Okta Identity Engine release notes (Preview)

Version: 2025.06.0

June 2025

Generally Available

Conditions for create user permission

You can now add conditions to the Create user permission for custom admin roles. This enables you to granularly control which user attributes admins can set values for during user creation. See Permission conditions.

Increased maximum displayed group membership count

The membership count that appears on the groups page for very large groups now maxes out at 1M+. Click this number to view the exact count, which is cached for two hours. See View group members.

New look and feel in the End-User Dashboard

The End-User Dashboard now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

Expanded use of user.getGroups() function in Okta Expression Language

Admins can now use the user.getGroups() function across all features that support Expression Language. See Group functions.

Device assurance OS version updates

The following OS versions are now supported in device assurance policies:

  • Android 13, 14, 15 security patch 2025-06-01
  • iOS 15.8.4
  • iOS 16.7.11
  • iOS 18.5
  • macOS Ventura 13.7.6
  • macOS Sonoma 14.7.6
  • macOS Sequoia 15.5
  • Windows 10 (10.0.17763.7314, 10.0.19044.5854, 10.0.19045.5854)
  • Windows 11 (10.0.22621.5335, 10.0.22631.5335, 10.0.26100.4061)

Map unknown platform to desktop

Okta now maps unrecognized platform conditions to Other desktop. Previously, unrecognized platform conditions matched correctly only when Any platform condition was selected in the authentication policy.

Personal apps excluded from apps count

On the Admin Dashboard, the Total apps count on the Apps widget now excludes personal apps. This provides a more accurate apps count for the org. See Monitor your apps.

Per-app SAML certificate expiry notifications

The Tasks page now displays certificate expiry notifications for individual SAML apps.

New help message for custom domains

Admins creating an Okta-managed custom domain now see a message encouraging them to add a CAA record.

Okta Provisioning Agent now supports Group Push with SCIM 2.0

You can now use Group Push with on-premises apps by using Okta Provisioning Agent and SCIM 2.0. See Create SCIM connectors for on-premises provisioning.

Name matching for identity verification

Admins can now map attributes for both preferred and legal first and last names when sending verification claims to an identity verification (IDV) vendor. This improves the accuracy of verification and gives the admin control over which attributes are sent to the vendor.

Bypass ASN binding with the Default Exempt IP Zone

The ASN binding feature associates admins with the IP address that they signed in from. If the IP changes during a session, the admin is signed out of Okta, and an event appears in the System Log. To bypass IP and ASN binding, you can add the client IP to the Default Exempt IP Zone. See IP exempt zone.

Improvements to Okta RADIUS

Okta RADIUS now supports Java version 17 and has a new 64-bit installer.

Secure Partner Access for external partners

Secure Partner Access provides a secure way for external business partners to access your org's resources. It streamlines your partner management tasks, reduces IT workload, and simplifies the process of configuring your org's security requirements. See Manage Secure Partner Access.

Certificate-based authentication for Office 365

Okta Identity Engine now supports certificate-based authentication for WS-Fed SSO requests. Users can authenticate using smart/PIV cards to seamlessly access their Windows devices and Office 365 apps.

Restrict access to the Admin Console

By default, users and groups with assigned admin roles have access to the Admin Console app. With this feature, super admins can choose to manually assign the app to delegated admins instead. This is recommended for orgs with admins who don't need access, like business partners, third-party admins, or admins who only use the Okta API. See Configure administrator settings.

Manage Subscription button removed

The Manage Subscription button has been removed from the Settings page.

Admins prevented from deleting published app instances

When an app instance has the Published version status, admins can no longer delete it from their org.

Early Access

Send app context to external IdPs

You can now forward context about an app to an external identity provider (IdP) when a user attempts to access the app. When you enable the Application context checkbox for an IdP, the app name and unique instance ID are included in the SAML or OpenID Connect request sent to the external IdP. This enhancement allows external IdPs to make more informed, context-aware authentication decisions, supporting advanced security scenarios, and Zero Trust environments. To enable this feature, go to Settings > Features in the Admin Console, locate Send Application Context to an External IdP, and enable.

Enrollment grace periods

Today, when admins define an enrollment policy for a group, the entire group must enroll immediately, which can be disruptive to their day-to-day tasks.

With Enrollment Grace Periods, end users can defer enrollment in new authenticators until an admin-defined deadline when enrollment becomes mandatory. This allows end users to enroll at a time convenient to them and allows for more graceful enrollment before enforcing new authenticator types in authentication policies. See Authenticator enrollment policies.

RingCentral uses new default phone number logic

The RingCentral app integration's logic for detecting and populating phone numbers has been updated to work with both DirectNumber and IntegrationNumber entries.

Single Logout for IdPs is EA in Preview

The Single Logout (SLO) for IdPs feature boosts security for organizations using shared devices and external IdPs by automatically ending IdP sessions when a user signs out of any app. This feature also requires a fresh authentication for every new user, eliminating session hijacking risks on shared devices. SLO for IdP supports both SAML 2.0 and OIDC IdP connections, which provides robust session management for shared workstations in any environment. See Add a SAML Identity Provider.

Block words from being used in passwords

You can now use Okta Expression Language to block words from being used in passwords. This feature enhances security by allowing you to customize your password strength requirements.

Fixes

  • SDK strings that contained iOS were parsed as unknown operating systems. (OKTA-856044)

  • Some UI elements on the Personal information page in My Settings had the wrong background color. (OKTA-904266)

  • In orgs with an embedded Sign-In Widget and the Email Optional feature enabled, users weren't prompted for their email address during self-service unlock flows. (OKTA-917289)

  • The /idp/myaccount/sessions endpoint didn't accept access tokens granted by custom authorization servers. (OKTA-929488)

  • Some users were prompted by their service provider to authenticate with Okta Verify (OV) even though they had already authenticated using OV at their identity provider. (OKTA-937311)

  • On the Settings page, the Technical contact field displayed a "This field cannot be left blank" error even when there was text in the field. (OKTA-939469)

  • In the End-User Dashboard, if a user resized the browser to a mobile-sized view, the navigation menu opened and closed repeatedly. (OKTA-940213)

Okta Integration Network

  • Pluto Bioinformatics is now available (SAML). Learn more.
  • FORA is now available (OIDC). Learn more.
  • Teamplify is now available (OIDC). Learn more.
  • XOPS is now available (API Service Integration). Learn more.

Weekly Updates

2025.06.1: Update 1 started deployment on June 18

Generally Available

Frame-ancestors rollout for Content Security Policy

Okta is rolling out the frame-ancestors directive of the Content Security Policy (CSP) for the /auth/services/devicefingerprint and /API/v1/internal/device/nonce endpoints. To prevent blocking access to these endpoints from embedded frames, add any embedder origin as a trusted origin. See Trusted Origins for iFrame embedding.

In addition, Okta is rolling out the use of nonce with the script-src directive of the CSP for the /auth/services/devicefingerprint. To prevent blocking inline scripts that you may have injected on the page returned by this endpoint, allowlist your inline script to account for the nonce addition to script-src.

Org2Org OIDC Sign-on mode

The Org2Org app now includes an OIDC Sign-on mode using the Okta Integration IdP. This sign-on mode reduces the complexity of configuration between the Org2Org app and the target org, and takes advantage of modern security features of OIDC. You also need to enable the Okta Integration IdP feature to use the OIDC Sign-on mode. See Integrate Okta Org2Org with Okta.

New look and feel in the End-User Dashboard

The End-User Dashboard now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

Fixes

  • The request.userAgent.contains("XXX") expression was supported only in authentication policies for Office 365 apps. (OKTA-827195)

  • Users were sometimes prompted for additional security methods from authentication method chain steps even though they weren't needed to satisfy assurance requirements. (OKTA-869644)

  • App logos could be added or updated using any SVG format. (OKTA-876028)

  • After the Okta Active Directory or LDAP agents was successfully updated, the corresponding email notification reported that zero agents were running the new version. (OKTA-876968)

  • Customization fields in email templates were populated with unencoded information. (OKTA-922766)

  • The Proxy IP Usage report returned unknown values for Proxy Type. (OKTA-930091)

  • Chromebook users were prompted to enroll Okta Verify on their device even though it wasn't supported. (OKTA-937063)

  • SAML attribute statements were incorrectly hidden on some users' custom SAML app pages. (OKTA-939543)

  • Users with existing sessions were prompted to authenticate with a password even though Trust claims from this identity provider was enabled on their IdP. (OKTA-947997)

  • The table on the HealthInsight page was misaligned. (OKTA-948682)

  • When the Governance for admin roles feature was enabled, admins could create custom roles with the same name as a standard role. (OKTA-950114)

  • Custom authenticator logos weren't displayed on the Security methods page. (OKTA-950902)

  • When some AD or LDAP imports failed, the warning "Incorrect result size: expected 1, actual 2" was displayed in the job UI, but no System Log message was written. (OKTA-638810)

  • When admins changed the prompt for authentication frequency to 1825 days (five years) in authentication policy rules, the option changed to When an Okta global session doesn't exist. (OKTA-920782)

  • During a full import with AD DirSync, appuser.CN was cleared, which resulted in any attributes mapped from appuser.CN to the Okta user profile being cleared. (OKTA-944122)

  • When an admin opened a video from the Getting Started page, the close button wasn't visible. (OKTA-946268)

  • Editing a previously blank default value of an attribute in the Profile Editor failed if the Attribute length was set. (OKTA-958747)

  • This version includes security enhancements. (OKTA-963287)

Okta Integration Network

  • Complyfirst.co (OIDC) is now available. Learn more.
  • Duo Security SCIM Provisioning (SCIM) is now available. Learn more.
  • Genea Access Control (SAML) is now available. Learn more.
  • Genea Access Control (OIDC) is now available. Learn more.
  • Snapshot AI (OIDC) is now available. Learn more.

2025.06.2: Update 2 started deployment on June 25

Generally Available

OAMP protection for password expiry flows

This feature improves the security posture of customer orgs by protecting the password expiry flow with the Okta account management policy. Password expiry flows now require the assurance defined in an org's Okta account management policy. See Enable password expiry.

Fixes

  • When a user's session expired and they tried to reauthenticate through the Sign-In Widget (second generation), an error sometimes appeared. (OKTA-805758)

  • Inline enrollment didn't trigger when the user clicked Sign in with Okta FastPass. (OKTA-864326)

  • The Report a Security Issue section appeared on the Sign-In Help page even though the End User Help Form setting was disabled. (OKTA-898824)

  • When an admin retried a failed Office365 provisioning task, the Immutable ID value was cleared. (OKTA-913410)

  • Certificate authorities for Okta Device Access didn't appear in the Admin Console after the user who created them was deleted. (OKTA-928246)

  • Android users couldn't authenticate using Okta FastPass after they clicked Edit Profile on the end-user settings page. (OKTA-939020)

  • Some users received an error when they tried to enroll in an authenticator. (OKTA-941710)

Okta Integration Network

Preview Features

Changes to Okta apps

You can no longer view or assign the following apps to users:

  • Okta Access Certifications
  • Okta Access Requests Admin
  • Okta Entitlement Management

Additionally, the sign-on policies for these apps will default to the existing sign-on policy that you use for the Okta Admin Console.

Track MFA abandonment in the System Log

You can now monitor abandoned MFA attempts in the System Log using the user.authentication.auth_via_mfa event. The event now has two additional statuses for the event outcome:

  • UNANSWERED: MFA prompt was abandoned, but the user eventually signed in using another authenticator.
  • ABANDONED: MFA prompt was abandoned and the user couldn't sign in.

See Track MFA abandonment in the System Log

Workday supports incremental imports

Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports

Same-device enrollment for Okta FastPass

On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined: - Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account. - Users no longer need to enter their org URL during enrollment. - The enrollment flow has fewer steps. This feature is supported on Android, iOS, and macOS devices.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.

Application Entitlement Policy

Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

End-user setting for nicknaming factors

End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the End-User documentation. This is a self-service feature.

Content security policy enforcement on end-user pages

Content security policy is now enforced for end-user pages on orgs with custom domains on non-customizable pages. Content Security Policy headers provide an additional layer of security that helps to detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. We already had a policy enforced in our admin pages from last year and in report-only mode for end-user pages. We plan that future iterations of our Content Security Policy enforcement for end-user pages will become stricter than this first release.

This feature will be gradually made available to all orgs.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints:

Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application.

Choose additional filters for Office 365 sign-on policy

Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices.