Okta Identity Engine release notes (Preview)

Generally Available

Version: 2026.05.0

Workday entitlement management

Admins can now manage entitlements for Workday app instances on Okta. This feature allows for the discovery and governance of user-based security groups to enable automated access requests and certifications.

Report exports

You can now choose between CSV and GZIP export formats when generating the following reports:

  • Okta usage
  • Application usage
  • MFA usage

Dynamic attribute updates for Smart Card authentication

Smart Card authentication now supports real-time attribute updates during Just-In-Time (JIT) provisioning. User profiles stay current because identity attributes are synchronized directly from the PIV/CAC card at the time of authentication.

Secure SaaS and Okta Service Accounts

Manage and secure passwords for SaaS app service accounts and Okta service accounts with Okta Privileged Access. You can now assign new Service Accounts permissions to custom roles to delegate service account management duties to non-super admins. See Manage service accounts and Role permissions.

Slack resource server connector

You can now use the Slack resource server connector to create resource connections between Slack and an AI agent. See Configure resource server connectors.

Session retention after user password changes

When users change their password and select Sign me out of all other devices, Okta now retains their current session after their other active sessions are revoked.

System Log event for unconfigured identifiers

When JIT is enabled for Active Directory and a user authenticates with an unconfigured identifier, the event now appears in the System Log.

System Log event for DirSync imports

When Active Directory agent compatibility is verified for DirSync-based imports, the event now appears in the System Log.

New System Log fields for matched network zones

Okta now includes richer network zone match information in System Log events. When a request is blocked by a network zone (security.request.blocked) or evaluated against a sign-on policy (policy.evaluate_sign_on), the System Log now surfaces the names and IDs of all matched network zones, across IP zones, Dynamic Network Zones (DNZ), and Enhanced Dynamic Network Zones (EDNZ), through new ZoneIdMatch and ZoneNameMatch fields. Up to 10 matched zones are reported per event.

These new fields provide more granular and structured network zone context than the existing Client.Zone field. This gives admins and security teams precise, actionable detail for blocked requests and policy evaluations, making SIEM investigations and audit reviews significantly easier. See Troubleshoot network zone issues using System Log.

SHA-256 digest algorithm support

Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.
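Whether the SHA-256 setting is actually in effect is something the receiving IdP (or anyone capturing the request) can check without verifying the signature: the algorithm identifiers travel in the request itself. The following added example is not Okta's code and does not verify the XML signature (that needs a library such as xmlsec); it only inspects the algorithm URIs, which is enough to reject requests that still use SHA-1. For the POST binding the digest algorithm is the ds:DigestMethod inside the enveloped signature; for the HTTP-Redirect binding there is no separate digest, the SigAlg query parameter names the whole signature algorithm. The AuthnRequest documents and query strings below are constructed samples with placeholder digest and signature values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Algorithm identifiers from XML-DSig and RFC 6931.
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
WEAK = {SHA1_DIGEST, RSA_SHA1}


def signature_algorithms(authn_request_xml):
    """Digest and signature algorithm URIs from the enveloped ds:Signature of a
    POST-binding AuthnRequest; (None, None) if the request carries no signature."""
    root = ET.fromstring(authn_request_xml)
    sig = root.find(f"{{{DS_NS}}}Signature")  # enveloped signature is a direct child
    if sig is None:
        return None, None
    digest = sig.find(f".//{{{DS_NS}}}DigestMethod")
    method = sig.find(f".//{{{DS_NS}}}SignatureMethod")
    return (digest.get("Algorithm") if digest is not None else None,
            method.get("Algorithm") if method is not None else None)


def check_post_binding(authn_request_xml):
    """Policy findings for a POST-binding request; an empty list means it passes."""
    digest, method = signature_algorithms(authn_request_xml)
    if digest is None and method is None:
        return ["AuthnRequest is not signed"]
    findings = []
    for label, uri in (("DigestMethod", digest), ("SignatureMethod", method)):
        if uri is None:
            findings.append(f"{label} missing from ds:Signature")
        elif uri in WEAK:
            findings.append(f"{label} {uri} is SHA-1 based")
    return findings


def check_redirect_binding(query_string):
    """HTTP-Redirect binding: the algorithm is the SigAlg query parameter and the
    signature covers SAMLRequest, RelayState and SigAlg, so no DigestMethod exists."""
    params = parse_qs(query_string)
    sigalg = params.get("SigAlg", [None])[0]
    if sigalg is None or "Signature" not in params:
        return ["redirect request is not signed"]
    return [f"SigAlg {sigalg} is SHA-1 based"] if sigalg in WEAK else []


def _sample_request(digest_uri, sig_uri):
    """Constructed AuthnRequest; digest and signature values are placeholders."""
    return f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2026-05-01T00:00:00Z" Destination="https://idp.example.com/sso">
  <saml:Issuer>https://example.okta.com</saml:Issuer>
  <ds:Signature xmlns:ds="{DS_NS}">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_uri}"/>
      <ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="{digest_uri}"/>
        <ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""


SHA256_REQUEST = _sample_request(SHA256_DIGEST, RSA_SHA256)
SHA1_REQUEST = _sample_request(SHA1_DIGEST, RSA_SHA1)
UNSIGNED_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                    'ID="_r2" Version="2.0" IssueInstant="2026-05-01T00:00:00Z"/>')

if __name__ == "__main__":
    print("SHA-256 request:", check_post_binding(SHA256_REQUEST))
    print("SHA-1 request:  ", check_post_binding(SHA1_REQUEST))
    print("unsigned:       ", check_post_binding(UNSIGNED_REQUEST))
```

Run the POST-binding check against a request captured from the browser (the SAMLRequest form field, base64-decoded) after switching the Okta IdP setting, and the redirect check against the raw query string. Both checks deliberately treat a missing signature as a finding, since an unsigned request silently passes any algorithm policy.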

Updated default settings for Passkey (FIDO2 WebAuthn) authenticator

The configuration for WebAuthn authenticators defaults to preferred user verification for all orgs and defaults to passkeys for new orgs. These updates reduce manual configuration, ensure a seamless enrollment process, and provide a more reliable sign-in experience for users across various devices.

DirSync group imports for Active Directory

For Active Directory (AD) integrations, the Provisioning tab now provides an Enable imports with AD using DirSync checkbox. When you enable the checkbox, admins can perform incremental group imports using DirSync. See Configure Active Directory import and account settings.

Early Access

Global Token Revocation for third-party and Org2Org IdPs

Okta now supports Global Token Revocation (GTR) for third-party and Org2Org identity providers (IdPs). This feature allows an external IdP to securely trigger Universal Logout, revoking the user's Okta sessions and tokens and signing the user out of the apps that support Universal Logout. See Configure Universal Logout for supported apps.

Redirect federated users to IdPs for reauthentication

Reauthentication at an IdP helps Okta admins secure federated identities by redirecting federated users to their source SAML, OIDC, or Org2Org IdP when a policy requires them to reauthenticate. By forcing reauthentication at the source IdP, admins can close security gaps caused by long-lived sessions and remove the need to configure duplicate MFA enrollment in Okta. See Redirect federated users to IdPs for re-authentication.

Email auto-enrollment and recovery management

Admins can control the automatic enrollment of email as an authenticator and configure email-based password recovery, unlock, and change where email is not an authenticator. See Make email an optional authenticator.

Managed app assurance for Android

The new Device Profile Restriction condition in device assurance policies ensures that Android users can only access protected apps from the same managed work profile where Okta Verify is installed. This prevents access from personal profiles, which reduces the risk of data leaks and improves security posture. See Add a device assurance policy.

Platform SSO password integration with Device-Bound SSO

The Platform SSO password authentication method now integrates with Device-Bound SSO. When a user signs in at the macOS sign-in window, Okta verifies the password factor and creates a device-bound session. Users can then access Okta-protected apps in their browser without additional password prompts. See Platform SSO for macOS and Configure device configuration profiles for PSSO using a generic MDM.

Secure Enclave key support for Platform SSO

Platform SSO now supports a Secure Enclave key-based authentication method that integrates with Device-Bound SSO. When a user authenticates at the macOS sign-in window with their password, the authentication unlocks a hardware-bound cryptographic key stored in the Secure Enclave. Okta uses the key to create a device-bound session that satisfies any authentication policy that requires Okta FastPass with user verification, without repeated MFA prompts. See Platform SSO for macOS and Configure device configuration profiles for Secure Enclave using a generic MDM.

Detect and discover AI agents

Use the Security Access Monitor browser plugin and Okta Identity Security Posture Management (ISPM) to get visibility into new OAuth grants to apps and the resulting shadow AI agent usage in your org. The plugin monitors managed browsers for new OAuth grants to apps and AI agents. ISPM captures the OAuth grant telemetry, analyzes it, and gives you the visibility you need to identify every third-party app that your users authorize. This helps you mitigate risks from shadow OAuth grants and AI agents. After you configure the plugin, you can see all new OAuth grants across your org on the NHIs and AI agents > Browser OAuth Grants page in the ISPM console. See Discover and assess AI agents.

Fixes

  • After an AD Agent was deactivated, its version was displayed in an incorrect format. (OKTA-1117122)

  • Customized error messages weren't displayed to new users when they clicked Forgot password. (OKTA-1118986)

  • Some users couldn't sign in if the global session policy that applied to them was deleted. (OKTA-1131197)

  • The Scan QR Code option appeared for users who required only the Use Security Key option. (OKTA-1145766)

  • After a user.session.context.change event, some global session and app sign-in policy rules configured with In any network zone defined in Okta failed to match during ITP policy re-evaluation. (OKTA-1151868)

  • The Sign-In Widget displayed an error after users completed a self-service password reset when the app authentication policy had the Keep Me Signed In prompt enabled. (OKTA-1152243)

  • AMR claim updates weren't applied to the Salesforce (Federated ID) app integration. (OKTA-1164030)

  • On the Administrator assignment by role page, the Preview role pane displayed "L10N_ERROR[okta.apps.clientCredentials.read.name.code]" instead of the View client credentials permission. (OKTA-1166616)

  • Manual remediation was required when reviewers revoked a user's access to Active Directory-sourced groups in a campaign. (OKTA-1167090)

Okta Integration Network

  • Asset Integrity for Pipelines (OIDC) is now available. Learn more.

  • CJ Affiliate (OIDC) is now available. Learn more.

  • Conduit Security (OIDC) is now available. Learn more.

  • Form (OIDC) is now available. Learn more.

  • Harmony (SAML) is now available. Learn more.

  • Harmony (SCIM) is now available. Learn more.

  • Haystack (SCIM) is now available. Learn more.

  • JumpCloud (OIDC) is now available. See JumpCloud.

  • LinkedIn Sales Navigator (SCIM) is now available. Learn more.

  • Magnite Streamr (OIDC) is now available. Learn more.

  • Matik (SAML) is now available. Learn more.

  • Matik (SCIM) is now available. Learn more.

  • Syndio (OIDC) is now available. Learn more.

  • Tandem Health (OIDC) is now available. Learn more.

  • Ternary (OIDC) is now available. Learn more.

  • ThoughtSpot (OIDC) is now available. See Create ThoughtSpot OIDC integration.

  • TOPdesk Operator by FuseLogic (Entitlements Management) is now available. Learn more.

  • Truepic Vision (OIDC) is now available. Learn more.

  • WideField Security - Detect and Remediate (API integration) is now available. Learn more.

  • YipitData Agent (OIDC) is now available. Learn more.

  • Yunu (OIDC) is now available. Learn more.

  • Console (API Service) has a new icon and description.

  • Console (OIDC) has a new app description.

  • Sastrufy has a new app name and a new configuration guide.

  • Software Analytics (OIDC) has a new app name (Antenna), icon, description, new Redirect URIs, and integration guide. Learn more.

  • Suger (OIDC) has a new Redirect URI.

  • Matik (Basic Auth) was updated.

  • Metlife MyBenefits (SWA) was updated.

  • TOPdesk Operator by FuseLogic (SCIM) was updated.

2026.05.1: Update 1 started deployment on May 14

Fixes

  • When a refresh token failure or revocation event was logged in the System Log, an incomplete version of the refresh token hash appeared in the event's target.detailEntry. (OKTA-1145851)

  • The List all profile mappings API sometimes returned an error if the request didn't include the sourceId or targetId parameters. (OKTA-1153229)

  • In the Admin Console, status site links for some cells pointed to an incorrect status page. (OKTA-1158204)

  • The Manage Event Hooks permission didn't allow an admin or service app to create an event hook. (OKTA-1162004)

  • On the Recent Activity page in My Settings, screen reader announcements didn't match the static text for security events. (OKTA-1164456)

  • When an authentication error occurred, the Sign-In Widget displayed an SQL error message instead of a helpful one. (OKTA-1168939)

  • When an admin viewed the Preview pane for Custom Admin Roles, some labels for identity permissions were displayed incorrectly. (OKTA-1168945)

  • Admins with the Manage third-party MCP Servers permission couldn't edit their org's MCP servers. (OKTA-1173945)

Okta Integration Network

  • Butterfly Security (OIDC) is now available. Learn more.

  • Butterfly Security (SCIM) is now available. Learn more.

  • Cimento AI (SAML) is now available. Learn more.

  • Cimento AI (SCIM) is now available. Learn more.

  • Redblock AI (SAML) is now available. Learn more.

  • Scribble Maps (OIDC) is now available. Learn more.

  • Scribble Maps (SAML) is now available. Learn more.

  • Scribble Maps (SCIM) is now available. Learn more.

  • Stripe (SCIM) is now available. Learn more.

  • Common Room (SCIM) now supports Group Push.

  • Rubrik Security Cloud now supports the following scopes:

    • okta.authorizationServers.manage
    • okta.authorizationServers.read
    • okta.idps.manage
    • okta.idps.read
    • okta.networkZones.manage
    • okta.networkZones.read
  • Wrike (SCIM) now supports Group Push.

  • Check Point SASE (SCIM) has been updated with new regions.

  • Dokio (SCIM) has a new API and configuration guide.

  • Harmony SASE (SAML) has a new icon, display name, and description. Learn more.

  • Stripe has a new configuration guide. Learn more.

  • Augment Code (OIDC) was updated.

2026.05.2: Update 2 started deployment on May 21

Sign-In Widget, version 7.45.3

For details about this release, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.

Device assurance OS version update

The following OS versions are now supported in Device Assurance policies:

  • Android 14 (2026-05-01)
  • Android 15 (2026-05-01)
  • Android 16 (2026-05-01)
  • iOS 18.7.9
  • iOS 26.5
  • macOS Sonoma 14.8.7
  • macOS Sequoia 15.7.7
  • macOS Tahoe 26.5
  • Windows 10 builds (10.0.17763.8755, 10.0.19044.7291, 10.0.19045.7291)
  • Windows 11 builds (10.0.22621.7079, 10.0.22631.8457, 10.0.26100.8457)

Provisioning for Axway Amplify

Provisioning is now available for the Axway Amplify app integration. When you provision the app, you can enable security features like Entitlement Management. See Axway Amplify.

Fixes

  • Admins with read-only permissions could see action buttons for pre-enrolled authenticators. (OKTA-983779)

  • Read-only admins could refresh app groups for apps that support Group Push. (OKTA-1114983)

  • The System Log displayed duplicate Push user deactivation to external application events for SAML apps with SCIM provisioning. (OKTA-1124966)

  • Some deactivated users retained the Deactivating status and couldn't be modified in the Admin Console or through the API. (OKTA-1138239)

  • When a user was assigned a SAML app through a group, they couldn't always access the app after signing in to Okta. (OKTA-1140346)

  • The email attribute for a new primary email address was updated before the email verification process was complete. (OKTA-1147280)

  • The Sign-In Widget displayed an error after users completed a self-service password reset when the app authentication policy had the Keep Me Signed In prompt enabled. (OKTA-1152243)

  • Admins couldn't always use device assurance policies in sign-in policies unless they enabled Okta FastPass as an authenticator. (OKTA-1153165)

  • The AI Agents page didn't provide a link to the ISPM console. (OKTA-1174497)

  • When group rule evaluations failed, the System Log displayed exception messages and SQL queries. (OKTA-1177889)

Okta Integration Network

  • Butterfly Security (API Service) is now available. Learn more.

  • Gatekeeper (SCIM) is now available. Learn more.

  • Icite (API Service) now has the okta.roles.read scope.

2026.05.3: Update 3 started deployment on May 28

Realm ID included in System Log user activity events

The System Log now includes the Realm ID attribute for user activity events, such as authentication, MFA, and app access. This allows admins to filter and categorize user activity by division in downstream security tools without manual logic replication.
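The two fields that matter most for downstream tooling in this release are the matched network zone lists (see New System Log fields for matched network zones above) and this Realm ID attribute. The following added example, which is not Okta's code, parses a newline-delimited export of System Log events and aggregates them the way a SIEM dashboard would: blocked and evaluated requests per matched zone, with a fallback to the older single-valued client.zone field, a count of events that report the 10-zone maximum (where the list may have been truncated), and event volume per realm. The four events are constructed samples. Two things are assumptions, not confirmed by the release notes: that ZoneIdMatch, ZoneNameMatch and the Realm ID appear under debugContext.debugData (the Realm ID under a key named realmId), and that the zone lists are comma-separated strings. Check those paths against a real event and adjust the constants.

```python
import json
from collections import Counter

ZONE_EVENT_TYPES = {"security.request.blocked", "policy.evaluate_sign_on"}
MAX_ZONES_PER_EVENT = 10  # per the release notes; hitting the cap may mean truncation

# Assumed field locations (verify against your own events before relying on them).
ZONE_ID_FIELD = "ZoneIdMatch"
ZONE_NAME_FIELD = "ZoneNameMatch"
REALM_FIELD = "realmId"


def _as_list(value):
    """Accept a JSON list or a comma-separated string; both are normalized to a list."""
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    return [part.strip() for part in str(value).split(",") if part.strip()]


def _debug_data(event):
    return (event.get("debugContext") or {}).get("debugData") or {}


def matched_zones(event):
    """Return (zone_ids, zone_names, legacy). When the new fields are absent, fall
    back to the single client.zone value and flag the result as legacy."""
    debug = _debug_data(event)
    ids = _as_list(debug.get(ZONE_ID_FIELD))
    names = _as_list(debug.get(ZONE_NAME_FIELD))
    if ids or names:
        return ids, names, False
    legacy = (event.get("client") or {}).get("zone")
    names = [legacy] if legacy and legacy != "null" else []  # Okta logs "null" as a string
    return [], names, True


def realm_of(event):
    return _debug_data(event).get(REALM_FIELD) or "unknown"


def summarize(events):
    """Aggregate zone matches and realm activity across a batch of events."""
    summary = {"blocked_by_zone": Counter(), "evaluated_by_zone": Counter(),
               "legacy_fallbacks": 0, "possibly_truncated": 0, "events_by_realm": Counter()}
    for event in events:
        summary["events_by_realm"][realm_of(event)] += 1
        if event.get("eventType") not in ZONE_EVENT_TYPES:
            continue
        ids, names, legacy = matched_zones(event)
        if legacy:
            summary["legacy_fallbacks"] += 1
        if max(len(ids), len(names)) >= MAX_ZONES_PER_EVENT:
            summary["possibly_truncated"] += 1
        bucket = ("blocked_by_zone" if event["eventType"] == "security.request.blocked"
                  else "evaluated_by_zone")
        for name in names:
            summary[bucket][name] += 1
    return summary


def parse_log(text):
    """Parse newline-delimited JSON as a SIEM export would deliver it; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample events (not real Okta output); IDs and addresses are made up.
SAMPLE_LOG = """
{"eventType":"security.request.blocked","outcome":{"result":"DENY"},"client":{"ipAddress":"203.0.113.7","zone":"Blocklist"},"debugContext":{"debugData":{"ZoneIdMatch":"nzo1abc,nzo2def","ZoneNameMatch":"Blocklist,TOR exit nodes","realmId":"guo1xyz"}}}
{"eventType":"policy.evaluate_sign_on","outcome":{"result":"ALLOW"},"client":{"ipAddress":"198.51.100.4","zone":"Corporate"},"debugContext":{"debugData":{"ZoneIdMatch":"nzo3ghi","ZoneNameMatch":"Corporate","realmId":"guo1xyz"}}}
{"eventType":"policy.evaluate_sign_on","outcome":{"result":"ALLOW"},"client":{"ipAddress":"192.0.2.9","zone":"LegacyZone"},"debugContext":{"debugData":{"realmId":"guo2abc"}}}
{"eventType":"user.session.start","outcome":{"result":"SUCCESS"},"client":{"ipAddress":"192.0.2.9","zone":"null"},"debugContext":{"debugData":{"realmId":"guo2abc"}}}
"""

SAMPLE_EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

The legacy_fallbacks counter is worth keeping after rollout: events that still only carry client.zone either predate the change or come from an event type that does not populate the new fields, and a rule keyed on ZoneNameMatch alone would miss them.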

Fixes

  • The Add agent, Update agent, Deactivate agent, and Manage auto-update buttons remained active for read-only admins in the Admin Console. Although the server blocked any changes, the Admin Console didn't visually indicate that these actions were restricted. (OKTA-1031559)

  • In orgs with app sign-in policies that used an authentication method chain, users couldn't set up email as an optional authenticator during their account onboarding. This occurred even though email was an allowed optional authenticator. (OKTA-1102579)

  • The Import results dashboard for the Okta Provisioning agent displayed inconsistent totals for a SCIM app. The sum of individual record categories didn't match the overall total of audited records. (OKTA-1135158)

  • When an admin viewed a user profile, the device management status for shared devices displayed incorrectly. (OKTA-1148888)

  • All access certification campaign notification emails were in English even when a different Locale was specified on the user's profile page in the Admin Console. (OKTA-1170541)

  • Group Rules weren't always evaluated after a user's profile was updated. (OKTA-1171950)

  • In some orgs, admins were prompted to authenticate twice when they tried to sign in to the Admin Console. (OKTA-1175980)

Okta Integration Network

  • Factor Labs (SAML) is now available. Learn more.

  • Requirement Yogi (OIDC) is now available. Learn more.

  • ReReady (OIDC) is now available. Learn more.

  • SYEN Comply for Okta (API Service) is now available. Learn more.

  • Teleport (SAML) is now available. Learn more.

  • Teleport (SCIM) is now available. Learn more.

  • Cisco Webex has a new icon.

  • Clozd (OIDC) has a new redirect URI.

  • KnowBe4 (SAML) has an updated app logo.

  • KnowBe4 (SCIM) has an updated app logo.

  • Lucid (SAML) has an updated title in App Links.

  • SCIM 2.0 Test App (Basic Auth) has an updated app logo.

  • Tenable Cloud Security (SAML) has a configurable ACS and Audience URL.

  • Tenable Cloud Security JIT (SAML) has a configurable ACS and Audience URL.

  • Aetna Health Insurance (SWA) was updated.

  • Samsara (SWA) was updated.

  • Scalefusion OneIdP (SCIM) was updated.

  • Zscaler (SCIM) now offers additional attributes.

Preview org features

Secure SaaS and Okta Service Accounts

Manage and secure passwords for SaaS app service accounts and Okta service accounts with Okta Privileged Access. You can now assign new Service Accounts permissions to custom roles to delegate service account management duties to non-super admins. See Manage service accounts and Role permissions.

New System Log fields for matched network zones

Okta now includes richer network zone match information in System Log events. When a request is blocked by a network zone (security.request.blocked) or evaluated against a sign-on policy (policy.evaluate_sign_on), the System Log now surfaces the names and IDs of all matched network zones, across IP zones, Dynamic Network Zones (DNZ), and Enhanced Dynamic Network Zones (EDNZ), through new ZoneIdMatch and ZoneNameMatch fields. Up to 10 matched zones are reported per event.

These new fields provide more granular and structured network zone context than the existing Client.Zone field. This gives admins and security teams precise, actionable detail for blocked requests and policy evaluations, making SIEM investigations and audit reviews significantly easier. See Troubleshoot network zone issues using System Log.

SHA-256 digest algorithm support

Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.

DirSync group imports for Active Directory

For Active Directory (AD) integrations, the Provisioning tab now provides an Enable imports with AD using DirSync checkbox. When you enable the checkbox, admins can perform incremental group imports using DirSync. See Configure Active Directory import and account settings.

Workday supports incremental imports

Workday now supports immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See ../provisioning/workday/workday-provisioning.htm#provisioning-workday-workday-provisioning__incremen

Same-device enrollment for Okta FastPass

On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.
  • Users no longer need to enter their org URL during enrollment.
  • The enrollment flow has fewer steps. This feature is supported on Android, iOS, and macOS devices.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.

Application Entitlement Policy

Admins can now override attribute mapping when assigning apps to individuals or groups. You can also revert attributes to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Direct End-User Settings access

Users may now access their Settings page through a direct URL in addition to the End-User Dashboard. This feature provides convenience and security for users, gives admins greater flexibility when working with End-User Dashboard access control scenarios, and includes accessibility and UX improvements. See End-User Settings.

End-user setting for nicknaming factors

End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the end-user documentation. This is a self-service feature.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints.

Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints, and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration: you can still run Okta ThreatInsight in log mode or log-and-block mode, and exempt network zones. A new Negative IP Reputation reason is available for high-severity security.threat.detected events. See System Log events for Okta ThreatInsight.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the app's assurance policy. After the assurance requirements are met, the user is signed directly in to the app.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your app requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the app, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the app.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error prone and time consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type (RFC 8628) that allows users to sign in to input-constrained devices and to devices that lack web browsers. The device displays a short user code; the user enters it on a secondary device, such as a laptop or mobile phone, completes sign-in there, and the constrained device then polls the token endpoint until it is issued tokens.
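The protocol is simple enough to show both sides end to end. The following added example (not Okta's implementation, and not the page's code) is an in-memory authorization server that implements the RFC 8628 device authorization and token endpoints, plus the polling loop a smart TV or console would run. It covers the edge cases a real client has to handle: authorization_pending while the user is still typing the code, slow_down when the client polls too fast, expired_token when nobody approves in time, access_denied, and invalid_grant when a different client presents a device_code it did not request. The verification URI, client IDs and user identity are made-up values, and a fake clock replaces real sleeping so the example runs instantly.

```python
import secrets

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 s6.1: no vowels, no look-alike characters


class FakeClock:
    """Deterministic clock so the example runs instantly; use time.time/time.sleep for real."""
    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class DeviceAuthServer:
    """In-memory authorization server implementing the RFC 8628 endpoints.
    A stand-in for the real server (example code, not Okta's)."""

    def __init__(self, clock, lifetime=600, interval=5):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self.by_device_code = {}
        self.by_user_code = {}

    def device_authorization(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)  # high entropy, never shown to the user
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = raw[:4] + "-" + raw[4:]      # e.g. BDFG-HJKL, about 34 bits of entropy
        record = {"client_id": client_id, "scope": scope, "user_code": user_code,
                  "expires_at": self.clock.time() + self.lifetime, "interval": self.interval,
                  "last_poll": None, "decision": None, "user": None}
        self.by_device_code[device_code] = record
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://example.okta.com/activate",  # made-up URI
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decision(self, user_code, user, approved):
        """Called from the secondary device after the user has authenticated there.
        Real servers must rate-limit this: the user code is the only guessable secret."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return False
        record = self.by_device_code[device_code]
        record["decision"], record["user"] = approved, user
        return True

    def token(self, client_id, device_code):
        record = self.by_device_code.get(device_code)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}  # device_code is bound to the requesting client
        now = self.clock.time()
        if now >= record["expires_at"]:
            self._forget(device_code)
            return {"error": "expired_token"}
        if record["last_poll"] is not None and now - record["last_poll"] < record["interval"]:
            record["last_poll"] = now
            record["interval"] += 5               # RFC 8628 s3.5: client must add 5s to its interval
            return {"error": "slow_down"}
        record["last_poll"] = now
        if record["decision"] is None:
            return {"error": "authorization_pending"}
        self._forget(device_code)                 # single use, whether approved or denied
        if not record["decision"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "scope": record["scope"], "sub": record["user"]}

    def _forget(self, device_code):
        record = self.by_device_code.pop(device_code)
        self.by_user_code.pop(record["user_code"], None)


def run_device_flow(server, clock, client_id, scope, user_sim, max_polls=30):
    """Device side: obtain codes, display user_code, poll until a final answer.
    user_sim(user_code, poll) models the user on a phone or laptop: it returns True or
    False once they decide and None while they are still entering the code."""
    auth = server.device_authorization(client_id, scope)
    interval = auth["interval"]
    for poll in range(1, max_polls + 1):
        decision = user_sim(auth["user_code"], poll)
        if decision is not None:
            server.user_decision(auth["user_code"], "alice@example.com", decision)
        clock.sleep(interval)
        result = server.token(client_id, auth["device_code"])
        if "access_token" in result:
            return result
        if result["error"] == "slow_down":
            interval += 5
        elif result["error"] != "authorization_pending":
            return result
    return {"error": "client_gave_up"}


if __name__ == "__main__":
    clock = FakeClock()
    server = DeviceAuthServer(clock)
    print(run_device_flow(server, clock, "tv-app", "openid", lambda code, poll: True if poll == 2 else None))
```

Two details are the ones that get skipped in home-grown implementations: the token endpoint checks that the polling client is the one that requested the device_code, and the user_code entry point is the only place an attacker can guess, so it needs rate limiting and a short lifetime even though the code looks harmless.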