communicate with the browser. See Chrome device permissions.

Agents page description

The Agents page now provides a helpful description so admins can quickly understand the scope and purpose of the page. See View your org agents' status.

Protected action notifications removed

For orgs that have migrated to OIDC, toast notifications no longer appear when an admin performs a protected action. See Protected actions in the Admin Console. This update follows a slow rollout process.

UI improvements to the User profile risk tab

Columns of the table on the User profile risk tab have been reordered for better visibility, and context change events have been replaced with policy violation events.

LDAP Bidirectional Group Management

Bidirectional Group Management for Lightweight Directory Access Protocol (LDAP) allows you to manage LDAP groups from within Okta. You can add or remove users from groups based on their identity and access requirements. This ensures that changes made to user access in Okta are reflected in LDAP.

Okta can only manage group memberships for users and groups imported into Okta through the LDAP or Active Directory (AD) integration. This feature can't manage users or groups that weren't imported through the LDAP or AD integration, or that are outside the organizational unit scope configured for the integration.

RADIUS Agent version 2.26

This version includes internal improvements and fixes.

WS-Trust 1.3 support for Windows Transport

Windows Transport now supports WS-Trust 1.3 protocol. This enables Silent Activation for newer Microsoft Office clients, eliminating the need for users to manually enter their credentials.

Custom FIDO2 AAGUID

Customers can add non-FIDO Metadata Service (MDS) security keys and other authenticators and have more granular control over them. This extends FIDO2 (WebAuthn) authenticator support to a wider range of security keys and other authenticators, which gives customers greater flexibility and control over the security in their environment.
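Custom AAGUID control only works if the relying party can recover the AAGUID from what the authenticator actually returns. The following example, added here and not Okta's own code, parses the WebAuthn authenticatorData from a registration ceremony, extracts the AAGUID and checks it against an admin-maintained allowlist of the kind a custom AAGUID list enables for keys absent from the FIDO Metadata Service. The relying party ID, AAGUID and credential ID are constructed samples, and the trailing empty CBOR map stands in for the real credentialPublicKey.

```python
"""
Added example (not Okta's own code): parse the WebAuthn authenticatorData
from a registration ceremony, extract the authenticator's AAGUID and check it
against an admin-maintained allowlist. The relying party ID, AAGUID and
credential ID below are constructed samples.
"""
from __future__ import annotations

import hashlib
import struct
import uuid

# authenticatorData flags byte (W3C WebAuthn, section 6.1)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data follows the 37-byte header
FLAG_ED = 0x80  # extension data present

# Attestation format "none" zeroes the AAGUID, so it identifies no model.
ZERO_AAGUID = "00000000-0000-0000-0000-000000000000"


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse rpIdHash, flags, signCount and, if present, AAGUID and credentialId."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed header")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        # attestedCredentialData: aaguid(16) || credentialIdLength(2, BE) || credentialId || COSE key
        if len(auth_data) < 55:
            raise ValueError("attestedCredentialData truncated")
        cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_id_len]
        if len(cred_id) != cred_id_len:
            raise ValueError("credentialId truncated")
        parsed["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        parsed["credential_id"] = cred_id
        # The credentialPublicKey (CBOR COSE_Key) follows; not needed for an AAGUID check.
    return parsed


def authenticator_allowed(auth_data: bytes, rp_id: str, allowlist: set[str]) -> bool:
    """True only if the data is for our RP ID and carries an allowlisted AAGUID."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False  # response was produced for a different relying party
    if parsed["aaguid"] in (None, ZERO_AAGUID):
        return False  # no attested credential data, or model not identifiable
    return parsed["aaguid"] in allowlist


def build_sample_authenticator_data(rp_id: str, aaguid: str, cred_id: bytes,
                                    flags: int = FLAG_UP | FLAG_UV | FLAG_AT,
                                    sign_count: int = 0) -> bytes:
    """Constructed test fixture; a relying party never builds authenticatorData itself."""
    return (
        hashlib.sha256(rp_id.encode()).digest()
        + bytes([flags])
        + struct.pack(">I", sign_count)
        + uuid.UUID(aaguid).bytes
        + struct.pack(">H", len(cred_id))
        + cred_id
        + b"\xa0"  # placeholder for credentialPublicKey: an empty CBOR map
    )


# Constructed values, not a real vendor's AAGUID
SAMPLE_RP_ID = "login.example.com"
SAMPLE_AAGUID = "0f0e0d0c-0b0a-4908-8706-050403020100"
SAMPLE_CRED_ID = b"\x01\x02\x03\x04\x05\x06\x07\x08"
ALLOWLIST = {SAMPLE_AAGUID}

if __name__ == "__main__":
    data = build_sample_authenticator_data(SAMPLE_RP_ID, SAMPLE_AAGUID, SAMPLE_CRED_ID)
    print(parse_authenticator_data(data)["aaguid"],
          authenticator_allowed(data, SAMPLE_RP_ID, ALLOWLIST))
```

The check rejects two cases an allowlist alone would miss: authenticatorData produced for a different RP ID, and the all-zero AAGUID that "none" attestation returns, which cannot be mapped to any model and so cannot be meaningfully allowlisted.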

Early Access

Device-Bound Single Sign-On

Device-Bound Single Sign-On initiates a hardware-protected session for seamless access to apps after users sign in to Okta-joined macOS and Windows devices. This feature provides session replay protection and a streamlined authentication experience. See Device-Bound Single Sign-On.

Okta FastPass using SSO extension now supports Chrome on macOS

You can now enable the SSO extension support for Chrome on macOS option to support use of the SSO extension on Chrome 145 or later. This ensures seamless authentication for users on the latest browser versions on macOS.

Okta as a fallback identity provider

This feature redirects users to Okta to authenticate if the primary identity provider can't establish their identity. This can happen because of explicit rejections, like invalid credentials and MFA failures, or if an existing user session can't be silently verified, such as during a prompt=none OIDC request or IsPassive=true SAML request. See Configure identity provider routing rules.
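The protocol signals named above are what a relying party can actually observe. The following example, added here and not Okta's routing implementation, classifies the response that comes back from a primary IdP and decides whether the identity was established, whether to fall back to Okta, or whether to surface an error. It assumes that a prompt=none failure appears as one of the OIDC Core "interaction needed" error codes, that an explicit rejection appears as access_denied, and that an unsatisfiable IsPassive="true" request yields the SAML NoPassive second-level status; the redirect URLs, state value and SAML responses are constructed samples.

```python
"""
Added example, not Okta's own routing code: decide from the protocol-level
response of a primary IdP whether the identity was established or whether
to fall back to Okta. The redirect URLs and SAML responses are constructed.
"""
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

# OIDC Core 1.0, section 3.1.2.6: error codes an OP returns to a prompt=none
# request that it cannot satisfy without interacting with the end user.
OIDC_SILENT_FAILURE_ERRORS = {
    "login_required",
    "interaction_required",
    "consent_required",
    "account_selection_required",
}
# Returned when the end user or the OP explicitly refuses the request
# (for example a failed MFA challenge), per RFC 6749 section 4.1.2.1.
OIDC_EXPLICIT_REJECTION = "access_denied"

SAML_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SAML_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
# Second-level status an IdP returns when IsPassive="true" cannot be honoured.
SAML_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"


def route_oidc_callback(redirect_url: str, expected_state: str) -> str:
    """Return 'primary', 'fallback' or 'error' for an OIDC redirect_uri callback."""
    params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if params.get("state") != expected_state:
        return "error"  # never route on a response we did not ask for
    if "code" in params:
        return "primary"  # the primary IdP established the identity
    error = params.get("error")
    if error in OIDC_SILENT_FAILURE_ERRORS or error == OIDC_EXPLICIT_REJECTION:
        return "fallback"  # no identity established: send the user to Okta
    return "error"  # invalid_request, server_error, ...: surface, don't retry


def route_saml_response(saml_response_b64: str) -> str:
    """Return 'primary', 'fallback' or 'error' from the SAMLResponse form field."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    top = root.find("samlp:Status/samlp:StatusCode", SAML_NS)
    if top is None:
        return "error"
    codes = {top.get("Value")}
    nested = top.find("samlp:StatusCode", SAML_NS)  # optional second-level code
    if nested is not None:
        codes.add(nested.get("Value"))
    if SAML_SUCCESS in codes:
        return "primary"  # caller must still validate the signature and assertion
    if SAML_NO_PASSIVE in codes or SAML_AUTHN_FAILED in codes:
        return "fallback"
    return "error"


def _saml_response(top_code: str, nested_code: str | None = None) -> str:
    """Build a constructed, unsigned SAML Response carrying only a Status."""
    nested = f'<samlp:StatusCode Value="{nested_code}"/>' if nested_code else ""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_constructed" Version="2.0" IssueInstant="2026-02-01T00:00:00Z">'
        f'<samlp:Status><samlp:StatusCode Value="{top_code}">{nested}'
        "</samlp:StatusCode></samlp:Status></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


# Constructed samples; the state value is chosen for the example only
STATE = "constructed-state-value"
OIDC_SUCCESS = f"https://sp.example.com/cb?code=abc123&state={STATE}"
OIDC_SILENT_FAILURE = f"https://sp.example.com/cb?error=login_required&state={STATE}"
OIDC_BAD_REQUEST = f"https://sp.example.com/cb?error=invalid_request&state={STATE}"
SAML_NO_PASSIVE_RESPONSE = _saml_response(
    "urn:oasis:names:tc:SAML:2.0:status:Responder", SAML_NO_PASSIVE)
SAML_SUCCESS_RESPONSE = _saml_response(SAML_SUCCESS)

if __name__ == "__main__":
    for url in (OIDC_SUCCESS, OIDC_SILENT_FAILURE, OIDC_BAD_REQUEST):
        print(url.split("?")[1], "->", route_oidc_callback(url, STATE))
    print("SAML NoPassive ->", route_saml_response(SAML_NO_PASSIVE_RESPONSE))
```

Only the signals that mean "no identity established" lead to a fallback; malformed or unexpected responses, and any response whose state does not match, are treated as errors rather than silently retried against the fallback provider.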

Authentication Activity report

The Authentication Activity report provides detailed authentication insights including Okta FastPass usage, complementing the MFA Activity report. You can view activity filtered by device type (Android, iOS, macOS, Windows), management state (managed, unmanaged), registration status (registered, unregistered), and verification method (TOTP, Push, Okta FastPass). See Authentication Activity report.

OAuth 2.0 support for custom email providers

You can now configure custom email providers with OAuth 2.0 authentication. You can choose between two OAuth 2.0 client configurations to fetch access tokens and use those access tokens to authenticate with your email provider's SMTP server. See Use your own email provider.

Detect and discover AI agents

Use the Security Access Monitor browser plugin and Okta Identity Security Posture Management (ISPM) to get visibility into any new OAuth grants to apps and the consequent shadow AI agent usage for your org. The plugin monitors managed browsers for any new OAuth grants to apps and AI agents. ISPM captures OAuth grant telemetry, analyzes the data, and provides you with the visibility you need to identify every third-party app that your users authorize. This helps you mitigate risks related to shadow OAuth grants and AI agents. After you configure the plugin, you can find all new OAuth grants across your org by going to NHIs and AI agents > Browser OAuth Grants page in the ISPM console. See Detect and discover AI agents.

On-premises connector for Generic Databases

The new on-premises connector for Generic Databases allows admins to manage users and entitlements in on-premises databases using the Okta On-Prem SCIM Server. This connector supports Oracle, MySQL, PostgreSQL, and Microsoft SQL Server. It enables orgs to apply governance features like Access Requests, Certifications, Lifecycle Management, and Entitlement Management to their database environments. See On-premises Connector for Generic Databases.

Bot protection

Bot protection enables orgs to automatically identify and mitigate bot traffic by configuring remediation actions within the Identity Threat Protection (ITP) landing page. See Bot protection.

Skip counts for authenticator enrollment grace periods

This feature lets admins define how many times end users can skip (defer) enrollment in an authenticator during the grace period, and customize the prompt that end users see during the grace period. See Authenticator enrollment policies.

Passkeys rebrand

The FIDO2 (WebAuthn) authenticator is being rebranded to Passkeys (FIDO2 WebAuthn), and Okta is introducing enhanced administrative controls and a streamlined user experience. This update centralizes passkey management through a consolidated settings page, allows for customized authenticator naming, and introduces a dedicated Sign in with a passkey button within the Sign-In Widget. These enhancements simplify the authentication journey and give users a more intuitive sign-in process. See Configure the FIDO2 (WebAuthn) authenticator.

Enhanced breached credentials protection

This feature provides a premium breached credentials detection feed for Okta Customer Identity (OCI) customers with Identity Threat Protection that identifies more compromised credentials sooner. See Breached credentials protection.

User enumeration prevention enhancement

Admins can now configure which authentication methods users are prompted for when they sign in from an unknown device or browser and trigger enumeration prevention. This enhances org security by adding more protection to sign-in attempts. See General Security.

Fixes

  • When an admin ran a delegated flow from the Admin Console, there was sometimes a delay before the flow was invoked in Workflows. (OKTA-803849)

  • Downloaded versions of the Session Protection Violation report displayed an outdated report name. (OKTA-945660)

  • The Okta user status found in Get User API calls was inconsistent with the status in the User Profile page of the Admin Console. (OKTA-998996)

  • Deprovisioning tasks on the Tasks page contained a grammatical error in the message that stated when the app was unassigned. (OKTA-1049153)

  • Users who entered an invalid activation code in the Sign-In Widget (third generation) were redirected to an error page and had to restart the sign-in flow. (OKTA-1062744)

  • On the Authenticator groups page, the Edit option didn't work if the group contained an AAGUID that had been removed from the FIDO Metadata Service (MDS) catalog. (OKTA-1065999)

  • No policy.rule.update event was recorded in the System Log when the Session Protection Status was changed. (OKTA-1067983)

  • The CSP allowlist blocked the CAPTCHA script from running on the Agentless Desktop SSO endpoint. (OKTA-1079691)

  • When importing users from Office 365 using Profile Sync, the mail attribute didn't update the primary email field in the user profile. (OKTA-1080609)

  • Users were required to sign out twice from the Settings page when both the End User Settings V2 and Device-Bound SSO features were enabled. (OKTA-1082227)

  • When users clicked the Microsoft Teams tile on the Okta End-User Dashboard, they were directed to an error page stating that "Classic Teams is no longer available." This occurred because the destination URL was outdated following a change by Microsoft. (OKTA-1084267)

  • The header on the authorization server page sometimes rendered twice. (OKTA-1089098)

  • For some orgs using ITP, network zone matching failed when policies were re-evaluated during a session. (OKTA-1091799)

  • Admins could delete authenticators that were used in app sign-in policies. (OKTA-1093364)

  • Some users saw an infinite redirect loop when they tried to access their account settings using the Safari browser. (OKTA-1093837)

Okta Integration Network

  • Peaxy Lifecycle Intelligence (OIDC) is now available. Learn more.

  • HashiCorp Vault (OIDC) is now available. Learn more.

  • Instagram (SWA) was updated.

  • Mailchimp (SWA) was updated.

  • Solarwinds Customer Portal (SWA) was updated.

  • Peaxy Lifecycle Intelligence (OIDC) has a new app name.

Weekly Updates

2026.02.1: Update 1 started deployment on February 17

Generally Available

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Android 13, 14, 15, 16 security patch 2026-02-01

To view the latest OS support updates, see Okta Device Assurance: Supported OS levels.

Fixes

  • Group rules sometimes failed when they were executed immediately after a group rule was deleted. (OKTA-880814)

  • Group push sometimes failed during deployments. (OKTA-941489)

  • In orgs with the Enable Custom Admin Roles for Identity Providers Early Access feature enabled, admins with View IdP or Manage IdP custom admin roles couldn't configure existing IdPs, even though they had the right permissions. (OKTA-1091232)

  • When the display language was set to French, the Agents and API > Tokens pages weren't translated. (OKTA-1104991)

  • App imports failed with a BeanCreationNotAllowedException error when system deployments interrupted the process. (OKTA-1105164)

  • When a user's API status was suspended but their user status differed, their password could incorrectly be expired. (OKTA-1108658)

Okta Integration Network

  • Priverion Platform SSO with SCIM 2.0 (SAML) is now available. Learn more.

  • Priverion Platform SSO with SCIM 2.0 (SCIM) is now available. Learn more.

  • Webrix (OIDC) is now available. Learn more.

  • Webrix (SCIM) is now available. Learn more.

  • BrandLife (OIDC) is now available. Learn more.

  • Brava Security (OIDC) is now available. Learn more.

  • Brava Security now supports Express Configuration.

  • WideField Security - Detect has a new integration guide.

  • Druva Data Security Cloud (API) now has the okta.authorizationServers.manage, okta.devices.read, okta.idps.manage, and okta.roles.manage scopes.

  • Vanta (SAML, SCIM) was updated.

Version: 2026.01.0

January 2026

Generally Available

Sign-In Widget, version 7.39.0

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • iOS 18.7.3, 26.2
  • macOS 14.8.3, 15.7.3, 26.2

Updated help doc links on the Recent activity page

The Recent Activity page in the End-User Settings 2.0 has updated help doc links.

Login hint evaluation for non-OIDC apps

The Security > General page of the Admin Console has been updated with a new Login hint evaluation for Non-OIDC Applications setting. This setting controls whether the Sign-In Widget evaluates login hints when provided by an app. See General Security.

JSON Web Encryption of OIDC ID tokens

You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.

Unified claims generation for custom apps

Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.

Stay signed in text clarification

The App sign-in policy configuration page has updated text clarifying that the option to stay signed in persists across all apps. See Add an app sign-in policy rule.

New look and feel in the Access Requests email notifications

The Access Requests email notifications have a new look and feel, including updates to the text alignment, colors used, location of the Okta logo, and the addition of a gray background.

Escalate tasks is generally available in Production environments

Access request admins and request assignees can escalate stalled tasks within a request to the task assignee's manager. Requesters can also escalate tasks within their access requests if you've enabled the Allow requesters to escalate tasks toggle on the Settings page. This helps expedite request resolution, prevents bottlenecks, improves productivity, and helps reduce the use of risky workarounds. Task escalation is a secure, auditable, and automated process that helps you adopt time-based access request models by supporting both efficient operations and strong security postures.

See Manage tasks and Allow requesters to escalate tasks.

New custom admin permissions

New custom admin permissions let you read or read and write in app sign-in, global session, and Okta account management policies. This enhances the granularity of admin permissions in your org. See Create a resource set.

Usability enhancements for Office 365 WS-Federation configuration

The WS-Federation configuration interface on the sign-in page has been refined for improved clarity and usability:

  • The View Setup Instructions button has been relocated to optimize the visual layout.
  • A new display option has been added to visualize parent and child domain relationships.

Device Assurance for Windows: Virus and threat protection

Admins can now enforce a Device Assurance condition that requires Windows devices using the Chrome browser to have virus and threat protection enabled. This feature strengthens your org's security posture by ensuring that user devices are protected by active antivirus software before granting access.

Local Network Access prompting for Okta FastPass

When signing in to Okta-protected apps, users should allow Local Network Access at the browser prompt. If access is blocked, the Sign-In Widget shows remediation instructions and a link to the help documentation so users can continue to use Okta FastPass.

Enhanced provisioning support for Office 365 GCC High integration

Office 365 GCC High provisioning now supports Universal Sync. This enables admins to synchronize on-premises attributes to Microsoft Entra ID.

Okta account management policy protection for password expiry flows

This feature improves the security posture of customer orgs by protecting the password expiry flow with the Okta account management policy. Password expiry flows now require the assurance defined in an org's Okta account management policy. See Enable password expiry.

Early Access

Okta for AI agents

You can now register, secure, and govern AI agent identities directly within Okta. Designed to secure human-to-agent-to-app connections, Okta for AI agents helps you enforce least privilege access, eliminate standing privileges, and track every agent action using the System Log. It also enables you to allow AI agents to operate as an accountable part of your digital workforce while maintaining a seamless user experience. See Manage AI agents.

Breached credentials protection

Protect your org from the impact of credentials that have been compromised. Okta compares username and password combinations against a third-party curated dataset. If a combination is determined to be compromised, you can customize the response through password policies: reset the user's password, force a logout, or call a delegated Workflow. See Breached credentials protection.

Breached credentials protection is now available for Federal customers.

Native to Web SSO

Native to Web SSO creates a seamless, unified authentication experience when a user transitions from an OIDC app (like a native or web app) to a web app (either OIDC or SAML). This feature uses standard, web-based federation protocols like SAML and OpenID Connect that help bridge the gap between two different application environments, using a single-use, one-way interclient trust SSO token. This eliminates repeating already provided sign-on assurances, and simplifies development by reducing authentication complexity. See Configure Native to Web SSO.

Policy Insights Dashboard

The Policy Insights Dashboard gives you a clear view of a policy's impact on your org. You can monitor trends in successful sign-ins, access denials, and authenticator enrollments, and also gain insight into the time users spend signing in and the prevalence of phishing-resistant authentications. The dashboard also tracks the frequency of rule matches and the percentage of successful sign-in attempts. See Use the Policy Insights Dashboard.

Bring your own telephony credentials

You can now connect your own telephony provider using a new simplified setup that doesn't require you to use a telephony inline hook. You can handle usage billing directly with your provider. Okta currently supports Twilio and Telesign. See Configure telephony providers through the Admin Console.

Release controls for Okta Verify on Windows

With the new release controls feature, admins can configure whether to allow, pause, or restrict automatic updates to Okta Verify on Windows. This provides greater flexibility for meeting enterprise change management requirements and managing version rollouts across Windows endpoints. See Configure Okta Verify release controls.

Inline step-up flow for User Verification with Okta Verify

End users can now easily satisfy authentication policies that require higher User Verification (UV) levels, even if their current enrollment is insufficient. This feature proactively guides users through the necessary UV enablement steps. As a result, administrators can confidently implement stricter biometric UV policies to eliminate the risk of user lockouts and reduce support inquiries related to UV mismatches. See User experience based on Okta Verify user verification settings.

Fixes

  • In orgs with global session policies that required a password, users couldn't authenticate with their password and a security question, even though the org's app sign-in policy allowed that combination of factors. (OKTA-1020729)

  • When users entered an invalid OTP in the Sign-In Widget too many times and clicked Back to sign in, they were redirected to the wrong page. (OKTA-1038368)

  • When an authenticator enrollment policy required Okta Verify, some users weren't prompted to enroll it in their desktop browser. (OKTA-1047509)

  • The following attributes weren't properly being gated as reserved attributes: orgid, activationstatus, apistatus, logintype, initialreconcilecomplete, activationdate, statuschangeddate, apilastupdate, passwordexpirationguess, passwordexpirationcursor, numunlocks, changedstatus. See Review reserved attributes. (OKTA-1049339)

  • In Preview orgs, admins couldn't see error messages because they were blocked by a banner. (OKTA-1053703)

  • Sometimes, if users attempted to sign in through JIT during a replication lag, a 500 error occurred. (OKTA-1055324)

  • In orgs with claims sharing enabled, admins couldn't disable the FastPass authentication method when they tried to change their app sign-in policies. (OKTA-1076241)

  • In orgs with End-User Settings 2.0 enabled, brand logos didn't display on the My Settings page. (OKTA-1082109)

  • In orgs with End-User Settings 2.0 enabled, the branding primary color didn't display on the navigation menu of the My Settings page. (OKTA-1082119)

  • In the Access Testing Tool, the column that explained which conditions matched had a title and text that were sometimes unclear for admins. (OKTA-949568)

  • The User.Session.Start event wasn't consistently recorded in the System Log when users signed in with TouchID. (OKTA-996730)

  • Admins encountered an error when they attempted to update the username for an app user. (OKTA-1047716)

  • When an admin provisioned an LDAP user with an LDAP Generalized Time attribute from Okta to LDAP, the time value was formatted incorrectly. (OKTA-1056428)

  • Some authentication attempts from computers were incorrectly identified as iOS devices, causing access denials for policies that used a client.device eq "Computer" expression. (OKTA-1060121)

  • JIT users were redirected to an SP before app assignments were completed, causing an access denied error. (OKTA-1061698)

  • In orgs with an Okta Org2Org integration, the Sign-In Widget displayed the wrong user email address if the address was changed during authentication. (OKTA-1063332)

  • Microsoft Office 365 user provisioning failed intermittently with a 429 error. This occurred when the system attempted to provision users who already existed in the Microsoft Entra recycle bin with the same onPremisesImmutableId. (OKTA-1068843)

  • Some users on unmanaged devices received an internal server error in the Sign-In Widget. This occurred when the users authenticated to orgs that had management attestation enabled but lacked a custom message for the managed device remediation. (OKTA-1079371)

  • In orgs that disabled certificate-based authentication for Office 365, Windows Autopilot was incorrectly removed from the app sign-in policy. (OKTA-1081329)

  • Active Directory imports failed with an "Incorrect result size" error when DirSync was enabled. This occurred because creating a new group in Active Directory generated duplicate entries during the import process. (OKTA-1082847)

  • When users clicked the Microsoft Teams tile on the Okta End-User Dashboard, they were directed to an error page stating that "Classic Teams is no longer available." This occurred because the destination URL was outdated following a change by Microsoft. (OKTA-1084267)

Okta Integration Network

  • Dokio (SCIM) is now available. Learn more.

  • Kuranosuke (SAML) is now available. Learn more.

  • LINE WORKS (SCIM) is now available. Learn more.

  • SciLeads Portal (OIDC) is now available. Learn more.

  • SciLeads Portal (SCIM) is now available. Learn more.

  • ShareCal (SCIM) is now available. Learn more.

  • ShareCal (SAML) was updated with a new logo.

  • Humana Military (SWA) was updated.

  • Xint (OIDC) added a new IdP flow.

  • cmBuilder (OIDC) has a new Redirect URI and a new Post Logout Redirect URI. Learn more.

  • Xurrent IMR (Formerly Zenduty) (SAML) has a new name and new icon.

Weekly Updates

2026.01.1: Update 1 started deployment on January 20

Generally Available

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Android 13, 14, 15, 16 security patch 2026-01-05

Sign-In Widget, version 7.39.2

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

New IP service category

FINE_PROXY is now supported as an IP service category in enhanced dynamic zones. See Supported IP service categories.

Fixes

  • Admins saw a discrepancy between the user status in the Admin Console and the status that was reported by the API for users authenticating with passwordless email. (OKTA-938801)

  • An error didn't appear when admins created an authentication policy with authentication method chaining and entered an invalid reauthentication frequency value. (OKTA-954253)

  • In Org2Org Classic to Identity Engine setups with claims sharing enabled, users were prompted for additional factors when signing in to the Identity Engine org. This occurred even though they entered their password in the Classic org and the Identity Engine org's app sign-in policy was set to Any 1 Factor. (OKTA-1016793)

  • On the AI Agent page, the Owners and Credentials tabs had inconsistent spacing. (OKTA-1054201)

  • In some orgs, users saw a 403 error the first time they tried to access their apps. (OKTA-1059737)

  • There was no maximum character limit when admins added identifiers to user profile policies. (OKTA-1061030)

  • Admins couldn't configure the password and security question authenticators for an app sign-on policy when the policy was set to Any 2 factor types and included possession factor constraints. (OKTA-1061839)

  • When the AND Behavior is rule was set to New Device in the global session policy, a message appeared that didn't clearly indicate that users are prompted for MFA at every sign-in. (OKTA-1064096)

  • Custom logos weren't displayed in the Sign-In Widget for UEP authenticators with multiple enrollments. (OKTA-1069399)

  • In orgs with End User Settings version 2.0 enabled, some users saw HTML-escaped characters in the password requirements description. (OKTA-1080153)

  • When an enhanced dynamic zone was configured to block GOOGLE_VPN, requests from GOOGLE_RENDER_PROXY were also blocked. (OKTA-1080379)

  • In SPA, saving a user profile defaulted all true Boolean properties to false unless they were explicitly updated. (OKTA-1086548)

  • When an org had more than 20 network zones configured, they weren't all visible in the dropdown menu on the Session Protection page. (OKTA-1089885)

  • For requests managed by access request conditions, the email and Microsoft Teams notifications for request approvals and denials didn't match the Slack notification UI. (OKTA-1096668)

Early Access

Device-Bound Single Sign-On

Device-Bound Single Sign-On initiates a hardware-protected session for seamless access to apps after users sign in to Okta-joined macOS and Windows devices. This feature provides session replay protection and a streamlined authentication experience. See Device-Bound Single Sign-On.

Okta Integration Network

  • Seismic (SCIM) is now available. Learn more.

  • OX Security (OIDC) is now available. Learn more.

  • Skedda (SCIM) is now available. Learn more.

  • Jotform (SCIM) is now available. Learn more.

  • Planhat (SCIM) is now available. Learn more.

  • Safety AZ (OIDC) is now available. Learn more.

  • Exabeam (SAML) is now available. Learn more.

  • 101domain (OIDC) is now available. Learn more.

  • OX Security (OIDC) now supports Universal Logout.

  • Skedda (SAML) has a new description, icon, and configuration guide.

  • Obsidian Security (SAML) has a new configuration guide, attribute, and app description.

  • Planhat (SAML) has a new integration guide.

  • Exaforce (API Service) now has the okta.idps.read scope.

  • Seismic (SAML) has a new logo, app description, and configuration guide.

  • BridgeBank Business eBanking (SWA) was updated.

  • Humana Military (SWA) was updated.

  • Jotform (SAML) was updated.

  • Scalefusion OneIdP (SCIM) was updated.

2026.01.2: Update 2 started deployment on February 2

Generally Available

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Windows 10 (10.0.17763.8276, 10.0.19044.6809, 10.0.19045.6809)
  • Windows 11 (10.0.22631.6491, 10.0.26100.7623, 10.0.26200.7623)

Authenticator enrollment user experience

The user experience for authenticator enrollment on the End User Settings page has been improved. If the authenticator is denied by the authenticator enrollment policy, the user receives an error immediately, and the Set up option is unavailable. This makes the user experience consistent with the error if the user tries to enroll an authenticator but doesn't satisfy the requirements of Okta account management policy.

Sign-In Widget, version 7.39.3

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Fixes

  • Arbitrary headers could be added to SCIM requests during the On-Premises Provisioning agent integration. (OKTA-1000055)

  • When the app sign-in policy for a Microsoft Entra ID External Authentication Methods app was changed to a shared policy, that shared policy became unavailable for other apps. (OKTA-1049528)

  • When user enumeration was enabled, locked out users who submitted a valid password incorrectly received remediation steps. (OKTA-1049749)

  • Some AI agent pages didn't have enough background contrast. (OKTA-1057439)

  • When creating a group rule, after entering ten groups, admins needed to enter complete or nearly-complete group names to add more groups to the rule, rather than being able to enter a partial name and select from a list. (OKTA-1067501)

  • The Session Protection Violation report displayed incorrect totals for App logout triggered and Workflow triggered when the risk filter was used. (OKTA-1076281)

  • After confirming post-authentication Keep me signed in, some users were prompted for MFA when signing in to other apps. (OKTA-1076654)

  • The Session Protection Violation report displayed incorrect totals for the Actions triggered column of the Apps table when the risk filter was used. (OKTA-1079749)

  • Some admins experienced discrepancies with their admin roles and permissions. (OKTA-1090144)

  • The true_positive label wasn't visible in System Log when the User Profile Risk Tab Changes feature was enabled. (OKTA-1091235)

  • When an admin deleted an AI agent, they weren't directed back to the main AI Agents page. (OKTA-1091788)

  • When admins created a user and chose a realm to assign, the realm wasn't assigned and an error occurred upon save. (OKTA-1091903)

  • The Policy Insights Dashboard didn't display data from rules with authentication method chaining configured. (OKTA-1094353)

  • The link to the API reference for Native to Web SSO on the Features page was broken. (OKTA-1094965)

  • Secure Partner Admins weren't prevented from assigning governance-enabled apps to users. (OKTA-859229)

  • Admins couldn't revert the default network zone's name back to LegacyIpZone after they'd modified it. (OKTA-1045470)

  • Upon activation, some users were enrolled in duplicate email authenticators for the same address. (OKTA-1046873)

  • Users with an active Device-Bound Single Sign-On (SSO) session were unnecessarily prompted for an authentication factor. (OKTA-1076417)

  • Desktop MFA events were missing the deviceSessionId when users signed in with Device-Bound SSO. (OKTA-1078496)

  • When an admin created, activated, deactivated, or deleted credentials for an AI agent, the event didn't appear in the System Log. (OKTA-1082695)

  • The user.device_session.end event failed to appear in the System Log when a user was suspended or deactivated during an active Device-Bound SSO session. (OKTA-1091226)

  • The Targets and DisplayName fields were missing from the System Log for user.device_session.start and user.device_session.end events. (OKTA-1095753)

  • Active Directory imports failed with a ProcessMembershipsAndDeletedObjectsJob: null error. (OKTA-1098885)

Okta Integration Network

  • SparrowDesk (SAML) is now available. Learn more.

  • Eon.io (SAML) is now available. Learn more.

  • NoClick (SAML) is now available. Learn more.

  • Druva Data Security Cloud (API) is now available. Learn more.

  • SimCorp Dimension (SAML) is now available. Learn more.

  • Falcon Shield (API Service Integration) has a new scope. Learn more.

  • Rubrik Security Cloud (API Service Integration) has a new integration guide. Learn more.

  • SimCorp Dimension (SCIM) has a new SCIM configuration guide URL and a new app description.

  • AWS IAM Identity Center (SAML) has multiple ACS URLs support.

  • ShareCal (SAML) has an updated App Instance Property & Configuration Guide link.

  • ClickUp (SAML) has a new configuration guide and app description.

  • ClickUp (SAML) was updated.

  • CardinalOps (SAML) was updated.

  • OrbiPay Payments (SWA) was updated.

Version: 2025.12.0

December 2025

Generally Available

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 3.0.6 and Okta Provisioning agent SDK 3.0.6 are now available. This release contains the following:

  • The maxItemsPerPage setting is now configurable to meet your specific requirements.
  • Memory optimizations and other minor improvements.

Sign-In Widget, version 7.38.0

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Allow profile updates for deactivated users

Super admins can now choose to allow updates to profile attribute values for deactivated users, ensuring their profiles remain current. See Edit deactivated user profiles.

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • iOS 18.7.2, 26.1
  • macOS 14.8.2, 15.7.2, 26.1
  • Android 13, 14, 15, 16 security patch 2025-12-01

Okta LDAP agent, version 5.25.0

This version of the agent includes security enhancements.

Nonce rollout for Content Security Policy

Okta is removing unsafe-eval from the script-src directive of the Content-Security-Policy header for every endpoint that returns HTML content, that is, endpoints that you can't customize and whose Content-Type response header is text/html. This is a two-stage process: first, unsafe-eval is removed from the script-src directive of the Content-Security-Policy-Report-Only header; later, after any reported unsafe-eval violations are fixed, it's removed from the script-src directive of the enforced Content-Security-Policy header.

This update is applied gradually over several months and spans several releases, until all endpoints enforce the new Content-Security-Policy.
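As an added example (not Okta's code), the Python below parses the two CSP headers from a response and reports which stage of this rollout an endpoint has reached, and classifies a report-uri style violation report as an eval() violation. The sample headers and the sample report are constructed; the blocked-uri value "eval" is how browsers commonly report eval() use, and the header names are the standard ones. Run it against the headers of a non-customizable endpoint (for example, captured with curl -I) to see whether your org has moved to the report-only or the enforced stage.

```python
"""Classify where an endpoint sits in the two-stage 'unsafe-eval' removal.

Added example, not Okta code. The response headers and the violation report
below are constructed samples; real values come from your HTTP client or from
the report endpoint you operate.
"""
import json

ENFORCED = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


def parse_csp(header_value):
    """Parse a CSP header into {directive: [source, ...]}.

    Directives are ';'-separated; the first token names the directive and the
    rest are source expressions. Empty segments are ignored.
    """
    policy = {}
    for segment in header_value.split(";"):
        tokens = segment.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # CSP3: when a directive is repeated, the first occurrence wins.
        policy.setdefault(name, sources)
    return policy


def allows_unsafe_eval(header_value):
    """True if script-src (or its default-src fallback) contains 'unsafe-eval'."""
    policy = parse_csp(header_value)
    sources = policy.get("script-src", policy.get("default-src", []))
    return "'unsafe-eval'" in sources


def rollout_stage(headers):
    """Return which stage of the rollout a response reflects.

    headers: dict of lowercase header names to values (multi-valued headers
    pre-joined with ', '); a missing header means that policy is absent.
    """
    enforced = headers.get(ENFORCED, "")
    report_only = headers.get(REPORT_ONLY, "")
    if not enforced:
        return "none: no enforced Content-Security-Policy header"
    if not allows_unsafe_eval(enforced):
        return "stage2: unsafe-eval removed from the enforced policy"
    if report_only and not allows_unsafe_eval(report_only):
        return "stage1: report-only policy drops unsafe-eval; enforced policy still allows it"
    return "stage0: unsafe-eval still allowed everywhere"


def is_eval_violation(report_json):
    """True if a report-uri style CSP report records a blocked eval().

    Assumption: browsers report eval() use with blocked-uri "eval" under a
    script-src (or script-src-elem) directive.
    """
    body = json.loads(report_json).get("csp-report", {})
    directive = body.get("effective-directive") or body.get("violated-directive", "")
    return body.get("blocked-uri") == "eval" and directive.startswith("script-src")


# Constructed sample responses for the three stages.
SAMPLES = {
    "before": {
        ENFORCED: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    },
    "report_only_tightened": {
        ENFORCED: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
        REPORT_ONLY: "default-src 'self'; script-src 'self' 'nonce-abc123'",
    },
    "enforced": {
        ENFORCED: "default-src 'self'; script-src 'self' 'nonce-abc123'",
    },
}

# Constructed report, shaped like a report-uri delivery.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.okta.com/app/UserHome",
    "effective-directive": "script-src",
    "blocked-uri": "eval",
    "source-file": "https://example.okta.com/assets/js/legacy.js",
    "line-number": 42,
}})

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(f"{name}: {rollout_stage(headers)}")
    print("sample report is an eval violation:", is_eval_violation(SAMPLE_REPORT))
```

Because the report-only header is evaluated but not enforced, stage 1 is the window in which to hunt for violation reports such as the sample above before the enforced header changes.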

Changes to preview user functionality

On the User page of the campaign wizard, Preview user is now called Preview expression scope. When you preview a user, Okta only validates the user against the Okta Expression Language expression that you specified. A user who matches the expression but isn't assigned to a resource in the campaign won't be included in the campaign.

Enhanced policy tracking in the System Log

The System Log now includes the PolicyId and PolicyRulePriority fields in the Rule target for policy.evaluate_sign_on events.

Universal Directory map toggle

The new Universal Directory (UD) map toggle enables admins to link a user's email address to their identifier. This allows admins to enable the self-service registration feature. See General Security.

Smart Card enrollment and activation events

When a new user authenticates with a Smart Card through the Sign-in with PIV/CAC button, factor enrollment and activation events are now recorded in the System Log.

Support for Microsoft 365 GCC environment

Okta now supports the Microsoft Office 365 Government Community Cloud (GCC) environment. You can now use the Microsoft Office 365 app to configure Single Sign-On and provisioning for GCC tenants.

Local Network Access prompting for Okta FastPass

When signing in to Okta-protected apps, users should allow Local Network Access at the browser prompt. If access is blocked, the Sign-In Widget shows remediation instructions and a link to the help documentation so users can continue to use Okta FastPass.

Passkey and security key subdomain support

Okta now lets users authenticate with their passkeys or security keys in their Okta org or custom domain, and all subdomains below them. This helps you achieve phishing-resistant authentication and avoids the need to issue multiple passkeys or security keys to each user for each domain they access. See Configure the FIDO2 (WebAuthn) authenticator.
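To make the scoping rule concrete, the Python below is an added example, not Okta's code. It applies the WebAuthn rule that subdomain support depends on: a credential scoped to an RP ID can be exercised from any origin whose effective domain equals the RP ID or is a subdomain of it, but the RP ID itself must be a domain the org controls, never a shared suffix. DISALLOWED_SCOPES is a constructed stand-in for the Public Suffix List plus the shared Okta parent domains, and the origins are examples; narrowest_rp_id shows how to pick one scope for an org domain and its subdomains without widening it to a suffix you don't own.

```python
"""Which origins may use a passkey scoped to a given RP ID.

Added example, not Okta code. It implements the WebAuthn scoping rule that
subdomain support relies on: the caller's effective domain must equal the RP ID
or be a subdomain of it, and the RP ID must be a domain the org controls, never
a shared suffix. DISALLOWED_SCOPES is a constructed stand-in for the Public
Suffix List plus the shared Okta parent domains; the origins are examples.
"""
from urllib.parse import urlsplit

# Constructed: real code would consult the Public Suffix List.
DISALLOWED_SCOPES = {"com", "co.uk", "okta.com", "oktapreview.com"}


def valid_rp_id(rp_id):
    """An RP ID must be a non-empty host and not a shared/public suffix."""
    rp_id = rp_id.lower().strip(".")
    return bool(rp_id) and rp_id not in DISALLOWED_SCOPES


def origin_allowed(origin, rp_id):
    """True if a credential scoped to rp_id may be exercised from origin.

    Requires a secure context (https, or localhost for development), a valid
    RP ID, and an effective domain equal to rp_id or a subdomain of it.
    """
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    rp_id = rp_id.lower().strip(".")
    if not host or not valid_rp_id(rp_id):
        return False
    if parts.scheme != "https" and host != "localhost":
        return False
    return host == rp_id or host.endswith("." + rp_id)


def narrowest_rp_id(origins):
    """Longest domain suffix shared by every origin that is still a valid RP ID.

    Pick this when one passkey should cover an org domain and its subdomains
    without widening the scope to a suffix the org doesn't control.
    """
    hosts = [(urlsplit(o).hostname or "").lower().split(".") for o in origins]
    common = []
    # Walk the labels right to left and stop at the first disagreement.
    for labels in zip(*(reversed(h) for h in hosts)):
        if len(set(labels)) != 1:
            break
        common.append(labels[0])
    candidate = ".".join(reversed(common))
    return candidate if valid_rp_id(candidate) else None


if __name__ == "__main__":
    rp = "example.okta.com"
    for origin in ("https://example.okta.com", "https://login.example.okta.com",
                   "https://other.okta.com", "http://example.okta.com"):
        print(origin, "->", origin_allowed(origin, rp))
    print(narrowest_rp_id(["https://example.okta.com", "https://login.example.okta.com"]))
```

The practical check: a passkey registered for example.okta.com works on login.example.okta.com, but never on other.okta.com, and no tenant should ever be scoped to the shared okta.com suffix.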

Enhanced import monitoring with real-time updates

You can now view real-time progress for imports from the Import Monitoring dashboard. This provides greater visibility into the current status of in-progress imports such as the number of data chunks currently being processed.

Passkeys from Android devices

Okta now accepts passkeys that are generated by Android devices. Okta associates these passkeys with trusted web domains to enable users to authenticate with them. This expands the number of device types that Okta supports for passkey use. See Configure the FIDO2 (WebAuthn) authenticator.

OAuth grant type options for custom apps

Now when you configure SCIM provisioning for a custom SWA or SAML app with OAuth 2, you can set the grant type to Authorization code or Client credentials. See Add SCIM provisioning to app integrations.

Enhanced provisioning support for Office 365 Entitlement Management

When Entitlement Management is enabled for the Office 365 app, you can now use all four provisioning options: licenses/role management, profile sync, user sync, and universal sync.

More Universal Directory attributes available for identity verification mapping

Admins can now map more Universal Directory attributes when sending verification claims to an identity verification (IDV) vendor. This improves the accuracy of verification and gives the admin control over which attributes are sent to the IDV vendor. See Map profile attributes from Okta to an identity verification vendor.

Improved realm picker access

The realm picker now automatically filters to display up to five realms that the admin can access.

System Log updates for security.request.blocked events

When security.request.blocked events are triggered by dynamic or enhanced dynamic network zones, the System Log now populates the client.zone field.
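The two System Log changes above (PolicyId and PolicyRulePriority on the Rule target of policy.evaluate_sign_on, and client.zone on security.request.blocked) are easiest to consume with a small parser. The Python below is an added example, not Okta's code: it assumes the Rule target's type is Rule or PolicyRule and that the two new fields sit in that target's detailEntry, assumes client.zone carries the zone name, and runs over constructed newline-delimited events rather than real System Log output. blocked_without_zone flags the case a later fix on this page closes for IP zones (OKTA-1060987): blocked requests whose client.zone is empty.

```python
"""Read the System Log fields these notes mention: PolicyId and
PolicyRulePriority on the Rule target of policy.evaluate_sign_on, and
client.zone on security.request.blocked.

Added example, not Okta code. Assumptions made here: the rule target's type is
"Rule" or "PolicyRule" and the two new fields live in its detailEntry; client.zone
is the zone display name. Events are newline-delimited JSON, as most SIEM
shippers export them; the sample below is constructed, not real log output.
"""
import json

RULE_TYPES = {"Rule", "PolicyRule"}


def rule_target(event):
    """Return the first target describing the matched policy rule, or None."""
    for target in event.get("target") or []:
        if target.get("type") in RULE_TYPES:
            return target
    return None


def policy_evaluation(event):
    """Which rule of which policy decided this sign-on, and at what priority."""
    target = rule_target(event) or {}
    detail = target.get("detailEntry") or {}
    return {
        "actor": (event.get("actor") or {}).get("alternateId"),
        "result": (event.get("outcome") or {}).get("result"),
        "rule": target.get("displayName"),
        "policyId": detail.get("PolicyId"),
        "priority": detail.get("PolicyRulePriority"),
    }


def blocked_request(event):
    """Which network zone blocked this request, and from which address."""
    client = event.get("client") or {}
    return {
        "ip": client.get("ipAddress"),
        "zone": client.get("zone"),
        "reason": (event.get("outcome") or {}).get("reason"),
    }


HANDLERS = {
    "policy.evaluate_sign_on": policy_evaluation,
    "security.request.blocked": blocked_request,
}


def summarise(ndjson):
    """Parse newline-delimited events and dispatch on eventType."""
    rows = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        handler = HANDLERS.get(event.get("eventType"))
        if handler:
            rows.append((event["eventType"], handler(event)))
    return rows


def blocked_without_zone(ndjson):
    """Blocked requests whose client.zone is still empty: the gap the fix closes."""
    return [row for kind, row in summarise(ndjson)
            if kind == "security.request.blocked" and not row["zone"]]


# Constructed sample: one policy evaluation, one block with a zone, one without.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventType": "policy.evaluate_sign_on",
     "actor": {"id": "00u1", "type": "User", "alternateId": "alice@example.com"},
     "outcome": {"result": "ALLOW"},
     "target": [
         {"id": "00p1", "type": "PolicyEntity", "displayName": "Default Policy"},
         {"id": "0pr1", "type": "Rule", "displayName": "Require MFA for contractors",
          "detailEntry": {"PolicyId": "00p1", "PolicyRulePriority": "2"}}]},
    {"eventType": "security.request.blocked",
     "client": {"ipAddress": "203.0.113.7", "zone": "BlockedCountries"},
     "outcome": {"result": "DENY", "reason": "BLOCKED_ZONE"}},
    {"eventType": "security.request.blocked",
     "client": {"ipAddress": "198.51.100.9", "zone": None},
     "outcome": {"result": "DENY", "reason": "BLOCKED_ZONE"}},
])

if __name__ == "__main__":
    for kind, row in summarise(SAMPLE_LOG):
        print(kind, row)
    print("blocked without zone:", blocked_without_zone(SAMPLE_LOG))
```

With PolicyId and PolicyRulePriority in hand you can join sign-on outcomes back to the exact rule that produced them, which is what an investigation of "why was this user allowed in" needs.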

Delegated flow updates

Delegated flows now include a Caller input field. This allows you to pass more information to a flow that was called from another Okta product. For example, the requestID from Access Requests is now passed to the delegated flow. See Build a delegated flow.

Early Access

SHA-256 digest algorithm support

Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.

Device conditions in the Okta account management policy

With this feature, admins can restrict account management activities, such as self-service password resets or new authenticator enrollments, based on device conditions. Admins can configure Okta account management policy rules that require registered or managed devices, or require devices to meet the requirements of a device assurance policy. See Add a rule for enrollment of your first phishing-resistant authenticator.

Governance for Workflows now available in EA

You can now use Okta Identity Governance to manage access to Workflows roles. This helps you ensure that access to Workflows is granted consistently and in compliance with your company's requirements. See Governance for Workflows.

Breached credentials protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.

Breached credentials protection is now available for Federal customers.

Enable custom admin roles for inline and event hooks

The inline hook and event hook framework now supports read and write permissions for custom admin roles. This enhancement gives fine-grained access to manage inline and event hooks that previously required the super admin role. See Role permissions.

Device Assurance for Windows: Virus and threat protection

Admins can now enforce a Device Assurance condition that requires Windows devices using the Chrome browser to have virus and threat protection enabled. This feature strengthens your org's security posture by ensuring that user devices are protected by active antivirus software before granting access.

Detection settings in session protection

Tailor Identity Threat Protection (ITP) to your org's security priorities and balance security with a seamless user experience. With the new detection settings, you define which session context changes trigger policy re-evaluation, so that re-evaluation is triggered only by the changes that matter to you. See Session protection.

User enumeration prevention enhancement

Admins can now configure which authentication methods users are prompted for when they sign in from an unknown device or browser and trigger enumeration prevention. This enhances org security by adding more protection to sign-in attempts. See General Security.

Improved End-User Settings version 2.0 user interface

End-User Settings version 2.0 has new enhanced user interface elements.

Fixes

  • Group push sometimes failed during deployments. (OKTA-941489)

  • The SCIM 2.0 User update operation sent an empty object when multi-value roles were configured and one of the roles or attributes was undefined or null for the user. (OKTA-945579)

  • When admins created a linked group, no description was displayed. (OKTA-996729)

  • When an import exceeded the app unassignment limit, the Learn More link resulted in an error. Additionally, the App assignment removal limit link incorrectly redirected to the main Assignments tab instead of the Import Safeguard configuration settings. (OKTA-1010606)

  • A misleading error appeared in the System Log when admins selected Refresh Application Data for CSV Directory integrations. The system attempted to download unsupported custom objects, generating an error even though the import completed successfully. (OKTA-1011439)

  • Users who were locked out of their account, had an account in recovery, or had an expired password, saw an Internal Server Error message when they clicked Request activation email. (OKTA-1020121)

  • The MFA Enrollment by User report displayed an "Unexpected response" error when loading the Enrollment by Authenticator Type dynamic chart. (OKTA-1030846)

  • Users with a custom admin role were unable to confirm assignments in Active Directory. (OKTA-1034364)

  • When configuring OIDC identity providers in the Admin Console, admins couldn't set the issuerMode property because it was missing. (OKTA-1035016)

  • Users in Germany who were added to a new app sign-in policy that required biometrics saw an Internal Server Error when they tried to sign in. (OKTA-1036434)

  • Active Directory imports failed with an Incorrect result size error when DirSync was enabled. This occurred because creating a new group in Active Directory generated duplicate entries during the import process. (OKTA-1043592)

  • Sometimes, clicking Retry Selected to retry information tasks incorrectly resulted in a failure. (OKTA-1043901)

  • The expected text when Don't create Okta password was selected on the Finish campaign dialog wasn't displayed. (OKTA-1044068)

  • The Sign-In Widget (third generation) didn't show an error message if users clicked Verify without entering their SMS OTP in the Enter Code field. (OKTA-1056852)

  • DirSync jobs continued to be scheduled for Office 365 instances even after provisioning was disabled. (OKTA-1059506)

  • The state of the Include Groups in RADIUS response checkbox didn't update correctly when RADIUS agents were configured to send multiple group response attributes. (OKTA-1060165)

  • There were several alignment issues on the user profile > Admin roles tab and throughout the Administrators pages. (OKTA-1061753)

  • In the Actions menu on the App sign-in policy page, the description for the Delete action was missing when the action was unavailable. (OKTA-1061865)

  • Customized names for authenticators with multiple enrollments weren't displayed to anonymous users when user enumeration prevention was enabled. (OKTA-1063947)

  • On the App sign-in policy page, the description under Actions > Clone didn't update based on whether or not the policy was shareable. (OKTA-1064678)

  • During a password migration, when a password capture was skipped, the wrong reason for skipping the capture was recorded in the System Log. (OKTA-1068361)

  • On the App sign-in policy page, admins who had custom policy permissions but lacked application permissions couldn't view the app sign-in policy rules. (OKTA-1069119)

  • When an Identity Verification IdP was created with openid, profile, identity_assurance, idv_flow scopes, only the default scopes were sent to the Pushed Authorization Request. (OKTA-1069299)

  • Updates to user entitlements in JDBC applications failed to sync to the remote profile. This occurred when a user was re-imported without any changes to their profile data. (OKTA-1070338)

Okta Integration Network

  • Svix (OIDC) is now available. Learn more.

  • OpenPolicy (SCIM) is now available. Learn more.

  • Coalition Control has a new integration guide.

  • Practising Law Institute (SWA) was updated. (OKTA-1063963)

  • Clearout.io (OIDC) has updated use cases and a new Initiate login URI. Learn more.

  • Svix now supports Universal Logout.

  • Harmony SASE (SCIM) has been updated with new regions.

Weekly Updates

2025.12.1: Update 1 started deployment on January 5

Generally Available

Device assurance OS version update

The following OS versions are now supported in Device Assurance policies:

  • Windows 10 (10.0.17763.8146, 10.0.19044.6691, 10.0.19045.6691)
  • Windows 11 (10.0.22631.6345, 10.0.26100.7462, 10.0.26200.7462)

Event hooks for app provisioning and imported changes events

You can now use event hooks for the Okta events that provision app users and import changes from apps. The following events are now event hook eligible:

  • application.provision.user.push_profile
  • application.provision.user.push
  • application.provision.user.reactivate
  • application.provision.user.import_profile
  • app.user_management.user_group_import.upsert_success

See Event Types.
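Here is a minimal receiver for these events, added as an example and not Okta's code. It implements the two halves of Okta's event hook contract: answering the one-time verification GET by echoing the x-okta-verification-challenge header back as {"verification": ...}, and accepting delivery POSTs whose JSON body carries the events under data.events. The Authorization header value, the listen address, and the sample delivery are assumptions and constructed data; a real deployment also needs TLS in front of it and should hand events to a queue rather than process them inline.

```python
"""Minimal event hook receiver for the provisioning and import events that
became hook-eligible in 2025.12.1.

Added example, not Okta code. What it relies on from Okta's documented event
hook protocol: the one-time verification GET carries an
x-okta-verification-challenge header and expects {"verification": <value>}
back; deliveries are POSTs whose JSON body has data.events. The shared-secret
Authorization header value and the listen address are assumptions you set when
configuring the hook; the sample delivery is constructed.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_AUTH = "Bearer hook-secret-set-in-okta-admin-console"  # assumption
ELIGIBLE_EVENTS = {
    "application.provision.user.push_profile",
    "application.provision.user.push",
    "application.provision.user.reactivate",
    "application.provision.user.import_profile",
    "app.user_management.user_group_import.upsert_success",
}


def verification_response(headers):
    """Answer Okta's one-time endpoint verification, or None if this isn't one."""
    challenge = headers.get("x-okta-verification-challenge")
    if not challenge:
        return None
    return {"verification": challenge}


def authorized(headers):
    """Constant-time compare of the hook's shared-secret header."""
    return hmac.compare_digest(headers.get("authorization", ""), EXPECTED_AUTH)


def extract_events(body):
    """Return app, user and outcome for each eligible event in a delivery."""
    payload = json.loads(body)
    rows = []
    for event in payload.get("data", {}).get("events", []):
        kind = event.get("eventType")
        if kind not in ELIGIBLE_EVENTS:
            continue
        targets = {t.get("type"): t.get("displayName") for t in event.get("target", [])}
        rows.append({
            "eventType": kind,
            "app": targets.get("AppInstance"),
            "user": targets.get("AppUser") or targets.get("User"),
            "result": (event.get("outcome") or {}).get("result"),
        })
    return rows


class HookHandler(BaseHTTPRequestHandler):
    """GET handles verification; POST handles deliveries."""

    def _send(self, status, obj=None):
        body = json.dumps(obj).encode() if obj is not None else b""
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _headers(self):
        return {k.lower(): v for k, v in self.headers.items()}

    def do_GET(self):
        reply = verification_response(self._headers())
        if reply is None:
            self._send(404)
        else:
            self._send(200, reply)

    def do_POST(self):
        headers = self._headers()
        if not authorized(headers):
            self._send(401)
            return
        length = int(headers.get("content-length", "0"))
        for row in extract_events(self.rfile.read(length)):
            print(row)  # hand off to a queue or SIEM here; keep the response fast
        self._send(200)


# Constructed delivery, shaped like an Okta event hook POST body.
SAMPLE_DELIVERY = json.dumps({
    "eventType": "com.okta.event_hook",
    "data": {"events": [
        {"eventType": "application.provision.user.push",
         "outcome": {"result": "SUCCESS"},
         "target": [{"type": "AppInstance", "displayName": "Example App"},
                    {"type": "AppUser", "displayName": "alice@example.com"}]},
        {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "target": []},
    ]},
})

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), HookHandler).serve_forever()  # assumption
```

Verifying the shared-secret header before parsing the body is the part that matters: without it, anyone who learns the endpoint URL can feed fabricated provisioning events into whatever consumes them.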

Fixes

  • Sometimes a Null Pointer Exception caused an HTTP 500 error when users initiated a Self-Service Registration. (OKTA-909226)

  • The End-User Settings 2.0 app didn't honor the Okta global session cookies persist across browser sessions setting after admins disabled it. (OKTA-1010661)

  • Attempts to build the Okta Provisioning Connector SDK (version 02.04.00) example server failed with a dependency resolution error. (OKTA-1021402)

  • Active Directory imports failed with an "Incorrect result size" error when DirSync was enabled. This occurred because creating a new group in Active Directory generated duplicate entries during the import process. (OKTA-1043592)

  • In some orgs, after assigning a group to an app, any users in the group that failed to be activated in the downstream app weren't able to access the app from their End-User Dashboard, and the task to retry the activation was inadvertently hidden. (OKTA-1060837)

  • When security.request.blocked events were triggered by IP zones, the client.zone field wasn't populated in the System Log. (OKTA-1060987)

  • Recent UI changes prevented some admins from accessing the Account page. (OKTA-1062156)

  • In orgs with end-user remediation for management attestation enabled, the Sign-In Widget incorrectly displayed remediation instructions when the authenticating device's platform didn't match the platform defined in the device assurance policy. (OKTA-1064062)

  • The Add a domain to Office 365 link in the Office 365 manual federation instructions pointed to an invalid URL. (OKTA-1068862)

  • When an admin reused a device policy identifier from a preview org in a production org, users received a Resource not found error during the sign-in flow. (OKTA-1069092)

  • Updates to user entitlements in JDBC applications failed to sync to the remote profile. This occurred when a user was re-imported without any changes to their profile data. (OKTA-1070338)

  • When ISVs attempted to submit an app in the OIN wizard, the scim_base_url wasn't allowed in the submissions as an App Instance Property (AIP). (OKTA-1070530)

  • The PagerDuty app integration didn't use the correct Universal Logout endpoint. (OKTA-1070647)

  • When a user session context change violated a global session or app sign-in policy, the resulting action had inconsistent names on the Session Protection Violation Report and User risk table. (OKTA-1073989)

  • Some UI elements in the Encryption keys section of the authorization server Settings tab didn't render correctly. (OKTA-1075244)

Okta Integration Network

  • BetterLogiq (OIDC) is now available. Learn more.

  • Navan (SAML) has updated endpoints.

  • BetterLogiq now supports Express Configuration.

  • GoSystem Tax (SWA) was updated.

  • Lyster now supports Express Configuration.

  • BetterLogiq now supports Universal Logout.

  • Bedrock Analytics (OIDC) is now available. Learn more.

  • AfterShip (SAML) is now available. Learn more.

  • Scalefusion OneIdP (SCIM) is now available. Learn more.

  • Audit Sight (OIDC) is now available. Learn more.

  • Audit Sight (SAML) is now available. Learn more.

  • Veraproof Scimify (SCIM) is now available. Learn more.

  • Biome (OIDC) is now available. Learn more.

  • Biome (SCIM) is now available. Learn more.