Okta Identity Engine release notes (Production)
Version: 2025.10.0
October 2025
Generally Available
Changes to access request notifications
To ensure conversations are displayed consistently across platforms, messages sent within an access request from the web app now automatically appear for the message sender in the corresponding Slack or Microsoft Teams thread. This reduces confusion for the message sender about which messages are associated with a request.
Okta Provisioning agent, version 3.0.4
Okta Provisioning agent 3.0.4 is now available. This release contains bug fixes and minor improvements.
Simplified Windows Installer for Okta Provisioning agent
The Windows Installer UI for the Okta Provisioning agent has been simplified. The environment selection dropdown list has been removed to support a wider range of Okta environments.
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- iOS 18.7.1
- iOS 26.0.1
- macOS Sonoma 14.8.1
- macOS Sequoia 15.7.1
- macOS Tahoe 26.0.1
Detections added to entity risk policy
New detections have been added to the entity risk policy.
- Suspicious Login From An IP Flagged By FastPass: Indicates a sign-in event occurred from an IP address that Okta FastPass flagged in a phishing event.
- Suspicious Login From An IP Flagged In A Credential Based Attack: Indicates a successful sign-in event occurred from an IP address where multiple sign-in failures also occurred.
- Breached Credentials Detected: Indicates that a username-password combination in your org appears in a third-party list of public data breaches.
Okta Active Directory Password Sync agent, version 1.7.0
This version of the agent includes security enhancements.
Trace ID added to event
A traceId has been added to the security.breached_credential.detected System Log event so that you can easily query and link ITP events like user.risk.detect and ERP events in the System Log.
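The linking the note describes is a grouping problem in whatever consumes your System Log. The following is an added example (not Okta code) that groups exported events by traceId and lists, for each trace that starts with a breached-credential detection, the events that followed it. The events are constructed, and the JSON path at which Okta carries the traceId (debugContext.debugData.traceId here) is an assumption to confirm against a real event from your org.

```python
"""Correlate Okta System Log events by traceId (added example, not Okta code).

The events below are constructed. The JSON path at which Okta carries the
traceId is an assumption (debugContext.debugData.traceId); confirm it against
a real security.breached_credential.detected event from your org and change
TRACE_ID_PATH if it differs.
"""
from collections import defaultdict
from typing import Any

TRACE_ID_PATH = "debugContext.debugData.traceId"  # assumed location

# Constructed sample: a breached-credential detection and the ITP risk event
# raised for the same user share a traceId; an unrelated session event does not.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {
        "uuid": "e1",
        "published": "2025-10-06T12:00:01.000Z",
        "eventType": "security.breached_credential.detected",
        "actor": {"id": "00u1", "alternateId": "alice@example.com"},
        "debugContext": {"debugData": {"traceId": "tr-abc123"}},
    },
    {
        "uuid": "e2",
        "published": "2025-10-06T12:00:02.000Z",
        "eventType": "user.risk.detect",
        "actor": {"id": "00u1", "alternateId": "alice@example.com"},
        "debugContext": {"debugData": {"traceId": "tr-abc123", "riskLevel": "HIGH"}},
    },
    {
        "uuid": "e3",
        "published": "2025-10-06T12:05:00.000Z",
        "eventType": "user.session.start",
        "actor": {"id": "00u2", "alternateId": "bob@example.com"},
        "debugContext": {"debugData": {}},
    },
]


def get_path(event: dict[str, Any], path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts; return default if any hop is missing."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def group_by_trace_id(events, trace_path=TRACE_ID_PATH):
    """Group events that carry a traceId, each group ordered by publish time.
    Events without a traceId are dropped: there is nothing to link them on."""
    groups: dict[str, list[dict[str, Any]]] = defaultdict(list)
    for ev in events:
        trace_id = get_path(ev, trace_path)
        if trace_id:
            groups[trace_id].append(ev)
    return {tid: sorted(evs, key=lambda e: e["published"]) for tid, evs in groups.items()}


def breached_credential_chains(events, trace_path=TRACE_ID_PATH):
    """For every trace that begins with a breached-credential detection, return
    the ordered eventTypes that followed it, keyed by traceId, for triage."""
    chains = {}
    for trace_id, chain in group_by_trace_id(events, trace_path).items():
        if chain[0]["eventType"] == "security.breached_credential.detected":
            chains[trace_id] = [e["eventType"] for e in chain]
    return chains


if __name__ == "__main__":
    for trace_id, types in breached_credential_chains(SAMPLE_EVENTS).items():
        print(f"{trace_id}: " + " -> ".join(types))
```

Feed it the JSON array from a System Log export (or the API's paged results) and the chains show at a glance whether a breached-credential detection was followed by a risk change, a session termination, or nothing at all.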
New look and feel for delegated flows
On the Delegated flows page, the buttons, modals, and input fields have been redesigned for a better user experience. See Delegated flows.
Euskara (Basque) language translations for end users
In the End-User Dashboard, users can now set the display language to Euskara (Basque). When they select a language, the end-user experience, including when a user signs in, is translated accordingly. See Supported display languages.
New VPN service for enhanced dynamic zones
SURF_EASY_VPN is now supported as an individual VPN service category in enhanced dynamic zones. See Supported IP service categories.
Error message update
The error message text that appears when activating a group rule that has an invalid expression has been updated to include the reason for the failure, making it easier to troubleshoot.
Create user permission conditions
You can now add conditions to the Create user permission for custom admin roles, applicable to both realm-enabled orgs and those without realms. See Permission conditions.
User status in Okta Expression Language
You can now reference User Status in the Okta expression language. Group Rules can leverage user statuses to drive group membership.
SharePoint On-Premises integration supports SHA-256
SharePoint integrations (WS-Fed) now use SHA-256 for signing the authentication token.
Group Push Linking for Microsoft Office 365
The Group Push feature in the Microsoft Office 365 integration has been enhanced to link existing Okta groups with existing Entra groups.
This change establishes Okta as the single source of truth for group membership. Once linked, membership changes made in Okta are pushed automatically, ensuring consistency and seamless access control.
Supporting additional attributes in O365's Universal Sync provisioning
To enable seamless access to Kerberos resources through Windows Hello for Business and to help you manage data based on geographies, Okta now supports four additional attributes in O365's Universal Sync provisioning.
- onPremisesSamAccountName
- onPremisesDomainName
- onPremisesUserPrincipalName
- PreferredDataLocation
Changes to the Session Protection Violation report
A filter has been added to the Session Protection Violation report that allows filtering on risk level (LOW, MEDIUM, HIGH). Also, the Session Context Change count has been removed from the report.
Okta Integration IdP type
The Okta Integration IdP allows you to use an Okta org as an external IdP, simplifying configuration and providing secure defaults. See Add an Okta Integration Identity Provider.
Custom admin roles for ITP
Through this feature, customers can use granular ITP permissions and resources to create custom roles to right-size authorization for ITP configuration and monitoring. See Configure custom admin roles for ITP.
Behavior Detections for new ASN
Early Access
User password migration from AD to Okta
Seamlessly migrate user passwords from AD to Okta without disrupting your users or operations. This establishes Okta as the source of truth for user passwords, enabling it to handle user authentication and eliminating the need for delegated authentication. See Password migration from AD to Okta
Protected action support for device signal collection policies
Okta prompts for step-up authentication when admins make changes to device signal collection policies in the Admin Console. The changes are only allowed after the admin authenticates successfully. This feature enhances org security by allowing admins to require MFA before performing protected actions. See Protected actions in the Admin Console.
Fixes
- Users found accessibility issues in the Sign-In Widget (third generation) error messages, SVG icons, and the show/hide password toggle. (OKTA-867363)
- Sometimes, inactive apps that had provisioning enabled sent deprovisioning calls to downstream apps. (OKTA-930436)
- Sometimes, users who were assigned an app were unable to view or access the app on their End-User Dashboard. (OKTA-985663)
- Some users saw a Conflicting App User IDs specified on state token error message when they tried to sign in to an OIDC app using the embedded Okta Sign-In Widget. (OKTA-992348)
- SAML assertions were encrypted if they included the oktaAuthPayload parameter even though encryption wasn't enabled on the app. (OKTA-998820)
- If the "End-user remediation for management attestation" feature was enabled and an admin had also configured a custom access denied error message, users were shown the custom error message instead of the remediation steps in the Okta Sign-In Widget. (OKTA-1008850)
- In some orgs with the Unified claims generation for Okta-protected SAML and OIDC custom app integrations early access feature enabled, users were unable to use the dropdown menus in the Attribute Statements > Show legacy configuration section of the app page. (OKTA-1010898)
- When an OIDC app had an authentication policy with a rule that includes device assurance through a Chrome device trust connector, users received an error when accessing the app through a sign-in URL configured with prompt=none. (OKTA-1016620)
- In orgs with the Custom Password Policy Restrictions early access feature enabled, some admins saw an incorrect error message when they selected Use an OEL statement to block restricted content and entered an expression. (OKTA-1027968)
- In orgs with Japanese translations, untranslated text appeared on the Active Directory Policy page. (OKTA-1029000)
- In orgs with the Custom Password Policy Restrictions early access feature enabled, some admins saw an Internal Server Error message when they tried to reset a user's password using a temporary password. (OKTA-1030190)
Okta Integration Network
- Paychex Online was updated.
- Ravenna is now available (API Service Integration). Learn more.
- zkipster was updated.
Doc Updates
Okta Aerial documentation
Documentation for Okta Aerial has been added to help.okta.com with the following updates:
- Aerial card added to the home page.
- Aerial option added to Documentation dropdown list.
- Aerial release notes added to Release notes dropdown list.
Okta Aerial allows you to manage multiple Okta orgs from a single, centralized account. The Aerial account lives outside of your other orgs and can manage any Production or Preview org that's linked to the Aerial account. Each Aerial account has a dedicated Aerial org where you can invite Aerial admins who can request and be granted access to connected orgs in your environment. See Okta Aerial.
Version: 2025.09.0
September 2025
Generally Available
Translations update for the Partner Admin Portal
Japanese translations for the Add user and Edit user forms have been updated. This change aligns the Japanese labels with their English counterparts.
Office 365 License and Roles Management now supports sync entitlements
Sync entitlements are now supported for the Office 365 License and Roles Management provisioning type in orgs with Identity Governance enabled.
Sign-In Widget, version 7.35.0
For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.
Improved user experience for Access Requests
The access request details page has been improved to provide more visibility on tasks assigned to approvers and answers submitted by requesters. If you integrated Slack or Teams with Access Requests, similar changes have been made to the access request message that approvers receive. Additionally, the email notification sender's name and address have been changed. The sender's name is Okta Access Requests and the email address is noreply@at.okta.com.
New versions of Okta Provisioning agent and SDK
Okta Provisioning agent 3.0.3 and Okta Provisioning agent SDK 2.4.0 are now available. These releases contain bug fixes and minor improvements.
Improved search in the Partner Admin Portal
The Partner Admin Portal user list now sorts by the Last Updated column in descending order by default. The search feature uses a Contains operator for three or more characters.
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 13, 14, 15, 16 security patch 2025-09-01
- iOS 18.6.2
- iOS 26.0.0 (major version)
- macOS Ventura 13.7.8
- macOS Sonoma 14.7.8
- macOS Sequoia 15.6.1
- macOS Tahoe 26.0.0 (major version)
- Windows 10 (10.0.17763.7678, 10.0.19044.6216, 10.0.19045.6216)
- Windows 11 (10.0.22621.5768, 10.0.22631.5768, 10.0.26100.4946)
The following versions are no longer supported:
- iOS 15.8.4
- iOS 16.7.11
- macOS 12.7.6
- Windows 11 (10.0.22000.3260)
Nonce rollout for Content Security Policy
Okta is rolling out nonces for the style-src directive of the Content Security Policy for every endpoint that returns HTML content. This is a two-stage process: first, the nonce is added to the style-src directive of the Content-Security-Policy-Report-Only header; later, after any unsafe inline instances are identified and fixed, the nonce is added to the style-src directive of the enforced Content-Security-Policy header. This update will be gradually applied to all endpoints.
These updates will be applied to Okta domains and custom domain pages that aren't customizable by admins (for example, sign-in pages, and error pages on custom domains). See Customize an error page.
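What the two stages look like at the header level, and the check an admin can run on any HTML they inject into the affected pages, are shown in this added example (not Okta code). A nonce only authorizes <style> elements that carry it; style="" attributes are not covered by a nonce at all and need 'unsafe-inline' or 'unsafe-hashes' with a hash, so those are exactly the "unsafe inline instances" the rollout will surface. The HTML is constructed, and the directive list in build_csp is a minimal stand-in, not Okta's actual policy.

```python
"""CSP nonce rollout for style-src: the two header stages and an audit for
inline styles a nonce will not cover (added example, not Okta code).
The HTML below is constructed; the directive list in build_csp is a minimal
assumption, not Okta's actual policy."""
import secrets
from html.parser import HTMLParser


def new_nonce() -> str:
    """Fresh per-response nonce; it must be unguessable and never reused."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str, enforce: bool) -> tuple[str, str]:
    """Stage 1 (enforce=False) only reports violations; stage 2 blocks them."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    value = f"default-src 'self'; style-src 'self' 'nonce-{nonce}'"
    return name, value


class InlineStyleAuditor(HTMLParser):
    """Finds the two things a nonce-only style-src will block:
    <style> elements without the matching nonce, and style="" attributes
    (a nonce cannot authorize attributes; they need 'unsafe-inline' or
    'unsafe-hashes' plus a hash of the attribute value)."""

    def __init__(self, nonce: str) -> None:
        super().__init__()
        self.nonce = nonce
        self.findings: list[tuple[str, int]] = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        line = self.getpos()[0]
        if tag == "style" and attr_map.get("nonce") != self.nonce:
            self.findings.append(("style-element-without-nonce", line))
        elif tag != "style" and "style" in attr_map:
            self.findings.append(("style-attribute", line))


def audit_inline_styles(html: str, nonce: str) -> list[tuple[str, int]]:
    """Return (finding, line) pairs for inline styles the policy would block."""
    auditor = InlineStyleAuditor(nonce)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def sample_html(nonce: str) -> str:
    """Constructed page: one nonced <style>, one legacy <style>, one style attribute."""
    return "\n".join([
        "<html><head>",
        f'<style nonce="{nonce}">body {{ margin: 0 }}</style>',
        "<style>.legacy { color: red }</style>",
        "</head><body>",
        '<div style="display:none">hidden</div>',
        "</body></html>",
    ])


if __name__ == "__main__":
    nonce = new_nonce()
    print(*build_csp(nonce, enforce=False))
    for finding, line in audit_inline_styles(sample_html(nonce), nonce):
        print(f"line {line}: {finding}")
```

During stage 1, the same findings arrive as CSP violation reports from real browsers; running the audit on your own markup beforehand means nothing breaks when the header switches to enforcing.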
Export Admin Console reports in GZIP format
You can now export most Admin Console reports in GZIP format, in addition to the existing CSV format. GZIP exports have a higher row limit (30 million) and a smaller file size.
Breached Credentials Protection
Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.
This feature is following a slow rollout process.
Assigning/revoking an admin role is a protected action
Now when an admin assigns or revokes an admin role from a user, they're prompted for additional authentication. See Protected actions in the Admin Console.
API service apps
API service apps are no longer assigned to the shared default app sign-in policy when they're created. See App sign-in policies.
Authentication policy UI updates
Authentication policies have been renamed and are now known as "app sign-in policies." The term "authentication policies" now refers to a group of policies: app sign-in policies, the Okta account management policy, and the session protection policy. UI enhancements have also been made to these pages to improve navigation and user experience. See App sign-in policies.
New option to clear "keep me signed in"
When revoking a user's IdP sessions and refresh tokens in the Clear sessions and revoke tokens dialog, admins can now choose whether or not to use the Clear "keep me signed in" option.
Admin Console Realm updates
The hint text for the Realm dropdown on the Add User form has been updated to provide clearer instructions.
Secure Identity Integrations filters in the OIN catalog
The Browse App Integration Catalog page now provides three new Secure Identity Integrations checkboxes: Secure Identity Integrations - Fundamental, Secure Identity Integrations - Advanced, and Secure Identity Integrations - Strategic. When you select one, the OIN catalog displays only the apps with that specific functionality.
New System Log target
The Authentication Enrollment Policy target was added to the 'policy.evaluate_sign_on' System Log event. This change makes it easier for admins to identify the policy that was involved in user sign-in attempts.
LDAP Interface OIDC app
LDAP Interface now has an app sign-in policy that only enforces password. This only applies to Okta orgs without a prior LDAP interface setup. For orgs with an existing LDAP interface setup, global session policies still control LDAP Interface authentication policies. See Set up and manage the LDAP Interface. The session length for OpenID Connect (OIDC) connections is now limited to one hour. After the session expires, a new BIND operation is required to continue performing SEARCH queries on the same connection. You may need to update existing scripts to account for this enforced session length.
Map unknown platform to desktop
Okta now maps unrecognized platform conditions to Other desktop. Previously, unrecognized platform conditions matched correctly only when the Any platform condition was selected in the app sign-in policy.
Send app context to external IdPs
You can now forward context about an app to an external identity provider (IdP) when a user attempts to access the app. When you enable the Application context checkbox for an IdP, the app name and unique instance ID are included in the SAML or OpenID Connect request sent to the external IdP. This enhancement allows external IdPs to make more informed, context-aware authentication decisions, supporting advanced security scenarios, and Zero Trust environments.
Child Domain Authentication for Office 365 WS-Federation
Office 365 WS-Federation automatic configuration now supports child domain authentication. See Federate multiple Office 365 domains in a single app instance.
App Switcher for Okta first-party apps
The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.
New change password feature for end users
The Security methods page in My Settings now allows end users to change their password.
Custom remediation for device assurance
You can now display custom remediation instructions to users when authentication fails due to unsuccessful device posture checks with Okta Verify or Chrome Device Trust. See Configure custom remediation instructions for device assurance.
Early Access
Desktop MFA recovery for Windows
This release enhances the Desktop MFA feature on Windows to include an admin-assisted recovery path. If a user is locked out of their Windows device, an admin can now issue a time-based recovery PIN. This grants the user temporary access to their computer without needing their primary MFA device, enabling them to resolve their authenticator issue and sign in successfully. See Enable Desktop MFA recovery for Windows.
End-user remediation for management attestation
This enhancement improves Okta's custom error remediation by extending it to management attestation across all OS platforms. Admins can now create specific remediation messages for devices that fail a management check (for example, their device is not MDM-managed). Users receive clear, actionable remediation instructions during the sign-in flow, and can troubleshoot problems independently. This leads to fewer IT helpdesk tickets, faster secure access, and a better user experience. See Remediation messages for device assurance.
More Universal Directory attributes available for identity verification mapping
Admins can now map more Universal Directory attributes when sending verification claims to an identity verification (IDV) vendor. This improves the accuracy of verification and gives the admin control over which attributes are sent to the IDV vendor. See Add a pre-configured identity verification vendor.
Passkey and security key subdomain support
Okta now lets users authenticate with their passkeys or security keys in their Okta org or custom domain, and all subdomains below them. This helps you achieve phishing-resistant authentication and avoids the need to issue multiple passkeys or security keys to each user for each domain they access. See Configure the FIDO2 (WebAuthn) authenticator.
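The reason one passkey can serve a domain and everything beneath it is WebAuthn's relying-party identifier: a credential is bound to an rpId, and a browser lets an origin use it only when the origin's host equals the rpId or is a subdomain of it (and the rpId is itself a registrable domain, not a bare public suffix). The page does not say how Okta picks the rpId, so the function below is an added example (not Okta code) of the rule itself, with placeholder hosts. The public-suffix test is simplified to "at least two labels"; real browsers consult the Public Suffix List.

```python
"""Which origins may use a passkey bound to a given WebAuthn rpId
(added example, not Okta code; the hosts below are placeholders).

WebAuthn requires the rpId to equal the caller's origin host or to be a
registrable-domain suffix of it, so a credential bound to the parent domain
is usable from every subdomain. The public-suffix test is simplified here
(assumption): real browsers consult the Public Suffix List."""
from urllib.parse import urlsplit


def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """True if a credential registered with rp_id may be used from origin."""
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower().rstrip(".")
    rp = rp_id.lower().rstrip(".")
    if not host or not rp:
        return False
    # WebAuthn is restricted to secure contexts; localhost is the only http exception.
    if parts.scheme != "https" and host != "localhost":
        return False
    if host == rp:
        return True
    if not host.endswith("." + rp):
        return False
    # rp must be a registrable domain, not a bare TLD/public suffix. Simplified:
    # require at least two labels (assumption; use the Public Suffix List in production).
    return "." in rp


def origins_allowed(rp_id: str, origins):
    """Filter a list of origins down to those that can use the credential."""
    return [o for o in origins if rp_id_valid_for_origin(rp_id, o)]


if __name__ == "__main__":
    candidates = [
        "https://id.example.com",        # the domain itself
        "https://sso.id.example.com",    # a subdomain: allowed
        "https://other.example.com",     # a sibling: not allowed
        "http://id.example.com",         # not a secure context
    ]
    for origin in origins_allowed("id.example.com", candidates):
        print("allowed:", origin)
```

The practical consequence for rollout: a passkey bound to the org's top-level custom domain works from any host beneath it, while one bound to a deeper host does not work on its parent or siblings.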
Anything-as-a-Source for groups and group memberships
Anything-as-a-Source (XaaS) capabilities allow customers to use a custom identity source with Okta. With XaaS, customers can connect custom HR apps or custom databases to source users into Okta's Universal Directory.
This release offers XaaS capabilities with groups and group memberships, allowing customers to start sourcing groups with XaaS. Okta now enables creating and updating users, creating and updating groups, and managing group memberships into Okta's Universal Directory from any identity source using XaaS APIs. See Anything-as-a-Source.
Fixes
- Some users received an error message when they reset their passwords on mobile devices that didn't have Okta Verify installed, even though the password reset was completed. (OKTA-958340)
- In some orgs with an Okta Org2Org integration, users were unable to access bookmark or Org2Org apps from the spoke org, even though they had permission to use the app. (OKTA-981462)
- Some users received an error message instead of an account unlock challenge when User Enumeration Prevention was turned off. (OKTA-993341)
- In the Partner Admin Portal, the chevron icon in the sidebar wasn't correctly aligned. (OKTA-1003466)
- When a user signed in to a custom domain and then clicked Admin in the App Switcher, they were sometimes presented with the wrong sign-in flow. (OKTA-1014174)
Okta Integration Network
- AmexGBT Egencia has a new app name, icon, and SAML Integration guide. Learn more.
- ZAMP (OIDC) has two new redirect URIs. Learn more.
- Harmony (API Service Integration) is now available. Learn more.
- Shift Security (API Service Integration) is now available. Learn more.
- Teem Finance (OIDC) is now available. Learn more.
- Island (Universal Logout) is now available. Learn more.
- CloudEagle (API Service Integration) was updated.
- Bruin was updated.
- EventNeat (OIDC) is now available. Learn more.
- AdvancedMD was updated.
- Nuclei (OIDC) is now available. Learn more.
- FloQast (SCIM) is now available. Learn more.
- Astrix Security Monitoring (API Service Integration) is now available. Learn more.
- Scrut Automation (OIDC) has a new Redirect URI.
- Canva (SWA) was updated.
- eSignon (SAML) is now available. Learn more.
- eSignon (SCIM) is now available. Learn more.
- AmexGBT Egencia (SCIM) is now available. Learn more.
Weekly Updates
2025.9.1: Update 1 started deployment on September 29
Generally Available
Enhanced protection for Google group imports
A safeguard has been added to prevent accidental data loss during group imports from Google. When a large volume of group deletions is detected, the import is stopped to protect against importing bad data.
Removed delegate self-approval for Access Requests
Delegates can no longer approve requests made on their behalf, ensuring proper separation of duties.
Okta Provisioning agent SDK, version 3.0.3
This release contains security enhancements and support for JDK 17. See Okta Provisioning agent and SDK version history.
New functionality filters in the OIN
The Browse App Integration Catalog page now provides Cross App Access and Privileged Access Management functionality filters. The new filters help admins quickly find Cross App Access- and Privileged Access Management-enabled apps in the OIN.
Fixes
- System Log entries weren't recorded for users who were denied access to an app when they were resetting their password. (OKTA-934302)
- Some users received an error message when they tried to enroll in the smart card authenticator. (OKTA-964611)
- Okta didn't redirect some users to apps when they tried to access an app. (OKTA-975872)
- Some users who authenticated with Okta when signing in to Microsoft Entra with a smart card received an error message. (OKTA-978342)
- Users with inactive or suspended accounts received a new account activation email when they clicked Request activation email instead of an error message. (OKTA-997612)
- If an admin had a browser extension that used the postMessage API, they sometimes saw an error when they performed a protected action. (OKTA-1001437)
- Some users were prompted to re-authenticate during the grace period that was configured in the authenticator enrollment policy. (OKTA-1002373)
- When a user signed in to a custom domain and then clicked Admin in the App Switcher, they were sometimes presented with the wrong sign-in flow. (OKTA-1014174)
- Abandoned MFA attempts were incorrectly logged in the System Log when users signed in with a Duo authenticator or IdP authenticator. (OKTA-1016718)
- In the System Log, policy.auth_reevaluate.fail events didn't display risk unless the event was a synchronous flow and the global session policy failed without remediation. (OKTA-1017389)
Okta Integration Network
- MIND (API Service Integration) is now available. Learn more.
- Frame Security Platform Connector (API Service Integration) is now available. Learn more.
- Fabrix Smart Actions (API Service Integration) is now available. Learn more.
2025.9.2: Update 2 started deployment on October 6
Generally Available
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- iOS 18.7
- macOS Sonoma 14.8
- macOS Sequoia 15.7
- Windows 10 (10.0.17763.7792, 10.0.19044.6332, 10.0.19045.6332)
- Windows 11 (10.0.22621.5909, 10.0.22631.5909, 10.0.26100.6584)
Okta Provisioning agent SDK, version 3.0.3
This release contains security enhancements and support for JDK 17. See Okta Provisioning agent and SDK version history.
Certificate revocation list is deprecated
The Cache CRL for configuration option has been removed. Okta now manages the certificate revocation list cache for you.
Fixes
- Sometimes resetting a user name for an app user failed. (OKTA-963368)
- Some SAML apps with password synchronization enabled didn't appear on the End-User Dashboard. (OKTA-968243)
- Group push errors sometimes appeared for apps that had provisioning disabled. (OKTA-983336)
- Okta admins with custom admin roles couldn't confirm the assignment for an imported user. (OKTA-988692)
- The page didn't render correctly for some users. (OKTA-990194)
- The System Log entry for Email Domains update operations was missing the change details for username and the domain display name. (OKTA-997246)
- During AD and LDAP imports, group membership processing missed some updates. (OKTA-1007037)
- Admins couldn't assign people or groups to PagerDuty when Identity Governance was enabled. (OKTA-1007080)
- When DirSync was enabled, users located in containers had their common name (CN) changed to an invalid value. (OKTA-1007911)
- When a user signed in to a custom domain and then clicked Admin in the App Switcher, they were sometimes presented with the wrong sign-in flow. (OKTA-1014174)
- Temporary access code (TAC) expirations weren't recorded in the System Log. (OKTA-1015095)
- When Governance Engine was enabled for Zoho Mail + Actions, importing users failed. (OKTA-1015810)
- In orgs with Front-channel Single Logout enabled, some users saw an Okta-branded loading page when they signed out of their End-User Dashboard, even though the page shouldn't have been branded. (OKTA-954103)
- The If no match is found option for non-JIT provisioning, account-linking OIDC IdPs was incorrectly labeled as Redirect to Okta sign-in page. (OKTA-961757)
- Some users with specific characters in their name couldn't enroll in Okta Verify on any platform. (OKTA-966335)
- Users with custom admin roles saw a Create Token button on the page, even though they didn't have the required permissions. (OKTA-976743)
- When an admin disabled provisioning for a SAML app, the provisioning settings no longer appeared on the Application > General tab. (OKTA-988899)
- When an error was encountered during a group push event, the system incorrectly reported that the failed operation would be automatically retried. (OKTA-1017493)
- In the Profile Editor, the checkbox for an enum property with a default value was displayed as unselected after a page refresh, even when the property's default value had been chosen. (OKTA-1020672)
- In orgs with End User Settings version 2.0 enabled, federated users saw an error message when they tried to open the My Settings > Security Methods page. (OKTA-1022960)
- Some users incorrectly received an "Invalid Phone Number" error when they enrolled a phone authenticator. (OKTA-1024021)
- In the System Log, policy.auth_reevaluate.fail events didn't display risk unless the event was a synchronous flow and the global session policy failed without remediation. (OKTA-1024106)
- Some admins saw an error message when they tried to create a custom OTP authenticator. (OKTA-1024746)
- In some orgs with Okta Identity Governance, admins couldn't delete a policy even though there were no apps assigned to it on the Assignments tab. (OKTA-1025333)
Okta Integration Network
- Employment hero was updated.
- Notion was updated.
- Briefly AI has updated the ACS, Audience URLs, and Attribute Statements.
- Verizon MDM (API Service Integration) is now available. Learn more.
Version: 2025.08.0
August 2025
Generally Available
Device assurance OS version updates
The following OS versions are now supported in device assurance policies:
- iOS (18.6)
- macOS (13.7.7, 14.7.7, 15.6)
Sign-In Widget 7.34.0
For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.
Okta On-Prem MFA agent version 1.8.5
This version includes security enhancements.
New password expiration message
The Breached Credentials Protection feature now displays a more intuitive error message to users whose passwords have expired.
Okta Provisioning agent, version 3.0.2
Okta Provisioning agent 3.0.2 is now available. This release of the Okta Provisioning agent uses OAuth 2.0 for authorization and OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to securely communicate with Okta. Agents are now registered through the OAuth 2.0 device registration flow and operate independently from the account used to register them. This release also uses UTC time as the default for meta.lastModified timestamps and includes security enhancements and bug fixes. See Okta Provisioning agent and SDK version history.
ITP detections for AMFA orgs
Adaptive MFA orgs now receive ITP detections on sessions and entity users for directly assigned super admins. These detection events are actionable using Workflows. This feature aligns with the Okta Secure Identity Commitment (https://www.okta.com/secure-identity-commitment). See Identity Threat Protection events in System Log. This feature is now available to FedRAMP Moderate customers.
Okta Active Directory agent, version 3.21.0
This release includes general enhancements, branding updates, and bug fixes. See Okta Active Directory agent version history.
Automate SCIM Integration for OIN Apps with Express Configuration
Express Configuration is a feature designed to automate the setup of SSO and SCIM for instances of OIN SaaS integrations by enterprise customers with minimal manual effort. It allows enterprise customers to securely configure OIDC and SCIM integrations without copying and pasting configuration values between Okta and Auth0-enabled apps. See Add an app with Express Configuration.
OAuth 2.0 provisioning for Org2Org with Autorotation
Admins deploying multi-org architectures (for example, Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth 2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Autorotation for Org2Org app provisioning directly from the Admin Console.
Define default values for custom user attributes
Admins can now define default values for custom attributes in a user profile. If you set a custom attribute to be unique, then the default value is automatically set to null (as opposed to an empty string). See Add custom attributes to an Okta user profile.
Updates for groups in the Partner Admin portal
The Partner Admin portal now displays up to 20 groups per page instead of 10. Additionally, if the search query has at least three characters and the contains search feature is turned on, the system uses the contains search instead of the starts with search in the groups list.
Expanded use of user.getGroups() function in Okta Expression Language
Admins can now use the user.getGroups() function across all features that support Expression Language. See Group functions for more information.
Auto-confirm for CSV imports
When Identity Governance is enabled and admins use CSV Import with entitlements, auto-confirm is enabled on exact email matches.
Identity Governance user entitlements import limit increased
The maximum number of user entitlements that can be imported from CSV has been increased to 25,000. See Import user entitlements from CSV.
New System Log event for ID verification events
The new user.identity_verification.start System Log event is triggered when an identity verification flow begins. It includes a reference ID for relevant events in the identity verification process and indicates which operation led to the start of this process. See Add a pre-configured identity verification vendor.
License grouping UI improvement
Microsoft O365 licenses are now grouped under Primary Licenses in the assignment tab for users and groups. Licenses are displayed as collapsed dropdown menus with only the primary license name visible. Expanding the dropdown menu displays all sub-licenses under it.
Track MFA abandonment in the System Log
You can now monitor abandoned MFA attempts in the System Log using the user.authentication.auth_via_mfa event. The event now has two additional statuses for the event outcome:
- UNANSWERED: MFA prompt was abandoned, but the user eventually signed in using another authenticator.
- ABANDONED: MFA prompt was abandoned and the user couldn't sign in.
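As an added example (not Okta's code), the following Python script reads exported System Log records as JSON lines, tallies the auth_via_mfa outcomes per user, and lists users with repeated ABANDONED prompts, which is the case a defender would triage first. It assumes the new statuses appear in the event's outcome.result field and uses constructed sample events.

```python
import json
from collections import Counter, defaultdict

MFA_EVENT = "user.authentication.auth_via_mfa"

# Constructed sample System Log records, one JSON object per line (not real data).
# Assumption: the UNANSWERED/ABANDONED statuses are carried in outcome.result.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventType": MFA_EVENT, "published": "2025-10-06T09:00:00Z",
     "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": MFA_EVENT, "published": "2025-10-06T09:05:00Z",
     "actor": {"alternateId": "bob@example.com"}, "outcome": {"result": "UNANSWERED"}},
    {"eventType": MFA_EVENT, "published": "2025-10-06T09:06:00Z",
     "actor": {"alternateId": "bob@example.com"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": MFA_EVENT, "published": "2025-10-06T09:10:00Z",
     "actor": {"alternateId": "carol@example.com"}, "outcome": {"result": "ABANDONED"}},
    {"eventType": MFA_EVENT, "published": "2025-10-06T09:12:00Z",
     "actor": {"alternateId": "carol@example.com"}, "outcome": {"result": "ABANDONED"}},
    {"eventType": MFA_EVENT, "published": "2025-10-06T09:15:00Z",
     "actor": {"alternateId": "carol@example.com"}, "outcome": {"result": "ABANDONED"}},
    {"eventType": "user.session.start", "published": "2025-10-06T09:16:00Z",
     "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}},
])


def parse_mfa_events(log_text):
    """Yield (user, result, published) for each auth_via_mfa record in JSON-lines text.

    Malformed lines and other event types are skipped so one bad record
    doesn't abort the whole run.
    """
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if event.get("eventType") != MFA_EVENT:
            continue
        user = event.get("actor", {}).get("alternateId", "<unknown>")
        result = event.get("outcome", {}).get("result", "<none>")
        yield user, result, event.get("published", "")


def summarize_mfa_outcomes(log_text):
    """Count outcome.result values per user, e.g. {"carol@example.com": {"ABANDONED": 3}}."""
    summary = defaultdict(Counter)
    for user, result, _ in parse_mfa_events(log_text):
        summary[user][result] += 1
    return {user: dict(counts) for user, counts in summary.items()}


def users_with_repeated_abandonment(log_text, threshold=3):
    """Users whose ABANDONED count reaches the threshold, sorted by count descending.

    UNANSWERED followed by a SUCCESS on another authenticator is usually benign;
    a run of ABANDONED outcomes with no sign-in is the one worth investigating.
    """
    summary = summarize_mfa_outcomes(log_text)
    hits = [(user, counts.get("ABANDONED", 0)) for user, counts in summary.items()
            if counts.get("ABANDONED", 0) >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for user, counts in summarize_mfa_outcomes(SAMPLE_LOG).items():
        print(user, counts)
    print("repeated abandonment:", users_with_repeated_abandonment(SAMPLE_LOG))
```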
New custom attributes for profile sync provisioning
Profile sync provisioning now supports several custom attributes for Office 365. See Supported user profile attributes for Office 365 provisioning.
Custom profile attributes for OIDC apps
Admins can now add custom profile attributes to OIDC apps in JSON format. See Configure profile attributes for OIDC apps.
Universal Logout in the OIN Wizard
Universal Logout (UL) in the Okta Integration Network Wizard allows you to build, test, and submit UL functionality to the Okta Integration Network (OIN). It lets you terminate users' sessions and revoke their tokens for supported OIN apps, as well as for generic OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) apps.
Granular configuration for Keep Me Signed In
Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. See Keep me signed in. The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands management API. See Configure Keep me signed in (KMSI) and Brands API.
Web app integrations now mandate the use of the Authorization Code flow
To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See Build a Single Sign-On (SSO) integration.
Early Access
Export Okta Identity Governance reports in PDF format
You can now export Okta Identity Governance reports to PDF. When exporting, you can also select specific columns to include in the report.
Passkeys from Android devices
Okta now accepts passkeys that are generated by Android devices. Okta associates these passkeys with trusted web domains to enable users to authenticate with them. This expands the number of device types that Okta supports for passkey use. See Configure the FIDO2 (WebAuthn) authenticator.
Custom FIDO2 AAGUID
Customers can add non-FIDO Metadata Service (MDS) security keys and other authenticators and have more granular control over them. This extends FIDO2 (WebAuthn) authenticator support to a wider range of security keys and other authenticators, which gives customers greater flexibility and control over the security in their environment.
Provisioning for Oracle Human Capital Management
Provisioning is now available for the Oracle Human Capital Management app integration. When you provision the app, you can enable security features like Entitlement Management, Privileged Access, and more. See Oracle Human Capital Management.
Temporary Access Code authenticator
The Temporary Access Code (TAC) authenticator allows admins to generate temporary codes that let users authenticate in onboarding, account recovery, and other temporary access scenarios. This authenticator enhances security in these scenarios by granting users access to their orgs without having to use their usual authenticators. See Configure the temporary access code authenticator.
Associated domains
Associated domains let you build a trust relationship among your app, the referring domain, the user's credentials that are associated with that domain, and your brand in Okta. This feature makes it easier to adopt phishing-resistant authenticators, like passkeys in the FIDO2 (WebAuthn) authenticator. See Configure associated domains.
System Log event for Identity Assertion Authorization Grant (ID-JAG) issuance
The app.oauth2.token.grant.id_jag event is generated when an app completes an OAuth 2.0 token exchange to get an Identity Assertion Authorization Grant (ID-JAG) JWT.
Unified claims generation for custom apps
Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.
Governance delegates
Super admins and users can assign another user as a delegate to complete governance tasks for them. Governance tasks include access certification campaign review items and access request approvals, questions, and other tasks. After a delegate is specified, all future governance tasks (access request approvals and access certification reviews) are assigned to the delegate instead of the original approver or reviewer. This helps ensure that governance processes don't stall when approvers are unavailable or tasks need to be rerouted to a different stakeholder for a long period. It also reduces the time spent in reassigning requests and reviews manually. See Governance delegates.
Multiple active IdP signing certificates
Okta now supports multiple active signing certificates for a single SAML identity provider (IdP), enabling seamless certificate rotation with zero downtime. Admins can upload up to two certificates per IdP connection. This improvement eliminates the need for tightly coordinated swaps with IdP partners and reduces the risk of authentication failures due to expired certificates. The feature is available for both the Admin Console and the IdP Certificates API.
Device signal collection policy
With the new device signal collection policy, admins can override Okta default behavior and specify how Okta must collect device data, which is then used to evaluate authentication policies. See Create device signal collection rules.
JSON Web Encryption of OIDC ID Tokens
You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.
App Switcher for Okta first-party apps
The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.
Device Logout
Device Logout allows admins to sign users out of devices that are protected by Desktop MFA. Admins can perform device sign out from the user's risk profile. If your org has Identity Threat Protection with Okta AI, you can configure an entity risk policy to automatically trigger a sign-out action. If a user is deactivated or suspended, Okta automatically signs the user out from all devices that are protected with Desktop MFA. See Sign users out of devices.
Cross App Access
Admins can now manage third-party app data sharing with the new Cross App Access feature in the Okta Admin Console. This feature moves complex consent processes away from end-users, enhancing security and streamlining the experience. Once configured, end users can access their data from other SaaS apps without navigating OAuth consent flows. See Configure Cross App Access.
Fixes
- When an admin performed an incremental import using the Okta Provisioning agent, the last.modified timestamp was in the local time zone rather than the expected UTC. (OKTA-908307)
- Admins couldn't always reactivate an app, even when there were active instances of that same app. (OKTA-944775)
- After a reviewer approved or revoked a review item, the value for the campaignItemRemediationStatus System Log event incorrectly displayed NONE. (OKTA-950851)
- When conditions were removed from a groups resource, admins who were assigned the resource set couldn't add groups. (OKTA-961708)
- When enrolling in Okta, users in orgs with specific Access Control settings were shown incorrect authenticators. (OKTA-963136)
- When a user selected the Remind me later option in an org that allowed grace periods and then accessed an app, an error sometimes appeared. (OKTA-964324)
- When users accessed an app after signing in to Classic Engine, their session was overridden if they subsequently accessed an app after signing in to Identity Engine. (OKTA-968179)
- In the Partner Admin Portal, some pages took longer than expected to load or refresh. (OKTA-976067)
- On the Edit role page, the Role description field displayed the Role name value. (OKTA-984100)
- In orgs with the Breached Credentials Protection feature enabled, the wrong password expiration date was displayed to some users. (OKTA-984104)
- When an admin assigned a group to an app, the resulting System Log event was incomplete. (OKTA-985709)
- When accessing the Edit User Attributes page for a given user in the Partner Admin Portal, the screen didn't show the form when an enum array property was in the user schema, but not present in the user profile. (OKTA-986528)
Weekly Updates
2025.8.1: Update 1 started deployment on August 18
Generally Available
Device assurance OS version updates
The following OS versions are now supported in device assurance policies:
- Android 13, 14, 15, 16 security patch 2025-08-01
Export Okta Identity Governance reports in PDF format
You can now export Okta Identity Governance reports to PDF. When exporting, you can also select specific columns to include in the report.
Early Access
Desktop MFA recovery for Windows
This release enhances the Desktop MFA feature on Windows to include an admin-assisted recovery path. If a user is locked out of their Windows device, an admin can now issue a time-based recovery PIN. This grants the user temporary access to their computer without needing their primary MFA device, enabling them to resolve their authenticator issue and sign in successfully. See Enable Desktop MFA recovery for Windows.
Fixes
- Sometimes admins could assign themselves as approvers for their own access requests.
- When an admin edited a resource set, the event didn't appear in the Admin changes section on the Administrators page. (OKTA-817804)
- Admins couldn't publish customized sign-in and error pages, and some users saw default sign-in and error pages instead of previously published customized ones. (OKTA-838267)
- An error was intermittently returned when attempting to add a new sign-in redirect URI to an existing OIDC app. (OKTA-892769)
- Notification emails for AD and LDAP agent upgrades included sections for updated agents when none existed. (OKTA-958346)
- Okta didn't migrate customer-provided certificates to Okta-managed ones. (OKTA-959003)
- Custom admins with privileges for customizing domains didn't see the Edit menu item on the Domains tab of a brand page. (OKTA-974191)
- Some users couldn't reset their passwords when they were enrolled in more than two authenticators, and User Enumeration Prevention for Recovery and an Okta account management policy were enabled in their org. (OKTA-981374)
- The App sign-in tile was smaller than the other tiles on the Authentication policies page. (OKTA-987744)
- In the Partner Admin Portal, the enum array fields on the Edit User Attributes page failed to load initial values from the user's profile. (OKTA-988096)
- When LDAP instances were either deactivated or reactivated, the associated LDAP agents remained in their current state. (OKTA-990260)
- The LDAP interface app showed an Okta IP address instead of the requester's original IP address, leading to authentication failure. (OKTA-991371)
- In the Partner Admin Portal, the side navigation text loaded before the main content of the page. This caused a visual issue where the text appeared to leak before a user was fully authenticated. (OKTA-991510)
- Some users who enabled the Early Access feature Unified claims generation for Okta-protected SAML and OIDC custom app integrations saw an error when they tried to add custom claims to an app integration. (OKTA-997102)
- An error message appeared to super admins when they tried to configure the custom OTP authenticator, and the authenticator didn't appear on the Authenticators page. (OKTA-997916)
Okta Integration Network
- Prowler (Prowler SaaS) has a new display name.
- Ethos has a new Redirect URI.
- Prowler Cloud (SAML) is now available. Learn more.
- 1VALET was updated.
- Adobe Enterprise (SWA) was updated.
- Adobe (SWA) was updated.
- Apple store for Business (SWA) was updated.
- Paycor (SWA) was updated.
- National Car Rental (SWA) was updated.
- Marriott Hotels (SWA) was updated.
- Desana has a new icon.
- Console updated with a new redirect URI and icon (OIDC). Learn more.
- FORA was updated.
- Approveit (SAML) is now available. Learn more.
- Bing Webmaster (SWA) was updated.
- Reward Builder is now available. Learn more.
- Staircase AI (SCIM) now supports the EU region.
2025.8.2: Update 2 started deployment on August 25
Fixes
- When an app was deleted, group push rules weren't deleted and would sometimes trigger erroneous System Log entries. This fix will be slowly made available to all orgs. (OKTA-881642)
- This update includes security enhancements. (OKTA-945597)
- When a group push failed due to a rate limit being exceeded, a System Log event was logged and marked with success instead of an error. (OKTA-952427)
- In authenticator enrollment policies, an auto-populate pop-up containing a phone number appeared when admins tried to select a due date for the phone authenticator's grace period. (OKTA-963746)
- Some users saw an error when submitting their username to sign in. (OKTA-963933)
- App groups weren't fully deleted after a successful DELETE API call and could still be found by their ID. This fix will be slowly made available to all orgs. (OKTA-972614)
- In orgs that didn't have Multifactor Authentication (MFA) or Adaptive MFA enabled, the Require user interaction option in authentication policy rules remained selected after admins cleared it. (OKTA-972708)
- Custom admins with privileges for customizing domains didn't see the Edit menu item on the Domains tab of a brand page. (OKTA-974191)
- Some custom admin roles had different permissions for authentication policies and device signal collection policies and couldn't access them. (OKTA-982043)
- When an admin triggered a password reset for a user who was concurrently also being provisioned in AD or LDAP, the user's status was discarded. This fix will be slowly made available to all orgs. (OKTA-982286)
- The PolicyRuleChangeDetails System Log event didn't track UI schema events. (OKTA-984139)
- Okta admins with custom admin roles couldn't unsuspend users due to the missing Activate button. (OKTA-986984)
- When multiple signing certificates were configured for an IdP, and the certificates were invalid, the System Log didn't display information about which certificate failed to validate. (OKTA-987881)
- Some user-provided passwords that didn't meet the configured strength requirements were accepted by Okta. (OKTA-988423)
- On the People page in the Admin Console, the Suspended status was incorrectly categorized as Inactive. (OKTA-990078)
- Some users saw an error when trying to sign in from an external IdP. (OKTA-993126)
- The Set up button for the password authenticator was displayed on the End-User Settings 2.0 page, even though a password couldn't be enrolled. (OKTA-997943)
- Okta couldn't send emails from orgs with custom SMTP server configurations. (OKTA-1003170)
Okta Integration Network
- Exaforce has a new app icon.
- DMARCwise (SAML) is now available. Learn more.
- WMSPanel (OIDC) is now available. Learn more.
- Giftsenda (SAML) is now available. Learn more.
2025.8.3: Update 3 started deployment on September 2
Fixes
- When an admin generated a preview of a telephony inline hook request, a default user locale was always returned in the JSON preview, even if the user profile had a different locale. (OKTA-799466)
- Some users saw the account unlock page on the Sign-In Widget when they signed in to an org with account unlocking disabled. (OKTA-961600)
- In the Admin Console, the "Active Directory groups in Okta that have been deleted in Active Directory will be removed from Okta only during full imports" text wasn't correctly translated to Japanese. (OKTA-963124)
- Some group members weren't granted access to the correct group-assigned apps. (OKTA-964259)
- When the End-User Settings 2.0 was zoomed in to 200%, users couldn't close menus using the escape key. (OKTA-974265)
- When using a self-hosted Sign-In Widget, some macOS and iOS users encountered issues when signing in to apps through an SSO extension. (OKTA-978545)
- When admins changed the priority of a rule in an authentication policy, the System Log created an entry for all of the rules in the policy, instead of just the rule that was updated. (OKTA-981929)
- The Sign-In Widget (second generation) displayed an error message when users signed in to orgs that had a relying party ID and domain validation enabled. (OKTA-985005)
- When an AD or LDAP import failed due to an incorrect result size, the system indicated that a Reset Batch Import (RBI) would re-run, but no RBI was performed. (OKTA-986331)
- Users were sometimes incorrectly prompted for optional authenticators that couldn't always satisfy assurance for enrollment. (OKTA-987248)
- Profile sources weren't properly shown in the Realms tab of the Admin Console if Google Workspace was set up as a profile source. (OKTA-991246)
- An error message appeared to super admins when they tried to configure the custom OTP authenticator, and the authenticator didn't appear on the Authenticators page. (OKTA-997916)
- When admins tried to add or edit enum attributes in the profile editor, there wasn't an option to skip defining a default value. (OKTA-1002231)
Okta Integration Network
- Foqal (API Service Integration) is now available. Learn more.
- Udemy Business (SAML) is now available. Learn more.
- Salto (Universal Logout) is now available. Learn more.
- Cerby (Universal Logout) is now available. Learn more.
- Sansan has an updated description.
- Template SAML 2.0 App (Deprecated) (SAML) is now available. Learn more.
- Employment hero was updated.
- Availity was updated.
- Overdrive by Mike Albert (OIDC) is now available. Learn more.
- DraftPilot (OIDC) is now available. Learn more.
- DraftPilot (SCIM) is now available. Learn more.
- 1Password Business was updated.
- Udemy Business (SCIM) is now available. Learn more.
2025.8.4: Update 4 started deployment on September 8
Documentation updates
Changes to the existing Access Certification documentation
The existing Get started with Access Certifications topic and the Review campaigns topic section have been relocated to the Campaigns section.
Fixes
- Read-only admins with the View roles, resources, and admin assignments custom role permission couldn't run the admin role assignments report. (OKTA-719485)
- System Logs displayed an incorrect user ID for failed LDAP interface authentication. (OKTA-869548)
- The number of group push errors displayed on the main dashboard of the Admin Console was different than the number displayed on the Tasks page. (OKTA-885883)
- Custom email previews didn't display the logo correctly. (OKTA-899903)
- When an admin performed an incremental import using the Okta Provisioning agent, the last.modified timestamp was in the local time zone rather than the expected UTC. (OKTA-908307)
- Okta account management policy events weren't recorded in the System Log when users enrolled in Okta through the Okta Verify desktop app. (OKTA-923493)
- When an admin changed the O365 provisioning from User Sync to Profile Sync, the mail attribute synced data incorrectly. (OKTA-970525)
- Step-up multifactor authentication failed for some users who authenticated into an app using a smart card. (OKTA-972725)
- The custom OTP authenticator sometimes didn't appear correctly in the Authentication methods section in app sign-in policy rules when multiple instances of them were configured. (OKTA-977123)
- Some device signal collection policy events weren't recorded in the System Log. (OKTA-977755)
- When admins changed the priority of a rule in an authentication policy, the System Log created an entry for all of the rules in the policy, instead of just the rule that was updated. (OKTA-981929)
- Users received an error message when they selected Keep me signed in after authenticating. (OKTA-987229)
- Admins encountered a higher number of 429 rate limit codes on some loopback API endpoints. (OKTA-1000341)
- The search results cleared when users refreshed the resource catalog on the End-User Dashboard after searching for an item. (OKTA-1006498)
Okta Integration Network
- Iterate now supports IdP-initiated SSO flows.
- MODocs AI (OIDC) is now available. Learn more.