Okta Identity Engine release notes (Preview)

Version: 2025.08.0

August 2025

Generally Available

Device assurance OS version updates

The following OS versions are now supported in device assurance policies:

  • iOS (18.6)
  • macOS (13.7.7, 14.7.7, 15.6)

New password expiration message

The Breached Credentials Protection feature now displays a more intuitive error message to users whose passwords have expired.

New user profile permission

The Create new role and Edit role pages now have the View users' profile attributes permission. This permission grants admins read-only access to user profile attributes. See Role permissions.

Authentication policy UI updates

UI enhancements have been made to the authentication policies pages. Merge, clone, and delete tasks are now on the Authentication Policies page, among other enhancements. This improves navigation and user experience. See Authentication policies.

Okta Provisioning agent, version 3.0.2

Okta Provisioning agent 3.0.2 is now available. This release of the Okta Provisioning agent uses OAuth 2.0 for authorization and OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to securely communicate with Okta. Agents are now registered through the OAuth 2.0 device registration flow and operate independently from the account used to register them. This release also uses UTC time as the default for meta.lastModified timestamps and includes security enhancements and bug fixes. See Okta Provisioning Agent and SDK version history.

New option to clear "keep me signed in"

When revoking a user's IdP sessions and refresh tokens in the Clear sessions and revoke tokens dialog, admins can now choose whether or not to use the Clear "keep me signed in" option.

Okta Active Directory agent, version 3.21.0

This release includes general enhancements, branding updates, and bug fixes. See Okta Active Directory agent version history.

Identity provider validation

Okta now validates identity providers (IdPs) when admins create IdP routing rules to ensure that only IdPs used for SSO can be configured.

Define default values for custom user attributes

Admins can now define default values for custom attributes in a user profile. If you set a custom attribute to be unique, then the default value is automatically set to null (as opposed to an empty string). See Add custom attributes to an Okta user profile.

Assigning/revoking an admin role is a protected action

Now when an admin assigns or revokes an admin role from a user, they're prompted for additional authentication. See Protected actions in the Admin Console.

Universal Logout for AMFA orgs

Previously, AMFA orgs couldn't quickly revoke a user's access across all apps. AMFA orgs can now manually trigger Universal Logout from the Admin Console, subject to a rate limit, to revoke a user's access tokens, refresh tokens, and active sessions across all devices. This ensures that all of the user's tokens and sessions are terminated. See Configure Universal Logout.

Updates for groups in the Partner Admin portal

The Partner Admin portal now displays up to 20 groups per page instead of 10. Additionally, if the search query has at least three characters and the contains search feature is turned on, the groups list uses a contains search instead of a starts with search.

Auto-confirm for CSV imports

When Identity Governance is enabled and admins use CSV Import with entitlements, auto-confirm is enabled on exact email matches.

Identity Governance user entitlements import limit increased

The maximum number of user entitlements that can be imported from CSV has been increased to 25,000. See Import user entitlements from CSV.

Okta as an external authentication method for Microsoft Entra ID

Use Okta multifactor authentication (MFA) to satisfy Microsoft Entra ID MFA requirements. This helps users avoid double authentication and provides a seamless experience across Okta and Microsoft 365 apps. See Configure Okta as an external authentication method for Microsoft Entra ID.

Send app context to external IdPs

You can now forward context about an app to an external identity provider (IdP) when a user attempts to access the app. When you enable the Application context checkbox for an IdP, the app name and unique instance ID are included in the SAML or OpenID Connect request sent to the external IdP. This enhancement allows external IdPs to make more informed, context-aware authentication decisions, supporting advanced security scenarios, and Zero Trust environments.

Child Domain Authentication for Office 365 WS-Federation

Office 365 WS-Federation automatic configuration now supports child domain authentication. See Federate multiple Office 365 domains in a single app instance.

Universal Directory map toggle

The new Universal Directory (UD) map toggle enables admins to link a user's email address to their identifier. This allows admins to enable the self-service registration feature. See General Security.

Custom remediation for device assurance

You can now display custom remediation instructions to users when authentication fails due to unsuccessful device posture checks with Okta Verify or Chrome Device Trust. See Configure custom remediation instructions for device assurance.

Custom profile attributes for OIDC apps

Admins can now add custom profile attributes to OIDC apps in JSON format. See Configure profile attributes for OIDC apps.

Breached Credentials Protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.

Web app integrations now mandate the use of the Authorization Code flow

To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See Build a Single Sign-On (SSO) integration.

Early Access

Export Okta Identity Governance reports in PDF format

You can now export Okta Identity Governance reports to PDF. When exporting, you can also select specific columns to include in the report.

Passkeys from Android devices

Okta now accepts passkeys that are generated by Android devices. Okta associates these passkeys with trusted web domains to enable users to authenticate with them. This expands the number of device types that Okta supports for passkey use. See Configure the FIDO2 (WebAuthn) authenticator.

Custom FIDO2 AAGUID

Customers can add non-FIDO Metadata Service (MDS) security keys and other authenticators and have more granular control over them. This extends FIDO2 (WebAuthn) authenticator support to a wider range of security keys and other authenticators, which gives customers greater flexibility and control over the security in their environment.

Provisioning for Oracle Human Capital Management

Provisioning is now available for the Oracle Human Capital Management app integration. When you provision the app, you can enable security features like Entitlement Management, Privileged Access, and more. See Oracle Human Capital Management.

Temporary Access Code authenticator

The Temporary Access Code (TAC) authenticator allows admins to generate temporary codes that let users authenticate in onboarding, account recovery, and other temporary access scenarios. This authenticator enhances security in these scenarios by granting users access to their orgs without having to use their usual authenticators. See Configure the temporary access code authenticator.

Associated domains

Associated domains let you build a trust relationship among your app, the referring domain, the user's credentials that are associated with that domain, and your brand in Okta. This feature makes it easier to adopt phishing-resistant authenticators, like passkeys in the FIDO2 (WebAuthn) authenticator. See Configure associated domains.

System Log event for Identity Assertion Authorization Grant (ID-JAG) issuance

The app.oauth2.token.grant.id_jag event is generated when an app completes an OAuth 2.0 token exchange to get an Identity Assertion Authorization Grant (ID-JAG) JWT.

Unified claims generation for custom apps

Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.

Governance delegates

Super admins and users can assign another user as a delegate to complete governance tasks for them. Governance tasks include access certification campaign review items and access request approvals, questions, and other tasks. After a delegate is specified, all future governance tasks (access request approvals and access certification reviews) are assigned to the delegate instead of the original approver or reviewer. This helps ensure that governance processes don't stall when approvers are unavailable or tasks need to be rerouted to a different stakeholder for a long period. It also reduces the time spent reassigning requests and reviews manually. See Governance delegates.

Multiple active IdP signing certificates

Okta now supports multiple active signing certificates for a single SAML identity provider (IdP), enabling seamless certificate rotation with zero downtime. Admins can upload up to two certificates per IdP connection. This improvement eliminates the need for tightly coordinated swaps with IdP partners and reduces the risk of authentication failures due to expired certificates. The feature is available for both the Admin Console and the IdP Certificates API.

Device signal collection policy

With the new device signal collection policy, admins can override Okta default behavior and specify how Okta must collect device data, which is then used to evaluate authentication policies. See Create device signal collection rules.

JSON Web Encryption of OIDC ID Tokens

You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.

App Switcher for Okta first-party apps

The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.

Device Logout

Device Logout allows admins to sign users out of devices that are protected by Desktop MFA. Admins can perform device sign out from the user's risk profile. If your org has Identity Threat Protection with Okta AI, you can configure an entity risk policy to automatically trigger a sign-out action. If a user is deactivated or suspended, Okta automatically signs the user out from all devices that are protected with Desktop MFA. See Sign users out of devices.

Cross App Access

Admins can now manage third-party app data sharing with the new Cross App Access feature in the Okta Admin Console. This feature moves complex consent processes away from end-users, enhancing security and streamlining the experience. Once configured, end users can access their data from other SaaS apps without navigating OAuth consent flows. See Configure Cross App Access.

Fixes

  • When an admin performed an incremental import using the Okta Provisioning agent, the last.modified timestamp was in the local time zone rather than the expected UTC. (OKTA-908307)

  • Admins couldn't always reactivate an app, even when there were active instances of that same app. (OKTA-944775)

  • After a reviewer approved or revoked a review item, the value for the campaignItemRemediationStatus System Log event incorrectly displayed NONE. (OKTA-950851)

  • When conditions were removed from a groups resource, admins who were assigned the resource set couldn't add groups. (OKTA-961708)

  • When enrolling in Okta, users in orgs with specific Access Control settings were shown incorrect authenticators. (OKTA-963136)

  • When a user selected the Remind me later option in an org that allowed grace periods and then accessed an app, an error sometimes appeared. (OKTA-964324)

  • When users accessed an app after signing in to Classic Engine, their session was overridden if they subsequently accessed an app after signing in to Identity Engine. (OKTA-968179)

  • In the Partner Admin Portal, some pages took longer than expected to load or refresh. (OKTA-976067)

  • On the Edit role page, the Role description field displayed the Role name value. (OKTA-984100)

  • In orgs with the Breached Credentials Protection feature enabled, the wrong password expiration date was displayed to some users. (OKTA-984104)

  • When an admin assigned a group to an app, the resulting System Log event was incomplete. (OKTA-985709)

  • When accessing the Edit User Attributes page for a given user in the Partner Admin Portal, the screen didn't show the form when an enum array property was in the user schema, but not present in the user profile. (OKTA-986528)

Weekly Updates

2025.08.1: Update 1 started deployment on August 14

Generally Available

Device assurance OS version updates

The following OS versions are now supported in device assurance policies:

  • Android 13, 14, 15, 16 security patch 2025-08-01

Desktop MFA recovery for Windows

This release enhances the Desktop MFA feature on Windows to include an admin-assisted recovery path. If a user is locked out of their Windows device, an admin can now issue a time-based recovery PIN. This grants the user temporary access to their computer without needing their primary MFA device, enabling them to resolve their authenticator issue and sign in successfully. See Enable Desktop MFA recovery for Windows.

Fixes

  • When an admin edited a resource set, the event didn't appear in the Admin changes section on the Administrators page. (OKTA-817804)

  • Admins couldn't publish customized sign-in and error pages, and some users saw default sign-in and error pages instead of previously published customized ones. (OKTA-838267)

  • An error was intermittently returned when attempting to add a new sign-in redirect URI to an existing OIDC app. (OKTA-892769)

  • Notification emails for AD and LDAP agent upgrades included sections for updated agents when none existed. (OKTA-958346)

  • Okta didn't migrate customer-provided certificates to Okta-managed ones. (OKTA-959003)

  • Custom admins with privileges for customizing domains didn't see the Edit menu item on the Domains tab of a brand page. (OKTA-974191)

  • Some users couldn't reset their passwords when they were enrolled in more than two authenticators, and User Enumeration Prevention for Recovery and an Okta account management policy were enabled in their org. (OKTA-981374)

  • The App sign-in tile was smaller than the other tiles on the Authentication policies page. (OKTA-987744)

  • In the Partner Admin Portal, the enum array fields on the Edit User Attributes page failed to load initial values from the user's profile. (OKTA-988096)

  • When LDAP instances were either deactivated or reactivated, the associated LDAP agents remained in their current state. (OKTA-990260)

  • The LDAP interface app showed an Okta IP address instead of the requester's original IP address, leading to authentication failure. (OKTA-991371)

  • In the Partner Admin Portal, the side navigation text loaded before the main content of the page. This caused a visual issue where the text appeared to leak before a user was fully authenticated. (OKTA-991510)

  • Some users who enabled the Early Access feature Unified claims generation for Okta-protected SAML and OIDC custom app integrations saw an error when they tried to add custom claims to an app integration. (OKTA-997102)

  • An error message appeared to super admins when they tried to configure the custom OTP authenticator, and the authenticator didn't appear on the Authenticators page. (OKTA-997916)

Okta Integration Network

  • Prowler (Prowler SaaS) has a new display name.

  • Ethos has a new Redirect URI.

  • Prowler Cloud (SAML) is now available. Learn more.

  • 1VALET was updated.

  • Adobe Enterprise (SWA) was updated.

  • Adobe (SWA) was updated.

  • Apple store for Business (SWA) was updated.

  • Paycor (SWA) was updated.

  • National Car Rental (SWA) was updated.

  • Marriott Hotels (SWA) was updated.

  • Desana has a new icon.

  • Console (OIDC) has a new redirect URI and icon. Learn more.

  • FORA was updated.

  • Approveit (SAML) is now available. Learn more.

  • Bing Webmaster (SWA) was updated.

  • Reward Builder is now available. Learn more.

  • Staircase AI (SCIM) now supports the EU region.

Preview Features

Authentication policy UI updates

UI enhancements have been made to the authentication policies pages. Merge, clone, and delete tasks are now on the Authentication Policies page, among other enhancements. This improves navigation and user experience. See Authentication policies.

New option to clear "keep me signed in"

When revoking a user's IdP sessions and refresh tokens in the Clear sessions and revoke tokens dialog, admins can now choose whether or not to use the Clear "keep me signed in" option.

Increased maximum displayed group membership count

The membership count that appears on the groups page for very large groups now maxes out at 1M+. Click this number to view the exact count, which is cached for two hours. See View group members.

LDAP Interface OIDC app

LDAP Interface now has an application session policy that enforces only a password. This applies only to Okta orgs without a prior LDAP Interface setup. For orgs with an existing LDAP Interface setup, global session policies still control LDAP Interface authentication. See Set up and manage the LDAP Interface.

Okta as an external authentication method for Microsoft Entra ID

Use Okta multifactor authentication (MFA) to satisfy Microsoft Entra ID MFA requirements. This helps users avoid double authentication and provides a seamless experience across Okta and Microsoft 365 apps. See Configure Okta as an external authentication method for Microsoft Entra ID.

Send app context to external IdPs

You can now forward context about an app to an external identity provider (IdP) when a user attempts to access the app. When you enable the Application context checkbox for an IdP, the app name and unique instance ID are included in the SAML or OpenID Connect request sent to the external IdP. This enhancement allows external IdPs to make more informed, context-aware authentication decisions, supporting advanced security scenarios, and Zero Trust environments.

App Switcher for Okta first-party apps

The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.

Universal Directory map toggle

The new Universal Directory (UD) map toggle enables admins to link a user's email address to their identifier. This allows admins to enable the self-service registration feature. See General Security.

Custom remediation for device assurance

You can now display custom remediation instructions to users when authentication fails due to unsuccessful device posture checks with Okta Verify or Chrome Device Trust. See Configure custom remediation instructions for device assurance.

Workday supports incremental imports

Workday can now run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports.

Breached Credentials Protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.

Same-device enrollment for Okta FastPass

On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.

  • Users no longer need to enter their org URL during enrollment.

  • The enrollment flow has fewer steps.

This feature is supported on Android, iOS, and macOS devices.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.

Application Entitlement Policy

Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

End-user setting for nicknaming factors

End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the End-User documentation. This is a self-service feature.

Content security policy enforcement on end-user pages

Content security policy is now enforced for end-user pages on orgs with custom domains, on non-customizable pages. Content Security Policy headers provide an additional layer of security that helps detect attacks such as cross-site scripting and data injection by telling browsers which actions the webpage is allowed to execute. A policy has been enforced on admin pages since last year, and it was previously in report-only mode for end-user pages. Future iterations of Content Security Policy enforcement for end-user pages are planned to become stricter than this first release.

This feature will be gradually made available to all orgs.
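Before a report-only policy is switched to enforcement, the practical question is which resource loads on the page would start being blocked. The following Python is an added example, not Okta's code or Okta's actual headers: it parses a CSP header into directives (with the default-src fallback and the rule that 'unsafe-inline' is ignored once a nonce or hash source is present) and diffs a permissive Report-Only policy against an intended enforced policy over a constructed list of resource loads. The two headers, the page origin login.example.com, the CDN host and the loads are all assumptions made up for illustration.

```python
"""Content-Security-Policy evaluator: an added example, not Okta's code.

Parses a CSP header, decides whether a resource load is allowed, and diffs a
Report-Only policy against the policy to be enforced. The headers, page origin
and resource loads below are constructed; they are not Okta's real policies.
"""
from urllib.parse import urlsplit

# Constructed sample headers (assumptions, not Okta's real policies).
REPORT_ONLY = "default-src *; script-src * 'unsafe-inline'"
ENFORCED = ("default-src 'self'; "
            "script-src 'self' https://cdn.example.com 'nonce-r4nd0m'; "
            "object-src 'none'; base-uri 'self'; report-uri /csp-report")

# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "frame-src", "media-src", "object-src"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Return {directive: [source expressions]}; a repeated directive is ignored."""
    policy = {}
    for serialized in header.split(";"):
        tokens = serialized.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources governing `directive`, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def host_source_matches(source, target):
    """Match a host-source such as https://cdn.example.com or *.example.com."""
    pattern = urlsplit(source if "://" in source else "//" + source)
    if pattern.scheme and pattern.scheme != target.scheme:
        return False
    phost, thost = pattern.hostname or "", target.hostname or ""
    if phost.startswith("*."):
        if not thost.endswith(phost[1:]):
            return False
    elif phost != thost:
        return False
    # Simplification: an explicit port in the source must match exactly.
    return pattern.port is None or pattern.port == target.port


def allows(policy, directive, page_origin, url=None, nonce=None):
    """True if an inline resource (url=None) or the resource at `url` is permitted."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True  # the policy is silent on this directive
    if sources == ["'none'"]:
        return False
    if url is None:  # inline script or style
        if nonce and f"'nonce-{nonce}'" in sources:
            return True
        # Browsers ignore 'unsafe-inline' once any nonce or hash source is present.
        hardened = any(s.startswith(NONCE_OR_HASH) for s in sources)
        return "'unsafe-inline'" in sources and not hardened
    target, page = urlsplit(url), urlsplit(page_origin)
    for src in sources:
        if src == "'self'":
            if (target.scheme, target.netloc) == (page.scheme, page.netloc):
                return True
        elif src == "*":
            if target.scheme in ("http", "https", "ws", "wss"):
                return True
        elif src.endswith(":") and not src.startswith("'"):
            if target.scheme == src[:-1]:  # scheme-source such as https:
                return True
        elif not src.startswith("'") and host_source_matches(src, target):
            return True
    return False


def cutover_breakage(report_only_header, enforced_header, page_origin, loads):
    """Loads that pass the Report-Only policy but the enforced one would block."""
    ro, enforced = parse_csp(report_only_header), parse_csp(enforced_header)
    return [(directive, kwargs) for directive, kwargs in loads
            if allows(ro, directive, page_origin, **kwargs)
            and not allows(enforced, directive, page_origin, **kwargs)]


# Constructed resource loads seen on a sign-in page at this assumed origin.
PAGE_ORIGIN = "https://login.example.com"
OBSERVED_LOADS = [
    ("script-src", {"url": "https://cdn.example.com/app.js"}),
    ("script-src", {}),                                   # inline script, no nonce
    ("script-src", {"nonce": "r4nd0m"}),                  # inline script with nonce
    ("img-src", {"url": "https://cdn.example.com/logo.png"}),
    ("object-src", {"url": "https://login.example.com/legacy.swf"}),
]

if __name__ == "__main__":
    for directive, kwargs in cutover_breakage(REPORT_ONLY, ENFORCED, PAGE_ORIGIN, OBSERVED_LOADS):
        print("would be blocked after cut-over:", directive, kwargs)
```

Run against the constructed loads, the diff reports the un-nonced inline script, the image served from the CDN (caught by default-src 'self') and the plugin object (object-src 'none'); the nonced inline script and the CDN script pass both policies. The same evaluator can be fed real Report-Only violation reports to size the impact of a stricter release before it ships.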

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints.

Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
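The security.threat.detected events described above and under Descriptive System Log events carry a reason and an outcome, which is what a SOC needs in order to tell log-mode observations from actual blocks and to decide which source IPs deserve a blocklist network zone. The following Python is an added example, not Okta code: it groups threat events from a constructed System Log export by source IP inside a sliding window, lists the reasons, flags IPs that were only logged, and checks whether any flagged IP later signed in successfully. The field paths used (eventType, published, outcome.result, outcome.reason, client.ipAddress) are standard System Log fields, but the sample events, the reason strings other than Negative IP Reputation, and the assumption that block mode records DENY are made up for illustration.

```python
"""Triage of Okta ThreatInsight System Log events: an added example, not Okta code.

Groups security.threat.detected events by source IP inside a sliding window,
reports the reasons ThreatInsight attached, flags IPs that were only logged
rather than blocked, and checks whether any flagged IP went on to sign in.
The events below are constructed; the exact reason strings and outcome values
are assumptions for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one JSON event per line (not from a real org).
SAMPLE_LOG = """\
{"eventType":"security.threat.detected","published":"2025-08-14T10:00:00.000Z","outcome":{"result":"DENY","reason":"Negative IP Reputation"},"client":{"ipAddress":"203.0.113.10"}}
{"eventType":"security.threat.detected","published":"2025-08-14T10:00:30.000Z","outcome":{"result":"DENY","reason":"Password Spray"},"client":{"ipAddress":"203.0.113.10"}}
{"eventType":"security.threat.detected","published":"2025-08-14T10:01:00.000Z","outcome":{"result":"ALLOW","reason":"Negative IP Reputation"},"client":{"ipAddress":"198.51.100.7"}}
{"eventType":"user.session.start","published":"2025-08-14T10:01:10.000Z","outcome":{"result":"SUCCESS"},"client":{"ipAddress":"198.51.100.7"}}
{"eventType":"security.threat.detected","published":"2025-08-14T10:02:00.000Z","outcome":{"result":"ALLOW","reason":"Negative IP Reputation"},"client":{"ipAddress":"198.51.100.7"}}
{"eventType":"security.threat.detected","published":"2025-08-14T12:00:00.000Z","outcome":{"result":"DENY","reason":"Password Spray"},"client":{"ipAddress":"203.0.113.10"}}
"""


def parse_events(text):
    """Yield one event dict per non-empty line of a newline-delimited JSON export."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def published_at(event):
    # System Log timestamps are ISO 8601 in UTC; older Pythons reject a bare "Z".
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def triage(events, window=timedelta(minutes=10), threshold=2):
    """Return {ip: summary} for IPs with >= threshold threat events inside `window`."""
    by_ip = defaultdict(list)
    for event in events:
        if event.get("eventType") == "security.threat.detected":
            by_ip[event["client"]["ipAddress"]].append(event)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=published_at)
        peak, start = 0, 0
        for end in range(len(evs)):          # sliding window over sorted events
            while published_at(evs[end]) - published_at(evs[start]) > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = {
                "peak_in_window": peak,
                "total": len(evs),
                "reasons": sorted({e["outcome"].get("reason", "") for e in evs}),
                # Assumption: block mode records DENY; anything else was only logged.
                "logged_only": any(e["outcome"].get("result") != "DENY" for e in evs),
            }
    return findings


def successful_signins_from_flagged(events, findings):
    """Count successful user.session.start events from IPs that triage flagged."""
    hits = defaultdict(int)
    for event in events:
        ip = event.get("client", {}).get("ipAddress")
        if (ip in findings and event.get("eventType") == "user.session.start"
                and event.get("outcome", {}).get("result") == "SUCCESS"):
            hits[ip] += 1
    return dict(hits)


if __name__ == "__main__":
    events = list(parse_events(SAMPLE_LOG))
    flagged = triage(events)
    for ip, summary in flagged.items():
        print(ip, summary)
    print("signed in after being flagged:", successful_signins_from_flagged(events, flagged))
```

On the constructed sample, 203.0.113.10 is flagged with two reasons and was blocked every time, while 198.51.100.7 was only logged and then started a session successfully, which is the case worth escalating when an org runs ThreatInsight in log mode. In production the same functions would be fed the output of the System Log API with an eventType filter rather than an inline string.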

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application.

Choose additional filters for Office 365 sign-on policy

Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices.
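The grant works by splitting the secret the device polls with (the device code) from the short code the user types on a phone or laptop (the user code), and by having the device poll the token endpoint until the user decides. The following Python is an added example, not Okta's implementation: a toy in-memory authorization server and an input-constrained client play out the full RFC 8628 exchange, including the user approving or denying on a secondary device and the standard polling errors (authorization_pending, slow_down, access_denied, expired_token). The client ID smart-tv-client, the verification URI, the user identity and the token format are assumptions, and a fake clock is used so the flow runs instantly.

```python
"""OAuth 2.0 Device Authorization Grant (RFC 8628) walk-through.

Added example, not Okta's implementation: a toy in-memory authorization server
and an input-constrained client play out the whole exchange. Client IDs, the
verification URI, the user identity and the token format are assumptions.
"""
import secrets
import time
from dataclasses import dataclass

# RFC 8628 section 6.1 suggests a small alphabet without vowels or look-alikes.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    device_code: str      # long and secret: known only to the polling device
    user_code: str        # short: typed by the user on a phone or laptop
    expires_at: float
    interval: int
    last_poll: float = 0.0
    status: str = "pending"   # pending | approved | denied
    subject: str = ""


class AuthorizationServer:
    def __init__(self, clock=time.time, lifetime=600, interval=5):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self.by_device_code, self.by_user_code = {}, {}

    def device_authorization(self, client_id, scope):
        """Device authorization endpoint: the device obtains device_code and user_code."""
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        grant = DeviceGrant(client_id, scope, secrets.token_urlsafe(32), user_code,
                            self.clock() + self.lifetime, self.interval)
        self.by_device_code[grant.device_code] = grant
        self.by_user_code[user_code] = grant
        return {"device_code": grant.device_code,
                "user_code": f"{user_code[:4]}-{user_code[4:]}",
                "verification_uri": "https://idp.example.com/device",  # assumed
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decides(self, typed_code, subject, approve):
        """The user, already signed in on a second device, enters the code."""
        grant = self.by_user_code.get(typed_code.replace("-", "").upper())
        if grant is None or grant.status != "pending" or self.clock() > grant.expires_at:
            return False   # unknown, reused or expired code: tell the user, not the device
        grant.status, grant.subject = ("approved" if approve else "denied"), subject
        return True

    def _forget(self, grant):
        self.by_device_code.pop(grant.device_code, None)
        self.by_user_code.pop(grant.user_code, None)

    def token(self, client_id, device_code):
        """Token endpoint, grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        grant = self.by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > grant.expires_at:
            self._forget(grant)
            return {"error": "expired_token"}
        if now - grant.last_poll < grant.interval:
            grant.interval += 5        # section 3.5: the client must add 5 s after slow_down
            grant.last_poll = now
            return {"error": "slow_down"}
        grant.last_poll = now
        if grant.status == "pending":
            return {"error": "authorization_pending"}
        self._forget(grant)           # a device code is single use, whatever the outcome
        if grant.status == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "scope": grant.scope, "sub": grant.subject}


class FakeClock:
    """Deterministic clock so the exchange runs instantly and reproducibly."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def run_flow(decision):
    """Scripted exchange; decision is 'approve', 'deny' or 'ignore' (user never acts)."""
    clock = FakeClock()
    server = AuthorizationServer(clock=clock)
    client_id = "smart-tv-client"      # assumed public client
    grant = server.device_authorization(client_id, "openid profile")
    seen = []

    def poll():
        response = server.token(client_id, grant["device_code"])
        seen.append("token" if "access_token" in response else response["error"])

    poll()                       # user has not acted yet -> authorization_pending
    clock.advance(1); poll()     # polled inside the interval -> slow_down
    clock.advance(10)
    if decision == "ignore":
        clock.advance(server.lifetime)   # user walks away; the grant expires
    else:
        server.user_decides(grant["user_code"], "alice@example.com", decision == "approve")
    poll()
    return seen
```

Two properties carry the security of the flow and are visible in the code: the user code is short enough to type but is only ever exchanged for the long device code on the server side, so guessing a user code on the verification page must additionally be rate limited; and a device code is consumed on the first terminal answer, so a code that was approved cannot be redeemed twice and a denied or expired one is gone.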