Okta Identity Engine release notes (Production)
Version: 2025.03.0
March 2025
Generally Available
Sign-In Widget, version 7.28.3 and 7.29.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta MFA Credential Provider for Windows, version 1.4.3
This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows version history.
Okta LDAP agent, version 5.23.0
This version of the agent includes security enhancements.
Updated Japanese translations
The Admin Dashboard, Administrator pages, and Admin Console search now provide updated Japanese translations.
Improved group search functionality
You can now search for groups whose names or descriptions contain specified text. This makes it easier to find a group when you don't recall its exact name.
Improved user search functionality
You can now search for users whose names, email addresses, or usernames contain specified text, making it easier to do user lookups and add users to groups.
Identity Security Posture Management functionality in the OIN catalog
The Okta Integration Network page now provides Identity Security Posture Management functionality. When you select it, the OIN catalog displays only the apps with Identity Security Posture Management functionality.
New default reauthentication frequency for new authentication policy rules
The default reauthentication frequency has been changed to one hour for the Prompt for password authentication and Prompt for all other factors of authentication options on the authentication policy rule page. This applies by default to new rules with Time since last sign in selected. See Add an authentication policy rule.
Realms for Workforce
Realms allow you to unlock greater flexibility in managing and delegating the management of your distinct user populations within a single Okta org. See Manage realms.
ITP detections for AMFA orgs
All Adaptive MFA orgs now benefit from ITP detections on sessions and entity users when these are detected on directly assigned super admins. These detection events are actionable using Workflows. This feature aligns with the Okta Secure Identity Commitment. See Risk scoring.
Granular account linking for certain identity providers is GA
When admins link users from SAML and OIDC identity providers, they can now exclude specific users and admins. This improves security by allowing admins to configure granular access control scenarios. See Add a SAML Identity Provider.
OIDC identity providers now support group sync
OpenID Connect identity providers (IdPs) now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to. See Generic OpenID Connect.
Global token revocation for wizard SAML and OIDC apps
Universal Logout clears sessions and tokens for wizard SAML and OIDC apps. This enhancement extends Universal Logout functionality to more types of apps and provides greater flexibility to admins.
Entitlement management for Microsoft Office 365
The Microsoft Office 365 app now supports entitlement management. See Apps with entitlement support.
Early Access
Custom remediation for device assurance
You can now display custom remediation instructions to users when authentication fails due to unsuccessful device posture checks with Okta Verify or Chrome Device Trust. See Configure custom remediation instructions for device assurance.
Entitlement support for disconnected apps
Disconnected apps are apps that aren't LCM integrated within Okta. This feature allows you to use CSV files to import users and entitlements into Okta from disconnected apps. This enables consistent governance and compliance across all apps, including those not fully integrated with Okta. See Import user entitlements from CSV.
New look and feel in the Admin Console
The Admin Console now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.
New identity verification providers added
Okta now supports using Incode and CLEAR Verified as identity providers. This increases the number of identity verification vendors (IDVs) you can use to verify the identity of your users when they onboard or reset their account. See Add an identity verification vendor as an identity provider.
Bypass ASN binding with the Default Exempt IP Zone
The ASN binding feature associates admins with the IP address that they signed in from. If the IP changes during a session, the admin is signed out of Okta, and an event appears in the System Log. To bypass IP and ASN binding, you can add the client IP to the Default Exempt IP Zone. See IP exempt zone.
App Switcher for Okta first-party apps
The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.
New look and feel in the End-User Dashboard
The End-User Dashboard now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.
New attributes in Universal Sync
The following attributes are now supported in Universal Sync: AuthOrig, DLMemRejectPerms, DLMemSubmitPerms, and UnauthOrig.
Okta-to-Okta claims sharing enhancement
Okta-to-Okta claims sharing now supports the use of the smart card authenticator and Active Directory for Single Sign-On. This removes the need for users to authenticate with a service provider when they've already authenticated to an Okta org. See Add a SAML Identity Provider.
Verify an SSF Stream
Okta SSF Transmitter now supports the verification endpoint to enable receivers to request verification events and validate the end-to-end delivery between the transmitter and receiver. The SSF Transmitter verification events claim structure is also now compliant with the OpenID Shared Signals Framework ID3 spec.
Fixes
- When provisioning and Import Groups were enabled for the O365 GCC High app, the Groups page didn't display the group icon. (OKTA-283826)
- Some certificates with trailing characters were uploaded successfully despite their invalid format. (OKTA-486406)
- The consent buttons for the Office 365 and Office 365 GCC High apps didn't render correctly. (OKTA-488281)
- The Microsoft Office 365 Government - GCC High app integration didn't have the correct metadata tags. (OKTA-509443)
- A realm assignment didn't work as expected when using expressions based on attribute type. (OKTA-728487)
- Users weren't automatically confirmed when the inline hook updated conflicting appuser values during import. (OKTA-792372)
- The Add rule page for an authentication policy sometimes displayed the wrong factor types in the preview. (OKTA-849411)
- An invalid authentication error sometimes occurred when an admin assigned users to the ShareFile app. (OKTA-850064)
- Emails intended for an unverified primary or secondary email were dropped when the Audience setting for the template was Admin only. (OKTA-852156)
- When the Send all admin emails as BCC notification setting was selected, all email recipients were sent to the To field instead of the BCC field for protected actions. (OKTA-856627)
- Users who selected the Send me an email option from a locked account notification didn't receive the requested email. (OKTA-858751)
- Some users couldn't complete account recovery using Okta Verify with push. (OKTA-870580)
- Unknown users received an internal server error when they tried to recover their passwords. (OKTA-873911)
- Some pages in the End-User Dashboard had a typo in the footer. (OKTA-877065)
- The Entitlement SAML Assertions and OIDC Claims feature wasn't available in the menu for some customers. (OKTA-880967)
- An error occurred in the Okta Provisioning Agent when trying to import users from on-premises apps through CSV files. (OKTA-880996)
- Access requests for admin role bundles weren't processed properly. (OKTA-892613)
Okta Integration Network
- Better Stack (SCIM) is now available. Learn more.
- Employment Hero by Aquera (SCIM) is now available. Learn more.
- Harriet (OIDC) is now available. Learn more.
- Harriet (SCIM) is now available. Learn more.
- HYCU R-Cloud (OIDC) is now available. Learn more.
- Kyriba By Aquera (SCIM) is now available. Learn more.
- MySQL by Aquera (SCIM) is now available. Learn more.
- ZAMP (SCIM) is now available. Learn more.
- Zoom (SAML) has updated endpoints.
Weekly Updates
2025.3.1: Update 1 started deployment on March 17
Generally Available
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 12, 13, 14, 15 security patch 2025-03-01
- iOS 18.3.1
- macOS Ventura 13.7.4
- macOS Sonoma 14.7.4
- macOS Sequoia 15.3.1
- Windows 10 (10.0.17763.6893, 10.0.19044.5487, 10.0.19045.5487)
- Windows 11 (10.0.22621.4890, 10.0.22631.4890, 10.0.26100.3194)
Sign-in Widget 7.18 for Same-Device Enrollment
If you use the Same-Device Enrollment feature in your org, the Sign-In Widget version must be 7.18 or later.
Fixes
- createdBy and lastUpdatedBy custom attributes couldn't be used in group rules. (OKTA-566492)
- Some issues occurred during the creation of Devices Assurance settings. (OKTA-603807)
- Some Android users couldn't authenticate with Duo Verify when enrolling in Okta Verify. (OKTA-791813)
- Custom admins who were limited to viewing only application group members received incomplete results when using the List All Users API without a search or filter. (OKTA-801592)
- In some orgs, unnecessary writebacks were made to Workday when a sync was performed from Okta. (OKTA-817160)
- Users who were excluded from a group rule were displayed incorrectly in the Admin Console. (OKTA-838039)
- The System Log displayed two usernames in the user.authentication.auth_via_social event when a user signed in to Okta with an identity provider in the same browser as a user who was already signed in. (OKTA-842179)
- Users authenticating to Microsoft Office 365 on macOS were matched to a rule with a Modern Authentication condition only when using the Edge browser. (OKTA-847605)
- Admins who were assigned the super admin role through group assignments couldn't run password hash exports or view the reports. (OKTA-851991)
- The MFA enrollment by user report displayed inaccurate figures for the security question authenticator. (OKTA-858427)
- Okta sometimes timed out earlier than expected when admins configured authentication policies. (OKTA-867807)
- The page title didn't appear correctly on the browser tab for the Recent activity and My Settings pages. (OKTA-874289)
- Using device conditions in an authentication policy sometimes caused the post auth session policy evaluation to fail and generate a policy.auth_reevaluate.fail event. (OKTA-876114)
- Admins didn't receive the correct notifications when they had both role and admin email notifications selected. (OKTA-876846)
- The Back to sign in button didn't work on the Sign-In Widget (third generation) version 7.26.1 or later. (OKTA-877241)
- Okta admins assigned to non-visible apps were taken to the End-User Dashboard instead of the Admin Console when signing in. (OKTA-882675)
- When the Unified look and feel for Okta Admin Console feature was enabled, the Settings and Features pages didn't render correctly in the Safari browser. (OKTA-884821)
- Admins couldn't create or edit third-party identity providers in orgs with Okta-to-Okta claims sharing enabled. (OKTA-893483)
Okta Integration Network
- Better Stack (SAML) has a new integration guide.
- Bundle by freee (SCIM) is now available. Learn more.
- Chargebee (SAML) has a new integration guide.
- Chargebee (SCIM) is now available. Learn more.
- Lobbipad (SCIM) has updated help text.
- Marfeel (OIDC) is now available. Learn more.
- Oracle Cloud Applications by Aquera (SCIM) is now available. Learn more.
2025.3.2: Update 2 started deployment on March 24
Generally Available
Sign-In Widget, version 7.29.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Accessibility enhancements for screen readers
UI elements on the end-user Settings page have been enhanced to work with screen readers. See User settings.
Fixes
- createdBy and lastUpdatedBy custom attributes couldn't be used in group rules. (OKTA-566492)
- Workday imports sometimes failed when the number of parameters sent in a query exceeded the maximum. (OKTA-819984)
- Authentication was interrupted or prevented in legacy embedded browsers due to a DNS issue. (OKTA-845120)
- Changes to the manager attribute in Workday were only reflected in Okta after a full import. (OKTA-846352)
- The View Client Credentials permission didn't appear when the App settings for custom admin roles feature was enabled. (OKTA-851994)
- AWS account federation with SWA was incompatible with the new AWS sign-in page. (OKTA-856995)
- When the Enable Sync Account Information setting was disabled for a custom domain, login.okta.com still loaded iframes. (OKTA-865098)
- In Dynamic Zones, some IPs were classified incorrectly as anonymous proxies because of a misconfiguration by a third-party provider. (OKTA-867976)
- On the Admin Dashboard, some post auth session labels weren't updated to session protection. (OKTA-886337)
- Admins couldn't increase the global session policy maximum idle time if they set it to a longer duration than the previously saved maximum session time. (OKTA-891348)
Okta Integration Network
- Attribute Dashboard (OIDC) is now available. Learn more.
- Balsamiq (SAML) has a new app name, icon, and integration guide.
- bob (SCIM, SAML) now supports sandbox environments.
- Drata (OIDC) has a new icon.
- Mighty ID (OIDC) is now available. Learn more.
- Salesloft (SAML) is now available. Learn more.
- Salesloft (SCIM) is now available. Learn more.
Version: 2025.02.0
February 2025
Generally Available
Sign-In Widget, version 7.28.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Request expiration and enhanced notifications for Access Requests
To prevent accumulation of stale requests and improve the notification experience, Okta is making the following changes:
- New requests now automatically expire after 60 consecutive days of inactivity. Completing a task, answering a question, or leaving a message on a request resets the 60-day expiration period. Any requests created before the general availability of this feature expire after 60 days of inactivity (on or around April 7, 2025).
- Notifications about expiring requests are sent at 30 days, 5 days, and 1 day before the request expires.
- The user setting to receive daily reminders about overdue tasks and requests is no longer available. It is replaced by the new request expiration notifications.
Universal Logout for Cerby app
Cerby now supports Universal Logout. This enables admins to automatically sign users out of this app when Universal Logout is triggered.
New look and feel in Access Certifications
In Access Certifications, the Access Certification Reviews app located on your dashboard now has a new look and feel, including a restyled top navigation bar and the addition of a gray background.
Authentication method chain options
The Pin or biometric verification label for authentication method chains on the authentication policy rule page has been changed to User interaction. See Authentication method chain.
New System Log attribute
The application.policy.sign_on.deny_access System Log event now shows the app instance ID. This makes it easier to identify the affected app and enables resource-based filtering for the event.
New System Log attributes
The PolicyName field was added to the policy.evaluate_sign_on System Log event. This change makes it easier for admins to identify the policy that was involved in user sign-in attempts.
Delete users with granular deprovisioning in Microsoft Office 365
You can now delete users as part of the deprovisioning process in Office 365. See Deprovisioning options for Office 365.
RADIUS push notifications
The operating system is no longer included in RADIUS push notifications. Customers can contact Okta Support if they need to display this information.
Support for importing Active Directory group descriptions
The descriptions of groups sourced from Active Directory now use their description from AD. These replace any previous descriptions of AD-sourced groups in Okta, which used a pretty-printed version of the distinguished name (DN) instead.
New Hyperdrive agent version
This version includes the Microsoft Edge WebView2 control. See Okta Hyperdrive agent version history.
Authentication policy rule page updated
The If Okta FastPass is used section of the authentication policy rule page has been removed. Users can select the Require user interaction option in the Possession factor constraints are section instead. See Add an authentication policy rule.
Polling for Agentless Desktop Single Sign-on and Integrated Windows Authentication
Agentless Desktop Single Sign-on (ADSSO) and Integrated Windows Authentication (IWA) authentication sessions now include polling to reduce the likelihood of service disruptions when bandwidth use peaks. For users authenticating with ADSSO or IWA during peak use periods, this change increases the likelihood that a server will be available to process their authentication request.
Case numbers for impersonation events
When an org grants impersonation for a support case, the case number now appears in the System Log. See Give access to Okta Support.
System Log event for public client app admins
When an admin selects the Automatically assign the super admin role to all newly created public client apps checkbox on the Account page, the System Log now records an event.
Step-up authentication for Office 365
This enhancement enables customers to dynamically prompt for Okta MFA when needed, without having MFA configured in the authentication policy. See Use Okta MFA for Azure Active Directory.
ADSSO authentication parameters
When a state token is used, Okta removes the fromURI parameter from the ADSSO authentication POST request.
Enforce Number Challenge for Desktop MFA
You can now enforce number challenge on all push notifications for Desktop MFA, regardless of the authentication policy. See Configure access policies.
Improved password reset process for Active Directory-sourced users
The password reset process now sends the password update and verification requests to the same Active Directory agent to avoid replication delay.
Role-based access control now available
As Okta Workflows can make comprehensive changes both inside Okta and out to other connected SaaS apps, access to Workflows was previously restricted to Okta super admins. While this restriction enhanced the security of Okta Workflows, it limited the number of users, restricted the scalability of Okta Workflows, and reduced overall value to customers.
With role-based access control (RBAC), you can now assign Workflows privileges to more users without granting unnecessary access.
To support this feature, three new roles are available:
- Workflows Administrator: For full-access administration within Okta Workflows only
- Workflows Auditor: For compliance management with read-only access
- Connection Manager: For securely handling accounts and credentials
RBAC allows customers to expand the use of Okta Workflows beyond super admins, enabling more team members to build, run, and manage Workflows securely and efficiently.
See Access Control.
There are four new event types that record the RBAC feature activity in the Okta System Log:
- workflows.user.role.user.add
- workflows.user.role.user.remove
- workflows.user.role.group.add
- workflows.user.role.group.remove
See the Event Types API.
Early Access
Authentication claims sharing between Okta orgs
Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Add a SAML Identity Provider.
Custom admin role for Okta Device Access
You can now configure custom admin roles to view and manage Okta Device Access functionality. This enhancement enables IT teams to designate admins who can effectively manage Okta Device Access capabilities without requiring them to have the most elevated security permissions. See Desktop MFA recovery.
On-prem Connector for SAP Netweaver ABAP
On-prem Connector for SAP NetWeaver ABAP provides an out-of-the-box solution that connects SAP on-premises apps with Okta Identity Governance. It enables the discovery, visibility, and management of SAP entitlements (roles) directly in Okta. This integration enhances security, saves time, and simplifies governance by eliminating the need for custom integrations and by streamlining entitlement management. See On-prem Connector for SAP Netweaver ABAP.
Step-up authentication for updating policies
Okta prompts for step-up authentication when admins perform protected actions in the Admin Console, like updating sign-on policies. The changes are only allowed after the admin authenticates successfully. This feature enhances org security by allowing admins to require MFA before performing protected actions. See Protected actions in the Admin Console.
Track MFA abandonment in the System Log
You can now monitor abandoned MFA attempts in the System Log using the user.authentication.auth_via_mfa event. The event now has two additional statuses for the event outcome:
- UNANSWERED: MFA prompt was abandoned, but the user eventually signed in using another authenticator.
- ABANDONED: MFA prompt was abandoned and the user couldn't sign in.
See Track MFA abandonment in the System Log.
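An added example, not Okta code, of how a defender might triage these events from a System Log export: it flags users with repeated ABANDONED or UNANSWERED outcomes on user.authentication.auth_via_mfa and lists the workflows.user.role.* grants and removals introduced in the RBAC section above. The sample records, the user names and the target types on the role events are constructed for this example.

```python
"""Triage of Okta System Log events for the Workflows RBAC role-change event
types and the MFA-abandonment outcomes (constructed sample data, not Okta code)."""
import json
from collections import Counter, defaultdict

MFA_EVENT = "user.authentication.auth_via_mfa"
ABANDON_OUTCOMES = {"ABANDONED", "UNANSWERED"}
WORKFLOWS_ROLE_EVENTS = {
    "workflows.user.role.user.add",
    "workflows.user.role.user.remove",
    "workflows.user.role.group.add",
    "workflows.user.role.group.remove",
}

# Constructed sample: the field names (eventType, published, actor, outcome,
# target) follow the System Log event shape, but every value is made up.
# The target types on the role events are an assumption for this example.
SAMPLE_LOG = """[
 {"eventType": "user.authentication.auth_via_mfa", "published": "2025-02-10T08:01:00.000Z",
  "actor": {"id": "00u1", "type": "User", "alternateId": "alice@example.com"},
  "outcome": {"result": "ABANDONED"}, "target": []},
 {"eventType": "user.authentication.auth_via_mfa", "published": "2025-02-10T08:02:00.000Z",
  "actor": {"id": "00u1", "type": "User", "alternateId": "alice@example.com"},
  "outcome": {"result": "ABANDONED"}, "target": []},
 {"eventType": "user.authentication.auth_via_mfa", "published": "2025-02-10T08:03:00.000Z",
  "actor": {"id": "00u1", "type": "User", "alternateId": "alice@example.com"},
  "outcome": {"result": "SUCCESS"}, "target": []},
 {"eventType": "user.authentication.auth_via_mfa", "published": "2025-02-10T09:00:00.000Z",
  "actor": {"id": "00u2", "type": "User", "alternateId": "bob@example.com"},
  "outcome": {"result": "UNANSWERED"}, "target": []},
 {"eventType": "policy.evaluate_sign_on", "published": "2025-02-10T09:00:05.000Z",
  "actor": {"id": "00u2", "type": "User", "alternateId": "bob@example.com"},
  "outcome": {"result": "ALLOW"}, "target": []},
 {"eventType": "workflows.user.role.user.add", "published": "2025-02-11T10:00:00.000Z",
  "actor": {"id": "00uA", "type": "User", "alternateId": "admin@example.com"},
  "outcome": {"result": "SUCCESS"},
  "target": [{"id": "00u3", "type": "User", "displayName": "Carol Example"},
             {"id": "wfrole1", "type": "Role", "displayName": "Workflows Administrator"}]},
 {"eventType": "workflows.user.role.group.remove", "published": "2025-02-11T10:05:00.000Z",
  "actor": {"id": "00uA", "type": "User", "alternateId": "admin@example.com"},
  "outcome": {"result": "SUCCESS"},
  "target": [{"id": "00g9", "type": "UserGroup", "displayName": "Finance"},
             {"id": "wfrole2", "type": "Role", "displayName": "Workflows Auditor"}]}
]"""


def load_events(raw: str) -> list:
    """Parse a JSON array of System Log events, as exported from the logs API."""
    return json.loads(raw)


def mfa_abandonment(events: list, threshold: int = 2) -> dict:
    """Count ABANDONED/UNANSWERED MFA outcomes per user and return the users at or
    above threshold, e.g. {"alice@example.com": {"ABANDONED": 2}}.
    Repeated abandonment is worth a look: it can be friction, or prompts a user
    did not initiate."""
    counts = defaultdict(Counter)
    for ev in events:
        if ev.get("eventType") != MFA_EVENT:
            continue
        result = (ev.get("outcome") or {}).get("result")
        if result in ABANDON_OUTCOMES:
            actor = ev.get("actor") or {}
            user = actor.get("alternateId") or actor.get("id", "unknown")
            counts[user][result] += 1
    return {u: dict(c) for u, c in counts.items() if sum(c.values()) >= threshold}


def workflows_role_changes(events: list) -> list:
    """Return (published, actor, action, subject_kind, subject, role) for every
    workflows.user.role.* event, so Workflows privilege changes can be reviewed."""
    changes = []
    for ev in events:
        event_type = ev.get("eventType")
        if event_type not in WORKFLOWS_ROLE_EVENTS:
            continue
        # Event type layout: workflows.user.role.<user|group>.<add|remove>
        subject_kind, action = event_type.split(".")[3:5]
        targets = ev.get("target") or []
        subject = next((t.get("displayName") for t in targets
                        if t.get("type") in ("User", "UserGroup")), None)
        role = next((t.get("displayName") for t in targets
                     if t.get("type") == "Role"), None)
        changes.append((ev.get("published"), (ev.get("actor") or {}).get("alternateId"),
                        action, subject_kind, subject, role))
    return sorted(changes, key=lambda c: c[0] or "")


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print("MFA abandonment:", mfa_abandonment(evs))
    for change in workflows_role_changes(evs):
        print("Workflows role change:", change)
```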
Fixes
- The new end-user Settings page didn't display links, password source text, or custom profile data. (OKTA-806262)
- A warning banner was incorrectly displayed during the WS-Federation setup, even though the setup was completed successfully. (OKTA-807313)
- The Sign-In Widget (third generation) wasn't the correct size and was missing the app name. (OKTA-822649)
- In Org2Org configurations where Okta is the source org, passwords weren't synced after the user signed in using a newly reset password. (OKTA-833862)
- Autofilled passkeys in the Sign-In Widget (third generation) failed and displayed an Invalid passkey error. (OKTA-836910)
- When employees were imported into SuccessFactors, past employment records were imported instead of current records. (OKTA-844570)
- When a custom domain was deleted or its enrollment was reset, the resulting email confirmation had a broken link and no branding. (OKTA-848261)
- When users signed in to the Secure Partner Access portal, they were redirected to the End-User Dashboard. (OKTA-855049)
- Microsoft's MSOL deprecation testing triggered the last remaining MSOL call in Okta's Office 365 provisioning, resulting in a failure to synchronize user attributes. (OKTA-870164)
Okta Integration Network
- Calendly by Aquera (SCIM) is now available. Learn more.
- Payflows has an additional SAML attribute.
- SAP ERP by Aquera (SCIM) is now available. Learn more.
- SAP HANA Provisioning Connector by Aquera has a new display name.
Weekly Updates
2025.2.1: Update 1 started deployment on February 18
Generally Available
Sign-In Widget, version 7.28.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
New On-Prem MFA agent version
Version 1.8.1 of the On-Prem MFA agent is now available. This version includes security enhancements.
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 12, 13, 14, 15 security patch 2025-02-05
- iOS 18.3
- macOS Ventura 13.7.3
- macOS Sonoma 14.7.3
- macOS Sequoia 15.3
- Windows 10 (10.0.17763.6775, 10.0.19044.5371, 10.0.19045.5371)
- Windows 11 (10.0.22621.4751, 10.0.22631.4751, 10.0.26100.2894)
New System Log event for third-party identity verification
The event type user.identity_verification is triggered when a request is sent to a third-party service for user identity verification as a result of an Okta Account Management Policy (OAMP) evaluation.
Fixes
- When the third-party admin status was granted or revoked from an admin or group, the System Log didn't record an event. (OKTA-823842)
- In the Admin Console, updates in the code editor that Okta couldn't parse returned a 500 Internal Server Error. (OKTA-837068)
- Users whose profiles were imported from Active Directory or LDAP received an error message when they clicked Forgot password. (OKTA-840053)
- Users whose account had a password expired status couldn't be added as group owners. (OKTA-846195)
- Admins without proper permissions were able to view the Import Monitoring report. (OKTA-850050)
- Some users encountered a double sign-in prompt from Okta FastPass when they tried to access apps on iOS devices. (OKTA-856105)
- NORDLAYER_VPN was incorrectly announced as a supported IP service category in enhanced dynamic zones. (OKTA-857826)
- Global session policies incorrectly displayed an error message for some authenticators for trust claims. (OKTA-860139)
- AMR values weren't forwarded to the app when a user signed in and Okta-to-Okta claims sharing was configured. (OKTA-860242)
- The help link for the Okta-to-Okta claims sharing feature was missing. (OKTA-860321)
- The help link for possession constraints was missing from the authentication policy rule page. (OKTA-862670)
Okta Integration Network
- ADP Recruiting Management by Aquera (SCIM) is now available. Learn more.
- Console (API Service) is now available. Learn more.
- Console (OIDC) is now available. Learn more.
- Dayforce by Aquera (SCIM) now has additional use cases.
- Microsoft SQL Server by Aquera (SCIM) now has additional use cases.
- Neowit (SAML) is now available. Learn more.
- Neowit (SCIM) is now available. Learn more.
- NordPass (OIDC) is now available. Learn more.
- QuickBooks Online by Aquera (SCIM) now has additional use cases.
- Redshift by Aquera (SCIM) now has additional use cases.
- Subble (API Service) is now available. Learn more.
- Symantec ZTNA (SAML) is now available. Learn more.
- Udemy Business (SAML) is now available. Learn more.
2025.2.2: Update 2 started deployment on February 24
Fixes
- Okta LDAP agent installation failed when using an inactive LDAP instance. (OKTA-467846)
- When an admin tried to use a feature that wasn't enabled in their org, a long error message appeared instead of a 403. (OKTA-733031)
- When the third-party admin status was granted to or revoked from an admin or group, the System Log didn't record an event. (OKTA-823842)
- In some authentication policies, the 1 factor type options appeared in the User must authenticate with dropdown menu when the Access is option changed to Allowed after successful authentication. (OKTA-826154)
- Newly created API Service Integration apps appeared on the Authentication policies page. (OKTA-836681)
- Some fields on the Add a policy page for authentication policies accepted code as well as regular text. (OKTA-837343)
- In orgs with the Okta account management policy enabled, federated users who successfully completed self-service account unlock still couldn't sign in. (OKTA-839418)
- The contains operator sometimes gave unclear error messages when used with fewer than 3 characters or with other operators. (OKTA-846206)
- Full imports from LDAP sometimes failed due to a timeout. (OKTA-849200)
- Users weren't prompted for multifactor authentication when the Sessions API was used to create sessions. (OKTA-858391)
- Some customers weren't required to verify their identity with an Identity Vendor when they clicked Back to sign in on the Sign-In Widget. (OKTA-860270)
- Some endpoints didn't block access to external redirect URLs. (OKTA-860388)
- When the Okta account management policy was enabled, some users who navigated to the End User Settings page were redirected to their Okta Dashboard. (OKTA-864257)
- Admins couldn't retrieve more than five entitlement SAML assertions and OIDC claims when configuring apps. (OKTA-865900)
- Unknown users received an internal server error when they tried to recover their passwords. (OKTA-873911)
Okta Integration Network
- AWS S3 by Aquera (SCIM) is now available. Learn more.
- Clutch Security (API Service) is now available. Learn more.
- Datadog (SCIM) now supports group push.
- Oracle Database by Aquera (SCIM) is now available. Learn more.
- Perimeter 81 (SAML/SCIM) has a new icon, display name, and description.
2025.2.3: Update 3 started deployment on March 3
Generally Available
Sign-In Widget, version 7.28.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Fixes
- Users received a confusing error message when they attempted to recover a non-recoverable authenticator. (OKTA-717735)
- Some users could set up their first password after their activation link expired. (OKTA-843013)
- The Add rule page for an authentication policy sometimes displayed the wrong factor types in the preview. (OKTA-849411)
- In some orgs, Okta users and AD-sourced users couldn't edit their profile information on the Settings page. (OKTA-864160)
- In Dynamic Zones, some IPs were classified incorrectly as anonymous proxies because of a misconfiguration by a third-party provider. (OKTA-864349)
- The System Log didn't display accurate client IP address data for refresh requests from first-party apps. (OKTA-864998)
- Some of the text on the Realms page wasn't translated. (OKTA-875929)
Okta Integration Network
- Chaos (OIDC) is now available. Learn more.
- Chaos (SCIM) is now available. Learn more.
- Jobvite by Aquera (SCIM) is now available. Learn more.
- Lifebalance Program (OIDC) has a new Redirect URI.
- Lobbipad (OIDC) is now available. Learn more.
- Lobbipad (SCIM) is now available. Learn more.
- narrativ.ai (OIDC) is now available. Learn more.
- NordPass (OIDC) has a new Redirect URI.
- Okta ISPM (API Service) now has the okta.roles.read and okta.factors.read scopes.
- Relvy AI (OIDC) is now available. Learn more.
- Zoom (SAML) now has configurable ACS and Audience URLs.
Version: 2025.01.0
January 2025
Generally Available
Sign-In Widget, version 7.27.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta Provisioning agent, version 2.2.0
This release contains bug fixes and minor improvements. The RPM installer is now signed. See Okta Provisioning agent and SDK version history.
Okta Active Directory agent, version 3.19.0
This release of the Okta Active Directory agent includes an additional layer of end-to-end encryption for payloads that are exchanged between Okta and the agent. Support for monitoring the Active Directory agent configuration file has been added, where a System Log event is emitted when the agent configuration has been changed on premises. This release also includes security enhancements and bug fixes. See Okta Active Directory agent version history.
Multiple Identifiers
Today, end users must sign in to Okta with a username or email address only. With the Multiple Identifiers feature, admins can configure identifiers, or user attributes from Universal Directory, that an end user can enter to authenticate. Multiple identifiers work in sign-on, recovery, self-service registration, and unlock flows. Admins can configure up to three identifiers, including email (which is still a required identifier). See Multiple identifiers.
OAuth 2.0 security for invoking API endpoints
Okta Workflows users can now securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this feature is more secure while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint. See Invoke a flow with an API endpoint.
Granular deprovisioning in Microsoft Office 365
You can now deprovision users in Office 365 using multiple methods. See Deprovisioning options for Office 365.
Just-In-Time Local Account Creation for macOS
Just-In-Time Local Account Creation is available for Okta Device Access. Okta admins can allow macOS users to create a local account by entering their Okta username and Okta password in the macOS sign-in dialog. This feature enables easier account management for admins and streamlines the user account creation process for end users. This is especially beneficial for devices or workstations that support multiple users. See Just-In-Time Local Account Creation for macOS.
Identity Verification with third-party Identity Verification providers
When users take certain actions, Identity Verification enables you to use a third-party Identity Verification provider to verify the identity of your users. Verification requirements and the Identity Verification provider are based on your authentication policies and configurations within your Okta org. Okta supports Persona as a third-party Identity Verification provider. See Add an identity verification vendor as an identity provider.
Block syncable passkeys
You can now block syncable passkeys during authentication. Previously, you could only block them during enrollment. This enhances the security of your org by preventing users from presenting such passkeys to attempt to enroll new, unmanaged devices. See Configure the FIDO2 (WebAuthn) authenticator.
Authentication method chain
With this feature, you can require users to verify with multiple authentication methods in a specified sequence. You can create multiple authentication method chains in an authentication policy rule to cater to different use cases and scenarios. This feature is now also supported in the Okta account management policy. See Authentication method chain.
Additional use case selection in the OIN Wizard
Independent software vendors (ISVs) can select the following additional use case categories when they submit their integration to the OIN:
- Automation
- Centralized Logging
- Directory and HR Sync
- Multifactor Authentication (MFA)
New group.source.id key for group functions in Expression Language
You can now use the group.source.id key in Expression Language group functions to filter between groups that have the same name.
Early Access
MFA for Secure Partner Access admin portal
MFA is required for accessing the partner admin portal app. See Manage Secure Partner Access.
Entitlement claims
You can now enrich tokens with app entitlements that produce deeper integrations. After you configure this feature for your app integration, use the Okta Expression Language in Identity Engine to add entitlements at runtime as OIDC claims and SAML assertions. See Generate federated claims.
Block syncable passkeys
You can now block syncable passkeys during authentication. Previously, you could only block them during enrollment. This enhances the security of your org by preventing users from presenting such passkeys to attempt to enroll new, unmanaged devices. See Configure the FIDO2 (WebAuthn) authenticator.
Fixes
- In some orgs, users were unlocked based on the settings of the default AD password policy rather than a higher priority password policy. (OKTA-755979)
- The user counts weren't updated accurately when running Realm assignment jobs. (OKTA-790104)
- Some text on the security methods page of the Sign-In Widget wasn't rendered correctly. (OKTA-803760)
- Leaving the Custom character restriction field empty in the Profile Editor resulted in an error. (OKTA-811861)
- The Manage Applications permission for Custom Admin roles unnecessarily allowed admins to manage the client credentials section for OAuth 2.0 Service apps. (OKTA-821119)
- The MFA Enrollment by User report didn't include the security question authenticator in the list of authenticators in situations where it was enrolled in a Classic Engine org that was migrated to Identity Engine. (OKTA-823066)
- In orgs using the Sign-In Widget (third generation), the Back to sign in link redirected users to the dashboard instead of the resource they intended to access. (OKTA-826892)
- In orgs using the Sign-In Widget (third generation), self-service registration failed for users who provided an invalid attribute during their first registration attempt. (OKTA-834905)
- Long group names were truncated on the Edit resources to a standard role page. (OKTA-839491)
- Users who completed self-service registration saw unexpected behavior when they enrolled in authenticators from their Settings page. (OKTA-843223)
- Viewing group members in the Admin Console sometimes displayed an error. (OKTA-844568)
- In some orgs using the Okta account management policy, AD users received an error when they tried to edit their password. (OKTA-844675)
Weekly Updates
2025.1.1: Update 1 started deployment on January 21
Generally Available
Sign-In Widget, version 7.27.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 12, 13, 14, 15 security patch 2025-01-05
- iOS 18.2
- macOS Ventura 13.7.2
- macOS Sonoma 14.7.2
- macOS Sequoia 15.2
- Windows 10 (10.0.17763.6659, 10.0.19044.5247, 10.0.19045.5247)
- Windows 11 (10.0.22621.4602, 10.0.22631.4602, 10.0.26100.2605)
New IP service categories
The NORDLAYER_VPN and PIA_VPN proxy services are now supported as IP service categories in enhanced dynamic zones. See Supported IP service categories.
Fixes
- The Slack start date wasn't imported through schema discovery. (OKTA-826971)
- User movement logs for Realm assignment jobs didn't display correctly. (OKTA-844398)
- When an Okta group was deleted while an app group reconciliation job was in progress, the job to delete the downstream app group wasn't scheduled. (OKTA-826938)
- Users on some orgs encountered an HTTP 500 error response when they tried to authenticate. (OKTA-802900)
- In orgs with Same-Device Enrollment for Okta FastPass enabled, some usernames with special characters were incorrectly displayed during Okta Verify enrollment on Android devices. (OKTA-839304)
- By using device-to-device bootstrap, users could enroll in Okta Verify despite policy rules configured to block enrollment for these users. (OKTA-814436)
Okta Integration Network
- Airflow by Tech Prescient (SCIM) is now available. Learn more.
- Asana by Aquera (SCIM) is now available. Learn more.
- Avigilon Alta (SCIM) now supports user deactivation.
- Corma (API Service) is now available. Learn more.
- Dovetail (OIDC) has a new icon and integration guide.
- ELMO (SCIM) is now available. Learn more.
- FCTR Identity Support Portal (SAML) is now available. Learn more.
- Jotform (SAML) is now available. Learn more.
- Island (SAML) has updated endpoints.
- Natoma (SAML) is now available. Learn more.
- Posit Workbench (SAML) is now available. Learn more.
- Posit Workbench (OIDC) is now available. Learn more.
- PrimeDrive (SAML) is now available. Learn more.
- Rocketlane (SCIM) is now available. Learn more.
- SAP HANA Provisioning Connector by Aquera (SCIM) is now available. Learn more.
- Udemy Business (SCIM) is now available. Learn more.
- UKG Pro Workforce Management by Aquera (SCIM) is now available. Learn more.
- VASTOnline (SCIM) is now available. Learn more.
- Vbrick Rev Cloud (SCIM) is now available. Learn more.
2025.1.2: Update 1 started deployment on February 3
Generally Available
RADIUS Server Agent version 2.24.2
This version fixes a bug in the Password Authentication Protocol, where in some instances the authentication failed if the user password was greater than 16 characters. It also includes security enhancements.
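The 16-character boundary mentioned above (and in fix OKTA-856260 further down) comes from how RADIUS PAP protects the User-Password attribute: RFC 2865 section 5.2 pads the password to a multiple of 16 octets and encrypts each 16-octet block with an MD5 keystream that is chained from the previous ciphertext block, so a password longer than 16 characters exercises a second, chained code path. The following is an added illustration, not Okta's agent code or the code of the fixed bug; the shared secret, Request Authenticator and passwords are constructed sample values. It implements the RFC 2865 encode/decode round trip and, as a labelled hypothetical, a single-block decoder that works for passwords of 16 characters or fewer but silently truncates longer ones, which is the kind of failure mode a server-side test should cover.

```python
import hashlib
import secrets

MAX_PASSWORD_OCTETS = 128  # RFC 2865 section 5.2 upper bound for User-Password


def _pad_password(password: bytes) -> bytes:
    """Pad with NUL octets to a multiple of 16, as RFC 2865 section 5.2 requires."""
    if not password or len(password) > MAX_PASSWORD_OCTETS:
        raise ValueError("RADIUS User-Password must be 1..128 octets")
    return password + b"\x00" * ((-len(password)) % 16)


def encode_user_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: c1 = p1 XOR MD5(S+RA), cN = pN XOR MD5(S+c(N-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = _pad_password(password)
    out = bytearray()
    prev = authenticator  # the chain starts from the Request Authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # each later block is keyed from the previous ciphertext block
    return bytes(out)


def decode_user_password(encoded: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password; strips the NUL padding (RADIUS passwords contain no NUL)."""
    if not encoded or len(encoded) % 16 or len(encoded) > MAX_PASSWORD_OCTETS:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 octets, at most 128")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        keystream = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def naive_single_block_decode(encoded: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Hypothetical defective decoder: handles only the first 16-octet block.

    Passwords of 16 characters or fewer decode correctly; anything longer is
    truncated, so the user's password never matches. This is an illustration
    of the boundary, not a description of the actual bug that was fixed.
    """
    keystream = hashlib.md5(shared_secret + authenticator).digest()
    return bytes(c ^ k for c, k in zip(encoded[:16], keystream)).rstrip(b"\x00")


def round_trip_ok(password: bytes, shared_secret: bytes, authenticator: bytes) -> bool:
    """True when the full RFC 2865 chain recovers the original password."""
    return decode_user_password(encode_user_password(password, shared_secret, authenticator),
                                shared_secret, authenticator) == password


if __name__ == "__main__":
    # Constructed sample values; a real client uses a fresh random Request Authenticator per request.
    secret = b"constructed-shared-secret"
    ra = secrets.token_bytes(16)
    for pw in (b"exactly16chars!!", b"exactly16chars!!x"):
        enc = encode_user_password(pw, secret, ra)
        print(len(pw), "chars ->", len(enc), "octets; full decode ok:", round_trip_ok(pw, secret, ra),
              "; single-block decode ok:", naive_single_block_decode(enc, secret, ra) == pw)
```

When testing a RADIUS client or server against a PAP change, include at least one password of exactly 16 characters and one of 17 or more, since the first chained block is only produced for the latter.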
Sign-In Widget, version 7.27.3
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget.
Fixes
- When a super admin updated a deactivated user to a different realm, admins received a Resource not found error. (OKTA-699778)
- Searching a name with special characters in Realms failed. (OKTA-801220)
- A permission wasn't checked for the MFA WebAuthn action. (OKTA-801809)
- Some accounts that used custom admin roles were unable to create, delete, or unlink group push mappings. (OKTA-803378)
- If an error occurred while an admin performed a protected action, the resulting error message was sometimes unclear. (OKTA-808668)
- When a device name changed, the name displayed on the user profile page didn't match the name shown on the Reset Authenticators page. (OKTA-811522)
- Some users with the application administrator role weren't able to manage the apps they were assigned. (OKTA-814563)
- The Manage Applications permission for custom admin roles unnecessarily allowed admins to manage the client credentials section of OAuth Service applications. (OKTA-821119)
- The System Log sometimes displayed the org authorization server even though the error and the call were related to the custom authorization server. (OKTA-821988)
- Users weren't signed out of Single Logout-enabled apps when they accessed Okta through a custom domain with iFrame embedding enabled. (OKTA-822650)
- Users couldn't sign in to Okta after an app was deactivated and deleted. (OKTA-828955)
- The Authentication Policy page sometimes displayed an error message instead of policies. (OKTA-832259)
- Events for tokens revoked in bulk for a resource didn't appear in the System Log. (OKTA-834025)
- Custom app instance icons weren't displayed in Profile Editor in the Admin Console. (OKTA-837626)
- Some service account users received an error message despite successfully changing their passwords. (OKTA-841078)
- Some admins received an error message when they clicked Admin on the End-User Dashboard. (OKTA-842573)
- When admins updated an authentication policy rule, the previous and changed states didn't appear in the 'policy.rule.update' System Log event. (OKTA-843745)
- The Atlassian Jira Cloud app didn't inject credentials when using SWA. (OKTA-843781)
- Some users weren't prompted for multifactor authentication if another user was signed in to Okta with a different session on the same browser. (OKTA-846381)
- Users received an error message when they enrolled a Personal Identity Verification card even though the System Log indicated that the enrollment was successful. (OKTA-846423)
- Account unlock didn't work for some orgs using the Okta account management policy. (OKTA-848066)
- The Username hint was inaccurate. (OKTA-851440)
- Some users could enroll authenticators with self-attested passkeys even though the admin only allowed certificate-based attestation in their org. (OKTA-851468)
- On the Admin Dashboard, the Tasks widget sometimes didn't load. (OKTA-851807)
- When admins tried to customize the signing options of the SAML 1.1 app, their changes didn't appear. (OKTA-852911)
- In orgs with Multiple Identifiers enabled, some users couldn't perform self-service registration. (OKTA-853911)
- The Administrator assignment by role page displayed an error if an admin had duplicate assignments. (OKTA-854906)
- The email notification for protected actions indicated that actions were taken instead of attempted. (OKTA-854973)
- Users with passwords greater than 16 characters couldn't sign in when the Password Authentication Protocol with Message-Authenticator feature was enabled. (OKTA-856260)
Okta Integration Network
- ADP Link by Aquera (SCIM) is now available. Learn more.
- Cirro (OIDC) is now available. Learn more.
- Concentric AI (SAML) is now available. Learn more.
- Cyble Vision (SAML) is now available. Learn more.
- Dayforce by Aquera (SCIM) is now available. Learn more.
- Deel HR (SCIM) now supports profile sourcing.
- FCTR Identity Support Portal (API Service) is now available. Learn more.
- Gumband (OIDC) is now available. Learn more.
- Island Management Console (SAML) has updated endpoints.
- Microsoft SQL Server by Aquera (SCIM) is now available. Learn more.
- Opensense (SAML) is now available. Learn more.
- QuickBooks Online by Aquera (SCIM) is now available. Learn more.
- Payflows (SAML) is now available. Learn more.
- Redshift by Aquera (SCIM) is now available. Learn more.
- Resonance by spiderSilk (SAML) is now available. Learn more.
- SmartSite (OIDC) is now available. Learn more.
- Speeda Sales Insights (OIDC) is now available. Learn more.
- TrustWorks (SAML) is now available. Learn more.
- XplicitTrust Network Access (API Service) is now available. Learn more.