Okta Identity Engine release notes (Preview)

Version: 2025.12.0

December 2025

Generally Available

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 3.0.6 and Okta Provisioning agent SDK 3.0.6 are now available. This release contains the following:

  • The maxItemsPerPage setting is now configurable to meet your specific requirements.
  • Memory optimizations and other minor improvements.

Provisioning for Netskope Admin Console

Provisioning is now available for the Netskope Admin Console app integration. When you provision the app, you can enable security features like Entitlement Management. See Netskope Admin Console.

Allow profile updates for deactivated users

Super admins can now choose to allow updates to profile attribute values for deactivated users, ensuring their profiles remain current. See Edit deactivated user profiles.

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • iOS 18.7.2, 26.1
  • macOS 14.8.2, 15.7.2, 26.1
  • Android 13, 14, 15, 16 security patch 2025-11-01

Seamless Admin Console navigation

When navigating to the Admin Console from the App Switcher, Admin button, or a direct URL, your active session is now reused. This reduces redundant MFA prompts and improves the navigation experience.

Updates to first-party App Switcher

Previously, you had to be an Okta admin to use the Okta first-party App Switcher. Now, non-admin users can use the App Switcher to seamlessly navigate between Okta first-party apps like ISPM, Workflows, or the Partner Admin Portal.

Okta LDAP agent, version 5.25.0

This version of the agent includes security enhancements.

Nonce rollout for Content Security Policy

Okta is removing unsafe-eval from the script-src directive of the Content-Security-Policy header on every endpoint that returns HTML content. These are endpoints that you can't customize and whose Content-Type response header is text/html. The change is a two-stage process: first, unsafe-eval is removed from the script-src directive of the Content-Security-Policy-Report-Only header, so that any remaining use of eval() on those pages is reported as a violation without being blocked; later, after those violations are fixed, unsafe-eval is removed from the script-src directive of the enforced Content-Security-Policy header.

This update will be gradually applied over several months, until all endpoints enforce the new Content-Security-Policy, which means this change will span several releases.
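Because the rollout is gradual, it helps to be able to tell which stage a given endpoint is in. The following Python is an added example, not Okta's code: it parses the two CSP headers described above and reports whether unsafe-eval is still permitted, has been dropped only from the Report-Only header, or has been dropped from the enforced header. The sample header values are constructed for illustration; to check a real endpoint, request it the way a browser would and pass the response headers to rollout_stage.

```python
"""Classify an HTML response by the unsafe-eval rollout stage of its CSP headers.

Added example, not Okta code. The header values in SAMPLE_RESPONSES are constructed.
"""
from typing import Dict, List, Optional


def parse_csp(header: Optional[str]) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive-name: [source expressions]}.

    Directives are separated by ';' and sources by whitespace. Names are
    case-insensitive; keyword sources such as 'unsafe-eval' keep their quotes.
    Browsers ignore a repeated directive, so the first occurrence wins here too.
    """
    policy: Dict[str, List[str]] = {}
    if not header:
        return policy
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_src_allows_eval(policy: Dict[str, List[str]]) -> bool:
    """True if eval()-style script execution is permitted by this policy.

    script-src falls back to default-src when absent; with neither present
    (or no policy at all) nothing restricts scripts, so eval is allowed.
    """
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    return "'unsafe-eval'" in (s.lower() for s in sources)


def rollout_stage(headers: Dict[str, str]) -> str:
    """Return 'still-allowed', 'removed-from-report-only' or 'removed-from-enforced'."""
    lower = {k.lower(): v for k, v in headers.items()}
    enforced = parse_csp(lower.get("content-security-policy"))
    report_only = parse_csp(lower.get("content-security-policy-report-only"))
    if not script_src_allows_eval(enforced):
        return "removed-from-enforced"
    if report_only and not script_src_allows_eval(report_only):
        return "removed-from-report-only"
    return "still-allowed"


# Constructed sample headers for the three stages (not captured from an Okta org).
SAMPLE_RESPONSES = {
    "before": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-abc123'",
    },
    "stage1": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-abc123'",
        "Content-Security-Policy-Report-Only": "default-src 'self'; script-src 'self' 'nonce-abc123'; report-uri /csp-report",
    },
    "stage2": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'",
    },
}


def classify_all(responses: Dict[str, Dict[str, str]] = SAMPLE_RESPONSES) -> Dict[str, str]:
    """Stage for each named sample response."""
    return {name: rollout_stage(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, stage in classify_all().items():
        print(f"{name}: {stage}")
```

Stage one is the window in which anything on those pages that still calls eval() (for example a browser extension or a script injected by a proxy) shows up as a report-only violation in the browser console without being blocked; once the enforced header drops unsafe-eval, such calls fail outright.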

LDAP Bidirectional Group Management

Bidirectional Group Management for Lightweight Directory Access Protocol (LDAP) allows you to manage LDAP groups from within Okta. You can add or remove users from groups based on their identity and access requirements. This ensures that changes made to user access in Okta are reflected in LDAP.

Okta can only manage group memberships for users and groups imported into Okta using the LDAP or Active Directory (AD) integration. It isn't possible to manage users and groups that weren't imported through LDAP or AD integration or are outside the organizational unit's scope for the integration using this feature.

More granular maximum clock skew options for LDAP incremental imports

More granular maximum clock skew intervals for LDAP incremental imports have been added to allow for better tuning and improved performance. You can now set the clock skew to 1, 2, 5, or 10 minutes. Choosing a value close to the actual maximum clock drift of your LDAP server keeps the import window narrow, which speeds up imports, while still covering updates that were stamped earlier than expected because the server's clock temporarily moved backward; with too narrow a window those updates would be missed.
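To make the trade-off concrete, here is an added Python simulation; it is not Okta's import code. It assumes the incremental import selects entries with a filter of the form (modifyTimestamp>=<previous import time minus skew>), which is the usual shape of an incremental LDAP query, and shows how an entry stamped by a lagging server clock is skipped when the window is narrower than the drift. All entries and timestamps are constructed.

```python
"""Effect of the maximum clock skew window on an LDAP incremental import.

Added example, not Okta's import code; the watermark filter is an assumption
about how such a query behaves, and all entries below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass(frozen=True)
class Entry:
    dn: str
    modify_timestamp: datetime  # value stamped by the LDAP server's own clock


def incremental_filter(entries: List[Entry], last_import: datetime, skew: timedelta) -> List[Entry]:
    """Entries an incremental import would fetch.

    A wider window re-processes more unchanged entries (slower import); a
    narrower one is faster but can miss entries whose stamp precedes the
    watermark because the server clock was behind when it wrote them.
    """
    watermark = last_import - skew
    return [e for e in entries if e.modify_timestamp >= watermark]


def build_sample() -> Tuple[datetime, List[Entry]]:
    """Previous import time plus three entries, one stamped by a lagging clock."""
    last_import = datetime(2025, 12, 1, 10, 0, tzinfo=timezone.utc)
    entries = [
        # Changed hours before the previous import: correctly excluded.
        Entry("uid=old,ou=people,dc=example,dc=com", last_import - timedelta(hours=3)),
        # Changed after the previous import with an accurate clock: fetched.
        Entry("uid=fresh,ou=people,dc=example,dc=com", last_import + timedelta(minutes=7)),
        # Changed after the previous import, but the server clock had stepped
        # back about three minutes, so the stamp lands before the watermark.
        Entry("uid=skewed,ou=people,dc=example,dc=com", last_import - timedelta(minutes=3)),
    ]
    return last_import, entries


def picked_up(skew_minutes: int) -> List[str]:
    """DNs fetched by an incremental import configured with the given skew."""
    last_import, entries = build_sample()
    fetched = incremental_filter(entries, last_import, timedelta(minutes=skew_minutes))
    return sorted(e.dn for e in fetched)


if __name__ == "__main__":
    for minutes in (1, 2, 5, 10):  # the four configurable values
        print(f"skew {minutes:2d} min -> {picked_up(minutes)}")
```

With a 1- or 2-minute window the entry stamped three minutes early is silently dropped; 5 and 10 minutes catch it at the cost of re-reading a few more entries. Measure the real drift between the LDAP server and a trusted time source before picking the smallest value.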

Escalate tasks

Access request admins and request assignees can escalate stalled tasks within a request to the task assignee's manager. Requesters can also escalate tasks within their access requests if you've enabled the Allow requesters to escalate tasks toggle on the Settings page. This helps expedite request resolution, prevents bottlenecks, improves productivity, and helps reduce the use of risky workarounds. Task escalation is a secure, auditable, and automated process that helps you adopt time-based access request models by supporting both efficient operations and strong security postures.

See Manage tasks and Allow requesters to escalate tasks.

This feature is generally available in Preview environments and is an Early Access release for Production environments.

Changes to preview user functionality

On the User page of the campaign wizard, Preview user is now called Preview expression scope. When you preview a user, Okta only validates the user against the Okta Expression Language expression that you specified. A user who matches the expression but isn't assigned to a resource in the campaign won't be included in the campaign.

Integrate Okta with Device Posture Provider

The Device Posture Provider feature enhances Zero Trust security by integrating external device compliance signals into the Okta policy engine. Previously, Okta couldn't leverage signals from third-party or custom tools to enforce access policies. Now, by accepting SAML/OIDC assertions from external compliance services, admins can incorporate custom compliance attributes into device assurance policies. This enables orgs to use their existing device trust signals within Okta, and foster a more flexible and secure posture without the need for extra agents or redundant tooling. See Integrate Okta with Device Posture Provider.

New field in `user.identity_verification` events

The System Log now displays a reasonForFailure field in user.identity_verification events when a reason for failure of the IDV flow is known. This additional information helps IDV vendors integrating with Okta troubleshoot their software. See Event Types.

Enhanced policy tracking in the System Log

The System Log now includes the PolicyId and PolicyRulePriority fields in the Rule target for policy.evaluate_sign_on events.

Smart Card enrollment and activation events

When a new user authenticates with a Smart Card through the Sign-in with PIV/CAC button, factor enrollment and activation events are now recorded in the System Log.

New Admin Console search logic

The spotlight search now uses "contains" logic, returning matches from any part of a search term instead of only the beginning. This helps admins find results more quickly and easily. See Admin Console search.

New custom admin permissions

New custom admin permissions let you read or read and write in app sign-in, global session, and Okta account management policies. This enhances the granularity of admin permissions in your org. See Create a resource set.

Workday now supports Entitlement Management

Entitlement Management with Workday enables support for governing Workday User-based Security Groups. With provisioning and Entitlement Management enabled, Okta can govern, certify, and assign Workday User-based Security Groups. Through imports, Okta discovers User-based Security Groups from Workday and current assignments for users. All entitlement capabilities such as policies, SOD rules, bundles, and time-bound requests are then supported for Workday User-based Security Groups. See Entitlement Management.

Anything-as-a-Source for groups and group memberships

Anything-as-a-Source (XaaS) capabilities allow customers to use a custom identity source with Okta. With XaaS, customers can source entities such as users into Okta's Universal Directory by connecting a custom HR app or a custom database.

This release offers XaaS capabilities with groups and group memberships, allowing customers to start sourcing groups with XaaS. Okta now enables creating and updating users, creating and updating groups, and managing group memberships in Okta's Universal Directory from any identity source using XaaS APIs. See Anything-as-a-Source.

Local Network Access prompting for Okta FastPass

When signing in to Okta-protected apps, users should allow Local Network Access at the browser prompt. If access is blocked, the Sign-in Widget shows remediation instructions and a link to the help documentation so users can continue to use Okta FastPass.

JSON Web Encryption of OIDC ID tokens

You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.

Unified claims generation for custom apps

Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.

Enhanced provisioning support for Office 365 GCC High integration

Office 365 GCC High provisioning now supports Universal Sync. This enables admins to synchronize on-premises attributes to Microsoft Entra ID.

Associated domains

Associated domains let you build a trust relationship among your app, the referring domain, the user's credentials that are associated with that domain, and your brand in Okta. This feature makes it easier to adopt phishing-resistant authenticators, like passkeys in the FIDO2 (WebAuthn) authenticator. See Configure associated domains.

Maximum consecutive characters setting for passwords

You can now set a maximum number of consecutive repeating characters in passwords. This feature enhances security by allowing you to customize your password strength requirements.

Improved realm picker access

The realm picker now automatically filters to the realms that the admin can access, and displays up to five of them.

Okta account management policy protection for password expiry flows

This feature improves the security posture of customer orgs by protecting the password expiry flow with the Okta account management policy. Password expiry flows now require the assurance defined in an org's Okta account management policy. See Enable password expiry.

System Log updates for security.request.blocked events

When security.request.blocked events are triggered by dynamic or enhanced dynamic network zones, the System Log now populates the client.zone field.
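An added example, not Okta code, of what a practitioner does with that field: group blocked requests by client.zone across a batch of System Log events, so you can see which dynamic or enhanced dynamic zone is doing the blocking and from which addresses. eventType and client.zone are documented System Log fields; the events themselves, the zone names and the IP addresses are constructed.

```python
"""Summarize security.request.blocked events by the network zone that blocked them.

Added example, not Okta code. SAMPLE_LOG is constructed newline-delimited JSON
shaped like System Log events; real events come from /api/v1/logs or a SIEM export.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set

SAMPLE_LOG = """
{"eventType":"security.request.blocked","client":{"ipAddress":"203.0.113.10","zone":"Blocked anonymizers (dynamic)"},"outcome":{"result":"DENY"}}
{"eventType":"security.request.blocked","client":{"ipAddress":"203.0.113.11","zone":"Blocked anonymizers (dynamic)"},"outcome":{"result":"DENY"}}
{"eventType":"security.request.blocked","client":{"ipAddress":"198.51.100.5","zone":"Unexpected countries (enhanced dynamic)"},"outcome":{"result":"DENY"}}
{"eventType":"security.request.blocked","client":{"ipAddress":"198.51.100.6","zone":null},"outcome":{"result":"DENY"}}
{"eventType":"user.session.start","client":{"ipAddress":"192.0.2.1","zone":null},"outcome":{"result":"SUCCESS"}}
"""


def parse_events(ndjson: str) -> List[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def blocked_by_zone(events: Iterable[dict]) -> Dict[str, Dict[str, object]]:
    """Count security.request.blocked events per client.zone and collect source IPs.

    Events whose zone is null (older events, or blocks not attributed to a
    zone) are reported under '(no zone)' rather than silently dropped.
    """
    counts: Counter = Counter()
    ips: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.get("eventType") != "security.request.blocked":
            continue
        client = ev.get("client") or {}
        zone = client.get("zone") or "(no zone)"
        counts[zone] += 1
        if client.get("ipAddress"):
            ips[zone].add(client["ipAddress"])
    return {zone: {"count": counts[zone], "ips": sorted(ips[zone])} for zone in counts}


def summarize(ndjson: str = SAMPLE_LOG) -> Dict[str, Dict[str, object]]:
    """Parse and group in one call; returns {zone: {count, ips}}."""
    return blocked_by_zone(parse_events(ndjson))


if __name__ == "__main__":
    for zone, info in summarize().items():
        print(f"{zone}: {info['count']} blocked from {', '.join(info['ips'])}")
```

A sudden jump in one zone's count, or many distinct addresses behind a single zone, is the signal worth alerting on; the '(no zone)' bucket tells you how many blocks still carry no zone attribution.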

Delegated flow updates

Delegated flows now include a Caller input field. This allows you to pass more information to a flow that was called from another Okta product. For example, the requestID from Access Requests is now passed to the delegated flow. See Build a delegated flow.

Early Access

SHA-256 digest algorithm support

Okta now supports SHA-256 as the digest algorithm for the signed SAML AuthnRequests that it sends to external IdPs (the hash used in the request's XML signature).
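To confirm which algorithms a request actually carries, capture the AuthnRequest Okta sends (decoded from its SAML binding) and inspect the XML Signature. The following Python is an added example, not Okta's code: it reads the ds:DigestMethod and ds:SignatureMethod algorithm URIs and flags SHA-1. The sample request is constructed, and its DigestValue and SignatureValue are placeholders, so it is not cryptographically verifiable; only the algorithm identifiers matter for this check.

```python
"""Report the digest and signature algorithms of a signed SAML AuthnRequest.

Added example, not Okta code. SAMPLE_AUTHN_REQUEST is constructed with
placeholder digest and signature values.
"""
import xml.etree.ElementTree as ET
from typing import Dict

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SHA1_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",      # DigestMethod
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",  # SignatureMethod
}

SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_8f1c2" Version="2.0" IssueInstant="2025-12-01T10:00:00Z">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_8f1c2">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""


def signature_algorithms(xml_text: str) -> Dict[str, str]:
    """Return {'digest': URI, 'signature': URI} from the request's XML Signature.

    xml.etree is fine for a request you captured yourself; for XML received
    from an untrusted party, parse with defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    signature = root.find(f"{{{DS_NS}}}Signature")
    if signature is None:
        raise ValueError("AuthnRequest carries no XML Signature")
    digest = signature.find(f".//{{{DS_NS}}}DigestMethod")
    method = signature.find(f".//{{{DS_NS}}}SignatureMethod")
    if digest is None or method is None:
        raise ValueError("Signature lacks DigestMethod or SignatureMethod")
    return {"digest": digest.get("Algorithm", ""), "signature": method.get("Algorithm", "")}


def uses_sha1(xml_text: str) -> bool:
    """True if either the digest or the signature algorithm is SHA-1 based."""
    return any(uri in SHA1_ALGORITHMS for uri in signature_algorithms(xml_text).values())


if __name__ == "__main__":
    algs = signature_algorithms(SAMPLE_AUTHN_REQUEST)
    print(f"digest:    {algs['digest']}")
    print(f"signature: {algs['signature']}")
    print("SHA-1 in use" if uses_sha1(SAMPLE_AUTHN_REQUEST) else "no SHA-1 algorithms")
```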

Device conditions in the Okta account management policy

With this feature, admins can now restrict account management activities such as self-service password resets or new authenticator enrollments with device conditions. Admins can configure Okta account management policy rules with registered and managed devices, or require devices to meet the requirements of a device assurance policy. See Add a rule for enrollment of your first phishing-resistant authenticator.

Governance for Workflows now available in EA

You can now use Okta Identity Governance to manage access to Workflows roles. This helps you ensure that access to Workflows is granted consistently and in compliance with your company's requirements. See Governance for Workflows.

Breached credentials protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.

Breached credentials protection is now available for Federal customers.

Enable custom admin roles for inline and event hooks

The inline hook and event hook framework now supports read and write permissions for custom admin roles. This enhancement gives fine-grained access to manage inline and event hooks that previously required the super admin role. See Role permissions.

Device Assurance for Windows: Virus and threat protection

Admins can now enforce a Device Assurance condition that requires Windows devices using the Chrome browser to have virus and threat protection enabled. This feature strengthens your org's security posture by ensuring that user devices are protected by active antivirus software before granting access.

Detection settings in session protection

Tailor ITP to your org's security priorities to gain control and balance security with a seamless user experience. With new detection settings, you can define which session context changes trigger policy re-evaluations, helping you focus only on what truly matters. See Session protection.

User enumeration prevention enhancement

Admins can now configure which authentication methods users are prompted for when they sign in from an unknown device or browser and trigger enumeration prevention. This enhances org security by adding more protection to sign-in attempts. See General Security.

Improved End-User Settings version 2.0 user interface

End-User Settings version 2.0 has new enhanced user interface elements.

Fixes

  • Group push sometimes failed during deployments. (OKTA-941489)

  • The SCIM 2.0 User update operation sent an empty object when multi-value roles were configured and one of the roles or attributes was undefined or null for the user. (OKTA-945579)

  • When admins created a linked group, no description was displayed. (OKTA-996729)

  • When an import exceeded the app unassignment limit, the Learn More link resulted in an error. Additionally, the App assignment removal limit link incorrectly redirected to the main Assignments tab instead of the Import Safeguard configuration settings. (OKTA-1010606)

  • A misleading error appeared in the System Log when admins selected Refresh Application Data for CSV Directory integrations. The system attempted to download unsupported custom objects, generating an error even though the import completed successfully. (OKTA-1011439)

  • Users who were locked out of their account, had an account in recovery, or had an expired password, saw an Internal Server Error message when they clicked Request activation email. (OKTA-1020121)

  • The MFA Enrollment by User report displayed an "Unexpected response" error when loading the Enrollment by Authenticator Type dynamic chart. (OKTA-1030846)

  • Users with a custom admin role were unable to confirm assignments in Active Directory. (OKTA-1034364)

  • When configuring OIDC identity providers in the Admin Console, admins couldn't set the issuerMode property because it was missing. (OKTA-1035016)

  • Users in Germany who were added to a new app sign-in policy that required biometrics saw an Internal Server Error when they tried to sign in. (OKTA-1036434)

  • Active Directory imports failed with an Incorrect result size error when DirSync was enabled. This occurred because creating a new group in Active Directory generated duplicate entries during the import process. (OKTA-1043592)

  • Sometimes, clicking Retry Selected to retry information tasks incorrectly resulted in a failure. (OKTA-1043901)

  • The expected text when Don't create Okta password was selected on the Finish campaign dialog wasn't displayed. (OKTA-1044068)

  • The Sign-In Widget (third generation) didn't show an error message if users clicked Verify without entering their SMS OTP in the Enter Code field. (OKTA-1056852)

  • DirSync jobs continued to be scheduled for Office 365 instances even after provisioning was disabled. (OKTA-1059506)

  • The state of the Include Groups in RADIUS response checkbox didn't update correctly when RADIUS agents were configured to send multiple group response attributes. (OKTA-1060165)

  • There were several alignment issues on the user profile > Admin roles tab and throughout the Administrators pages. (OKTA-1061753)

  • In the Actions menu on the App sign-in policy page, the description for the Delete action was missing when the action was unavailable. (OKTA-1061865)

  • Customized names for authenticators with multiple enrollments weren't displayed to anonymous users when user enumeration prevention was enabled. (OKTA-1063947)

  • On the App sign-in policy page, the description under Actions > Clone didn't update based on whether or not the policy was shareable. (OKTA-1064678)

  • During a password migration, when a password capture was skipped, the wrong reason for skipping the capture was recorded in the System Log. (OKTA-1068361)

  • On the App sign-in policy page, admins who had custom policy permissions but lacked application permissions couldn't view the app sign-in policy rules. (OKTA-1069119)

  • When an Identity Verification IdP was created with openid, profile, identity_assurance, idv_flow scopes, only the default scopes were sent to the Pushed Authorization Request. (OKTA-1069299)

  • Updates to user entitlements in JDBC applications failed to sync to the remote profile. This occurred when a user was re-imported without any changes to their profile data. (OKTA-1070338)

Okta Integration Network

  • Svix (OIDC) is now available. Learn more.

  • OpenPolicy (SCIM) is now available. Learn more.

  • Coalition Control has a new integration guide.

  • Practising Law Institute (SWA) was updated. (OKTA-1063963)

  • Clearout.io (OIDC) has updated use cases and a new Initiate login URI. Learn more.

  • Svix now supports Universal Logout.

  • Harmony SASE (SCIM) has been updated with new regions.

Preview Features

New System Log objects for security.request.blocked events

The System Log now displays the following IpDetails objects for dynamic and enhanced dynamic zones:

  • Operator indicates whether the type is VPN or Proxy
  • Type includes values like VPN, Proxy, and Tor
  • IsAnonymous indicates if the proxy is anonymous

These objects move risk and behavior telemetry out of string-only keys in the debug context and into dedicated, structured fields in the security context event. This change improves risk visibility and eliminates the need for string parsing.

Workday supports incremental imports

Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports.

Same-device enrollment for Okta FastPass

On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.
  • Users no longer need to enter their org URL during enrollment.
  • The enrollment flow has fewer steps.

This feature is supported on Android, iOS, and macOS devices.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.

Application Entitlement Policy

Admins can now override attribute mapping when assigning apps to individuals or groups. You can also revert attributes to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

End-user setting for nicknaming factors

End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the end-user documentation. This is a self-service feature.

Content security policy enforcement on end-user pages

Content security policy is now enforced on the non-customizable end-user pages of orgs with custom domains. Content Security Policy headers provide an additional layer of security that helps to detect and mitigate attacks such as cross-site scripting and data injection by telling the browser which actions and resource sources the page is allowed to use. We already had a policy enforced on our admin pages from last year and in report-only mode for end-user pages. We plan that future iterations of our Content Security Policy enforcement for end-user pages will become stricter than this first release.

This feature will be gradually made available to all orgs.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints:

Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the app's assurance policy. After the assurance requirements are met, the user is signed directly in to the app.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your app requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the app, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the app.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error prone and time consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and to devices that lack web browsers. The device displays a short code and a verification URL; the user completes sign-in on a secondary device, such as a laptop or mobile phone, while the constrained device polls Okta for its tokens.
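The exchange described above, as an added example that is not part of the original page or Okta's code: a minimal in-memory authorization server and device client in Python walking through the Device Authorization grant (RFC 8628), including the authorization_pending, slow_down and expired_token responses the device must handle while polling. The client ID, verification URI, lifetimes and codes are constructed; a real device talks to the org's HTTPS device authorization and token endpoints.

```python
"""Device Authorization grant (RFC 8628) with both sides in one process.

Added example, not Okta code. The client ID, verification URI and lifetimes are
constructed; the fake clock replaces real sleeping so the run is deterministic.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


@dataclass
class DeviceAuth:
    device_code: str
    user_code: str
    client_id: str
    expires_at: float
    approved_by: Optional[str] = None
    last_poll: Optional[float] = None


class FakeClock:
    """Deterministic clock: the scenario advances time explicitly instead of sleeping."""
    def __init__(self, start: float = 1000.0) -> None:
        self.t = start
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


class AuthorizationServer:
    def __init__(self, clock: Callable[[], float], lifetime: int = 600, interval: int = 5) -> None:
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self._by_device: Dict[str, DeviceAuth] = {}
        self._by_user: Dict[str, DeviceAuth] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Device authorization endpoint: a long device_code to poll with, a short user_code to type."""
        auth = DeviceAuth(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}",
            client_id=client_id,
            expires_at=self.clock() + self.lifetime,
        )
        self._by_device[auth.device_code] = auth
        self._by_user[auth.user_code] = auth
        return {"device_code": auth.device_code, "user_code": auth.user_code,
                "verification_uri": "https://example.okta.com/activate",  # constructed
                "expires_in": self.lifetime, "interval": self.interval, "scope": scope}

    def approve(self, user_code: str, subject: str) -> bool:
        """The user, signed in on a phone or laptop, enters the user_code shown by the device."""
        auth = self._by_user.get(user_code.upper())
        if auth is None or self.clock() > auth.expires_at:
            return False
        auth.approved_by = subject
        return True

    def token(self, client_id: str, device_code: str, grant_type: str = DEVICE_GRANT) -> dict:
        """Token endpoint: the device polls here until approval, expiry, or an error."""
        auth = self._by_device.get(device_code)
        if grant_type != DEVICE_GRANT or auth is None or auth.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > auth.expires_at:
            del self._by_device[device_code]
            return {"error": "expired_token"}
        if auth.last_poll is not None and now - auth.last_poll < self.interval:
            auth.last_poll = now  # polled too fast: the device must back off
            return {"error": "slow_down"}
        auth.last_poll = now
        if auth.approved_by is None:
            return {"error": "authorization_pending"}
        del self._by_device[device_code]  # a device_code is single-use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "sub": auth.approved_by}


def run_scenario() -> List[Tuple[str, object]]:
    """Drive one grant end to end; returns what the device sees at each step."""
    clock = FakeClock()
    server = AuthorizationServer(clock, lifetime=600, interval=5)
    codes = server.device_authorization("tv-app", "openid profile")

    def poll() -> dict:
        return server.token("tv-app", codes["device_code"])

    steps: List[Tuple[str, object]] = [("device_authorization", "codes issued")]
    steps.append(("poll", poll()["error"]))  # nobody has approved yet
    clock.advance(1)
    steps.append(("poll", poll()["error"]))  # sooner than the 5 s interval
    clock.advance(10)
    steps.append(("approve", server.approve(codes["user_code"], "alice@example.com")))
    result = poll()
    steps.append(("poll", "access_token" if "access_token" in result else result["error"]))
    steps.append(("poll", poll()["error"]))  # device_code already consumed
    return steps


if __name__ == "__main__":
    for step, outcome in run_scenario():
        print(f"{step:22s} -> {outcome}")
```

The two security properties to notice are that the user_code is bound to the client that requested it, so a code phished out of a victim only helps an attacker who also holds the matching device_code, and that the device_code is consumed on first successful exchange and rejected afterwards.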
