Okta Identity Engine release notes (Early Access)
Early Access Features
Unified claims generation for custom apps
Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.
Enforce MFA for Identity Governance admin apps
The Enforce MFA for Identity Governance admin apps feature is no longer available as a self-service Early Access feature. Admins must contact Okta Support to enable or disable this feature. See Enable MFA for the Admin Console.
OU moves for LDAP-provisioned users
When an admin configures Okta to LDAP provisioning settings, they can now move users to a different Organizational Unit (OU) by changing their group assignments. See Configure Okta to LDAP provisioning settings.
Network restrictions for OIDC token endpoints is EA in Preview
You can now apply network restrictions to OIDC token endpoints to enhance token security. See Create OpenID Connect app integrations.
Okta Hyperspace agent, version 1.5.1
This version includes security enhancements.
On-prem Connector for Oracle EBS
On-prem Connector for Oracle EBS connects Oracle EBS on-premises apps with Okta Identity Governance. It helps admins discover, view, and manage Oracle EBS entitlements directly in Okta. This integration enhances security, saves time, streamlines entitlement management, and eliminates the need for custom integrations. See On-prem Connector for Oracle EBS and Supported entitlements by On-prem Connector.
Okta Integration IdP type is EA in Preview
The Okta Integration IdP allows you to use an Okta org as an external IdP, simplifying configuration and providing secure defaults. See Add an Okta Integration Identity Provider.
Single Logout for IdPs is EA in Preview
The Single Logout (SLO) for IdPs feature boosts security for organizations using shared devices and external IdPs by automatically ending IdP sessions when a user signs out of any app. This feature also requires a fresh authentication for every new user, eliminating session hijacking risks on shared devices. SLO for IdP supports both SAML 2.0 and OIDC IdP connections, which provides robust session management for shared workstations in any environment. See Add a SAML Identity Provider.
Breached Credentials Protection
Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials detection.
This feature is following a slow rollout process beginning on May 15.
Okta as an external authentication method for Microsoft Entra ID
Use Okta multifactor authentication (MFA) to satisfy Microsoft Entra ID MFA requirements. This helps users avoid double authentication and provides a seamless experience across Okta and Microsoft 365 apps. See Configure Okta as an external authentication method for Microsoft Entra ID .
DirSync group imports for Active Directory
For Active Directory (AD) integrations, the Provisioning tab now provides an Enable imports with AD using DirSync checkbox. When you enable the checkbox, admins can perform incremental group imports using DirSync. See Configure Active Directory import and account settings.
Custom admin roles for ITP
Through this feature, customers can use granular ITP permissions and resources to create custom roles to right-size authorization for ITP configuration and monitoring. See Configure custom admin roles for ITP.
RingCentral uses new default phone number logic
The RingCentral app integration's logic for detecting and populating phone numbers has been updated to work with both DirectNumber and IntegrationNumber entries.
System Log event for monitoring LDAP Agent config file changes
A system.agent.ldap.config_change_detected event is generated when an LDAP agent detects changes to its configuration file.
Integrate Okta with Device Posture Provider
The Device Posture Provider feature enhances Zero Trust security by integrating external device compliance signals into the Okta policy engine. Previously, Okta couldn't leverage signals from third-party or custom tools to enforce access policies. Now, by accepting SAML/OIDC assertions from external compliance services, admins can incorporate custom compliance attributes into device assurance policies. This enables organizations to utilize their existing device trust signals within Okta, and foster a more flexible and secure posture without the need for extra agents or redundant tooling. See Integrate Okta with Device Posture Provider.
OAuth 2.0 provisioning for Org2Org with Autorotation
Admins deploying multi-org architectures (for example Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Autorotation for Org2Org app provisioning directly from the Admin Console.
Manage Active Directory accounts in Okta Privileged Access
This feature allows management of Active Directory (AD) account passwords through Okta Privileged Access using the Okta AD Agent. Admins can set discovery rules for accounts in specific organizational units (OUs) and create policies for user access, ensuring passwords are rotated upon check-in or on a schedule. Users with access can view their assigned accounts and retrieve passwords. To enable this feature, contact Okta support. See Manage Active Directory accounts
Universal Directory map toggle
The new Universal Directory (UD) map toggle enables admins to link a user's email address to their identifier. This allows admins to enable the self-service registration feature. See General Security.
New identity verification provider added
Okta now supports using CLEAR Verified as an identity provider. This increases the number of identity verification vendors (IDVs) you can use to verify the identity of your users when they onboard or reset their account. See Add an identity verification vendor as an identity provider.
Inline step-up flow for User Verification with Okta Verify
End users can now easily satisfy authentication policies that require higher User Verification (UV) levels, even if their current enrollment is insufficient. This feature proactively guides users through the necessary UV enablement steps. As a result, administrators can confidently implement stricter biometric UV policies to eliminate the risk of user lockouts and reduce support inquiries related to UV mismatches. See User experience according to Okta Verify user verification settings.
Custom admin role for Okta Device Access
You can now configure custom admin roles to view and manage Okta Device Access functionality. This enhancement enables IT teams to designate admins who can effectively manage Okta Device Access capabilities without requiring them to have the most elevated security permissions. See Enable Desktop MFA recovery.
New System Log event for identity verification
The 'new user.identity_verification' event displays the result (success or failure) of identity verifications with identity verification vendors (IDVs). If there's a failure, the event also displays the reason.
OAMP protection for password expiry flows
This feature improves the security posture of customer orgs by protecting the password expiry flow with the Okta account management policy. Password expiry flows now require the assurance defined in an org's Okta account management policy. See Enable password expiry.
Advanced device posture checks
Advanced posture checks provide extended device assurance to users. It empowers admins to enforce compliance based on customized device attributes that extend beyond Okta's standard checks. Using osquery, this feature facilitates real-time security assessments across macOS devices. As a result, orgs gain enhanced visibility and control over their device fleet and ensure that only trusted devices can access sensitive resources. See Configure advanced posture checks for device assurance.
Custom remediation for device assurance
You can now display custom remediation instructions to users when authentication fails due to unsuccessful device posture checks with Okta Verify or Chrome Device Trust. See Configure custom remediation instructions for device assurance.
On-prem Connector for SAP Netweaver ABAP
On-prem Connector for SAP NetWeaver ABAP provides an out-of-the-box solution that connects SAP on-premises apps with Okta Identity Governance. It enables the discovery, visibility, and management of SAP entitlements (roles) directly in Okta. This integration enhances security, saves time, and simplifies governance by eliminating the need for custom integrations and by streamlining entitlement management.
New attributes in Universal Sync
The following attributes are now supported in Universal Sync: AuthOrig, DLMemRejectPerms, DLMemSubmitPerms, and UnauthOrig.
Block words from being used in passwords
You can now use Okta Expression Language to block words from being used in passwords. This feature enhances security by allowing you to customize your password strength requirements.
Block syncable passkeys
You can now block syncable passkeys during authentication. Previously, you could only block them during enrollment. This enhances the security of your org by preventing users from presenting such passkeys to attempt to enroll new, unmanaged devices.
Self-service toggle for Deactivate App Users
Admins can now use the self-service toggle to change what happens to an Okta user's individual app assignments upon deactivation. If enabled, the user's individual app assignments deactivate instead of suspend. If a user is reactivated in Okta, the individual app assignments don't reactivate.
Entitlement support for disconnected apps
Disconnected apps are apps that aren't LCM integrated within Okta. This feature allows you to use CSV files to import users and entitlements into Okta from disconnected apps. This enables consistent governance and compliance across all apps, including those not fully integrated with Okta.
MFA for Secure Partner Access admin portal
MFA is now required to access the partner admin portal app.
Enrollment grace periods
Today, when admins define an enrollment policy for a group, the entire group must enroll immediately, which can be disruptive to their day-to-day tasks.
With Enrollment Grace Periods, end users can defer enrollment in new authenticators until an admin-defined deadline when enrollment becomes mandatory. This allows end users to enroll at a time convenient to them and allows for more graceful enrollment before enforcing new authenticator types in authentication policies. See Authenticator enrollment policies.
Force rematching of imported users
This feature enforces a rematch for unconfirmed users imported from a profile source, whether through full or incremental imports. It attempts to match these imported users with existing Okta users. When this feature is enabled, every import re-evaluates matches for unconfirmed users.
New skipping of entitlement sync during import of a user Systems Log event
The following System Log event has been added: Sync skipping of entitlement during import of a user
Okta-to-Okta claims sharing enhancement
Okta-to-Okta claims sharing now supports the use of the smart card authenticator and Active Directory for Single Sign-On. This removes the need for users to authenticate with a service provider when they've already authenticated to an Okta org.
On-prem Connector for SAP Netweaver ABAP supports more attributes
Okta On-prem Connector now supports more user attributes, which enables better integration between Okta and SAP Netweaver ABAP.
Secure Partner Access for external partners
Secure Partner Access provides a secure way for external business partners to access your org's resources. It streamlines your partner management tasks, reduces IT workload, and simplifies the process of configuring your org's security requirements. See Secure Partner Access.
Same-Device Enrollment for Okta FastPass reactivated
Same-Device Enrollment for Okta FastPass is now available again. The feature had been removed to resolve an Okta Verify enrollment issue. On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:
- Users can initiate and complete enrollment on the device they're currently using. Previously, a second device was required for enrollments. Note that enrollment requires 2FA if possible, which may involve a second device.
- Users no longer need to enter their org URL during enrollment.
- The enrollment flow has fewer steps.
This feature is supported on Android, iOS, and macOS devices. To enable it, go to and turn on Same-Device Enrollment for Okta FastPass.
Verify an SSF Stream
Okta SSF Transmitter now supports the verification endpoint to enable receivers to request verification events and validate the end-to-end delivery between the transmitter and receiver. The SSF Transmitter verification events claim structure is also now compliant with the OpenID Shared Signals Framework ID3 spec.
Grace period for device assurance
Occasionally, users' devices might fall out of compliance with security policies due to temporary conditions such as missed software updates or unapproved network connections. Without a grace period, they would be immediately blocked from accessing critical resources, which disrupts productivity and causes frustration. The Grace period for device assurance feature allows you to define a temporary window during which non-compliant devices can still access resources. This gives users time to remediate issues without being locked out, balancing productivity with security standards. See Add a device assurance policy
Seamless and secure authentication with passkey autofill
Passkeys offer a streamlined sign in experience to users by leveraging their browser's existing autofill capabilities. This allows users to quickly and intuitively sign in to an org without typing their credentials or seeing extra prompts. This secure, phishing-resistant solution works seamlessly across devices, delivering both enhanced security and convenience for modern authentication needs. See Configure the FIDO2 (WebAuthn) authenticator.
OIDC and SAML app integrations enhancement
When the Front-channel Single Logout feature is enabled, the OIDC and SAML app integration pages now have a single Logout section that includes all of the logout settings for the app.
Require MFA for accessing Identity Governance admin apps
If your org uses Okta Identity Governance, you can require MFA for admins who access these first-party apps: Okta Access Certifications, Okta Entitlement Management, Okta Access Requests Admin. If you have auto-enabled EA features in your org, MFA is automatically enforced for those apps. See Enable MFA for the Admin Console.
Enhanced device assurance with Android Device Trust
Android Device Trust integration for Device Assurance enhances Okta's capability to evaluate and enforce security measures on Android devices. It introduces additional security settings such as checks for Play Integrity status and Wi-Fi security. This integration strengthens device compliance while eliminating the need for Mobile Device Management (MDM), providing orgs with increased flexibility in securing their Android endpoints. See Integrate Okta with Android Device Trust.
Custom Keep me signed in labels
Admins can now customize the Keep me signed in label on their sign-in page.
OAuth 2.0 security for invoking API endpoints
Okta Workflows users can now securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this Early Access feature is more secure while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint.
Entitlement Management with Okta Provisioning Agent with SCIM 2.0 support
This agent supports Entitlement Management for app integrations that have enabled Governance Engine. This allows the provisioning of entitlements between Okta and on-premises apps.