Okta Identity Engine release notes (Preview)

Version: 2025.04.0

April 2025

Generally Available

Secure Identity Integrations

Secure Identity Integrations (SII) provides additional depth for the 50+ most-used enterprise SaaS applications by including SSO, SCIM, apps with entitlement support, third-party apps that support Universal Logout, Workflows, and Identity Security Posture Management (ISPM).

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 2.2.1 and Okta Provisioning agent SDK 2.1.1 are now available. These releases contain bug fixes and minor improvements.

OIN test account information deleted after 30 days

Okta deletes your test account credentials 30 days after you publish your app in OIN Wizard. You must create a new test account and re-enter the required information before submitting the app.

Entitlement claims

You can now enrich tokens with app entitlements that produce deeper integrations. After you configure this feature for your app integration, use the Okta Expression Language in Identity Engine to add entitlements at runtime as OIDC claims and SAML assertions. See Generate federated claims.

New look and feel in Access Requests

The Access Requests console and Okta Access Requests web app now have a new look and feel, including redesigned side and top navigation menus and the addition of a gray background. Additionally, Dark mode is no longer available for Access Requests.

Okta Verified text removed from the OIN

In the OIN catalog, the Okta Verified disclaimer has been removed from the app integration pages.

New rate limit event type

This rate limit event type now appears in the System Log: system.rate_limit.configuration.update. It logs the following:

  • Changes to client-based rate limit settings
  • Changes in the rate limit warning notification threshold
  • If the rate limit notification is enabled or disabled
  • Updates to the rate-limit percentage of an API token

Create dynamic resource sets with conditions

Resource set conditions help you limit the scope of a role by excluding an admin's access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Resource set conditions.

Same-device enrollment for Okta FastPass

On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.
  • Users no longer need to enter their org URL during enrollment.
  • The enrollment flow has fewer steps. This feature is supported on Android, iOS, and macOS devices.

Continuous Access Evaluation for Partner Admin Portal

The Secure Partner Access Partner Admin Portal now employs Continuous Access Evaluation, securing session tokens by following a standard token duration and triggering reauthentication when the token has expired.

Domain restrictions on Realms

You can now limit users to a specific domain in Realms, which adds an extra layer of oversight for realm and partner admins and enforces boundaries between user populations. See Manage realms.

Early Access

Manage Active Directory accounts in Okta Privileged Access

This feature allows management of Active Directory (AD) account passwords through Okta Privileged Access using the Okta AD Agent. Admins can set discovery rules for accounts in specific organizational units (OUs) and create policies for user access, ensuring that passwords are rotated on check-in or on a schedule. Users with access can view their assigned accounts and retrieve passwords. To enable this feature, contact Okta Support. See Manage Active Directory accounts.

OAuth 2.0 provisioning for Org2Org with Auto-Rotation

Admins deploying multi-org architectures (for example, Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning with OAuth 2.0 scoped tokens has several advantages over API tokens, including more granular access, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Auto-Rotation for Org2Org app provisioning directly from the Admin Console.

See Integrate Okta Org2Org with Okta.

On-prem Connector for SAP Netweaver ABAP supports more attributes

Okta On-prem Connector now supports more user attributes, which enables better integration between Okta and SAP Netweaver ABAP.

Fixes

  • The Sign-In Widget (third generation) didn't display font sizes correctly. (OKTA-552923)

  • Custom app logos didn't appear on the app's page. (OKTA-655724)

  • This update applied general security fixes. (OKTA-690936)

  • The reported results of an import varied between what was displayed when the import finished, the import summary email, and the values displayed on the Import Monitoring page. (OKTA-739010)

  • Some users with profiles imported from Active Directory didn't receive the self-service unlock email and couldn't recover their accounts. (OKTA-843086)

  • Some admins couldn't delete an authenticator from orgs with many authentication policy rules. (OKTA-847583)

  • The MFA Factor column in the MFA Usage report displayed the name Windows Hello (Web Authentication) for the FIDO2 (WebAuthn) authenticator. (OKTA-848611)

  • Orgs that had registration inline hooks in Classic Engine couldn't deactivate them after upgrading to Identity Engine. (OKTA-855960)

  • The SettingsAPI menu appeared to some admins who didn't have permission to view it. (OKTA-856337)

  • Pagination controls and Show more on the Authentication policies page didn't work correctly. (OKTA-858605)

  • The risk level was LOW in some network-related user.session.context.change events. (OKTA-863401)

  • The Recent activity tab of the end-user Settings page didn't render tables correctly. (OKTA-874276)

  • The end-user Settings page didn't display text correctly when the window was resized. (OKTA-874292)

  • Screen readers couldn't read the names of languages in the Select language dropdown menu on the end-user Settings page. (OKTA-874318)

  • Admins couldn't add FIDO2 (WebAuthn) authenticators to authenticator groups. (OKTA-875920)

  • Admins using multiple user types sometimes encountered an internal error when attempting to update an app instance. (OKTA-880825)

  • The Import Monitoring page was viewable by admins who didn't have the necessary permissions. Accessing the page resulted in a 403 error. (OKTA-880835)

  • Sometimes a Null Pointer Exception error occurred when performing a group push to Google Workspace. (OKTA-886861)

  • The user.risk.detect event was incorrectly identified on the Entity Risk Policy page. (OKTA-887297)

  • When users signed in to the end-user Settings page and tried to authenticate with an identity verification vendor, the Back to Settings button was missing. This button was also missing from the error page if the user didn't satisfy the identity verification. (OKTA-894271)

  • LDAP agents failed to parse queries when group names had special characters. (OKTA-902231)

Okta Integration Network

  • AppVentory (API Service) is now available. Learn more.
  • Curricula (SAML) has a new integration guide.
  • Fabrix (API Service) is now available. Learn more.
  • GoSearch (SCIM) now supports Group Push.
  • OpenAI by Aquera (SCIM) is now available. Learn more.
  • Peaxy Lifecycle Intelligence (OIDC) is now available. Learn more.
  • Suger (OIDC) is now available. Learn more.
  • Suger (SCIM) is now available. Learn more.
  • Warp Employee Provisioning (API Service) is now available. Learn more.

Weekly Updates

2025.04.1: Update 1 started deployment on April 9

Generally Available

Device assurance OS version updates

The following OS versions are now supported in device assurance policies:

  • Android 12, 13, 14, 15 security patch 2025-04-01
  • iOS 16.7.11
  • iOS 18.4
  • macOS Ventura 13.7.5
  • macOS Sonoma 14.7.5
  • macOS Sequoia 15.4
  • Windows 10 (10.0.17763.7009, 10.0.19044.5608, 10.0.19045.5608)
  • Windows 11 (10.0.22621.5039, 10.0.22631.5039, 10.0.26100.3476)

Fixes

  • The Access Testing Tool didn't work if the device assurance policy included Chrome OS platform conditions. (OKTA-840977)

  • On the Sign-In Widget (third generation), an error sometimes occurred when a user with an Apple device attempted to sign in using Okta Verify. (OKTA-861910)

  • Error messages appeared in different places on the Sign-In Widget (third generation) depending on which authenticator the user chose. (OKTA-871675)

  • In Preview orgs, org admins couldn't edit IdP group assignments when a super admin group was included in the group list. (OKTA-880124)

  • The Edit role screen didn't always display the correct Workflow permissions. (OKTA-886964)

  • Users couldn't sign in to their org with a Smart Card when the org used authentication method chains and the Keep me signed in option was selected. (OKTA-887124)

  • Super admins saw an error when they attempted to reset a user's authenticators. (OKTA-890695)

  • The id_token_hint parameter was exposed in the System Log. (OKTA-890738)

  • When a user interacted with the Graph API in Azure Active Directory PowerShell, the activity was incorrectly logged in Office 365. (OKTA-896032)

  • Users couldn't sign in to the Office 365 GCC High OIN app if it was integrated with WS-Fed. (OKTA-899506)

  • On the Give access to Okta Support page, the Provide Support access for self-assigned cases section sometimes didn't display the correct cases. (OKTA-909308)

  • A JavaScript issue prevented users from accessing the Glory app. (OKTA-917414)

Okta Integration Network

  • Adroll by Aquera (SCIM) is now available. Learn more.
  • Hero (API Service) is now available. Learn more.
  • Hyperproof (SCIM) is now available. Learn more.
  • Microsoft Dynamics 365 BC by Aquera (SCIM) is now available. Learn more.
  • ZAMP (OIDC) has additional redirect URIs.

2025.04.2: Update 2 started deployment on April 16

Generally Available

Trust incidents and updates checkbox removed

On the Account page, the Admin email notifications section no longer has the Trust incidents and updates checkbox. Admins can subscribe to this communication type through https://status.okta.com.

Fixes

  • Some domains and realm types weren't recorded in the System Log. (OKTA-834681)

  • The Email Optional feature didn't work when self-service password resets were switched to the Okta account management policy. Email requirements from the legacy password policy were still being enforced. (OKTA-863721)

  • When users tried to sign in from outside of their permitted network zone, they saw a Contact your administrator link on the error page even though the admin disabled the link. (OKTA-874992)

  • The registration inline hook for progressive profiling returned the user's default time zone instead of the one in their profile. (OKTA-881008)

  • Super admins couldn't update the operator for profile attribute conditions on a custom admin role. (OKTA-884966)

  • Sometimes, Google Workspace licenses couldn't be edited. (OKTA-892397)

  • Desktop Multifactor Authentication (MFA) push notifications gave the wrong name for the computer's operating system. (OKTA-902839)

  • When the Unified look and feel for Okta Admin Console feature was enabled, the headings on the Downloads page were misaligned. (OKTA-904262)

  • Some text strings in the Move user to realm page weren't translated. (OKTA-909317)

  • When the Unified look and feel for Okta Admin Console feature was enabled, users' names didn't always render correctly. (OKTA-909497)

  • When some users selected the Unlock account option, they received the Self Service Unlock is not allowed at this time error message. (OKTA-913307)

  • In the Edit user attributes page of the Secure Partner Access Admin Portal, the base attributes couldn't be edited. (OKTA-914964)

  • Global session policy rules weren't honored as expected in certain scenarios. (OKTA-916343)

Okta Integration Network

  • Adroll by Aquera (SCIM) has a new description and display name.
  • Files.com by Aquera (SCIM) is now available. Learn more.
  • Global Relay Identity Sync has a new display name.
  • GoTo Meeting by Aquera (SCIM) is now available. Learn more.
  • GroWrk (SAML) is now available. Learn more.
  • Helpjuice by Aquera (SCIM) is now available. Learn more.
  • Island Management Console (SCIM) is now available. Learn more.
  • OK2Pay (SAML) is now available. Learn more.

Preview Features

Automatic renewal of Okta Certificate Authorities

Okta Certificate Authorities (CAs) used for management attestation expire every five years. Without proactive renewal, an expired CA disrupts authentication and puts compliance requirements at risk. To mitigate this, the Okta CA Renewal Service automatically renews CAs 1.5 years before expiration, keeping authentication and compliance uninterrupted. By handling CA renewals proactively, the service prevents downtime, reduces manual intervention, and keeps management attestation working without interruption. See Okta Certificate Authority Renewal and Activation Guide.

Granular configuration for Keep Me Signed In

Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. See Keep me signed in. The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands management API. See Configure Keep me signed in (KMSI) and Brands API.

Workday supports incremental imports

Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.

Application Entitlement Policy

Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

End-user setting for nicknaming factors

End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the End-User documentation. This is a self-service feature.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.

ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints (OpenID Connect & OAuth 2.0, Okta Management, and MyAccount API). Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
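The two System Log additions in these notes, the system.rate_limit.configuration.update event type and the security.threat.detected events that ThreatInsight now emits for API endpoints, are only useful if something downstream picks them out. The following triage script is an added example written for this page, not Okta code: it reads a JSON-lines System Log export, separates rate-limit configuration changes (an admin action worth reviewing) from threat detections, and splits the threat detections into ones that were blocked (log-and-block mode) and ones that were only logged (log mode), so an analyst can see what got through. The sample events are constructed, the IP addresses come from documentation ranges, and placing the ThreatInsight reason text under outcome.reason is an assumption of this example; check the field layout against your own org's events.

```python
import json
from typing import Dict, List, Optional

RATE_LIMIT_CONFIG_EVENT = "system.rate_limit.configuration.update"
THREAT_EVENT = "security.threat.detected"

# Constructed sample System Log export, one JSON object per line. The layout
# follows the general Okta System Log shape (eventType, actor, client, outcome);
# putting the ThreatInsight reason in outcome.reason is an assumption here.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"uuid": "evt-1", "published": "2025-04-16T10:00:00.000Z",
     "eventType": RATE_LIMIT_CONFIG_EVENT, "severity": "INFO",
     "displayMessage": "Rate limit configuration updated",
     "actor": {"id": "00u-admin-1", "type": "User", "alternateId": "admin@example.com"},
     "client": {"ipAddress": "198.51.100.7"},
     "outcome": {"result": "SUCCESS"}},
    {"uuid": "evt-2", "published": "2025-04-16T10:05:12.000Z",
     "eventType": THREAT_EVENT, "severity": "WARN",
     "displayMessage": "Request from suspicious IP address",
     "actor": {"id": "unknown", "type": "User", "alternateId": "unknown"},
     "client": {"ipAddress": "203.0.113.10"},
     "outcome": {"result": "DENY", "reason": "Negative IP Reputation"}},
    {"uuid": "evt-3", "published": "2025-04-16T10:06:00.000Z",
     "eventType": "user.session.start", "severity": "INFO",
     "displayMessage": "User login to Okta",
     "actor": {"id": "00u-user-9", "type": "User", "alternateId": "bob@example.com"},
     "client": {"ipAddress": "198.51.100.22"},
     "outcome": {"result": "SUCCESS"}},
    {"uuid": "evt-4", "published": "2025-04-16T10:07:30.000Z",
     "eventType": THREAT_EVENT, "severity": "WARN",
     "displayMessage": "Request from suspicious IP address",
     "actor": {"id": "unknown", "type": "User", "alternateId": "unknown"},
     "client": {"ipAddress": "203.0.113.25"},
     "outcome": {"result": "ALLOW", "reason": "Negative IP Reputation"}},
])


def parse_events(text: str) -> List[dict]:
    """Parse a JSON-lines System Log export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event: dict) -> Optional[str]:
    """Return a triage bucket for the event, or None if it is not of interest.

    For threat events the outcome tells you the ThreatInsight mode: DENY means
    log-and-block mode stopped the request; anything else means the hit was
    only logged and the request was served.
    """
    etype = event.get("eventType", "")
    if etype == RATE_LIMIT_CONFIG_EVENT:
        return "rate_limit_config_change"
    if etype == THREAT_EVENT:
        result = (event.get("outcome") or {}).get("result")
        return "threat_blocked" if result == "DENY" else "threat_logged_only"
    return None


def summarize(event: dict) -> Dict[str, str]:
    """Pull out the fields an analyst wants in an alert or ticket."""
    actor = event.get("actor") or {}
    outcome = event.get("outcome") or {}
    return {
        "uuid": event.get("uuid", ""),
        "published": event.get("published", ""),
        "actor": actor.get("alternateId", ""),
        "ip": (event.get("client") or {}).get("ipAddress", ""),
        "reason": outcome.get("reason", ""),
        "message": event.get("displayMessage", ""),
    }


def triage(events: List[dict]) -> Dict[str, List[Dict[str, str]]]:
    """Group the interesting events into buckets, preserving log order."""
    buckets: Dict[str, List[Dict[str, str]]] = {
        "rate_limit_config_change": [],
        "threat_blocked": [],
        "threat_logged_only": [],
    }
    for event in events:
        bucket = classify(event)
        if bucket is not None:
            buckets[bucket].append(summarize(event))
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(parse_events(SAMPLE_LOG)).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print(f"  {item['published']} {item['actor'] or item['ip']} {item['reason'] or item['message']}")
```

The "threat_logged_only" bucket is the one to watch when an org runs ThreatInsight in log mode: those requests reached the API, so the source addresses and the rate-limit changes around them are what you would correlate next.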

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Choose additional filters for Office 365 sign-on policy

Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices.
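To make the exchange concrete, here is an added example (written for this page, not Okta's implementation) of the RFC 8628 device authorization flow as a small in-memory authorization server plus the device-side polling loop. The verification URL, client ID and user name are hypothetical, and a fake clock replaces real time so the polling rules (authorization_pending, slow_down, expiry, single-use device codes) can be exercised offline; it goes slightly beyond the prose by also showing the deny and expiry paths.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 8628 suggests a user-code alphabet without vowels: no accidental words, easy to type.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class FakeClock:
    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class DeviceGrant:
    device_code: str
    user_code: str
    client_id: str
    scope: str
    issued_at: float
    status: str = "pending"            # pending | approved | denied
    last_poll: Optional[float] = None
    subject: Optional[str] = None


def normalize_user_code(code: str) -> str:
    return code.upper().replace("-", "").replace(" ", "")  # case and separators are ignored


class AuthorizationServer:
    """Minimal in-memory authorization server for the device flow (hypothetical)."""
    def __init__(self, verification_uri: str, clock: FakeClock,
                 expires_in: int = 600, interval: int = 5) -> None:
        self.verification_uri, self.clock = verification_uri, clock
        self.expires_in, self.interval = expires_in, interval
        self.grants: Dict[str, DeviceGrant] = {}   # keyed by device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: the input-constrained device asks for a device_code/user_code pair."""
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4))
                             for _ in range(2))
        grant = DeviceGrant(secrets.token_urlsafe(32), user_code, client_id, scope, self.clock.now)
        self.grants[grant.device_code] = grant
        return {"device_code": grant.device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "expires_in": self.expires_in, "interval": self.interval}

    def user_decision(self, user_code: str, subject: str, approve: bool) -> bool:
        """Step 2: on a phone or laptop the signed-in user types the code and
        approves or denies it. Returns False for unknown or expired codes."""
        wanted = normalize_user_code(user_code)
        grant = next((g for g in self.grants.values()
                      if normalize_user_code(g.user_code) == wanted), None)
        if grant is None or self.clock.now - grant.issued_at > self.expires_in:
            return False
        grant.status, grant.subject = ("approved" if approve else "denied"), subject
        return True

    def token(self, device_code: str, client_id: str) -> dict:
        """Step 3: the device polls the token endpoint with its device_code."""
        grant = self.grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.clock.now - grant.issued_at > self.expires_in:
            del self.grants[device_code]
            return {"error": "expired_token"}
        if grant.last_poll is not None and self.clock.now - grant.last_poll < self.interval:
            grant.last_poll = self.clock.now
            return {"error": "slow_down"}       # client must add 5 s to its interval
        grant.last_poll = self.clock.now
        if grant.status == "pending":
            return {"error": "authorization_pending"}
        del self.grants[device_code]            # the device_code is single-use either way
        if grant.status == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": grant.scope}


def run_demo() -> dict:
    clock = FakeClock()
    server = AuthorizationServer("https://idp.example.com/activate", clock)  # hypothetical URL
    client_id = "smart-tv-app"
    start = server.device_authorization(client_id, "openid profile")
    interval, polls = start["interval"], []
    polls.append(server.token(start["device_code"], client_id).get("error"))  # user not there yet
    clock.advance(1)                                                          # polled too eagerly
    reply = server.token(start["device_code"], client_id)
    polls.append(reply.get("error"))
    if reply.get("error") == "slow_down":
        interval += 5
    # On the phone: the user enters the code shown on the TV and approves.
    server.user_decision(start["user_code"].lower(), "alice@example.com", approve=True)
    clock.advance(interval)
    token = server.token(start["device_code"], client_id)
    polls.append(token.get("error"))
    replay = server.token(start["device_code"], client_id)                   # single-use code
    return {"user_code": start["user_code"], "polls": polls, "token": token, "replay": replay}


if __name__ == "__main__":
    print(run_demo())
```

The security-relevant details are the ones a real deployment must keep: the device_code is an opaque secret that is never shown to the user, the user_code is short but short-lived and bound to one client, the token endpoint backs off impatient clients, and a device_code cannot be redeemed twice.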

Content security policy enforcement on end-user pages

Content Security Policy is now enforced on non-customizable end-user pages for orgs with custom domains. Content Security Policy headers add a layer of defense that helps detect attacks such as cross-site scripting and data injection by telling the browser which actions a page is allowed to execute. A policy has been enforced on admin pages since last year and has run in report-only mode on end-user pages. Future iterations of Content Security Policy enforcement for end-user pages are planned to be stricter than this first release.

This feature will be gradually made available to all orgs.
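Since the notes mention both a report-only phase and a plan to tighten the policy over time, the practical question for anyone operating custom-domain pages is what "stricter" looks like and how to check a policy before it is enforced. The following audit script is an added example, not Okta's policy or tooling: it parses a Content-Security-Policy header value the way browsers do (first occurrence of a duplicated directive wins, fetch directives fall back to default-src) and flags the settings that leave script injection open, with a deliberately weak constructed policy beside a stricter one. The policies and nonce value are constructed for illustration.

```python
from typing import Dict, List, Tuple

ENFORCE_HEADER = "Content-Security-Policy"
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

# Constructed policies for illustration; these are not Okta's actual headers.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' *"
STRICT_POLICY = ("default-src 'self'; script-src 'self' 'nonce-c0nstructedN0nce'; "
                 "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into directives. Browsers honour the first occurrence of a
    duplicated directive and ignore later ones, so this parser does the same."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Fetch directives such as script-src and object-src fall back to default-src."""
    return directives.get(name, directives.get("default-src", []))


def audit_csp(policy: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs for weaknesses relevant to script injection."""
    d = parse_csp(policy)
    findings: List[Tuple[str, str]] = []
    if "default-src" not in d:
        findings.append(("no-default-src",
                         "no default-src fallback: any fetch directive you forgot is unrestricted"))
    # Lower-casing is only for keyword matching; real nonces are case-sensitive.
    scripts = [s.lower() for s in effective(d, "script-src")]
    nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in scripts)
    # When a nonce or hash is present, CSP level 2+ browsers ignore 'unsafe-inline'.
    if "'unsafe-inline'" in scripts and not nonce_or_hash:
        findings.append(("unsafe-inline",
                         "script-src allows 'unsafe-inline' with no nonce or hash, so an injected inline script runs"))
    if "'unsafe-eval'" in scripts:
        findings.append(("unsafe-eval", "script-src allows eval(), widening what injected data can do"))
    if any(s in ("*", "http:", "https:") for s in scripts):
        findings.append(("wildcard-script", "script-src allows scripts from any origin"))
    if effective(d, "object-src") != ["'none'"]:
        findings.append(("object-src", "object-src is not 'none': plugin content can still execute script"))
    if "base-uri" not in d:
        findings.append(("base-uri", "no base-uri: an injected <base> tag can redirect relative script URLs"))
    return findings


def header_for(policy: str, enforce: bool) -> Tuple[str, str]:
    """The same policy string can be shipped report-only first, then enforced."""
    return (ENFORCE_HEADER if enforce else REPORT_ONLY_HEADER, policy)


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        name, value = header_for(policy, enforce=(label == "strict"))
        print(f"{label}: {name}: {value}")
        for code, why in audit_csp(policy) or [("ok", "no findings")]:
            print(f"  [{code}] {why}")
```

Running a candidate policy through a check like this while it is still in report-only mode, and comparing the findings against the violation reports the browser sends back, is the usual way to ratchet a policy from permissive to strict without breaking pages.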