Okta Identity Engine release notes (Production)
Generally Available
Version: 2026.06.0
- Search, filtering, and configurable views for AI agents
Admins can now use enhanced filtering, search, and configuration capabilities on the AI agents, AI agent providers, and Import Monitoring > AI agent import pages.
- Realm ID included in System Log user activity events
The System Log now includes the Realm ID attribute for user activity events, such as authentication, MFA, and app access. This allows admins to filter and categorize user activity by division in downstream security tools without manual logic replication.
- Configurable connection lifetime for OIDC-enabled LDAP Interface
The LDAP Interface now includes a configurable setting for the maximum connection lifetime when using the OpenID Connect (OIDC) flow. This allows admins to define connection validity for up to 90 days and decouples connection expiry from the global session policy.
- Sign-In Widget, version 7.46.0
For details about this release, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.
- Import AI agents from DataRobot
You can now import and manage AI agents built in DataRobot Agent Workforce Platform directly through DataRobot. See AI agent imports.
- Suspicious login details added to entity risk detection
In Suspicious Login From An IP Flagged By FastPass detections, the reason field now populates the external_session_id of the suspicious login.
- Salesforce provisioning support for PKCE
The Salesforce app integration now supports Proof Key for Code Exchange (PKCE) for OAuth 2.0 flows. This update ensures uninterrupted user provisioning and requires admins to update their Salesforce configuration to maintain service continuity.
- Improved network zone error messages
The error message that appears when admins try to delete a network zone that's referenced by multiple policies or rules is now easier to read.
- Secure SaaS and Okta Service Accounts
Manage and secure passwords for SaaS app service accounts and Okta service accounts with Okta Privileged Access. You can now assign new Service Accounts permissions to custom roles to delegate service account management duties to non-super admins. See Manage service accounts and Role permissions.
- New System Log fields for matched network zones
Okta now includes richer network zone match information in System Log events. When a request is blocked by a network zone (security.request.blocked) or evaluated against a sign-on policy (policy.evaluate_sign_on), the System Log now surfaces the names and IDs of all matched network zones, across IP zones, Dynamic Network Zones (DNZ), and Enhanced Dynamic Network Zones (EDNZ), through new ZoneIdMatch and ZoneNameMatch fields. Up to 10 matched zones are reported per event.
These new fields provide more granular and structured network zone context than the existing Client.Zone field. This gives admins and security teams precise, actionable detail for blocked requests and policy evaluations, making SIEM investigations and audit reviews significantly easier. See Troubleshoot network zone issues using System Log.
- Bring your own telephony credentials
Bring Your Own Telephony (BYOT) is now available, allowing admins to use an existing Twilio or Telesign account to deliver MFA SMS and voice messages. This release adds Twilio Verify Fraud Guard support to improve fraud detection. It also introduces a deactivation guardrail that prevents admins from disabling their last active custom telephony provider while the phone authenticator is active. See Configure telephony providers through the Admin Console.
- SHA-256 digest algorithm support
Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.
- Navigation label update for integration agents
The Agents label in the Admin Console has been renamed to Integration agents to provide a more intuitive experience. A dismissible link to the AI Agents page is also available on the Integration agents page to improve navigation.
- Improved request details layout
The request details page now features an optimized layout for small screens to improve readability.
- Seamless ISV experience for SCIM
Okta now provides a seamless ISV experience to optimize the [Okta Integration Network (OIN)] submission experience for SCIM integrations. This new experience enables independent software vendors (ISVs) to build and manually test their SCIM integration metadata before submission to the OIN. This reduces the time needed for the OIN team to review and validate that the SCIM integration functions as intended, which shortens the time to publish in the OIN. This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See [Publish an OIN integration overview] and [Submit an integration with the OIN Wizard] guide.
Links: 1. https://www.okta.com/integrations/ 2. https://developer.okta.com/docs/guides/submit-app-overview/ 3. https://developer.okta.com/docs/guides/submit-oin-app/scim/main/
Early Access
- SAP SuccessFactors OAuth 2.0 with SAML Assertion
The SAP SuccessFactors app integration now supports OAuth 2.0 with SAML Assertion for enhanced API security. To ensure your provisioning and sync processes continue without interruption, you must migrate to this new authentication method before the SAP Basic Authentication deletion deadline on November 20, 2026. See Configure OAuth 2.0 with SAML for SAP SuccessFactors.
- New System Log events for privileged access database integrations
Two new System Log events, pam.integration.create and pam.integration.delete, are now available for Okta Privileged Access database management. This enhancement allows admins to track when database integrations are created or deleted. See System Log.
Fixes
- The Send me an email button on the email verification screen of the Sign-In Widget (third generation) was truncated for Ukrainian translations. (OKTA-1016906)
- App integrations didn't populate user credentials for subdomains that used the /auth/v3/signin endpoint, preventing users from signing in to the app. (OKTA-1074055)
- In orgs that use a custom domain, users were redirected to a non-custom domain after they signed out of the My Settings page. (OKTA-1139970)
- The show/hide password icon on the Sign-In Widget (third-generation) was missing alt text. (OKTA-1156653)
- Attempts to deactivate and delete a device failed and returned a 404 Not Found: Resource not found error. (OKTA-1160266)
- The help link image on the Sign-In Widget (third generation) was missing alt text. (OKTA-1164533)
- The "OR" separator on the Sign-In Widget (third generation) couldn't be read by screen readers. (OKTA-1164534)
- Okta Expression Language expressions with array attributes didn't always behave as expected. (OKTA-1166566)
- Sign-in attempts originating from the IP exempt zone or trusted proxies were incorrectly evaluated as high risk with the reason "Anonymizing Proxy." (OKTA-1168827)
- After a multibrand-enabled org upgraded to Okta Identity Engine, custom brand redirect settings weren't migrated and the end user was incorrectly directed to the End-User Dashboard. (OKTA-1174572)
- The application.lifecycle.update System Log event didn't populate the changeDetails field when admins updated Active Directory app settings. (OKTA-1178325)
- RADIUS app sign-in policy rules were missing the Linux platform condition. (OKTA-1184034)
Okta Integration Network
- Iden (API Service) has a new scope.
- Fleetclear (OIDC) is now available.
- Dell PowerProtect Backup Services (API Service) is now available.
- Kirin (SAML) is now available.