Okta Identity Engine release notes (Preview)
Version: 2025.09.0
September 2025
Generally Available
Translations update for the Partner Admin Portal
Japanese translations for the Add user and Edit user forms have been updated. This change aligns the Japanese labels with their English counterparts.
Manage agents permission granted to certain roles
Custom admin roles with the View application and their details permission now have the Manage agents permission. This is a temporary change that helps Okta separate the two permissions in a future release. See Role permissions.
Improved user experience for Access Requests
The access request details page has been improved to provide more visibility into the tasks assigned to approvers and the answers submitted by requesters. If you integrated Slack or Teams with Access Requests, similar changes have been made to the access request message that approvers receive. Additionally, the email notification sender's name and address have been changed. The sender's name is Okta Access Requests and the email address is noreply@at.okta.com.
New versions of Okta Provisioning agent and SDK
Okta Provisioning agent 3.0.3 and Okta Provisioning agent SDK 2.4.0 are now available. These releases contain bug fixes and minor improvements.
Improved search in the Partner Admin Portal
The Partner Admin Portal user list now sorts by the Last Updated column in descending order by default. The search feature uses a Contains operator for three or more characters.
Org2Org OIDC Sign-on mode
The Org2Org app now includes an OIDC Sign-on mode using the Okta Integration IdP. This sign-on mode reduces the complexity of configuration between the Org2Org app and the target org, and takes advantage of modern security features of OIDC. See Integrate Okta Org2Org with Okta.
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 13, 14, 15, 16 security patch 2025-09-01
- iOS 18.6.2
- iOS 26.0.0 (major version)
- macOS Ventura 13.7.8
- macOS Sonoma 14.7.8
- macOS Sequoia 15.6.1
- macOS Tahoe 26.0.0 (major version)
- Windows 10 (10.0.17763.7678, 10.0.19044.6216, 10.0.19045.6216)
- Windows 11 (10.0.22621.5768, 10.0.22631.5768, 10.0.26100.4946)
The following versions are no longer supported:
- iOS 15.8.4
- iOS 16.7.11
- macOS 12.7.6
- Windows 11 (10.0.22000.3260)
Nonce rollout for Content Security Policy
Okta is rolling out nonces for the style-src directive of the Content Security Policy for every endpoint that returns HTML content. This is a two-stage process: first, the nonce is added to the style-src directive of the Content-Security-Policy-Report-Only header; later, after any unsafe inline instances have been identified and fixed, the nonce is added to the style-src directive of the Content-Security-Policy header. This update will be gradually applied to all endpoints.
These updates will be applied to Okta domains and custom domain pages that aren't customizable by admins (for example, sign-in pages, and error pages on custom domains). See Customize an error page.
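As an added example (not Okta's code), the following Python classifies which stage of this rollout a response is in from its two CSP headers and counts the inline style elements that would stop rendering once the nonce moves to the enforcing header. The headers and HTML fragment are constructed samples representing the first, Report-Only, stage.

```python
import re
from typing import Dict, List, Optional

# A CSP nonce source is the literal 'nonce-<base64-value>' (CSP Level 2+).
NONCE_SRC_RE = re.compile(r"^'nonce-([A-Za-z0-9+/=_-]+)'$")
STYLE_TAG_RE = re.compile(r"<style\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR_RE = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def style_sources(policy: Dict[str, List[str]]) -> List[str]:
    """style-src governs inline styles; browsers fall back to default-src."""
    return policy.get("style-src", policy.get("default-src", []))


def style_nonce(policy: Dict[str, List[str]]) -> Optional[str]:
    """Return the nonce value declared for styles, or None if there is none."""
    for src in style_sources(policy):
        match = NONCE_SRC_RE.match(src)
        if match:
            return match.group(1)
    return None


def unnonced_style_elements(html: str, nonce: Optional[str]) -> int:
    """Count <style> elements whose nonce attribute doesn't match the header nonce.

    These are the unsafe inline instances that still render under Report-Only
    but are blocked once the nonce reaches the enforcing header.
    """
    blocked = 0
    for tag in STYLE_TAG_RE.finditer(html):
        attr = NONCE_ATTR_RE.search(tag.group(1))
        if attr is None or attr.group(1) != nonce:
            blocked += 1
    return blocked


def audit(headers: Dict[str, str], html: str) -> Dict[str, object]:
    """Classify the rollout stage and report what enforcement would break."""
    lowered = {k.lower(): v for k, v in headers.items()}
    enforced = parse_csp(lowered.get("content-security-policy", ""))
    report_only = parse_csp(lowered.get("content-security-policy-report-only", ""))
    enforced_nonce, report_nonce = style_nonce(enforced), style_nonce(report_only)
    stage = "enforced" if enforced_nonce else "report-only" if report_nonce else "none"
    nonce = enforced_nonce or report_nonce
    return {
        "stage": stage,
        "nonce": nonce,
        # CSP2+ browsers ignore 'unsafe-inline' once a nonce is present in the
        # same directive, so its survival in the enforced header is worth flagging.
        "unsafe_inline_enforced": "'unsafe-inline'" in style_sources(enforced),
        "would_block": unnonced_style_elements(html, nonce) if nonce else 0,
    }


# Constructed sample response: stage one of the rollout (nonce only in Report-Only).
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'",
    "Content-Security-Policy-Report-Only": "style-src 'self' 'nonce-Zm9vYmFy'; report-uri /csp",
}
SAMPLE_HTML = (
    '<style nonce="Zm9vYmFy">body{margin:0}</style>'
    "<style>.legacy{color:red}</style>"  # no nonce attribute: blocked at stage two
)
```

Running `audit(SAMPLE_HEADERS, SAMPLE_HTML)` against a real page lets you confirm the reported stage and see how many style elements still need a nonce before stage two lands.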
Enhanced import monitoring with real-time updates
You can now view real-time progress for imports from the Import Monitoring dashboard. This provides greater visibility into the current status of in-progress imports such as the number of data chunks currently being processed.
Export Admin Console reports in GZIP format
You can now export most Admin Console reports in GZIP format, in addition to the existing CSV format. GZIP exports have a higher row limit (30 million) and a smaller file size.
API service apps
API service apps are no longer assigned to the shared default app sign-in policy when they're created. See App sign-in policies.
User status in Okta Expression Language
You can now reference User Status in the Okta expression language. Group Rules can leverage user statuses to drive group membership.
SharePoint On-Premises integration supports SHA-256
SharePoint integrations (WS-Fed) now use SHA-256 for signing the authentication token.
Admin Console Realm updates
The hint text for the Realm dropdown on the Add User form has been updated to provide clearer instructions.
Secure Identity Integrations filters in the OIN catalog
The Browse App Integration Catalog page now provides three new Secure Identity Integrations checkboxes: Secure Identity Integrations - Fundamental, Secure Identity Integrations - Advanced, and Secure Identity Integrations - Strategic. When you select one, the OIN catalog displays only the apps with that specific functionality.
Okta Integration IdP type
The Okta Integration IdP allows you to use an Okta org as an external IdP, simplifying configuration and providing secure defaults. See Add an Okta Integration Identity Provider.
New System Log target
The Authentication Enrollment Policy target was added to the 'policy.evaluate_sign_on' System Log event. This change makes it easier for admins to identify the policy that was involved in user sign-in attempts.
Okta as an external authentication method for Microsoft Entra ID
Use Okta multifactor authentication (MFA) to satisfy Microsoft Entra ID MFA requirements. This helps users avoid double authentication and provides a seamless experience across Okta and Microsoft 365 apps. See Configure Okta as an external authentication method for Microsoft Entra ID.
Universal Directory map toggle
The new Universal Directory (UD) map toggle enables admins to link a user's email address to their identifier. This allows admins to enable the self-service registration feature. See General Security.
New change password feature for end users
The Security methods page in My Settings now allows end users to change their password.
Enhanced device assurance with Android Device Trust
Android Device Trust integration for Device Assurance enhances Okta's capability to evaluate and enforce security measures on Android devices. It introduces additional security settings such as checks for Play Integrity status and Wi-Fi security. This integration strengthens device compliance while eliminating the need for Mobile Device Management (MDM), providing orgs with increased flexibility in securing their Android endpoints. See Integrate Okta with Android Device Trust.
Early Access
Desktop MFA recovery for Windows
This release enhances the Desktop MFA feature on Windows to include an admin-assisted recovery path. If a user is locked out of their Windows device, an admin can now issue a time-based recovery PIN. This grants the user temporary access to their computer without needing their primary MFA device, enabling them to resolve their authenticator issue and sign in successfully. See Enable Desktop MFA recovery for Windows.
End-user remediation for management attestation
This enhancement improves Okta's custom error remediation by extending it to management attestation across all OS platforms. Admins can now create specific remediation messages for devices that fail a management check (for example, their device is not MDM-managed). Users receive clear, actionable remediation instructions during the sign-in flow, and can troubleshoot problems independently. This leads to fewer IT helpdesk tickets, faster secure access, and a better user experience. See Remediation messages for device assurance.
More Universal Directory attributes available for identity verification mapping
Admins can now map more Universal Directory attributes when sending verification claims to an identity verification (IDV) vendor. This improves the accuracy of verification and gives the admin control over which attributes are sent to the IDV vendor. See Add an identity verification vendor as an identity provider.
Passkey and security key subdomain support
Okta now lets users authenticate with their passkeys or security keys in their Okta org or custom domain, and all subdomains below them. This helps you achieve phishing-resistant authentication and avoids the need to issue multiple passkeys or security keys to each user for each domain they access. See Configure the FIDO2 (WebAuthn) authenticator.
Anything-as-a-Source for groups and group memberships
Anything-as-a-Source (XaaS) capabilities allow customers to use a custom identity source with Okta. With XaaS, customers can connect custom HR apps or custom databases to source users into Okta's Universal Directory.
This release offers XaaS capabilities with groups and group memberships, allowing customers to start sourcing groups with XaaS. Okta now enables creating and updating users, creating and updating groups, and managing group memberships into Okta's Universal Directory from any identity source using XaaS APIs. See Anything-as-a-Source.
Fixes
- Some users received an error message when they reset their passwords on mobile devices that didn't have Okta Verify installed, even though the password reset was completed. (OKTA-958340)
- In some orgs with an Okta Org2Org integration, users were unable to access bookmark or Org2Org apps from the spoke org, even though they had permission to use the app. (OKTA-981462)
- Some users received an error message instead of an account unlock challenge when User Enumeration Prevention was turned off. (OKTA-993341)
- In the Partner Admin Portal, the chevron icon in the sidebar wasn't correctly aligned. (OKTA-1003466)
- When a user signed in to a custom domain and then clicked Admin in the App Switcher, they were sometimes presented with the wrong sign-in flow. (OKTA-1014174)
Okta Integration Network
- AmexGBT Egencia has a new app name, icon, and SAML Integration guide. Learn more.
- ZAMP (OIDC) has two new redirect URIs. Learn more.
- Harmony (API Service Integration) is now available. Learn more.
- Shift Security (API Service Integration) is now available. Learn more.
- Teem Finance (OIDC) is now available. Learn more.
- Island (Universal Logout) is now available. Learn more.
- CloudEagle (API Service Integration) was updated.
- Bruin was updated.
- EventNeat (OIDC) is now available. Learn more.
- AdvancedMD was updated.
- Nuclei (OIDC) is now available. Learn more.
- FloQast (SCIM) is now available. Learn more.
- Astrix Security Monitoring (API Service Integration) is now available. Learn more.
- Scrut Automation (OIDC) has a new Redirect URI.
- Canva (SWA) was updated.
- eSignon (SAML) is now available. Learn more.
- eSignon (SCIM) is now available. Learn more.
- AmexGBT Egencia (SCIM) is now available. Learn more.
Weekly Updates
2025.09.1: Update 1 started deployment on September 17
Generally Available
Enhanced protection for Google group imports
A safeguard has been added to prevent accidental data loss during group imports from Google. When a large volume of group deletions is detected, the import is stopped to protect against importing bad data.
Removed delegate self-approval for Access Requests
Delegates can no longer approve requests made on their behalf, ensuring proper separation of duties.
Okta Provisioning agent SDK, version 3.0.3
This release contains security enhancements and support for JDK 17. See Okta Provisioning agent and SDK version history.
New functionality filters in the OIN
The Browse App Integration Catalog page now provides Cross App Access and Privileged Access Management functionality filters. The new filters help admins quickly find Cross App Access- and Privileged Access Management-enabled apps in the OIN.
Fixes
- System Log entries weren't recorded for users who were denied access to an app when they were resetting their password. (OKTA-934302)
- Some users received an error message when they tried to enroll in the smart card authenticator. (OKTA-964611)
- Okta didn't redirect some users to apps when they tried to access an app. (OKTA-975872)
- Some users who authenticated with Okta when signing in to Microsoft Entra with a smart card received an error message. (OKTA-978342)
- Users with inactive or suspended accounts received a new account activation email when they clicked Request activation email instead of an error message. (OKTA-997612)
- If an admin had a browser extension that used the postMessage API, they sometimes saw an error when they performed a protected action. (OKTA-1001437)
- Some users were prompted to re-authenticate during the grace period that was configured in the authenticator enrollment policy. (OKTA-1002373)
- When a user signed in to a custom domain and then clicked Admin in the App Switcher, they were sometimes presented with the wrong sign-in flow. (OKTA-1014174)
- Abandoned MFA attempts were incorrectly logged in the System Log when users signed in with a Duo authenticator or IdP authenticator. (OKTA-1016718)
- In the System Log, policy.auth_reevaluate.fail events didn't display risk unless the event was a synchronous flow and the global session policy failed without remediation. (OKTA-1017389)
Okta Integration Network
- MIND (API Service Integration) is now available. Learn more.
- Frame Security Platform Connector (API Service Integration) is now available. Learn more.
- Fabrix Smart Actions (API Service Integration) is now available. Learn more.
2025.09.2: Update 2 started deployment on October 1
Generally Available
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- iOS 18.7
- macOS Sonoma 14.8
- macOS Sequoia 15.7
- Windows 10 (10.0.17763.7792, 10.0.19044.6332, 10.0.19045.6332)
- Windows 11 (10.0.22621.5909, 10.0.22631.5909, 10.0.26100.6584)
Fixes
- Sometimes resetting a user name for an app user failed. (OKTA-963368)
- Some SAML apps with password synchronization enabled didn't appear on the End-User Dashboard. (OKTA-968243)
- Users encountered authentication problems when attempting to access resources protected by policy rules that use trusted app filters for device attestation. (OKTA-978402)
- Group push errors sometimes appeared for apps that had provisioning disabled. (OKTA-983336)
- Okta admins with custom admin roles couldn't confirm the assignment for an imported user. (OKTA-988692)
- The page didn't render correctly for some users. (OKTA-990194)
- The System Log entry for Email Domains update operations was missing the change details for username and the domain display name. (OKTA-997246)
- During AD and LDAP imports, group membership processing missed some updates. (OKTA-1007037)
- Admins couldn't assign people or groups to PagerDuty when Identity Governance was enabled. (OKTA-1007080)
- When DirSync was enabled, users located in containers had their common name (CN) changed to an invalid value. (OKTA-1007911)
- When a user signed in to a custom domain and then clicked Admin in the App Switcher, they were sometimes presented with the wrong sign-in flow. (OKTA-1014174)
- Temporary access code (TAC) expirations weren't recorded in the System Log. (OKTA-1015095)
- When Governance Engine was enabled for Zoho Mail + Actions, importing users failed. (OKTA-1015810)
- In orgs with Front-channel Single Logout enabled, some users saw an Okta-branded loading page when they signed out of their End-User Dashboard, even though the page shouldn't have been branded. (OKTA-954103)
- The If no match is found option for non-JIT provisioning, account-linking OIDC IdPs was incorrectly labeled as Redirect to Okta sign-in page. (OKTA-961757)
- Some users with specific characters in their name couldn't enroll in Okta Verify on any platform. (OKTA-966335)
- Users with custom admin roles saw a Create Token button on the page, even though they didn't have the required permissions. (OKTA-976743)
- When an admin disabled provisioning for a SAML app, the provisioning settings no longer appeared on the Application > General tab. (OKTA-988899)
- When an error was encountered during a group push event, the system incorrectly reported that the failed operation would be automatically retried. (OKTA-1017493)
- In the Profile Editor, the checkbox for an enum property with a default value was displayed as unselected after a page refresh, even when the property's default value had been chosen. (OKTA-1020672)
- In orgs with End User Settings version 2.0 enabled, federated users saw an error message when they tried to open the My Settings > Security Methods page. (OKTA-1022960)
- Some users incorrectly received an "Invalid Phone Number" error when they enrolled a phone authenticator. (OKTA-1024021)
- In the System Log, policy.auth_reevaluate.fail events didn't display risk unless the event was a synchronous flow and the global session policy failed without remediation. (OKTA-1024106)
- Some admins saw an error message when they tried to create a custom OTP authenticator. (OKTA-1024746)
- In some orgs with Okta Identity Governance, admins couldn't delete a policy even though there were no apps assigned to it on the Assignments tab. (OKTA-1025333)
Okta Integration Network
- Employment hero was updated.
- Notion was updated.
- Briefly AI has updated the ACS, Audience URLs, and Attribute Statements.
- Verizon MDM (API Service Integration) is now available. Learn more.
Preview Features
Enhanced import monitoring with real-time updates
You can now view real-time progress for imports from the Import Monitoring dashboard. This provides greater visibility into the current status of in-progress imports such as the number of data chunks currently being processed.
User status in Okta Expression Language
You can now reference user status in the Okta Expression Language. Group rules can leverage user statuses to drive group membership.
Increased maximum displayed group membership count
The membership count that appears on the groups page for very large groups now maxes out at 1M+. Click this number to view the exact count, which is cached for two hours. See View group members.
Workday supports incremental imports
Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports.
Same-device enrollment for Okta FastPass
On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:
- Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.
- Users no longer need to enter their org URL during enrollment.
- The enrollment flow has fewer steps.
This feature is supported on Android, iOS, and macOS devices.
Prevent new single-factor access to the Admin Console
This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.
Application Entitlement Policy
Admins can now override attribute mapping when assigning apps to individuals or groups. You can also revert attributes to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
End-user setting for nicknaming factors
End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the end-user documentation. This is a self-service feature.
Content security policy enforcement on end-user pages
Content security policy is now enforced for end-user pages on orgs with custom domains on non-customizable pages. Content Security Policy headers provide an additional layer of security that helps to detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Okta already had a policy enforced in our admin pages from last year and in report-only mode for end-user pages. Future iterations of our Content Security Policy enforcement for end-user pages will become stricter than this first release.
This feature will be gradually made available to all orgs.
Descriptive System Log events
When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.
New flexible LDAP
A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.
ThreatInsight coverage on core Okta API endpoints
Okta ThreatInsight coverage is now available for core Okta API endpoints.
Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. When Okta ThreatInsight is enabled for an Okta org, you can block requests from these bad IP addresses or elevate them for further analysis. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.
Email failure events in the System Log
Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.
Improvements to the self-service unlock process
Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the app's assurance policy. After the assurance requirements are met, the user is signed directly in to the app.
Improvements to the self-service registration experience
Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your app requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the app, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the app.
Choose additional filters for Office 365 sign-on policy
Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy.
Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error prone and time consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to sign in to apps that run on such devices.