Okta Identity Engine release notes (Preview)

Version: 2025.11.0

November 2025

Generally Available

New Admin Console search logic

The spotlight search now uses "contains" logic, returning matches from any part of a search instead of only the beginning. This helps admins find results quicker and more easily. See Admin Console search.

New System Log event for AD agent changes

The System Log event system.agent.ad.config.change.detected reports when Okta Support modifies an AD agent configuration. (OKTA-1047077)

Custom domains and certificates

Okta now supports certificates signed with SHA-384 or SHA-512 for custom domains. See Configure a custom domain.

Partner Admin Portal App Switcher

In the Partner Admin Portal, you can now use the App Switcher to navigate to your apps.

Okta Active Directory agent, version 3.22.0

This release includes LDAPS support and bug fixes. See Okta Active Directory agent version history.

Usability enhancements for Office 365 WS-Federation configuration

The WS-Federation configuration interface on the sign-in page has been refined for improved clarity and usability:

  • The View Setup Instructions button has been relocated to optimize the visual layout.
  • A new display option has been added to visualize parent and child domain relationships.

Remember last-used authenticator: Okta FastPass

Okta now remembers FastPass as the last-used authenticator when users click "Sign in with Okta FastPass" on the Sign-In Widget.

Passkey and security key subdomain support

Okta now lets users authenticate with their passkeys or security keys in their Okta org or custom domain, and all subdomains below them. This helps you achieve phishing-resistant authentication and avoids the need to issue multiple passkeys or security keys to each user for each domain they access. See Configure the FIDO2 (WebAuthn) authenticator.

Integrate Okta with Device Posture Provider

The Device Posture Provider feature enhances Zero Trust security by integrating external device compliance signals into the Okta policy engine. Previously, Okta couldn't leverage signals from third-party or custom tools to enforce access policies. Now, by accepting SAML/OIDC assertions from external compliance services, admins can incorporate custom compliance attributes into device assurance policies. This enables orgs to use their existing device trust signals within Okta, and foster a more flexible and secure posture without the need for extra agents or redundant tooling. See Integrate Okta with Device Posture Provider.

Passkeys from Android devices

Okta now accepts passkeys that are generated by Android devices. Okta associates these passkeys with trusted web domains to enable users to authenticate with them. This expands the number of device types that Okta supports for passkey use. See Configure the FIDO2 (WebAuthn) authenticator.

OAuth grant type options for custom apps

Now when you configure SCIM provisioning for a custom SWA or SAML app with OAuth 2, you can set the grant type to Authorization code or Client credentials. See Add SCIM provisioning to app integrations.

More Universal Directory attributes available for identity verification mapping

Admins can now map more Universal Directory attributes when sending verification claims to an identity verification (IDV) vendor. This improves the accuracy of verification and gives the admin control over which attributes are sent to the IDV vendor. See Map profile attributes from Okta to an identity verification vendor.

Associated domains

Associated domains let you build a trust relationship among your app, the referring domain, the user's credentials that are associated with that domain, and your brand in Okta. This feature makes it easier to adopt phishing-resistant authenticators, like passkeys in the FIDO2 (WebAuthn) authenticator. See Configure associated domains.

Automatically select Okta Verify and custom push methods

Okta now automatically selects Okta Verify (OV) and custom push methods when they are the only options that meet assurance requirements. Previously, in some scenarios, users had to manually select these methods. This update eliminates that extra step.

Enhanced security for Okta Access Requests web app

The Okta Access Requests web app now performs policy evaluations before granting new access tokens.

Universal Logout for Okta Access Requests web app

The Okta Access Requests web app now supports Universal Logout. This enables admins to automatically sign users out of this app when Universal Logout is triggered. See Third-party apps that support Universal Logout.

Early Access

Password complexity requirements

Okta now lets you limit the number of consecutive repeating characters that users can put in their passwords. Password complexity requirements are now also applied to Active Directory and LDAP-sourced users. This change enhances the security of your org by expanding password complexity options, and applying this protection to more user profile types. See Configure the password authenticator.
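The consecutive-repeating-characters rule described above is easy to get subtly wrong in your own code (off-by-one on the limit, or counting case-insensitively when the policy does not). The following is an added example, not Okta's code, of enforcing the same rule in a local validator so that client-side checks agree with the org policy; the limit value and function names are assumptions.

```python
# Added example (not Okta's code): apply a "no long runs of one character"
# rule of the kind the release note describes inside your own password
# validation, so local checks agree with the org policy.

MAX_CONSECUTIVE_REPEATS = 3  # assumed limit for illustration; use your policy's value


def longest_run(password: str) -> int:
    """Length of the longest run of one character repeated back to back.

    Comparison is exact, so "aAa" is three distinct runs of length 1.
    """
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def repeat_violations(password: str, limit: int = MAX_CONSECUTIVE_REPEATS) -> list[str]:
    """Return one entry per run that exceeds the limit, in order of appearance."""
    offenders = []
    run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        prev = ch
        if run == limit + 1:  # report once per run, at the moment it crosses the limit
            offenders.append(ch)
    return offenders


def is_acceptable(password: str, limit: int = MAX_CONSECUTIVE_REPEATS) -> bool:
    """True when no run of a single character is longer than the limit."""
    return not repeat_violations(password, limit)
```

Keep the local check in sync with the server-side setting; the server remains the authority, and the local check only spares the user a round trip.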

New custom admin permissions

New custom admin permissions let you read or read and write in app sign-in, global session, and Okta account management policies. This enhances the granularity of admin permissions in your org. See Create a resource set.

Submit entitlement management integrations

Independent Software Vendors (ISVs) can now submit SCIM 2.0-based entitlement management integrations to the Okta Integration Network (OIN). This enhancement enables customers and IT admins to discover, manage, and assign fine-grained entitlements such as roles and permissions directly from Okta. By standardizing entitlement management, organizations can automate access assignments and streamline Identity Governance, ensuring users receive the right access and roles without manual intervention. For more information, see Submit an integration with the OIN Wizard.

Device Assurance for Windows: Virus and threat protection

Admins can now enforce a Device Assurance condition that requires Windows devices using the Chrome browser to have virus and threat protection enabled. This self-service EA feature strengthens your org's security posture by ensuring that user devices are protected by active antivirus software before granting access.

User enumeration prevention enhancement

Admins can now configure which authentication methods users are prompted for when they sign in from an unknown device or browser and trigger enumeration prevention. This enhances org security by adding more protection to sign-in attempts. See General Security.

Inline step-up flow for User Verification with Okta Verify

End users can now easily satisfy authentication policies that require higher User Verification (UV) levels, even if their current enrollment is insufficient. This feature proactively guides users through the necessary UV enablement steps. As a result, administrators can confidently implement stricter biometric UV policies to eliminate the risk of user lockouts and reduce support inquiries related to UV mismatches. See User experience based on Okta Verify user verification settings.

Fixes

  • An Okta Verify error prevented some users from signing in to orgs that had the Advanced Posture Check feature enabled. The error wasn't recorded in the System Log. (OKTA-897459)

  • Some users saw incorrectly rendered dropdown menus that persisted between screens. (OKTA-955890)

  • When an app sign-in policy included an authentication method chain, users who enrolled Okta Verify on another device couldn't complete inline enrollment into Okta Verify on a second device using a different authentication method. (OKTA-908311)

  • Some users could unlock their accounts even though this wasn't allowed in password policies. (OKTA-984362)

  • In orgs with the Send Application Context to an External IdP feature enabled, users couldn't access apps if the app names had trailing whitespaces. (OKTA-998869)

  • AD password resets sometimes failed with an exception. (OKTA-1004233)

  • When interacting with the Access Requests web app using the Safari browser, users couldn't tag another user with @ in the request's chat. (OKTA-1005685)

  • When a phishing attack was detected, the System Log didn't always record the event. (OKTA-1006043)

  • Deleted request types sometimes reappeared if the org had the Unified Requester Experience feature enabled. (OKTA-1040545)

  • When the LDAP agent installer successfully registered the agent but the installation failed, the agent incorrectly appeared as operational. (OKTA-1045661)

Okta Integration Network

  • Harmony now has the okta.users.manage, okta.groups.read, and okta.groups.manage scopes.

  • Valos (OIDC) has a new redirect URI. Learn more.

  • Chronicle of Higher Education (SWA) was updated.

  • 1VALET (SAML) has updated attribute statements.

  • Fabrix Smart Actions (API Service) now has the okta.groups.manage scope.

  • Boston Properties (SWA) was updated.

  • Holistiplan SSO (SAML) is now available. Learn more.

  • Mimecast Human Risk Integration (API Service) is now available. Learn more.

  • Aglide (SAML) is now available. Learn more.

  • Aglide (SCIM) is now available. Learn more.

  • SmarterSign Digital Signage (OIDC) is now available. Learn more.

  • SmarterSign Digital Signage (SCIM) is now available. Learn more.

Doc Updates

Okta Aerial documentation

Documentation for Okta Aerial has been added to help.okta.com with the following updates:

  • Aerial card added to the home page.
  • Aerial option added to Documentation dropdown list.
  • Aerial release notes added to Release notes dropdown list.

Okta Aerial allows you to manage multiple Okta orgs from a single, centralized account. The Aerial account lives outside of your other orgs and can manage any Production or Preview org that's linked to the Aerial account. Each Aerial account has a dedicated Aerial org where you can invite Aerial admins who can request and be granted access to connected orgs in your environment. See Okta Aerial.

Preview Features

Enhanced import monitoring with real-time updates

You can now view real-time progress for imports from the Import Monitoring dashboard. This provides greater visibility into the current status of in-progress imports such as the number of data chunks currently being processed.

Workday supports incremental imports

Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports.

Same-device enrollment for Okta FastPass

On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.
  • Users no longer need to enter their org URL during enrollment.
  • The enrollment flow has fewer steps.

This feature is supported on Android, iOS, and macOS devices.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.

Application Entitlement Policy

Admins can now override attribute mapping when assigning apps to individuals or groups. You can also revert attributes to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

End-user setting for nicknaming factors

End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the end-user documentation. This is a self-service feature.

Content security policy enforcement on end-user pages

Content Security Policy is now enforced on non-customizable end-user pages in orgs with custom domains. Content Security Policy headers provide an additional layer of security that helps detect and mitigate attacks such as cross-site scripting and data injection by telling the browser which actions and resource loads a page is allowed to perform. A policy has been enforced on admin pages since last year and has been running in report-only mode for end-user pages. Future iterations of Content Security Policy enforcement for end-user pages are planned to be stricter than this first release.

This feature will be gradually made available to all orgs.
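To make the report-only-then-enforce progression above concrete, the following added example (not Okta's code) shows the one-header difference between the two stages and a simplified model of how a browser decides whether a resource load is permitted by a directive. The matcher handles 'none', 'self', scheme://host and *.host sources only; nonces, hashes, paths and 'strict-dynamic' are out of scope. The policy text and host names are constructed.

```python
from urllib.parse import urlsplit

# Added example (not Okta's code): how a browser applies a Content Security
# Policy to a resource load, and the one-header difference between the
# report-only stage and enforcement. Deliberately simplified matcher:
# 'none', 'self', scheme://host and *.host sources only. Policy and hosts
# below are constructed for illustration.

EXAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com *.assets.example; "
    "report-uri /csp-report"
)


def csp_header(policy: str, report_only: bool) -> tuple[str, str]:
    """Same policy text; only the header name decides whether violations are
    blocked or merely reported to the report-uri endpoint."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, policy


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source, ...]}; first occurrence wins, as in browsers."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _host_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.example.com" matches "a.example.com", not "example.com"
    return pattern == host


def source_allowed(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """Would a browser enforcing `policy` on a page at `page_origin` load `url`
    under `directive` (e.g. "script-src")? Falls back to default-src."""
    directives = parse_csp(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # nothing governs this directive: unrestricted
    page, target = urlsplit(page_origin), urlsplit(url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'":
            if (target.scheme, target.netloc) == (page.scheme, page.netloc):
                return True
            continue
        if src.startswith("'"):
            continue  # keyword/nonce/hash sources are not URL matches in this model
        if "://" in src:
            scheme, _, rest = src.partition("://")
            if target.scheme != scheme.lower():
                continue
        else:
            rest = src
            if target.scheme not in ("https", page.scheme):
                continue  # scheme-less host source matches the page's scheme (and https)
        host_pattern = rest.split("/")[0].split(":")[0]
        if _host_matches(host_pattern, target.hostname or ""):
            return True
    return False
```

A typical rollout ships the policy under the report-only header name first, watches the report-uri endpoint for violations that would have broken legitimate pages, and only then switches the header name; the policy text itself does not change between the two stages.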

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints.

Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
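The descriptive reason on security.threat.detected events (described under Descriptive System Log events above and here with the new Negative IP Reputation reason), together with the system.agent.ad.config.change.detected event from the Generally Available section, is the kind of signal a SOC routes from the System Log into review. The following is an added example, not Okta's code, of triaging such events offline. It assumes the reason is read from outcome.reason and that an outcome result of DENY means ThreatInsight blocked the request rather than only logging it; the log lines are constructed and the IPs are documentation ranges.

```python
import json
from collections import Counter, defaultdict

# Added example (not Okta's code): triage System Log events of the kinds the
# release note mentions. Assumptions: the descriptive reason of a
# security.threat.detected event is in outcome.reason, and outcome.result
# DENY means ThreatInsight blocked the request. Lines below are constructed.
SAMPLE_LOG = """
{"eventType": "security.threat.detected", "published": "2025-11-03T10:00:01.000Z", "outcome": {"result": "DENY", "reason": "Negative IP Reputation"}, "client": {"ipAddress": "203.0.113.10"}}
{"eventType": "security.threat.detected", "published": "2025-11-03T10:00:09.000Z", "outcome": {"result": "DENY", "reason": "Negative IP Reputation"}, "client": {"ipAddress": "203.0.113.10"}}
{"eventType": "security.threat.detected", "published": "2025-11-03T10:02:30.000Z", "outcome": {"result": "ALLOW", "reason": "Request from suspicious IP"}, "client": {"ipAddress": "198.51.100.7"}}
{"eventType": "user.session.start", "published": "2025-11-03T10:03:00.000Z", "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "192.0.2.5"}}
{"eventType": "system.agent.ad.config.change.detected", "published": "2025-11-03T10:05:00.000Z", "actor": {"displayName": "Okta Support"}, "outcome": {"result": "SUCCESS"}, "target": [{"type": "Agent", "displayName": "dc01-ad-agent"}]}
"""


def parse_events(text: str) -> list[dict]:
    """One JSON object per line, as exported from the System Log or a log stream."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events: list[dict]) -> dict:
    """Group threat detections by their descriptive reason and surface AD agent
    configuration changes made outside the org's own admins."""
    threats_by_reason: Counter = Counter()
    ips_by_reason: defaultdict = defaultdict(set)
    blocked = 0
    ad_agent_changes = []
    for ev in events:
        event_type = ev.get("eventType")
        outcome = ev.get("outcome") or {}
        if event_type == "security.threat.detected":
            reason = outcome.get("reason") or "unspecified"
            threats_by_reason[reason] += 1
            if outcome.get("result") == "DENY":  # assumption: DENY == blocked by ThreatInsight
                blocked += 1
            ip = (ev.get("client") or {}).get("ipAddress")
            if ip:
                ips_by_reason[reason].add(ip)
        elif event_type == "system.agent.ad.config.change.detected":
            targets = [t.get("displayName") for t in ev.get("target") or []]
            ad_agent_changes.append({
                "published": ev.get("published"),
                "actor": (ev.get("actor") or {}).get("displayName"),
                "targets": targets,
            })
    return {
        "threats_by_reason": dict(threats_by_reason),
        "ips_by_reason": {r: sorted(ips) for r, ips in ips_by_reason.items()},
        "blocked": blocked,
        "ad_agent_config_changes": ad_agent_changes,
    }


def review_queue(summary: dict, reason: str = "Negative IP Reputation") -> list[str]:
    """IPs flagged under one reason, for an admin to check against exempt
    network zones before relying on them or tightening the ThreatInsight mode."""
    return summary["ips_by_reason"].get(reason, [])


if __name__ == "__main__":
    print(json.dumps(triage(parse_events(SAMPLE_LOG)), indent=2))
```

In log mode the blocked count stays at zero while the reason breakdown still shows what block mode would have stopped, which is the comparison to run before switching modes.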

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the app's assurance policy. After the assurance requirements are met, the user is signed directly in to the app.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your app requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the app, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the app.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error prone and time consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and to devices that lack web browsers. It enables users to use a secondary device, such as a laptop or mobile phone, to sign in to apps that run on such devices.
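The grant described above is standardized as RFC 8628. The following added example, not Okta's code, models both parties so the message exchange can be followed end to end: the device asks for a device code and a short user code, displays the user code, and polls the token endpoint while the user approves on a secondary device; the server enforces expiry, polling interval and single use. The verification URI, timings and names are assumptions for illustration.

```python
import secrets
import time

# Added example (not Okta's code): a compact model of the OAuth 2.0 Device
# Authorization grant (RFC 8628) with the device, the authorization server
# and the user's secondary device all present. Endpoint URL and timings are
# assumptions for illustration.

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # no vowels or look-alikes: easier to type on a TV
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class AuthorizationServer:
    def __init__(self, verification_uri="https://login.example.com/device",
                 expires_in=600, interval=5, now=time.time):
        self.verification_uri = verification_uri
        self.expires_in = expires_in
        self.interval = interval
        self._now = now  # injectable clock so the flow can be tested without sleeping
        self._grants: dict = {}  # device_code -> pending grant

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Device -> server: start the flow. The response is what the device shows the user."""
        code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{code[:4]}-{code[4:]}"
        device_code = secrets.token_urlsafe(32)
        self._grants[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "created": self._now(), "approved": None, "last_poll": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "expires_in": self.expires_in, "interval": self.interval}

    def _find_by_user_code(self, user_code: str):
        wanted = user_code.upper().replace(" ", "")
        for device_code, g in self._grants.items():
            if g["user_code"] == wanted:
                return device_code, g
        return None, None

    def decide(self, user_code: str, approve: bool) -> bool:
        """User on the secondary device (already signed in there) approves or denies the code."""
        _, g = self._find_by_user_code(user_code)
        if g is None or self._now() - g["created"] > self.expires_in:
            return False
        g["approved"] = approve
        return True

    def token(self, client_id: str, device_code: str, grant_type: str = DEVICE_GRANT) -> dict:
        """Device -> server: poll the token endpoint with the device code."""
        g = self._grants.get(device_code)
        if grant_type != DEVICE_GRANT or g is None or g["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self._now()
        if now - g["created"] > self.expires_in:
            del self._grants[device_code]
            return {"error": "expired_token"}
        if g["last_poll"] is not None and now - g["last_poll"] < self.interval:
            g["last_poll"] = now
            return {"error": "slow_down"}  # device polled too fast and must back off
        g["last_poll"] = now
        if g["approved"] is None:
            return {"error": "authorization_pending"}
        del self._grants[device_code]  # a decided device code is single use either way
        if g["approved"] is False:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "scope": g["scope"]}


def device_login(server, client_id, scope, show_user_code, sleep=time.sleep) -> dict:
    """Device side: request codes, display them, poll until the user decides."""
    auth = server.device_authorization(client_id, scope)
    show_user_code(auth["user_code"], auth["verification_uri"])
    interval = auth["interval"]
    while True:
        sleep(interval)
        resp = server.token(client_id, auth["device_code"])
        error = resp.get("error")
        if error is None:
            return resp
        if error == "authorization_pending":
            continue
        if error == "slow_down":
            interval += 5  # RFC 8628 section 3.5: add 5 seconds to the polling interval
            continue
        raise RuntimeError(f"device flow failed: {error}")
```

The security properties worth noting are that the device never learns the user's credentials, the user code is short-lived and single use, and the server can throttle a device that polls too eagerly.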