Okta Identity Engine release notes (2025)

Version: 2025.01.0

January 2025

Generally Available

Sign-In Widget, version 7.27.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta Provisioning agent, version 2.2.0

This release contains bug fixes and minor improvements. The RPM installer is now signed. See Okta Provisioning agent and SDK version history.

Okta Active Directory agent, version 3.19.0

This release of the Okta Active Directory agent includes an additional layer of end-to-end encryption for payloads that are exchanged between Okta and the agent. Support for monitoring the Active Directory agent configuration file has been added, where a System Log event is emitted when the agent configuration has been changed on premises. This release also includes security enhancements and bug fixes. See Okta Active Directory agent version history

Multiple Identifiers

Today, end users must sign in to Okta with a username or email address only. With the Multiple Identifiers feature, admins can configure identifiers, or user attributes from Universal Directory, that an end user can enter to authenticate. Multiple identifiers work in sign-on, recovery, self-service registration, and unlock flows. Admins can configure up to three identifiers, including email (which is still a required identifier). See Multiple identifiers.

OAuth 2.0 security for invoking API endpoints

Okta Workflows users can now securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this feature is more secure while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint. See Invoke a flow with an API endpoint.

Granular deprovisioning in Microsoft Office 365

You can now deprovision users in Office 365 using multiple methods. See Deprovisioning options for Office 365.

Just-In-Time Local Account Creation for macOS

Just-In-Time Local Account Creation is available for Okta Device Access. Okta admins can allow macOS users to create a local account by entering their Okta username and Okta password in the macOS sign-in dialog. This feature enables easier account management for admins and streamlines the user account creation process for end users. This is especially beneficial for devices or workstations that support multiple users. See Just-In-Time Local Account Creation for macOS.

Identity Verification with third-party Identity Verification providers

When users take certain actions, Identity Verification enables you to use a third-party Identity Verification provider to verify the identity of your users. Verification requirements and the Identity Verification provider are based on your authentication policies and configurations within your Okta org. Okta supports Persona as a third-party Identity Verification provider. See Add an identity verification vendor as an identity provider.

Block syncable passkeys

You can now block syncable passkeys during authentication. Previously, you could only block them during enrollment. This enhances the security of your org by preventing users from presenting such passkeys to attempt to enroll new, unmanaged devices. See Configure the FIDO2 (WebAuthn) authenticator.

Authentication method chain

With this feature, you can require users to verify with multiple authentication methods in a specified sequence. You can create multiple authentication method chains in an authentication policy rule to cater to different use cases and scenarios. This feature is now also supported in the Okta account management policy. See Authentication method chain.

Additional use case selection in the OIN Wizard

Independent software vendors (ISVs) can select the following additional use case categories when they submit their integration to the OIN:

  • Automation

  • Centralized Logging

  • Directory and HR Sync

  • Multifactor Authentication (MFA)

See Use case selection in the OIN Wizard.

New group.source.id key for group functions in Expression Language

You can now use the group.source.id key in Expression Language group functions to filter between groups that have the same name.

Early Access

MFA for Secure Partner Access admin portal

MFA is required for accessing the partner admin portal app. See Manage Secure Partner Access.

Entitlement claims

You can now enrich tokens with app entitlements that produce deeper integrations. After you configure this feature for your app integration, use the Okta Expression Language in Identity Engine to add entitlements at runtime as OIDC claims and SAML assertions. See Generate federated claims.

Block syncable passkeys

You can now block syncable passkeys during authentication. Previously, you could only block them during enrollment. This enhances the security of your org by preventing users from presenting such passkeys to attempt to enroll new, unmanaged devices. See Configure the FIDO2 (WebAuthn) authenticator.

Fixes

  • In some orgs, users were unlocked based on the settings of the default AD password policy rather than a higher priority password policy. (OKTA-755979)

  • The user counts weren't updated accurately when running Realm assignment jobs. (OKTA-790104)

  • Some text on the security methods page of the Sign-In Widget wasn't rendered correctly. (OKTA-803760)

  • Leaving the Custom character restriction field empty in the Profile Editor resulted in an error. (OKTA-811861)

  • The Manage Applications permission for Custom Admin roles unnecessarily allowed admins to mange the client credentials section for OAuth 2.0 Service apps. (OKTA-821119)

  • The MFA Enrollment by User report didn't include the security question authenticator in the list of authenticators in situations where it was enrolled in a Classic Engine org that was migrated to Identity Engine. (OKTA-823066)

  • In orgs using the Sign-In Widget (third generation), the Back to sign in link redirected users to the dashboard instead of the resource they intended to access. (OKTA-826892)

  • In orgs using the Sign-In Widget (third generation), self-service registration failed for users who provided an invalid attribute during their first registration attempt. (OKTA-834905)

  • Long group names were truncated on the Edit resources to a standard role page. (OKTA-839491)

  • Users who completed self-service registration saw unexpected behavior when they enrolled in authenticators from their Settings page. (OKTA-843223)

  • Viewing group members in the Admin Console sometimes displayed an error. (OKTA-844568)

  • In some orgs using the Okta account management policy, AD users received an error when they tried to edit their password. (OKTA-844675)

Weekly Updates

2025.1.1: Update 1 started deployment on January 21

Generally Available

Sign-In Widget, version 7.27.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Android 12, 13, 14, 15 security patch 2025-01-05

  • iOS 18.2

  • macOS Ventura 13.7.2

  • macOS Sonoma 14.7.2

  • macOS Sequoia 15.2

  • Windows 10 (10.0.17763.6659, 10.0.19044.5247, 10.0.19045.5247)

  • Windows 11 (10.0.22621.4602, 10.0.22631.4602, 10.0.26100.2605)

New IP service categories

The NORDLAYER_VPN and PIA_VPN proxy services are now supported as IP service categories in enhanced dynamic zones. See Supported IP service categories.

Fixes

  • The Slack start date wasn't imported through schema discovery. (OKTA-826971)

  • User movement logs for Realm assignment jobs didn't display correctly. (OKTA-844398)

  • When an Okta group was deleted while an app group reconciliation job was in progress, the job to delete the downstream app group wasn't scheduled. (OKTA-826938)

  • Users on some orgs encountered an HTTP 500 error response when they tried to authenticate. (OKTA-802900)

  • In orgs with Same-Device Enrollment for Okta FastPass enabled, some usernames with special characters were incorrectly displayed during Okta Verify enrollment on Android devices. (OKTA-839304)

  • By using device-to-device bootstrap, users could enroll in Okta Verify despite policy rules configured to block enrollment for these users. (OKTA-814436)

Okta Integration Network

  • Airflow by Tech Prescient (SCIM) is now available. Learn more.
  • Asana by Aquera (SCIM) is now available. Learn more.
  • Avigilon Alta (SCIM) now supports user deactivation.
  • Corma (API Service) is now available. Learn more.
  • Dovetail (OIDC) has a new icon and integration guide.
  • ELMO (SCIM) is now available. Learn more.
  • FCTR Identity Support Portal (SAML) is now available. Learn more.
  • Jotform (SAML) is now available. Learn more.
  • Island (SAML) has updated endpoints.
  • Natoma (SAML) is now available. Learn more.
  • Posit Workbench (SAML) is now available. Learn more.
  • Posit Workbench (OIDC) is now available. Learn more.
  • PrimeDrive (SAML) is now available. Learn more.
  • Rocketlane (SCIM) is now available. Learn more.
  • SAP HANA Provisioning Connector by Aquera (SCIM) is now available. Learn more.
  • Udemy Business (SCIM) is now available. Learn more.
  • UKG Pro Workforce Management by Aquera (SCIM) is now available. Learn more.
  • VASTOnline (SCIM) is now available. Learn more.
  • Vbrick Rev Cloud (SCIM) is now available. Learn more.

2025.1.2: Update 1 started deployment on February 3

Generally Available

RADIUS Server Agent version 2.24.2

This version fixes a bug in the Password Authentication Protocol, where in some instances the authentication failed if the user password was greater than 16 characters. It also includes security enhancements.

Sign-In Widget, version 7.27.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget.

Fixes

  • When a super admin updated a deactivated user to a different realm, admins received a Resource not found error. (OKTA-699778)

  • Searching a name with special characters in Realms failed. (OKTA-801220)

  • A permission wasn't checked for the MFA WebAuthn action. (OKTA-801809)

  • Some accounts that used custom admin roles were unable to create, delete, or unlink group push mappings. (OKTA-803378)

  • If an error occurred while an admin performed a protected action, the resulting error message was sometimes unclear. (OKTA-808668)

  • When a device name changed, the name displayed on the user profile page didn't match the the name shown on the Reset Authenticators page. (OKTA-811522)

  • Some users with the application administrator role weren't able to manage the apps they were assigned. (OKTA-814563)

  • The Manage Applications permission for custom admin roles unnecessarily allowed admins to manage the client credentials section of OAuth Service applications. (OKTA-821119)

  • The System Log sometimes displayed the org authorization server even though the error and the call were related to the custom authorization server. (OKTA-821988)

  • Users weren't signed out of Single Logout-enabled apps when they accessed Okta through a custom domain with iFrame embedding enabled. (OKTA-822650)

  • Users couldn't sign in to Okta after an app was deactivated and deleted. (OKTA-828955)

  • The Authentication Policy page sometimes displayed an error message instead of policies. (OKTA-832259)

  • Events for tokens revoked in bulk for a resource didn't appear in the System Log. (OKTA-834025)

  • Custom app instance icons weren't displayed in Profile Editor in the Admin Console. (OKTA-837626)

  • Some service account users received an error message despite successfully changing their passwords. (OKTA-841078)

  • Some admins received an error message when they clicked Admin on the End-User Dashboard. (OKTA-842573)

  • When admins updated an authentication policy rule, the previous and changed states didn't appear in the 'policy.rule.update' System Log event. (OKTA-843745)

  • The Atlassian Jira Cloud app didn't inject credentials when using SWA. (OKTA-843781)

  • Some users weren't prompted for multifactor authentication if another user was signed in to Okta with a different session on the same browser. (OKTA-846381)

  • Users received an error message when they enrolled a Personal Identity Verification card even though the System Log indicated that the enrollment was successful. (OKTA-846423)

  • Account unlock didn't work for some orgs using the Okta account management policy. (OKTA-848066)

  • The Username hint was inaccurate. (OKTA-851440)

  • Some users could enroll authenticators with self-attested passkeys even though the admin only allowed certificate-based attestation in their org. (OKTA-851468)

  • On the Admin Dashboard, the Tasks widget sometimes didn't load. (OKTA-851807)

  • When admins tried to customize the signing options of the SAML 1.1 app, their changes didn't appear. (OKTA-852911)

  • In orgs with Multiple Identifiers enabled, some users couldn't perform self-service registration. (OKTA-853911)

  • The Administrator assignment by role page displayed an error if an admin had duplicate assignments. (OKTA-854906)

  • The email notification for protected actions indicated that actions were taken instead of attempted. (OKTA-854973)

  • Users with passwords greater than 16 characters couldn't sign in when the Password Authentication Protocol with Message-Authenticator feature was enabled. (OKTA-856260)

Okta Integration Network

  • ADP Link by Aquera (SCIM) is now available. Learn more.
  • Cirro (OIDC) is now available. Learn more.
  • Concentric AI (SAML) is now available. Learn more.
  • Cyble Vision (SAML) is now available. Learn more.
  • Dayforce by Aquera (SCIM) is now available. Learn more.
  • Deel HR (SCIM) now supports profile sourcing.
  • FCTR Identity Support Portal (API Service) is now available. Learn more.
  • Gumband (OIDC) is now available. Learn more.
  • Island Management Console (SAML) has updated endpoints.
  • Microsoft SQL Server by Aquera (SCIM) is now available. Learn more.
  • Opensense (SAML) is now available. Learn more.
  • QuickBooks Online by Aquera (SCIM) is now available. Learn more.
  • Payflows (SAML) is now available. Learn more.
  • Redshift by Aquera (SCIM) is now available. Learn more.
  • Resonance by spiderSilk (SAML) is now available. Learn more.
  • SmartSite (OIDC) is now available. Learn more.
  • Speeda Sales Insights (OIDC) is now available. Learn more.
  • TrustWorks (SAML) is now available. Learn more.
  • XplicitTrust Network Access (API Service) is now available. Learn more.