Okta Identity Engine release notes (Preview)
Version: 2025.03.0
March 2025
Generally Available
Okta MFA Credential Provider for Windows, version 1.4.3
This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows version history.
Okta LDAP agent, version 5.23.0
This version of the agent includes security enhancements.
Updated Japanese translations
The Admin Dashboard, Administrator pages, and Admin Console search now provide updated Japanese translations.
Maximum Okta global session lifetime is now configurable
The Set time limit option for the Maximum Okta global session lifetime setting in the default global session policy rule is now configurable. See Add a global session policy rule.
MyAccount Management scopes
The MyAccount Management scopes have been updated to non-system scopes and are now configurable by admins. See Create API access scopes.
Identity Security Posture Management functionality in the OIN catalog
The Okta Integration Network page now provides Identity Security Posture Management functionality. When you select it, the OIN catalog displays only the apps with Identity Security Posture Management functionality.
New default selection for user authentication option in authentication policy rules
The default selection for the User must authenticate with option on the authentication policy rule page is now Any 2 factor types. See Add an authentication policy rule.
New default settings for Okta sessions and idle time in default global session policy rules
The maximum Okta global session lifetime is now one day (24 hours) in the default global session policy rule. See Add a global session policy rule.
New default settings for Okta sessions and session establishment authenticators in default global session policy rules
The maximum Okta global session lifetime is now one day (24 hours) in the default global session policy rule. The default value for the Establish the user session with option in the default global session policy rule is now Any factor used to meet the authentication policy requirements. This also applies to new rules that you create. See Add a global session policy rule.
Step-up authentication for updating policies
Okta prompts for step-up authentication when admins perform protected actions in the Admin Console, like updating sign-on policies. The changes are only allowed after the admin authenticates successfully. This feature enhances org security by allowing admins to require MFA before performing protected actions. See Protected actions in the Admin Console.
Post auth session name change
The Post auth session tab of the Authentication Policies page is renamed Session protection, and the post auth session policy is renamed to session protection policy. There's no change in functionality. See Session protection with Identity Threat Protection.
UI enhancements for Identity Threat Protection
Several UI elements were improved for ITP dashboard widgets, the entity risk policy, the user Risk tab, and the risk feedback table.
OIN app for Microsoft Office GCC High
Office 365 app in GCC High environment is now Generally Available. This app is a highly secure version of Office 365 designed specifically for government entities, vendors, and contractors. See Configure Office 365 GCC High Tenant.
System Log event changes for trusted proxies
If a user changes their IP address during a session and the resulting IP address is in a trusted proxy, the System Log doesn't record a user.session.context.change event. See IP zones.
IP Exempt Zone
Use this feature to allow traffic from specific gateway IPs irrespective of Okta ThreatInsight configurations, blocked network zones, or IP change events within Identity Threat Protection with Okta AI. See IP exempt zone.
Automatic renewal of Okta Certificate Authorities
Okta Certificate Authorities (CAs) used for management attestation expire every five years. Without proactive renewal, expired CAs lead to disruptions in authentication and hinder compliance requirements. To mitigate this risk, the Okta CA Renewal Service automatically renews CAs 1.5 years before expiration, ensuring uninterrupted authentication and compliance. By managing CA renewals proactively, this service prevents downtime, reduces manual intervention, and guarantees that management attestation remains seamless and uninterrupted. See Okta Certificate Authority Renewal and Activation Guide.
Desktop MFA Recovery for Okta Device Access
Desktop MFA Recovery is now available for Desktop MFA for macOS. It provides a way for admins to generate a time-limited device recovery PIN to unblock Desktop MFA users who lost their MFA authentication device. See Desktop MFA recovery.
Early Access
Custom remediation for device assurance
You can now display custom remediation instructions to users when authentication fails due to unsuccessful device posture checks with Okta Verify or Chrome Device Trust. See Configure custom remediation instructions for device assurance.
Entitlement support for disconnected apps
Disconnected apps are apps that aren't LCM integrated within Okta. This feature allows you to use CSV files to import users and entitlements into Okta from disconnected apps. This enables consistent governance and compliance across all apps, including those not fully integrated with Okta. See Import user entitlements from CSV.
New look and feel in the Admin Console
The Admin Console now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.
New identity verification providers added
Okta now supports using Incode and CLEAR Verified as identity providers. This increases the number of identity verification vendors (IDVs) you can use to verify the identity of your users when they onboard or reset their account. See Add an identity verification vendor as an identity provider.
Bypass ASN binding with the Default Exempt IP Zone
The ASN binding feature associates admins with the IP address that they signed in from. If the IP changes during a session, the admin is signed out of Okta, and an event appears in the System Log. To bypass IP and ASN binding, you can add the client IP to the Default Exempt IP Zone. See IP exempt zone.
App Switcher for Okta first-party apps
The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.
New look and feel in the End-User Dashboard
The End-User Dashboard now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.
New attributes in Universal Sync
The following attributes are now supported in Universal Sync: AuthOrig, DLMemRejectPerms, DLMemSubmitPerms, and UnauthOrig.
Okta-to-Okta claims sharing enhancement
Okta-to-Okta claims sharing now supports the use of the smart card authenticator and Active Directory for Single Sign-On. This removes the need for users to authenticate with a service provider when they've already authenticated to an Okta org. See Add a SAML Identity Provider.
Verify an SSF Stream
Okta SSF Transmitter now supports the verification endpoint to enable receivers to request verification events and validate the end-to-end delivery between the transmitter and receiver. The SSF Transmitter verification events claim structure is also now compliant with the OpenID Shared Signals Framework ID3 spec.
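The verification exchange described above, as an added example that is not Okta's code: the receiver asks the verification endpoint for a verification event carrying a fresh state, the transmitter signs a Security Event Token (SET) with that state, and the receiver checks signature, audience and state to confirm end-to-end delivery. Claim names and the verification event type follow the OpenID Shared Signals Framework specification as this example understands it; the HS256 shared key, issuer and audience URLs, and stream id are constructed placeholders (real transmitters sign SETs with asymmetric keys published at a JWKS URL, which this simulation does not model).

```python
"""Simulated SSF stream verification exchange (added example; not Okta code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Event type URI for SSF verification events (per the SSF spec, as assumed here).
VERIFICATION_EVENT = "https://schemas.openid.net/secevent/ssf/event-type/verification"
SHARED_KEY = b"constructed-shared-secret"          # placeholder, HS256 for the simulation only
TRANSMITTER_ISS = "https://transmitter.example.com"  # constructed issuer
RECEIVER_AUD = "https://receiver.example.com/events"  # constructed audience (receiver push endpoint)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_set(claims: dict) -> str:
    """Serialize claims as a compact JWS with typ=secevent+jwt (RFC 8417)."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def receiver_request_verification(stream_id: str) -> dict:
    """Receiver side: JSON body POSTed to the transmitter's verification endpoint.
    The state is caller-chosen and unpredictable so a stale SET cannot satisfy it."""
    return {"stream_id": stream_id, "state": secrets.token_urlsafe(16)}


def transmitter_issue_verification(request: dict) -> str:
    """Transmitter side: build and sign the verification SET echoing the state."""
    claims = {
        "iss": TRANSMITTER_ISS,
        "aud": RECEIVER_AUD,
        "iat": int(time.time()),
        "jti": secrets.token_hex(16),
        "events": {VERIFICATION_EVENT: {"state": request["state"]}},
    }
    return sign_set(claims)


def receiver_verify_set(token: str, expected_state: str) -> bool:
    """Receiver side: accept only a correctly signed SET, addressed to us,
    carrying a verification event whose state matches the one we requested."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False
    expected_sig = hmac.new(SHARED_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(s), expected_sig):
        return False
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != TRANSMITTER_ISS or claims.get("aud") != RECEIVER_AUD:
        return False
    event = claims.get("events", {}).get(VERIFICATION_EVENT)
    if not isinstance(event, dict):
        return False
    # Constant-time compare so a replayed or forged SET with another state fails.
    return hmac.compare_digest(event.get("state", ""), expected_state)


def run_exchange(stream_id: str = "constructed-stream-id") -> bool:
    """Drive both sides once; True means the stream delivered end to end."""
    req = receiver_request_verification(stream_id)
    token = transmitter_issue_verification(req)
    return receiver_verify_set(token, req["state"])


if __name__ == "__main__":
    print("verification delivered end to end:", run_exchange())
```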
Fixes
- When provisioning and Import Groups were enabled for the O365 GCC High app, the Groups page didn't display the group icon. (OKTA-283826)
- Some certificates with trailing characters were uploaded successfully despite their invalid format. (OKTA-486406)
- The consent buttons for the Office 365 and Office 365 GCC High apps didn't render correctly. (OKTA-488281)
- The Microsoft Office 365 Government - GCC High app integration didn't have the correct metadata tags. (OKTA-509443)
- A realm assignment didn't work as expected when using expressions based on attribute type. (OKTA-728487)
- Users weren't automatically confirmed when the inline hook updated conflicting appuser values during import. (OKTA-792372)
- The Add rule page for an authentication policy sometimes displayed the wrong factor types in the preview. (OKTA-849411)
- An invalid authentication error sometimes occurred when an admin assigned users to the ShareFile app. (OKTA-850064)
- Emails intended for an unverified primary or secondary email were dropped when the Audience setting for the template was Admin only. (OKTA-852156)
- When the Send all admin emails as BCC notification setting was selected, all email recipients were sent to the To field instead of the BCC field for protected actions. (OKTA-856627)
- Users who selected the Send me an email option from a locked account notification didn't receive the requested email. (OKTA-858751)
- Some users couldn't complete account recovery using Okta Verify with push. (OKTA-870580)
- Unknown users received an internal server error when they tried to recover their passwords. (OKTA-873911)
- Some pages in the End-User Dashboard had a typo in the footer. (OKTA-877065)
- The Entitlement SAML Assertions and OIDC Claims feature wasn't available in the menu for some customers. (OKTA-880967)
- An error occurred in the Okta Provisioning Agent when trying to import users from on-premises apps through CSV files. (OKTA-880996)
- Access requests for admin role bundles weren't processed properly. (OKTA-892613)
Okta Integration Network
- Better Stack (SCIM) is now available. Learn more.
- Employment Hero by Aquera (SCIM) is now available. Learn more.
- Harriet (OIDC) is now available. Learn more.
- Harriet (SCIM) is now available. Learn more.
- HYCU R-Cloud (OIDC) is now available. Learn more.
- Kyriba By Aquera (SCIM) is now available. Learn more.
- MySQL by Aquera (SCIM) is now available. Learn more.
- ZAMP (SCIM) is now available. Learn more.
- Zoom (SAML) has updated endpoints.
Weekly Updates
2025.03.1: Update 1 started deployment on March 12
Generally Available
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 12, 13, 14, 15 security patch 2025-03-01
- iOS 18.3.1
- macOS Ventura 13.7.4
- macOS Sonoma 14.7.4
- macOS Sequoia 15.3.1
- Windows 10 (10.0.17763.6893, 10.0.19044.5487, 10.0.19045.5487)
- Windows 11 (10.0.22621.4890, 10.0.22631.4890, 10.0.26100.3194)
Sign-in Widget 7.18 for Same-Device Enrollment
If you use the Same-Device Enrollment feature in your org, the Sign-In Widget version must be 7.18 or later.
Fixes
- createdBy and lastUpdatedBy custom attributes couldn't be used in group rules. (OKTA-566492)
- Some issues occurred during the creation of Devices Assurance settings. (OKTA-603807)
- Some Android users couldn't authenticate with Duo Verify when enrolling in Okta Verify. (OKTA-791813)
- Custom admins who were limited to viewing only application group members received incomplete results when using the List All Users API without a search or filter. (OKTA-801592)
- In some orgs, unnecessary writebacks were made to Workday when a sync was performed from Okta. (OKTA-817160)
- Users who were excluded from a group rule were displayed incorrectly in the Admin Console. (OKTA-838039)
- The System Log displayed two usernames in the user.authentication.auth_via_social event when a user signed in to Okta with an identity provider in the same browser as a user who was already signed in. (OKTA-842179)
- Users authenticating to Microsoft Office 365 on macOS were matched to a rule with a Modern Authentication condition only when using the Edge browser. (OKTA-847605)
- Admins who were assigned the super admin role through group assignments couldn't run password hash exports or view the reports. (OKTA-851991)
- The MFA enrollment by user report displayed inaccurate figures for the security question authenticator. (OKTA-858427)
- Okta sometimes timed out earlier than expected when admins configured authentication policies. (OKTA-867807)
- The page title didn't appear correctly on the browser tab for the Recent activity and My Settings pages. (OKTA-874289)
- Using device conditions in an authentication policy sometimes caused the post auth session policy evaluation to fail and generate a policy.auth_reevaluate.fail event. (OKTA-876114)
- Admins didn't receive the correct notifications when they had both role and admin email notifications selected. (OKTA-876846)
- The Back to sign in button didn't work on the Sign-In Widget (third generation) version 7.26.1 or later. (OKTA-877241)
- Okta admins assigned to non-visible apps were taken to the End-User Dashboard instead of the Admin Console when signing in. (OKTA-882675)
- When the Unified look and feel for Okta Admin Console feature was enabled, the Settings and Features pages didn't render correctly in the Safari browser. (OKTA-884821)
- Admins couldn't create or edit third-party identity providers in orgs with Okta-to-Okta claims sharing enabled. (OKTA-893483)
Okta Integration Network
- Better Stack (SAML) has a new integration guide.
- Bundle by freee (SCIM) is now available. Learn more.
- Chargebee (SAML) has a new integration guide.
- Chargebee (SCIM) is now available. Learn more.
- Lobbipad (SCIM) has updated help text.
- Marfeel (OIDC) is now available. Learn more.
- Oracle Cloud Applications by Aquera (SCIM) is now available. Learn more.
2025.03.2: Update 2 started deployment on March 19
Generally Available
Accessibility enhancements for screen readers
UI elements on the end-user Settings page have been enhanced to work with screen readers. See User settings.
Fixes
- createdBy and lastUpdatedBy custom attributes couldn't be used in group rules. (OKTA-566492)
- Workday imports sometimes failed when the number of parameters sent in a query exceeded the maximum. (OKTA-819984)
- Authentication was interrupted or prevented in legacy embedded browsers due to a DNS issue. (OKTA-845120)
- Changes to the manager attribute in Workday were only reflected in Okta after a full import. (OKTA-846352)
- The View Client Credentials permission didn't appear when the App settings for custom admin roles feature was enabled. (OKTA-851994)
- AWS account federation with SWA was incompatible with the new AWS sign in page. (OKTA-856995)
- When the Enable Sync Account Information setting was disabled for a custom domain, login.okta.com still loaded iframes. (OKTA-865098)
- In Dynamic Zones, some IPs were classified incorrectly as anonymous proxies because of a misconfiguration by a third-party provider. (OKTA-867976)
- On the Admin Dashboard, some post auth session labels weren't updated to session protection. (OKTA-886337)
- Admins couldn't increase the global session policy maximum idle time if they set it to a longer duration than the previously saved maximum session time. (OKTA-891348)
Okta Integration Network
- Attribute Dashboard (OIDC) is now available. Learn more.
- Balsamiq (SAML) has a new app name, icon, and integration guide.
- bob (SCIM, SAML) now supports sandbox environments.
- Drata (OIDC) has a new icon.
- Mighty ID (OIDC) is now available. Learn more.
- Salesloft (SAML) is now available. Learn more.
- Salesloft (SCIM) is now available. Learn more.
2025.03.3: Update 3 started deployment on March 26
Fixes
- The wrong data appeared in the debug data field of the policy.rule.update System Log event. (OKTA-846160)
- Users received the wrong error message when they tried to authenticate with biometric methods. (OKTA-846488)
- Risk information was missing from some device context-triggered user.session.context.change events. (OKTA-880859)
- If the Okta account management policy was used for self-service unlock and a user only had one factor available, that factor was auto-selected when they started the process. (OKTA-884244)
- If the Okta account management policy required Identity Verification for all actions, users received a 500 internal server error when they tried to edit their profile settings. (OKTA-888155)
- When the Passkeys Autofill feature was enabled in the hub org of an Org-to-Org configuration, and there was only one identity provider configured, users weren't automatically redirected to non-hub orgs when they signed in. (OKTA-888882)
- Sometimes, Google Workspace licenses couldn't be edited. (OKTA-892397)
- The user.identity_verification System Log event displayed an incorrect assurance level for completed identity verifications. (OKTA-893343)
- Admins couldn't create or edit third-party identity providers in orgs with Okta-to-Okta claims sharing enabled. (OKTA-893483)
- Admins whose role had permission conditions couldn't search for users by first or last name. (OKTA-894392)
- Some text was misaligned on the page. (OKTA-897943)
Okta Integration Network
- Akitra (OIDC) is now available. Learn more.
- AppsFlyer By Aquera (SCIM) is now available. Learn more.
- Braintree (SAML) is now available. Learn more.
- Braintree (SCIM) is now available. Learn more.
- ContentHubGPT (SAML) is now available. Learn more.
- HRBrain (SAML) is now available. Learn more.
- HRBrain (SCIM) is now available. Learn more.
- Speeda Business Insights (OIDC) is now available. Learn more.
- Speeda Startup Insights (OIDC) is now available. Learn more.
Version: 2025.02.0
Universal Logout for Cerby app
Cerby now supports Universal Logout. This enables admins to automatically sign users out of this app when Universal Logout is triggered.
New look and feel in Access Certifications
In Access Certifications, the Access Certification Reviews app located on your dashboard now has a new look and feel, including a restyled top navigation bar and the addition of a gray background.
Authentication method chain options
The Pin or biometric verification label for authentication method chains on the authentication policy rule page has been changed to User interaction. See Authentication method chain.
New System Log attribute
The application.policy.sign_on.deny_access System Log event now shows the app instance ID. This makes it easier to identify the affected app and enables resource-based filtering for the event.
New System Log attributes
The PolicyName field was added to the policy.evaluate_sign_on System Log event. This change makes it easier for admins to identify the policy that was involved in user sign-in attempts.
Authentication policy rule page updated
The If Okta FastPass is used section of the authentication policy rule page has been removed. Users can select the Require user interaction option in the Possession factor constraints are section instead. See Add an authentication policy rule.
Discover inactive users and review admin access
You can now use preconfigured campaigns to discover inactive users who are assigned to apps and review their admin access. Preconfigured campaigns are a set of ready-to-use campaigns where Okta presets some default settings. See Access Certifications for admin roles.
Shared signal receiver available for AMFA orgs
Adaptive MFA customers can now integrate security events from security event providers compatible with OpenID's Shared Signals Framework into Okta. When these risk events fire for users assigned the super admin role, Okta raises risk events that are actionable using Workflows. See Configure a shared signal receiver.
This feature is following a slow rollout process.
ITP detections for AMFA orgs
Adaptive MFA orgs now benefit from ITP detections on sessions and entity users when these are detected on directly assigned super admins. These detection events are actionable using Workflows. This feature aligns with the Okta Secure Identity Commitment. See Identity Threat Protection events in System Log.
This feature is following a slow rollout process.
Case numbers for impersonation events
When an org grants impersonation for a support case, the case number now appears in the System Log. See Give access to Okta Support.
System Log event for public client app admins
When an admin selects the Automatically assign the super admin role to all newly created public client apps checkbox on the Account page, the System Log now records an event.
Enforce Number Challenge for Desktop MFA
You can now enforce number challenge on all push notifications for Desktop MFA, regardless of the authentication policy. See Configure access policies.
Sign-In Widget, version 7.27.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Granular configuration for Keep Me Signed In
Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands management API. See Keep me signed in and Brands API.
Workday supports incremental imports
Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Workday.
New flexible LDAP
A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.
Prevent new single-factor access to the Admin Console
This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is now enabled by default for all orgs.
New browser tab reactivation behavior for the Sign-In Widget
The Sign-In Widget now avoids a full page refresh on custom domains when an inactive tab is reactivated. This change improves compatibility with browser memory saver features. This feature will be gradually made available to all orgs.
Sign in with duplicated email authenticators
Previously, users couldn't sign in if they had the same email enrolled twice as an authenticator. This change checks the status of each email authenticator and allows the user to sign in with the most suitable email authenticator.
End-user setting for nicknaming factors
End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the End-User documentation. This is a self-service feature.
Content security policy enforcement on end-user pages
Content Security Policy is now enforced for end-user pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for end-user pages will become stricter than this first release. This feature will be gradually made available to all orgs.
Okta ThreatInsight coverage on core Okta API endpoints
Okta ThreatInsight coverage is now available for core Okta API endpoints (OpenID Connect & OAuth 2.0, Okta Management, and MyAccount API). Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org.
Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints.
There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
Application Entitlement Policy
Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
Descriptive System Log events
When Okta identifies a security threat, the resulting security.threat.detected entry now provides a descriptive reason for the event. See System Log.
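As an added example (not Okta code) serving both the ThreatInsight coverage entry above and this descriptive-reason entry: a small triage script that parses constructed System Log lines, counts security.threat.detected events per reason, pulls out the Negative IP Reputation sources, and flags any detected address that one of your configured exempt zones would pass. The sample events and the exempt CIDR are constructed, and the field paths (eventType, outcome.reason, client.ipAddress, severity) are assumed from the common System Log layout; confirm them against your own org's export before relying on this.

```python
"""Triage of security.threat.detected System Log events (added example; not Okta code)."""
import ipaddress
import json
from collections import Counter

THREAT_EVENT = "security.threat.detected"
NEGATIVE_REPUTATION = "Negative IP Reputation"

# Constructed sample events as newline-delimited JSON, not real Okta output.
# Field paths follow the common System Log layout; confirm against your org's export.
SAMPLE_LOG = """
{"eventType": "security.threat.detected", "severity": "HIGH", "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "DENY", "reason": "Negative IP Reputation"}, "published": "2025-03-05T10:00:00.000Z"}
{"eventType": "user.session.start", "severity": "INFO", "client": {"ipAddress": "10.0.0.5"}, "outcome": {"result": "SUCCESS"}, "published": "2025-03-05T10:00:01.000Z"}
{"eventType": "security.threat.detected", "severity": "HIGH", "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "DENY", "reason": "Login failures with high unknown users count"}, "published": "2025-03-05T10:00:02.000Z"}
{"eventType": "security.threat.detected", "severity": "HIGH", "client": {"ipAddress": "192.0.2.44"}, "outcome": {"result": "DENY", "reason": "Negative IP Reputation"}, "published": "2025-03-05T10:00:03.000Z"}
this line is not json and is skipped by the parser
""".strip()

EXEMPT_ZONE_CIDRS = ["192.0.2.0/24"]  # placeholder; substitute your org's exempt zone gateway IPs


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def in_exempt_zone(ip: str, networks: list) -> bool:
    """True when ip parses and falls inside any of the exempt networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def triage_threat_events(events: list, exempt_cidrs: list) -> dict:
    """Summarize ThreatInsight detections: counts per reason, the sources
    flagged with Negative IP Reputation, and detected IPs that an exempt zone
    would pass without ThreatInsight evaluation (worth reviewing the zone)."""
    networks = [ipaddress.ip_network(c, strict=False) for c in exempt_cidrs]
    by_reason = Counter()
    negative_reputation_ips = []
    shielded_by_exempt_zone = []
    for ev in events:
        if ev.get("eventType") != THREAT_EVENT:
            continue
        reason = ev.get("outcome", {}).get("reason", "unspecified")
        ip = ev.get("client", {}).get("ipAddress", "")
        by_reason[reason] += 1
        if reason == NEGATIVE_REPUTATION:
            negative_reputation_ips.append(ip)
        if in_exempt_zone(ip, networks):
            shielded_by_exempt_zone.append(ip)
    return {
        "by_reason": dict(by_reason),
        "negative_reputation_ips": negative_reputation_ips,
        "shielded_by_exempt_zone": shielded_by_exempt_zone,
    }


if __name__ == "__main__":
    summary = triage_threat_events(parse_events(SAMPLE_LOG), EXEMPT_ZONE_CIDRS)
    print(json.dumps(summary, indent=2))
```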
Improvements to the self-service registration experience
Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.
SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.
Improvements to the self-service unlock process
Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application. See Configure the email authenticator.
Toggle password visibility on the Okta Sign-In page
End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Enable delegated authentication for LDAP.
Email failure events in the System Log
Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.
Choose additional filters for Office 365 sign-on policy
Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.
Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.
Manage admin email notification subscriptions using API endpoints
Admins can manage email subscriptions using the Admin Email Subscription API endpoints.
- Super admins can configure default subscription settings by admin type.
- All admins can manage their own admin email notification subscriptions.
LDAP password reset option
LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.
LDAP admin password reset
For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.