Okta Identity Engine release notes (Preview)

Version: 2025.07.0

July 2025

Generally Available

OAuth 2.0 provisioning for Org2Org with Autorotation

Admins deploying multi-org architectures (for example, Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning with OAuth 2.0 scoped tokens has several advantages over static API tokens, including finer-grained access, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Autorotation for Org2Org app provisioning directly from the Admin Console.

See Integrate Okta Org2Org with Okta.

Release notes available in Japanese

Release notes for Okta Identity Engine are now translated to Japanese for each release. These translations are published within a week of the English publication.

Okta Provisioning agent, version 2.3.1

This release contains security enhancements. See Okta Provisioning Agent and SDK version history.

Universal Logout for AMFA orgs

Previously, AMFA orgs were unable to quickly revoke a user's access across all apps. This new feature provides AMFA orgs with the ability to manually trigger Universal Logout from the Admin Console with a rate limit, allowing for the revocation of a user's access tokens, refresh tokens, and active sessions across all devices. This provides enhanced security and efficiency by ensuring all tokens and sessions are terminated. See Configure Universal Logout.

Enhanced security for End User Settings

End User Settings version 2.0 now performs policy evaluations before granting new access tokens.

Claims sharing enhancement

Claims sharing between Identity Engine orgs now supports the inclusion of authentication policy and global session policy rules that include authentication method chains. This enhancement gives admins greater flexibility when designing authentication for org-to-org scenarios. See Add a SAML Identity Provider.

Okta LDAP agent, version 5.24.0

This version of the agent includes the following:

  • Configuration files are now encrypted
  • Local LDAP agent configuration files are monitored for unexpected changes
  • install.log created to help debug installation issues
  • Security enhancements

Enhancement for advanced posture checks

Admins can now configure advanced posture checks to appear as a checkbox or textbox in device assurance policies.

Google Workspace improvements

The following changes have been made to improve the performance of the Google Workspace app integration:

  • More robust group-related error handling
  • Eliminated duplicate group creation upon import when Import Groups is disabled

LDAP Interface OIDC app

The LDAP Interface now has its own app-level authentication policy, which enforces password only. This applies only to Okta orgs without a prior LDAP Interface setup. In orgs with an existing LDAP Interface setup, the global session policy still controls LDAP Interface authentication. See Set up and manage the LDAP Interface.

New label for admin-initiated security methods

The My Settings > Security methods page now displays an Enrolled by admin label on admin-initiated security methods.

License Grouping UI improvement

Microsoft O365 Licenses are now grouped under Primary Licenses in the assignment tab for users and groups. Licenses are displayed as collapsed dropdown menus with only Primary License name visible. Expanding the dropdown menu displays all sub-licenses under it.

New custom attributes for Profile Sync provisioning

Profile sync provisioning now supports several custom attributes for Office 365. See Supported user profile attributes for Office 365 provisioning.

New validation rule for user profile attributes in OIN Wizard

The OIN Wizard now requires the use of valid user profile properties when referencing attribute values in EL expressions. The system rejects any invalid user EL expressions and attributes that aren't included in the allowlist. See Define attribute statements.

Manage Subscription button removed

The Manage Subscription button has been removed from the Settings page.

Changes to Okta apps

You can no longer view or assign the following apps to users:

  • Okta Access Certifications
  • Okta Access Requests Admin
  • Okta Entitlement Management

Additionally, the sign-on policies for these apps will default to the existing sign-on policy that you use for the Okta Admin Console.

New look and feel in the Admin Console

The Admin Console now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

New look and feel in the End-User Dashboard

The End-User Dashboard now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

Early Access

Network restrictions for OIDC token endpoints is EA in Preview

You can now apply network restrictions to OIDC token endpoints to enhance token security. See Create OpenID Connect app integrations.

Okta Integration IdP type is EA in Preview

The Okta Integration IdP allows you to use an Okta org as an external IdP, simplifying configuration and providing secure defaults. See Add an Okta Integration Identity Provider.

Universal Directory map toggle

The new Universal Directory (UD) map toggle enables admins to link a user's email address to their identifier. This allows admins to enable the self-service registration feature. See General Security.

OAMP protection for password expiry flows

This feature improves the security posture of customer orgs by protecting the password expiry flow with the Okta account management policy. Password expiry flows now require the assurance defined in an org's Okta account management policy. See Enable password expiry.

Enforce MFA for Identity Governance admin apps

The Enforce MFA for Identity Governance admin apps feature is no longer available as a self-service Early Access feature. Admins must contact Okta Support to enable or disable this feature. See Enable MFA for the Admin Console.

OU moves for LDAP-provisioned users

When an admin configures Okta to LDAP provisioning settings, they can now move users to a different Organizational Unit (OU) by changing their group assignments. See Configure Okta to LDAP provisioning settings.

Okta Hyperspace agent, version 1.5.1

This version includes security enhancements.

System Log event for monitoring LDAP Agent config file changes

A system.agent.ldap.config_change_detected event is generated when an LDAP agent detects changes to its configuration file.

On-prem Connector for Oracle EBS

On-prem Connector for Oracle EBS connects Oracle EBS on-premises apps with Okta Identity Governance. It helps admins discover, view, and manage Oracle EBS entitlements directly in Okta. This integration enhances security, saves time, streamlines entitlement management, and eliminates the need for custom integrations. See On-prem Connector for Oracle EBS and Supported entitlements by On-prem Connector.

Integrate Okta with Device Posture Provider

The Device Posture Provider feature enhances Zero Trust security by integrating external device compliance signals into the Okta policy engine. Previously, Okta couldn't leverage signals from third-party or custom tools to enforce access policies. Now, by accepting SAML/OIDC assertions from external compliance services, admins can incorporate custom compliance attributes into device assurance policies. This enables organizations to utilize their existing device trust signals within Okta, and foster a more flexible and secure posture without the need for extra agents or redundant tooling. See Integrate Okta with Device Posture Provider.

Provisioning for Oracle Human Capital Management

Provisioning is now available for the Oracle Human Capital Management app integration. When you provision the app, you can enable security features like Entitlement Management, Privileged Access, and more. See Oracle Human Capital Management.

Fixes

  • The Grace period for device assurance feature didn't apply to Chrome Device Trust users. (OKTA-817660)

  • Group push errors were displayed for app instances that didn't have provisioning enabled. (OKTA-924631)

  • Client location, IP address, and user agent weren't visible for security.breached_credential.detected events in System Log. (OKTA-934324)

  • In orgs with user enumeration prevention enabled, users who locked out their account saw an incorrect warning in the Sign-In Widget. (OKTA-939242)

  • When any of the When a user is reactivated in the app options were enabled for an app integration, the first attempt to re-login using ADSSO by disconnected AD users failed. (OKTA-939542)

  • Additional roles couldn't be added to the base Role attribute for SmartRecruiters app integrations. (OKTA-944146)

  • Users on devices with small viewports were unable to sign out. (OKTA-958188)

  • Editing a previously blank default value of an attribute in the Profile Editor failed if the Attribute length was set. (OKTA-958747)

  • Some users who were logged out of Okta by the breached credentials protection feature had custom attribute values deleted from their user profile. (OKTA-964312)

Okta Integration Network

  • Cockroach Labs (SCIM) is now available. Learn more.
  • Grace (OIDC) is now available. Learn more.
  • Hive (SCIM) is now available. Learn more.
  • Optmyzr (OIDC) is now available. Learn more.
  • Planfix (SCIM) is now available. Learn more.
  • Planfix (SAML) is now available. Learn more.
  • Splunk Add-on for Okta Identity Cloud (API integration) is now available. Learn more.

Weekly Updates

2025.07.1: Update 1 started deployment on July 9

Generally Available

Govern Okta admin roles

As a super admin, use this feature to adopt a zero standing privilege model for your org. This feature enables users to request time-bound access to Okta admin roles directly from their End-User Dashboard. It also enables you to periodically review their admin access.

The feature helps you streamline processes around requesting, approving, and certifying access to admin roles. It also enables you to control the level of access and its duration to your org's critical resources. In addition, you can audit a user's existing admin role assignments using Access Certifications campaigns and specify reviewers who should approve or revoke a user's access. See Govern Okta admin roles.

Govern Okta admin roles is available to all customers who have Universal Directory. Contact your account executive or customer success manager.

Fixes

  • Some users had to authenticate with their passwords twice when signing in to Okta to access a bookmark app in orgs where Okta Verify Push was required as the second authenticator. (OKTA-817382)

  • In some OIE preview orgs with routing rules, users who clicked the embedded URL of an app were incorrectly sent to the IdP, even though they weren't assigned to that app. (OKTA-827133)

  • Users were deactivated during imports where Super Admin privileges had been granted through group membership assignment. (OKTA-831811)

  • Some users with custom admin roles were unable to use the authorization server token preview. (OKTA-847900)

  • Users weren't able to validate MFA through FIDO2, Okta Verify Push, or TOTP authentication if the OrgUrl contained a trailing slash character or uppercase letters. (OKTA-897324)

  • Users were unable to enroll in Okta Verify on their mobile device when signing in to an org using the Okta Org2Org app. (OKTA-926590)

  • Some users saw an error when they tried to load the list of apps mapped to a policy. (OKTA-934678)

  • The create user form didn't clearly indicate whether an admin can view or edit the files, which caused confusion during user creation. (OKTA-953319)

  • When the /login/agentlessDsso test login flow was used with a null state token, a null pointer exception occurred. (OKTA-958088)

  • The Networks page became unresponsive when admins clicked the Show more option. (OKTA-958764)

  • When an admin triggered a password reset for a user who was concurrently also being provisioned in AD or LDAP, the user's status was discarded. (OKTA-961859)

  • Users were unable to create a new schema property using a previously used name due to an incomplete cleanup process of deleted schema properties. (OKTA-963030)

  • A blank page was displayed after an Okta user was successfully converted to a service account. (OKTA-969178)

  • The create user form didn't clearly indicate whether an admin can view or edit the files, which caused confusion during user creation. (OKTA-971861)

Okta Integration Network

  • NVIDIA Identity Federation (SCIM & SAML) is now available. Learn more.
  • Zoho Directory (API Integration) is now available. Learn more.

2025.07.2: Update 2 started deployment on July 16

Fixes

  • Authentication policies timed out if they included a lot of app instances. (OKTA-886236)

  • The System Log displayed an inaccurate risk level for Entity Risk Policy Action Cleared User Risk detections. (OKTA-944114)

  • Some users saw an error when they tried to access the End User Settings version 2.0. (OKTA-944786)

  • When the Direct Authentication feature was enabled, admins with a custom role couldn't create OIDC apps. (OKTA-970705)

  • The options to add WebAuthn and set permission conditions weren't available on the Partner Admin Portal. (OKTA-971778)

  • The create user form didn't clearly indicate whether an admin can view or edit the files, which caused confusion during user creation. (OKTA-971861)

  • Provisioning new users without a password to on-premises SAP instances failed, even when Sync Password was disabled. (OKTA-973324)

  • The create user form didn't clearly indicate whether an admin can view or edit files, which caused confusion during user creation. (OKTA-977736)

Okta Integration Network

  • CaterCow (OIDC) is now available. Learn more.

  • Cato Portal has a new Redirect URI. Learn more.

  • DevRev (SAML) is now available. Learn more.

  • DevRev (SCIM) is now available. Learn more.

  • Fastly has a new configuration guide. Learn more.

  • Fastly (SCIM) is now available. Learn more.

  • Hexnode (API service) is now available. Learn more.

  • ImmuniWeb (OIDC) is now available. Learn more.

  • Observe.ai (Provisioning)(SCIM) is now available. Learn more.

  • SmartCompany is now OneHR.

  • Sociabble (OIDC) is now available. Learn more.

  • Sociabble (SAML) is now available. Learn more.

Preview Features

Universal Logout for AMFA orgs

Previously, AMFA orgs were unable to quickly revoke a user's access across all apps. This new feature provides AMFA orgs with the ability to manually trigger Universal Logout from the Admin Console with a rate limit, allowing for the revocation of a user's access tokens, refresh tokens, and active sessions across all devices. This provides enhanced security and efficiency by ensuring all tokens and sessions are terminated. See Configure Universal Logout.

Expanded use of user.getGroups() function in Okta Expression Language

Admins can now use the user.getGroups() function across all features that support Expression Language. See Group functions for more information.

Increased maximum displayed group membership count

The membership count that appears on the groups page for very large groups now maxes out at 1M+. Click this number to view the exact count, which is cached for two hours. See View group members.

Changes to Okta apps are available in Preview

You can no longer view or assign the following apps to users:

  • Okta Access Certifications
  • Okta Access Requests Admin
  • Okta Entitlement Management

Additionally, the sign-on policies for these apps will default to the existing sign-on policy that you use for the Okta Admin Console.

Track MFA abandonment in the System Log

You can now monitor abandoned MFA attempts in the System Log using the user.authentication.auth_via_mfa event. The event now has two additional statuses for the event outcome:

  • UNANSWERED: MFA prompt was abandoned, but the user eventually signed in using another authenticator.
  • ABANDONED: MFA prompt was abandoned and the user couldn't sign in.

See Track MFA abandonment in the System Log.
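As an added example that is not Okta's code, the following block runs two detections over a constructed System Log export: the MFA abandonment statuses introduced above (UNANSWERED and ABANDONED on user.authentication.auth_via_mfa) and the system.agent.ldap.config_change_detected event from the Early Access section. The sample events are made up and trimmed to the fields used; the actor layout of the agent event and the threshold of three abandoned prompts per user are assumptions.

```python
"""Two System Log detections over a constructed export (added example; not Okta code)."""
import json
from collections import Counter, defaultdict

MFA_EVENT = "user.authentication.auth_via_mfa"
LDAP_CONFIG_EVENT = "system.agent.ldap.config_change_detected"
ABANDON_STATES = {"UNANSWERED", "ABANDONED"}  # the two outcome.result values this release adds

# Constructed sample export: one JSON object per line, fields trimmed to what is used below.
SAMPLE_LOG = """
{"eventType":"user.authentication.auth_via_mfa","published":"2025-07-10T09:00:01.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.authentication.auth_via_mfa","published":"2025-07-10T09:05:12.000Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.23"},"outcome":{"result":"ABANDONED"}}
{"eventType":"user.authentication.auth_via_mfa","published":"2025-07-10T09:05:48.000Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.23"},"outcome":{"result":"ABANDONED"}}
{"eventType":"user.authentication.auth_via_mfa","published":"2025-07-10T09:06:30.000Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.23"},"outcome":{"result":"ABANDONED"}}
{"eventType":"user.authentication.auth_via_mfa","published":"2025-07-10T09:11:02.000Z","actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.9"},"outcome":{"result":"UNANSWERED"}}
{"eventType":"user.authentication.auth_via_mfa","published":"2025-07-10T09:11:40.000Z","actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.9"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2025-07-10T09:12:00.000Z","actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.9"},"outcome":{"result":"SUCCESS"}}
{"eventType":"system.agent.ldap.config_change_detected","published":"2025-07-10T09:20:00.000Z","actor":{"displayName":"ldap-agent-01"},"outcome":{"result":"SUCCESS"}}
"""


def parse_events(text):
    """Parse a newline-delimited JSON export into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def mfa_abandonment(events):
    """Per user: how many prompts ended UNANSWERED or ABANDONED, and from which client IPs."""
    counts = defaultdict(Counter)
    ips = defaultdict(set)
    for ev in events:
        if ev.get("eventType") != MFA_EVENT:
            continue
        result = ev.get("outcome", {}).get("result")
        if result not in ABANDON_STATES:
            continue
        user = ev["actor"]["alternateId"]
        counts[user][result] += 1
        ips[user].add(ev.get("client", {}).get("ipAddress", "unknown"))
    return {u: {"counts": dict(c), "ips": sorted(ips[u])} for u, c in counts.items()}


def push_fatigue_alerts(summary, threshold=3):
    """Users with repeated ABANDONED prompts: nobody approved, so the prompts may not be theirs.
    The threshold is an assumption; tune it to your org's baseline."""
    return sorted(u for u, s in summary.items() if s["counts"].get("ABANDONED", 0) >= threshold)


def ldap_config_changes(events):
    """(published, agent) for every config-change detection raised by an LDAP agent."""
    return [(ev["published"], ev.get("actor", {}).get("displayName", "unknown"))
            for ev in events if ev.get("eventType") == LDAP_CONFIG_EVENT]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    summary = mfa_abandonment(evs)
    print("MFA abandonment per user:", json.dumps(summary, indent=2))
    print("Possible push fatigue:", push_fatigue_alerts(summary))
    print("LDAP agent config changes:", ldap_config_changes(evs))
```

The UNANSWERED case (carol) is benign on its own: the user ignored one prompt and signed in with another authenticator. Three ABANDONED prompts from one IP for bob, with no successful sign-in, is the pattern worth paging on, and the config-change event should be correlated with your change records before it is dismissed.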

Workday supports incremental imports

Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports.

Granular configuration for Keep Me Signed In

Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. See Keep me signed in. The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands management API. See Configure Keep me signed in (KMSI) and Brands API.

Same-device enrollment for Okta FastPass

On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.
  • Users no longer need to enter their org URL during enrollment.
  • The enrollment flow has fewer steps.

This feature is supported on Android, iOS, and macOS devices.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.

Application Entitlement Policy

Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

End-user setting for nicknaming factors

End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the End-User documentation. This is a self-service feature.

Content security policy enforcement on end-user pages

Content Security Policy is now enforced on end-user pages for orgs with custom domains (non-customizable pages only). Content Security Policy headers add a layer of defense that helps detect and block attacks such as cross-site scripting and data injection by telling the browser which resources a page may load and which actions it may execute. A policy has been enforced on admin pages since last year and has been running in report-only mode on end-user pages. Future iterations of the end-user Content Security Policy are planned to be stricter than this first release.

This feature will be gradually made available to all orgs.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints.

Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application.

Choose additional filters for Office 365 sign-on policy

Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices.
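As an added example that is not Okta's implementation, the RFC 8628 exchange described above simulated end to end in Python: a toy authorization server that issues the device_code/user_code pair and answers polls with authorization_pending, slow_down, access_denied and expired_token; a decide step standing in for the user on the secondary device; and the client polling loop with the back-off the RFC requires. The verification URI, client IDs and user names are made up, and a virtual clock replaces real sleeps so the whole flow runs instantly.

```python
"""RFC 8628 device authorization grant, simulated end to end (added example; not Okta's code)."""
import secrets

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 s6.1: no vowels, no look-alike glyphs


class FakeClock:
    """Virtual clock so the polling loop is deterministic and needs no real sleeps."""
    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class DeviceAuthServer:
    """Toy authorization server for the two endpoints of the grant
    (on an Okta custom authorization server: /v1/device/authorize and /v1/token)."""

    def __init__(self, clock, interval=5, lifetime=600):
        self.clock, self.interval, self.lifetime = clock, interval, lifetime
        self.grants = {}        # device_code -> grant record
        self.by_user_code = {}  # user_code -> device_code (what the user types on the second device)

    def device_authorize(self, client_id, scope):
        """Step 1: the input-constrained device asks for a device_code/user_code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2))
        self.grants[device_code] = {"client_id": client_id, "scope": scope, "state": "pending",
                                    "subject": None, "expires": self.clock.time() + self.lifetime,
                                    "last_poll": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://example.okta.com/activate",  # hypothetical URI
                "verification_uri_complete": f"https://example.okta.com/activate?user_code={user_code}",
                "expires_in": self.lifetime, "interval": self.interval}

    def decide(self, user_code, subject, approve):
        """Step 2: on a phone or laptop the user enters the user_code and approves or denies.
        Unknown codes return False; a real server must rate-limit this endpoint (RFC 8628 s5.1)."""
        device_code = self.by_user_code.pop(user_code, None)
        if device_code is None:
            return False
        grant = self.grants[device_code]
        grant["state"], grant["subject"] = ("approved" if approve else "denied"), subject
        return True

    def token(self, client_id, device_code):
        """Step 3: the device polls with its device_code until it gets a terminal answer."""
        grant = self.grants.get(device_code)
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock.time()
        if now >= grant["expires"]:
            del self.grants[device_code]
            return {"error": "expired_token"}
        if grant["last_poll"] is not None and now - grant["last_poll"] < self.interval:
            grant["last_poll"] = now
            return {"error": "slow_down"}  # client must add 5 s to its polling interval
        grant["last_poll"] = now
        if grant["state"] == "pending":
            return {"error": "authorization_pending"}
        if grant["state"] == "denied":
            del self.grants[device_code]
            return {"error": "access_denied"}
        del self.grants[device_code]  # device codes are single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"], "sub": grant["subject"]}


def poll_for_token(server, clock, client_id, auth, before_poll=None):
    """Client side of step 3: back off on slow_down, stop on any other error or on expiry.
    before_poll(attempt) is a hook so a caller can simulate the user acting mid-poll."""
    interval = auth["interval"]
    deadline = clock.time() + auth["expires_in"]
    attempt = 0
    while clock.time() < deadline:
        attempt += 1
        if before_poll:
            before_poll(attempt)
        resp = server.token(client_id, auth["device_code"])
        if "access_token" in resp:
            return resp
        if resp["error"] == "slow_down":
            interval += 5
        elif resp["error"] != "authorization_pending":
            return resp
        clock.sleep(interval)
    return {"error": "expired_token"}


if __name__ == "__main__":
    clock, server = FakeClock(), DeviceAuthServer(clock)
    auth = server.device_authorize("tv-app", "openid profile")
    print("Show on the TV:", auth["verification_uri"], "code", auth["user_code"])
    approve_on_third_poll = lambda n: n == 3 and server.decide(auth["user_code"], "alice@example.com", True)
    print(poll_for_token(server, clock, "tv-app", auth, approve_on_third_poll))
```

The security points the simulation makes concrete: the device code never leaves the device-to-server channel, the user code is the only thing a person handles, so its entropy and the rate limit on the endpoint that accepts it are what stand between an attacker and guessing an in-flight authorization; and an approval is consumed by the first token request, so a leaked device code cannot be replayed.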