Okta Identity Engine release notes (Production)
Version: 2026.01.0
January 2026
Generally Available
Sign-In Widget, version 7.39.0
For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- iOS 18.7.3, 26.2
- macOS 14.8.3, 15.7.3, 26.2
Updated help doc links on the Recent activity page
The Recent Activity page in the End-User Settings 2.0 has updated help doc links.
Login hint evaluation for non-OIDC apps
The Security > General page of the Admin Console has been updated with a new Login hint evaluation for Non-OIDC Applications setting. This setting controls whether the Sign-In Widget evaluates login hints when provided by an app. See General Security.
JSON Web Encryption of OIDC ID tokens
You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.
Unified claims generation for custom apps
Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.
Stay signed in text clarification
The App sign-in policy configuration page has updated text clarifying that the option to stay signed in persists across all apps. See Add an app sign-in policy rule.
New look and feel in the Access Requests email notifications
The Access Requests email notifications have a new look and feel, including updates to the text alignment, colors used, location of the Okta logo, and the addition of a gray background.
Escalate tasks is generally available in Production environments
Access request admins and request assignees can escalate stalled tasks within a request to the task assignee's manager. Requesters can also escalate tasks within their access requests if you've enabled the Allow requesters to escalate tasks toggle on the Settings page. This helps expedite request resolution, prevents bottlenecks, improves productivity, and helps reduce the use of risky workarounds. Task escalation is a secure, auditable, and automated process that helps you adopt time-based access request models by supporting both efficient operations and strong security postures.
New custom admin permissions
New custom admin permissions let you read or read and write in app sign-in, global session, and Okta account management policies. This enhances the granularity of admin permissions in your org. See Create a resource set.
Usability enhancements for Office 365 WS-Federation configuration
The WS-Federation configuration interface on the sign-in page has been refined for improved clarity and usability:
- The View Setup Instructions button has been relocated to optimize the visual layout.
- A new display option has been added to visualize parent and child domain relationships.
Device Assurance for Windows: Virus and threat protection
Admins can now enforce a Device Assurance condition that requires Windows devices using the Chrome browser to have virus and threat protection enabled. This feature strengthens your org's security posture by ensuring that user devices are protected by active antivirus software before granting access.
Local Network Access prompting for Okta FastPass
When signing in to Okta-protected apps, users should allow Local Network Access at the browser prompt. If access is blocked, the Sign-in Widget shows remediation instructions and a link to the help documentation so users can continue to use Okta FastPass.
Enhanced provisioning support for Office 365 GCC High integration
Office 365 GCC High provisioning now supports Universal Sync. This enables admins to synchronize on-premises attributes to Microsoft Entra ID.
Okta account management policy protection for password expiry flows
This feature improves the security posture of customer orgs by protecting the password expiry flow with the Okta account management policy. Password expiry flows now require the assurance defined in an org's Okta account management policy. See Enable password expiry.
Early Access
Okta for AI agents
You can now register, secure, and govern AI agent identities directly within Okta. Designed to secure human-to-agent-to-app connections, Okta for AI agents helps you enforce least privilege access, eliminate standing privileges, and track every agent action using the System Log. It also enables you to allow AI agents to operate as an accountable part of your digital workforce while maintaining a seamless user experience. See Manage AI agents.
Breached credentials protection
Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.
Breached credentials protection is now available for Federal customers.
Native to Web SSO
Native to Web SSO creates a seamless, unified authentication experience when a user transitions from an OIDC app (like a native or web app) to a web app (either OIDC or SAML). This feature uses standard, web-based federation protocols like SAML and OpenID Connect that help bridge the gap between two different application environments, using a single-use, one-way interclient trust SSO token. This eliminates repeating already provided sign-on assurances, and simplifies development by reducing authentication complexity. See Configure Native to Web SSO.
Policy Insights Dashboard
The Policy Insights Dashboard gives you a clear view of a policy's impact on your org. You can monitor trends in successful sign-ins, access denials, and authenticator enrollments, and also gain insight into the time users spend signing in and the prevalence of phishing-resistant authentications. The dashboard also tracks the frequency of rule matches and the percentage of successful sign-in attempts. See Use the Policy Insights Dashboard.
Bring your own telephony credentials
You can now connect your own telephony provider using a new simplified setup that doesn't require you to use a telephony inline hook. You can handle usage billing directly with your provider. Okta currently supports Twilio and Telesign. See Configure telephony providers through the Admin Console.
Release controls for Okta Verify on Windows
With the new release controls feature, admins can configure whether to allow, pause, or restrict automatic updates to Okta Verify on Windows. This provides greater flexibility for meeting enterprise change management requirements and managing version rollouts across Windows endpoints. See Configure Okta Verify release controls.
Inline step-up flow for User Verification with Okta Verify
End users can now easily satisfy authentication policies that require higher User Verification (UV) levels, even if their current enrollment is insufficient. This feature proactively guides users through the necessary UV enablement steps. As a result, administrators can confidently implement stricter biometric UV policies to eliminate the risk of user lockouts and reduce support inquiries related to UV mismatches. See User experience based on Okta Verify user verification settings.
Fixes
- In orgs with global session policies that required a password, users couldn't authenticate with their password and a security question, even though the org's app sign-in policy allowed that combination of factors. (OKTA-1020729)
- When users entered an invalid OTP in the Sign-in Widget too many times and clicked Back to sign in, they were redirected to the wrong page. (OKTA-1038368)
- When an authenticator enrollment policy required Okta Verify, some users weren't prompted to enroll it in their desktop browser. (OKTA-1047509)
- The following attributes weren't properly being gated as reserved attributes: orgid, activationstatus, apistatus, logintype, initialreconcilecomplete, activationdate, statuschangeddate, apilastupdate, passwordexpirationguess, passwordexpirationcursor, numunlocks, changedstatus. See Review reserved attributes. (OKTA-1049339)
- In Preview orgs, admins couldn't see error messages because they were blocked by a banner. (OKTA-1053703)
- Sometimes, if users attempted to sign in through JIT during a replication lag, a 500 error occurred. (OKTA-1055324)
- In orgs with claims sharing enabled, admins couldn't disable the FastPass authentication method when they tried to change their app sign-in policies. (OKTA-1076241)
- In orgs with End-User Settings 2.0 enabled, brand logos didn't display on the My Settings page. (OKTA-1082109)
- In orgs with End-User Settings 2.0 enabled, the branding primary color didn't display on the navigation menu of the My Settings page. (OKTA-1082119)
- In the Access Testing Tool, the column that explained which conditions matched had a title and text that were sometimes unclear for admins. (OKTA-949568)
- The User.Session.Start event wasn't consistently recorded in the System Log when users signed in with TouchID. (OKTA-996730)
- Admins encountered an error when they attempted to update the username for an app user. (OKTA-1047716)
- When an admin provisioned an LDAP user with a LDAP Generalized Time attribute from Okta to LDAP, the time value was formatted incorrectly. (OKTA-1056428)
- Some authentication attempts from computers were incorrectly identified as iOS devices, causing access denials for policies that used a client.device eq "Computer" expression. (OKTA-1060121)
- JIT users were redirected to a SP before app assignments were completed, causing an access denied error. (OKTA-1061698)
- In orgs with an Okta Org2Org integration, the Sign-In Widget displayed the wrong user email address if the address was changed during authentication. (OKTA-1063332)
- Microsoft Office 365 user provisioning failed intermittently with a 429 error. This occurred when the system attempted to provision users who already existed in the Microsoft Entra recycle bin with the same onPremisesImmutableId. (OKTA-1068843)
- Some users on unmanaged devices received an internal server error in the Sign-In Widget. This occurred when the users authenticated to orgs that had management attestation enabled but lacked a custom message for the managed device remediation. (OKTA-1079371)
- In orgs that disabled certificate-based authentication for Office 365, Windows Autopilot was incorrectly removed from the app sign-in policy. (OKTA-1081329)
- Active Directory imports failed with an "Incorrect result size" error when DirSync was enabled. This occurred because creating a new group in Active Directory generated duplicate entries during the import process. (OKTA-1082847)
- When users clicked the Microsoft Teams tile on the Okta End-User Dashboard, they were directed to an error page stating that "Classic Teams is no longer available." This occurred because the destination URL was outdated following a change by Microsoft. (OKTA-1084267)
Okta Integration Network
- Dokio (SCIM) is now available. Learn more.
- Kuranosuke (SAML) is now available. Learn more.
- LINE WORKS (SCIM) is now available. Learn more.
- SciLeads Portal (OIDC) is now available. Learn more.
- SciLeads Portal (SCIM) is now available. Learn more.
- ShareCal (SCIM) is now available. Learn more.
- ShareCal (SAML) was updated with a new logo.
- Humana Military (SWA) was updated.
- Xint (OIDC) added new IDP flow.
- cmBuilder (OIDC) has a new Redirect URI and a new Post Logout Redirect URI. Learn more.
- Xurrent IMR (Formerly Zenduty) (SAML) has a new name and new icon.
Version: 2025.12.0
December 2025
Generally Available
New versions of Okta Provisioning agent and SDK
Okta Provisioning agent 3.0.6 and Okta Provisioning agent SDK 3.0.6 are now available. This release contains the following:
- The maxItemsPerPage is now configurable to meet your specific requirements.
- Memory optimizations and other minor improvements.
Sign-In Widget, version 7.38.0
For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.
Allow profile updates for deactivated users
Super admins can now choose to allow updates to profile attribute values for deactivated users, ensuring their profiles remain current. See Edit deactivated user profiles.
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- iOS 18.7.2, 26.1
- macOS 14.8.2, 15.7.2, 26.1
- Android 13, 14, 15, 16 security patch 2025-11-01
Okta LDAP agent, version 5.25.0
This version of the agent includes security enhancements.
Nonce rollout for Content Security Policy
Okta is removing unsafe-eval from the script-src directive of Content-Security-Policy for every endpoint that returns HTML content. These are endpoints that you can't customize and whose Content-Type response header is text/html. This is a two-stage process: first, unsafe-eval is removed from the script-src directive of the Content-Security-Policy-Report-Only header; later, after any unsafe-eval violations are fixed, unsafe-eval is removed from the script-src directive of the Content-Security-Policy response header.
This update will be gradually applied over several months, until all endpoints enforce the new Content-Security-Policy, which means this change will span several releases.
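Because the rollout is gradual, different endpoints can be at different stages at the same time. The following added example (not Okta code) classifies sampled responses by stage from their headers; the endpoint paths, header values, and stage names are constructed for illustration, and each header is assumed to appear at most once per response.

```python
# Added example: classify where a text/html response sits in the two-stage
# unsafe-eval removal, using only its CSP response headers.
# Stage names, paths and header values below are constructed for illustration.

ENFORCED = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


def parse_csp(value):
    """Parse one CSP header value into {directive_name: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Directive names are case-insensitive; a repeated directive is
        # ignored by browsers, so the first occurrence wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_sources(policy):
    """Effective script sources: script-src, else the default-src fallback."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")  # None when scripts are not governed


def allows_unsafe_eval(header_value):
    """True/False when the policy governs scripts; None when the header is
    absent or has neither script-src nor default-src."""
    if header_value is None:
        return None
    sources = script_sources(parse_csp(header_value))
    if sources is None:
        return None
    return any(s.lower() == "'unsafe-eval'" for s in sources)


def rollout_stage(headers):
    """Return 'out-of-scope', 'not-started', 'report-only' or 'enforced'."""
    h = {k.lower(): v for k, v in headers.items()}
    content_type = h.get("content-type", "").split(";")[0].strip().lower()
    if content_type != "text/html":
        return "out-of-scope"  # the change only targets text/html responses
    if allows_unsafe_eval(h.get(ENFORCED)) is False:
        return "enforced"      # stage 2: removed from the enforced policy
    if allows_unsafe_eval(h.get(REPORT_ONLY)) is False:
        return "report-only"   # stage 1: violations are reported, not blocked
    return "not-started"


def audit(responses):
    """Map each sampled path to its rollout stage."""
    return {path: rollout_stage(hdrs) for path, hdrs in responses.items()}


# Constructed sample responses (hypothetical paths and policies).
SAMPLE_RESPONSES = {
    "/example/legacy": {
        "Content-Type": "text/html; charset=UTF-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-eval'",
        "Content-Security-Policy-Report-Only": "script-src 'self' 'unsafe-eval'",
    },
    "/example/stage-one": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "script-src 'self' 'unsafe-eval'",
        "Content-Security-Policy-Report-Only":
            "script-src 'self' 'nonce-c29tZS1ub25jZQ'; report-uri /example/csp-report",
    },
    "/example/stage-two": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-c29tZS1ub25jZQ'",
    },
    "/example/api": {
        "Content-Type": "application/json",
        "Content-Security-Policy": "default-src 'none'",
    },
}

if __name__ == "__main__":
    for path, stage in audit(SAMPLE_RESPONSES).items():
        print(f"{path}: {stage}")
```

Endpoints in the report-only stage are the ones to watch for violation reports, since any script that still depends on eval there will fail once the same policy is enforced.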
Changes to preview user functionality
On the User page of the campaign wizard, Preview user is now called Preview expression scope. When you preview a user, Okta only validates the user against the Okta Expression Language expression that you specified. A user who matches the expression but isn't assigned to a resource in the campaign won't be included in the campaign.
Enhanced policy tracking in the System Log
The System Log now includes the PolicyId and PolicyRulePriority fields in the Rule target for policy.evaluate_sign_on events.
Universal Directory map toggle
The new Universal Directory (UD) map toggle enables admins to link a user's email address to their identifier. This allows admins to enable the self-service registration feature. See General Security.
Smart Card enrollment and activation events
When a new user authenticates with a Smart Card through the Sign-in with PIV/CAC button, factor enrollment and activation events are now recorded in the System Log.
Support for Microsoft 365 GCC environment
Okta now supports the Microsoft Office 365 Government Community Cloud (GCC) environment. You can now use the Microsoft Office 365 app to configure Single Sign-On and provisioning for GCC tenants.
Local Network Access prompting for Okta FastPass
When signing in to Okta-protected apps, users should allow Local Network Access at the browser prompt. If access is blocked, the Sign-in Widget shows remediation instructions and a link to the help documentation so users can continue to use Okta FastPass.
Passkey and security key subdomain support
Okta now lets users authenticate with their passkeys or security keys in their Okta org or custom domain, and all subdomains below them. This helps you achieve phishing-resistant authentication and avoids the need to issue multiple passkeys or security keys to each user for each domain they access. See Configure the FIDO2 (WebAuthn) authenticator.
Enhanced import monitoring with real-time updates
You can now view real-time progress for imports from the Import Monitoring dashboard. This provides greater visibility into the current status of in-progress imports such as the number of data chunks currently being processed.
Passkeys from Android devices
Okta now accepts passkeys that are generated by Android devices. Okta associates these passkeys with trusted web domains to enable users to authenticate with them. This expands the number of device types that Okta supports for passkey use. See Configure the FIDO2 (WebAuthn) authenticator.
OAuth grant type options for custom apps
Now when you configure SCIM provisioning for a custom SWA or SAML app with OAuth 2, you can set the grant type to Authorization code or Client credentials. See Add SCIM provisioning to app integrations.
Enhanced provisioning support for Office 365 Entitlement Management
When Entitlement Management is enabled for the Office 365 app, you can now use all four provisioning options: licenses/role management, profile sync, user sync, and universal sync.
More Universal Directory attributes available for identity verification mapping
Admins can now map more Universal Directory attributes when sending verification claims to an identity verification (IDV) vendor. This improves the accuracy of verification and gives the admin control over which attributes are sent to the IDV vendor. See Map profile attributes from Okta to an identity verification vendor.
Improved realm picker access
The realm picker now automatically filters to display up to five realms that only an admin can access.
System Log updates for security.request.blocked events
When security.request.blocked events are triggered by dynamic or enhanced dynamic network zones, the System Log now populates the client.zone field.
Delegated flow updates
Delegated flows now include a Caller input field. This allows you to pass more information to a flow that was called from another Okta product. For example, the requestID from Access Requests is now passed to the delegated flow. See Build a delegated flow.
Early Access
SHA-256 digest algorithm support
Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.
Device conditions in the Okta account management policy
With this feature, admins can now restrict account management activities such as self-service password resets or new authenticator enrollments with device conditions. Admins can configure Okta account management policy rules with registered and managed devices, or require devices to meet the requirements of a device assurance policy. See Add a rule for enrollment of your first phishing-resistant authenticator.
Governance for Workflows now available in EA
You can now use Okta Identity Governance to manage access to Workflows roles. This helps you ensure that access to Workflows is granted consistently and in compliance with your company's requirements. See Governance for Workflows.
Breached credentials protection
Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.
Breached credentials protection is now available for Federal customers.
Enable custom admin roles for inline and event hooks
The inline hook and event hook framework now supports read and write permissions for custom admin roles. This enhancement gives fine-grained access to manage inline and event hooks that previously required the super admin role. See Role permissions.
Device Assurance for Windows: Virus and threat protection
Admins can now enforce a Device Assurance condition that requires Windows devices using the Chrome browser to have virus and threat protection enabled. This feature strengthens your org's security posture by ensuring that user devices are protected by active antivirus software before granting access.
Detection settings in session protection
Tailor ITP to your org's security priorities to gain control and balance security with a seamless user experience. With new detection settings, you can define which session context changes trigger policy re-evaluations, helping you focus only on what truly matters. See Session protection.
User enumeration prevention enhancement
Admins can now configure which authentication methods users are prompted for when they sign in from an unknown device or browser and trigger enumeration prevention. This enhances org security by adding more protection to sign-in attempts. See General Security.
Improved End-User Settings version 2.0 user interface
End-User Settings version 2.0 has new enhanced user interface elements.
Fixes
- Group push sometimes failed during deployments. (OKTA-941489)
- The SCIM 2.0 User update operation sent an empty object when multi-value roles were configured and one of the roles or attributes was undefined or null for the user. (OKTA-945579)
- When admins created a linked group, no description was displayed. (OKTA-996729)
- When an import exceeded the app unassignment limit, the Learn More link resulted in an error. Additionally, the App assignment removal limit link incorrectly redirected to the main Assignments tab instead of the Import Safeguard configuration settings. (OKTA-1010606)
- A misleading error appeared in the System Log when admins selected Refresh Application Data for CSV Directory integrations. The system attempted to download unsupported custom objects, generating an error even though the import completed successfully. (OKTA-1011439)
- Users who were locked out of their account, had an account in recovery, or had an expired password, saw an Internal Server Error message when they clicked Request activation email. (OKTA-1020121)
- The MFA Enrollment by User report displayed an "Unexpected response" error when loading the Enrollment by Authenticator Type dynamic chart. (OKTA-1030846)
- Users with a custom admin role were unable to confirm assignments in Active Directory. (OKTA-1034364)
- When configuring OIDC identity providers in the Admin Console, admins couldn't set the issuerMode property because it was missing. (OKTA-1035016)
- Users in Germany who were added to a new app sign-in policy that required biometrics saw an Internal Server Error when they tried to sign in. (OKTA-1036434)
- Active Directory imports failed with an Incorrect result size error when DirSync was enabled. This occurred because creating a new group in Active Directory generated duplicate entries during the import process. (OKTA-1043592)
- Sometimes, clicking Retry Selected to retry information tasks incorrectly resulted in a failure. (OKTA-1043901)
- The expected text when Don't create Okta password was selected on the Finish campaign dialog wasn't displayed. (OKTA-1044068)
- The Sign-In Widget (third generation) didn't show an error message if users clicked Verify without entering their SMS OTP in the Enter Code field. (OKTA-1056852)
- DirSync jobs continued to be scheduled for Office 365 instances even after provisioning was disabled. (OKTA-1059506)
- The state of the Include Groups in RADIUS response checkbox didn't update correctly when Radius agents were configured to send multiple group response attributes. (OKTA-1060165)
- There were several alignment issues on the user profile > Admin roles tab and throughout the Administrators pages. (OKTA-1061753)
- In the Actions menu on the App sign-in policy page, the description for the Delete action was missing when the action was unavailable. (OKTA-1061865)
- Customized names for authenticators with multiple enrollments weren't displayed to anonymous users when user enumeration prevention was enabled. (OKTA-1063947)
- On the App sign-in policy page, the description under Actions > Clone didn't update based on whether or not the policy was shareable. (OKTA-1064678)
- During a password migration, when a password capture was skipped, the wrong reason for skipping the capture was recorded in the System Log. (OKTA-1068361)
- On the App sign-in policy page, admins who had custom policy permissions but lacked application permissions couldn't view the app sign-in policy rules. (OKTA-1069119)
- When an Identity Verification IdP was created with openid, profile, identity_assurance, idv_flow scopes, only the default scopes were sent to the Pushed Authorization Request. (OKTA-1069299)
- Updates to user entitlements in JDBC applications failed to sync to the remote profile. This occurred when a user was re-imported without any changes to their profile data. (OKTA-1070338)
Okta Integration Network
- Svix (OIDC) is now available. Learn more.
- OpenPolicy (SCIM) is now available. Learn more.
- Coalition Control has a new integration guide.
- Practising Law Institute (SWA) was updated. (OKTA-1063963)
- Clearout.io (OIDC) has updated use cases and a new Initiate login URI. Learn more.
- Svix now supports Universal Logout.
- Harmony SASE (SCIM) has been updated with new regions.
Weekly Updates
2025.12.1: Update 1 started deployment on January 5
Generally Available
Device assurance OS version update
The following OS versions are now supported in Device Assurance policies:
- Windows 10 (10.0.17763.8146, 10.0.19044.6691, 10.0.19045.6691)
- Windows 11 (10.0.22631.6345, 10.0.26100.7462, 10.0.26200.7462)
Event hooks for app provisioning and imported changes events
You can now use event hooks for the Okta events that provision app users and import changes from apps. The following events are now event hook eligible:
- application.provision.user.push_profile
- application.provision.user.push
- application.provision.user.reactivate
- application.provision.user.import_profile
- app.user_management.user_group_import.upsert_success
See Event Types.
Fixes
- Sometimes a Null Pointer Exception caused an HTTP 500 error when users initiated a Self-Service Registration. (OKTA-909226)
- The End-User Settings 2.0 app didn't recognize the Okta global session cookies persist across browser sessions setting, even though admins disabled it. (OKTA-1010661)
- Attempts to build the Okta Provisioning Connector SDK (version 02.04.00) example server failed with a dependency resolution error. (OKTA-1021402)
- Active Directory imports failed with an "Incorrect result size" error when DirSync was enabled. This occurred because creating a new group in Active Directory generated duplicate entries during the import process. (OKTA-1043592)
- In some orgs, after assigning a group to an app, any users in the group that failed to be activated in the downstream app weren't able to access the app from their End-User Dashboard, and the task to retry the activation was inadvertently hidden. (OKTA-1060837)
- When security.request.blocked events were triggered by IP zones, the client.zone field wasn't populated in the System Log. (OKTA-1060987)
- Recent UI changes prevented some admins from accessing the Account page. (OKTA-1062156)
- In orgs with end-user remediation for management attestation enabled, the Sign-In Widget incorrectly displayed remediation instructions when the authenticating device's platform didn't match the platform defined in the device assurance policy. (OKTA-1064062)
- The Add a domain to Office 365 link in the Office 365 manual federation instructions pointed to an invalid URL. (OKTA-1068862)
- When an admin reused a device policy identifier from a preview org in a production org, users received a Resource not found error during the sign-in flow. (OKTA-1069092)
- Updates to user entitlements in JDBC applications failed to sync to the remote profile. This occurred when a user was re-imported without any changes to their profile data. (OKTA-1070338)
- When ISVs attempted to submit an app in the OIN wizard, the scim_base_url wasn't allowed in the submissions as an App Instance Property (AIP). (OKTA-1070530)
- The PagerDuty app integration didn't use the correct Universal Logout endpoint. (OKTA-1070647)
- When a user session context change violated a global session or app sign-in policy, the resulting action had inconsistent names on the Session Protection Violation Report and User risk table. (OKTA-1073989)
- Some UI elements in the Encryption keys section of the authorization server Settings tab didn't render correctly. (OKTA-1075244)
Okta Integration Network
- BetterLogiq (OIDC) is now available. Learn more.
- Navan (SAML) has updated endpoints.
- BetterLogiq now supports Express Configuration.
- GoSystem Tax (SWA) was updated.
- Lyster now supports Express Configuration.
- BetterLogiq now supports Universal Logout.
- Bedrock Analytics (OIDC) is now available. Learn more.
- AfterShip (SAML) is now available. Learn more.
- Scalefusion OneIdP (SCIM) is now available. Learn more.
- Audit Sight (OIDC) is now available. Learn more.
- Audit Sight (SAML) is now available. Learn more.
- Veraproof Scimify (SCIM) is now available. Learn more.
- Biome (OIDC) is now available. Learn more.
- Biome (SCIM) is now available. Learn more.
Version: 2025.11.0
November 2025
Generally Available
Manage agents permission granted to certain roles
Custom admin roles with the View application and their details permission now have the View agents permission. This is a temporary change that helps Okta separate the two permissions in a future release. See Role permissions.
New System Log event for AD agent changes
The System Log event system.agent.ad.config.change.detected reports when Okta support modified an AD agent configuration.
Express Configuration supports Universal Logout
Admins can now quickly integrate Universal Logout-enabled apps using Express Configuration. When Universal Logout is available for an Express Configuration app, a Configure SSO & UL button appears on the configuration page. See Add an app with Express Configuration.
Custom domains and certificates
Okta now supports the use of SHA 384 and SHA 512 signed certificates for custom domains. See Configure a custom domain.
Sign-In Widget, version 7.36.3
For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.
Partner Admin Portal App Switcher
In the Partner Admin Portal, you can now use the App Switcher to navigate to your apps.
Okta Active Directory agent, version 3.22.0
This release includes LDAPS support and bug fixes. See Okta Active Directory agent version history.
Remember last-used authenticator: Okta FastPass
Okta now remembers FastPass as the last-used authenticator when users click "Sign in with Okta FastPass" on the Sign-In Widget.
Simplified Windows Autopilot integration
You can use Okta to secure and streamline the Windows Autopilot flow on end-user devices. You can add a sign-on policy rule in Okta that requires MFA when enrolling a device through Windows Autopilot. This increases security without compromising the user experience and ensures that every new device is provisioned by the right user. See Typical workflow for using Okta with Windows Autopilot.
ITP landing page
Previously, Identity Threat Protection with Okta AI (ITP) information and controls were nested across various pages of the Admin Console. All of your ITP insights and controls are now consolidated on the Security tab in the Admin Console. This unified view saves you time and enables faster action by allowing you to investigate data and configure a response, all in a single place. See Identity Threat Protection with Okta AI.
Inline FastPass enrollment on multiple devices
Users can complete inline enrollment of Okta Verify when they have already enrolled in Okta Verify on a different device platform using a different method.
Network restrictions for OIDC token endpoints is GA in Production
You can now apply network restrictions to OIDC token endpoints to enhance token security. See Create OpenID Connect app integrations.
Export Okta Identity Governance reports in PDF format
You can now export Okta Identity Governance reports to PDF. When exporting, you can also select specific columns to include in the report.
Changes to the Okta Sign-In Widget UI
The Okta Sign-In Widget (first and second generation) now uses the native Select component for dropdown elements. These UI elements have a new appearance, and the dropdown search functionality is no longer available.
Behavior Detections for new ASN
Admins have been able to create behavior detections for IP, Velocity, Location, or Device. This new functionality introduces behavior detection on a new ASN (Autonomous System Number), based on the IP found in the request tied to the event. See Add an ASN behavior.
Temporary Access Code authenticator
The Temporary Access Code (TAC) authenticator allows admins to generate temporary codes that let users authenticate in onboarding, account recovery, and other temporary access scenarios. This authenticator enhances security in these scenarios by granting users access to their orgs without having to use their usual authenticators. See Configure the temporary access code authenticator.
Automatically select Okta Verify and custom push methods
Okta now automatically selects Okta Verify (OV) and custom push methods when they are the only options that meet assurance requirements. Previously, in some scenarios, users had to manually select these methods. This update eliminates that extra step.
Enrollment grace periods
Today, when admins define an enrollment policy for a group, the entire group must enroll immediately, which can be disruptive to their day-to-day tasks.
With Enrollment Grace Periods, end users can defer enrollment in new authenticators until an admin-defined deadline when enrollment becomes mandatory. This allows end users to enroll at a time convenient to them and allows for more graceful enrollment before enforcing new authenticator types in authentication policies. See Authenticator enrollment policies.
Enhanced security for Okta Access Requests web app
The Okta Access Requests web app now performs policy evaluations before granting new access tokens.
Early Access
Password complexity requirements
Okta now lets you limit the number of consecutive repeating characters that users can put in their passwords. Password complexity requirements are now also applied to Active Directory and LDAP-sourced users. This change enhances the security of your org by expanding password complexity options, and applying this protection to more user profile types. See Configure the password authenticator.
New custom admin permissions
New custom admin permissions let you read or read and write in app sign-in, global session, and Okta account management policies. This enhances the granularity of admin permissions in your org. See Create a resource set.
Submit entitlement management integrations
Independent Software Vendors (ISVs) can now submit SCIM 2.0-based entitlement management integrations to the Okta Integration Network (OIN). This enhancement enables customers and IT admins to discover, manage, and assign fine-grained entitlements such as roles and permissions directly from Okta. By standardizing entitlement management, organizations can automate access assignments and streamline Identity Governance, ensuring users receive the right access and roles without manual intervention. For more information, see Submit an integration with the OIN Wizard.
Device Assurance for Windows: Virus and threat protection
Admins can now enforce a Device Assurance condition that requires Windows devices using the Chrome browser to have virus and threat protection enabled. This self-service EA feature strengthens your org's security posture by ensuring that user devices are protected by active antivirus software before granting access.
User enumeration prevention enhancement
Admins can now configure which authentication methods users are prompted for when they sign in from an unknown device or browser and trigger enumeration prevention. This enhances org security by adding more protection to sign-in attempts. See General Security.
Inline step-up flow for User Verification with Okta Verify
End users can now easily satisfy authentication policies that require higher User Verification (UV) levels, even if their current enrollment is insufficient. This feature proactively guides users through the necessary UV enablement steps. As a result, administrators can confidently implement stricter biometric UV policies to eliminate the risk of user lockouts and reduce support inquiries related to UV mismatches. See User experience based on Okta Verify user verification settings.
Fixes
- An Okta Verify error prevented some users from signing in to orgs that had the Advanced Posture Check feature enabled. The error wasn't recorded in the System Log. (OKTA-897459)
- When an app sign-in policy included an authentication method chain, users who enrolled Okta Verify on another device couldn't complete inline enrollment into Okta Verify on a second device using a different authentication method. (OKTA-908311)
- Some users could unlock their accounts even though this wasn't allowed in password policies. (OKTA-984362)
- In orgs with the Send Application Context to an External IdP feature enabled, users couldn't access apps if the app names had trailing whitespaces. (OKTA-998869)
- AD password resets sometimes failed with an exception. (OKTA-1004233)
- When interacting with the Access Request web app using the Safari browser, users couldn't tag another user with @ in the request's chat. (OKTA-1005685)
- When a phishing attack was detected, the System Log didn't always record the event. (OKTA-1006043)
- Deleted request types sometimes reappeared if the org had the Unified Requester Experience feature enabled. (OKTA-1040545)
- When the LDAP agent installer successfully registered the agent but the installation failed, the agent incorrectly appeared as operational. (OKTA-1045661)
Okta Integration Network
- Harmony now has the okta.users.manage, okta.groups.read, and okta.groups.manage scopes.
- Valos (OIDC) has a new redirect URI. Learn more.
- Chronicle of Higher Education (SWA) was updated.
- 1VALET (SAML) has updated attribute statements.
- Fabrix Smart Actions (API Service) now has the okta.groups.manage scope.
- Boston Properties (SWA) was updated.
- Holistiplan SSO (SAML) is now available. Learn more.
- Mimecast Human Risk Integration (API Service) is now available. Learn more.
- Aglide (SAML) is now available. Learn more.
- Aglide (SCIM) is now available. Learn more.
- SmarterSign Digital Signage (OIDC) is now available. Learn more.
- SmarterSign Digital Signage (SCIM) is now available. Learn more.
Weekly Updates
2025.11.1: Update 1 started deployment on November 13
Generally Available
Partner Admin Portal App Switcher
In the Partner Admin Portal, you can now use the App Switcher to navigate to your apps.
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- iOS 18.7.2, 26.1
- macOS 14.8.2, 15.7.2, 26.1
- Android 13, 14, 15, 16 security patch 2025-11-01
Fixes
- Okta authentication requests for some orgs resulted in high latency and database CPU spikes when a user's email address in the request started with a space. (OKTA-627502)
- A validation error with trust certificates prevented admins from enrolling some specific security keys. (OKTA-963828)
- Users @mentioned in an access request Slack thread didn't receive a notification unless they were already a follower of the request. (OKTA-1053390)
- When a user belonged to multiple migration groups and their password was successfully migrated to Okta for one group, the count of migrated users for the other groups wasn't updated. (OKTA-1005843)
- The Edit resource set page didn't load if the resource set included a deleted resource. (OKTA-1030613)
- When signing in to Okta, AD-sourced users with expired passwords weren't evaluated by the Okta account management policy's password expiry rule. (OKTA-1031443)
- Some users were unable to enroll in Okta Verify on Android devices. (OKTA-1043465)
- When an AD integration had DirSync enabled, the user's manager and Group owners didn't get updated during an incremental import. (OKTA-1047146)
- When the Okta account management policy for expiring passwords feature was enabled, the Authentication policies page displayed incorrect strings. (OKTA-1048345)
- Lifecycle changes for custom Simple Mail Transfer Protocol (SMTP) servers weren't recorded in the System Log. (OKTA-1053839)
Okta Integration Network
- Ziflow has a new icon.
- Valence (SAML) was updated.
- Extreme Platform ONE Security API Service (API Service Integration) is now available. Learn more.
- Clever (District Administrator Login) (SWA) was updated.
- DynaMed (SAML) is now available. Learn more.
- Intercom now supports Group Push.
2025.11.2: Update 2 started deployment on December 2
Generally Available
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Windows 10 (10.0.17763.8027, 10.0.19044.6575, 10.0.19045.6575)
- Windows 11 (10.0.22631.6199, 10.0.26100.7171, 10.0.26200.7171)
Sign-In Widget, version 7.37.1
For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.
Fixes
- On the app page, read-only admins saw an Edit button in the User authentication section of the Authentication tab, even though they didn't have permission to edit the policy. (OKTA-1031617)
- The user.session.start event wasn't recorded in the System Log when some users signed in to a custom push app with the okta.myAccount.authenticators.manage scope. (OKTA-1043867)
- Some users weren't able to select the Keep me signed in checkbox in the Sign-In Widget (third generation). (OKTA-1047889)
- Some users experienced localization errors in the Secure Partner Access portal because the app rendered before the localization utilities loaded. (OKTA-1068547)
Okta Integration Network
- LegalOn (Japan) (SAML) was updated.
- Lyster (OIDC) is now available. Learn more.
- Canva (SWA) was updated.
- Rubrik Security Cloud (API Service Integration) is now available. Learn more.
- Veraproof SSO (OIDC) is now available. Learn more.
- Lumen5 (SAML) is now available. Learn more.
- Cloudflare One (OIDC) is now available. Learn more.
2025.11.3: Update 3 started deployment on December 8
Generally Available
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Windows 10 (10.0.17763.8027, 10.0.19044.6575, 10.0.19045.6575)
- Windows 11 (10.0.22631.6199, 10.0.26100.7171, 10.0.26200.7171)
Sign-In Widget, version 7.37.1
For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.
Fixes
- On the app page, read-only admins saw an Edit button in the User authentication section of the Authentication tab, even though they didn't have permission to edit the policy. (OKTA-1031617)
- The user.session.start event wasn't recorded in the System Log when some users signed in to a custom push app with the okta.myAccount.authenticators.manage scope. (OKTA-1043867)
- Some users weren't able to select the Keep me signed in checkbox in the Sign-In Widget (third generation). (OKTA-1047889)
- Some users experienced localization errors in the Secure Partner Access portal because the app rendered before the localization utilities loaded. (OKTA-1068547)
Okta Integration Network
- LegalOn (Japan) (SAML) was updated.
- Lyster (OIDC) is now available. Learn more.
- Canva (SWA) was updated.
- Rubrik Security Cloud (API Service Integration) is now available. Learn more.
- Veraproof SSO (OIDC) is now available. Learn more.
- Lumen5 (SAML) is now available. Learn more.
- Cloudflare One (OIDC) is now available. Learn more.
