Production release notes

Help us improve our release notes by filling out this short survey.

Current release status

Current Upcoming
Production 2023.09.0 2023.09.1 Production release is scheduled to begin deployment on September 25
Preview 2023.09.1

2023.09.2 Preview release is scheduled to begin deployment on September 27

September 2023

2023.09.0: Monthly Production release began deployment on September 18

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Widget, version 7.10.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.18.0

This version of the agent contains security enhancements.

Note: In Windows, the LDAP Agent auto-update feature isn't capable of deploying all security enhancements that are introduced in version 5.18. To completely deploy all security enhancements from this release, all LDAP agents running version 5.17 or earlier must be uninstalled, and version 5.18 must be manually installed. See Install the Okta LDAP Agent.

Okta MFA Credential Provider for Windows, version 1.3.9

This release includes bug fixes, security enhancements, and support for an additional top-level domain. See Okta MFA Credential Provider for Windows Version History.

Chrome Device Trust connector integration

With the introduction of the Chrome Device Trust Connector integration for Device Assurance, administrators can create policies that ensure compliance with specific device requirements prior to accessing resources protected by Okta. This integration between Okta and Google facilitates access policies that receive device posture signals directly from a Google API backend, eliminating the need for any agent deployment. As a result, users logging in to a ChromeOS device, or managed Chrome browser, benefit from enhanced authentication security through device security signals.

Authentication challenge for redirects

Users now receive an authentication challenge for each redirect sent to an Identity Provider with Factor only configured, even if the IdP session is active.

Access Testing tool

With the Access Testing tool you can quickly and easily test policies and validate whether your desired security outcomes will be achieved. This tool allows you to simulate user access attributes, such as IP address, device, risk, and so on, to test whether the user will be granted access to the specified application. The tool helps you identify potential security risks and compliance issues before you implement a policy. See Access Testing Tool.

Custom Identity Source app available

The Custom Identity Source app is now available in Okta Integration Network.

Count summary added to report

The User accounts report now displays the total number of records returned for the report.

Product Offers dashboard widget

A Product Offers widget now displays on the Admin Dashboard for super and org admins. The widget provides a cost- and commitment-free way for admins to explore and test the capabilities of various Okta products. When a new free trial is available, admins can click Get started to activate it, or Not interested to dismiss the widget.

Okta Verify requirements for self-service upgrades

Orgs with incorrect Okta Verify enrollment settings are now notified of configuration requirements before they upgrade to Identity Engine.

Automatically assign the super admin role to an app

Admins can now automatically assign the super admin role to all of their newly created public client apps. See Work with the admin component.

Device attributes label update

Some device attribute labels are renamed for clarity and to accommodate the new Chrome Device Trust connector.

Okta apps and plugin no longer available to certain users

Beta users of the PingFederate MFA plugin can no longer create Okta apps or download the plugin.

Early Access Features

Custom admin roles with device permissions

You can now create custom admin roles with permissions to view and manage devices. You can add the Devices to your resource set and then specify device permissions for your custom admin. See Create a resource set and Devices permissions.

Okta FastPass and Smart Card options on Sign-in page

Currently, if you configured both the Sign in with Okta FastPass option and Smart Card as an authenticator, users only see the Okta FastPass option when they sign in. With this feature, you can make both options available for your users during the sign-in process. See Configure the Smart Card authenticator.

Enhanced security of Okta Verify enrollments

To ensure users enroll in Okta Verify in a phishing-resistant manner, a Higher security methods option now appears on the authenticator configuration page. With this option, users can't enroll with QR code, email, or SMS link. See Configure Okta Verify options.


  • OKTA-570804

    The RADIUS Server Agent installer for versions 1.3.7 and 1.3.8 didn't prompt users to install missing C++ runtime libraries on Microsoft Windows servers.

  • OKTA-574216

    Reconciling group memberships sometimes failed for large groups.

  • OKTA-578184

    The inbound delegated authentication endpoint didn't correctly handle errors when the authentication request wasn't associated with an org.

  • OKTA-592745

    Full and incremental imports of Workday users took longer than expected.

  • OKTA-605996

    A token inline hook secured by an OAuth 2.0 private key returned an error for all users except super admins.

  • OKTA-616604

    The password requirements list on the Sign-In Widget contained a grammatical error.

  • OKTA-616905

    Events weren't automatically triggered for Add assigned application to group, Remove assigned group from application, and Update Assign application group event hooks.

  • OKTA-618302

    Application users weren't created when a required application user attribute was missing.

  • OKTA-619102

    Invalid text sometimes appeared in attribute names.

  • OKTA-619179

    A timeout error occurred when accessing a custom report for UKG Pro (formerly UltiPro).

  • OKTA-619419

    Group admins could see their org’s app sign-in data.

  • OKTA-624387

    Sometimes attempting to change an app's username failed due to a timeout.

  • OKTA-627559

    Access policy evaluation for custom authorization servers was inconsistent when default scopes were used.

  • OKTA-628944

    Email notifications from Okta Verify were sent from the default domain address instead of the email address configured for the brand.

  • OKTA-631621

    Read-only admins couldn't review the details of IdP configurations.

  • OKTA-633431

    When an Okta Org2Org integration encountered an API failure, the resulting error message was displayed in Japanese.

  • OKTA-634308

    Group app assignment ordering for Office 365 apps couldn't be changed.

  • OKTA-636839

    Smart Card IdP users couldn't set a password after signing in for the first time.

  • OKTA-637259

    An error occurred when importing users from Solarwinds Service Desk.

  • OKTA-641062

    The link to Slack configuration documentation was invalid.

  • OKTA-641447

    Super admins couldn’t save new custom admin roles.

  • OKTA-648092

    New admins didn't get the Support app in their End-User Dashboard.

Okta Integration Network

App updates

  • The CoRise app integration has been rebranded as Cobalt.

New Okta Verified app integrations

App integration fixes

  • American Express Online (OKTA-637925)
  • hoovers_level3 (OKTA-637274)
  • MSCI ESG Manager (OKTA-637624)
  • PartnerXchange (OKTA-632251)
  • Staples Advantage (OKTA-639141)

August 2023

2023.08.0: Monthly Production release began deployment on August 14

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Okta AD agent, version 3.16.0

When the executor.log and coordinator.log files exceed 5 MB in size, the contents roll over into executor.log.old and coordinator.log.old files.

Okta Active Directory Federation Services Plugin, version 1.7.13

Version 1.7.13 of the Okta Active Directory Federation Services (ADFS) Plugin is now available for download. It includes support for Microsoft Windows Server 2022 and includes bug fixes and security hardening. See Okta ADFS Plugin version history.

Telephony inline hook required for phone authenticator

New orgs now require a Telephony inline hook to use the phone authenticator. You can connect an external telephony provider with Okta using the inline hook. See Phone authenticator. Alternatively, you can acquire the Okta SMS/Voice SKU.

Redesigned resource set pages

The Create new resource set and Edit resource set pages that are displayed when an admin creates or edit a resource set now provide a simpler, more intuitive user experience. See Create a resource set.

Hardware-protected FIDO2 WebAuthn available

Hardware-protected FIDO2 WebAuthn as defined by the FIDO Metadata Service is now available in authentication policies when the Hardware-protected checkbox is selected. See About MFA authenticators.

Integrate with any identity source

To get Okta's full HR-driven provisioning and LCM functionality for an HR integration, customers previously had to use one of five pre-integrated HR systems or build complex custom code with the Okta Users API to replicate some of Okta’s LCM functionality for other identity sources.

With Anything-as-a-Source (XaaS), customers now have the flexibility to connect any identity source to Okta and realize the full benefits of HR-driven provisioning with a simpler solution. See Anything-as-a-Source.

Smart Card authenticator available

You can add a new Smart Card authenticator that enables PIV to be used in authentication policies. You can also restrict the authentication policies to use only Smart Card Authenticator as MFA. See Configure the Smart Card authenticator.

Getting Started video for new orgs

The Getting Started page now displays an introductory video. The video provides a quick overview of the common tasks and functions for new orgs, and helps admins familiarize themselves with the Admin Console. See Get started with Okta.

API service integration client secret rotation in the Admin Console

New in this release is the ability to rotate client secrets for an API service integration through the Admin Console. Previously, if a customer wanted to update the client secret for an API service integration, they had to reinstall the integration to obtain a new client ID and secret. There was no option to revoke the client secret while maintaining the client ID and API service integration instance in Okta. With this new feature, customers can generate a new secret, deactivate an old secret, and remove a deactivated secret from the API service integration instance. These functionalities help customers implement security best practices without service downtime. See API Service Integrations.

New event types for User Auth Events

Two additional event types are now available under User Auth Events:

  • User's session was cleared
  • User's MFA factor was updated

New application lifecycle event hook

An event hook to deny user access due to a condition in an authentication policy is now available to admins. See Create an event hook .

Polling enhancements for Agentless DSSO

When the server is in SAFE_MODE, Agentless DSSO polling signs in a user if they are in ACTIVE state in Okta.

Early Access Features

Early Access features from this release are now Generally Available.


  • OKTA-575884

    The Okta Active Directory Federation Services (ADFS) Plugin wrote errors to the plugin log when users attempted to sign in.

  • OKTA-595086

    The display of the authorization server Access Policies page froze with large numbers of policies.

  • OKTA-596293

    After upgrades to Identity Engine, users were sometimes asked to re-authenticate when refreshing their Okta dashboards even though the sessions were still valid.

  • OKTA-606898

    Some users got stuck in a password expiration warning loop when they signed in with AD delegated authentication and updated their password.

  • OKTA-610347

    Some orgs couldn't add more than 50 global session policies.

  • OKTA-617816

    After orgs upgraded to Identity Engine, the application name in OV Push disappeared.

  • OKTA-626699

    On the Administrator assignment by admin page, the Role dropdown list sometimes displayed duplicate admin roles.

  • OKTA-626968

    The error message that appeared when the admin attempted to add an inactive Smart Card IdP to the authenticator didn't mention the name of the IdP.

  • OKTA-631657

    Users were sometimes improperly redirected to a device-posture provider when none was configured in the authentication policy.

  • OKTA-631752

    Adding some IdPs as Factor only caused errors.

  • OKTA-632786

    Admins could require Smart Card in an authentication policy even when it wasn't set up as an authenticator.


New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified applications

Weekly Updates

July 2023

2023.07.0: Monthly Production release began deployment on July 17

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Widget, version 7.8.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.17.0

This version of the agent contains:

  • Migration of the Windows installer from Internet Explorer to Edge
  • The service OktaLDAPAgent stop command now correctly terminates agents installed on Red Hat and CentOS platforms
  • Security enhancements

See Okta LDAP Agent version history.

System Log time zone formats updated

In the System Log, the time zone dropdown menu now provides additional information about each available time zone. See System Log.

App Password Health report uses browser time zone

On the App Password Health report, last-reset request dates and times are now based on the browser’s time zone settings. See App Password Health report.

Okta-generated client secret length increase

The length of Okta-generated client secrets is increased from 40 to 64 characters.

Updated Okta logo

A branding update to the Okta groups logo is now available in the Admin Console.

RADIUS sign-in error prevention

For orgs that upgraded from Classic Engine, if the Okta Verify authenticator is configured with number challenge, the challenge may be presented unexpectedly to RADIUS users. This can prevent users from using RADIUS with Okta Verify because RADIUS doesn't support the number challenge today. For upgraded orgs, a new feature is enabled that prevents any such errors. See RADIUS applications in Okta.

New authenticator management functionality

Okta now enables you to manage which authenticators are allowed in your org for new enrollments, authentication enrollment policies, and user verification. You can view a list of all Okta-recognized authenticators, create authenticator groups, and use them in policies. This allows admins to have greater control over which authenticators may be used in their orgs and determine which users may access them in a granular way. See Configure the FIDO2 (WebAuthn) authenticator.

Google Authenticator available for account recovery

Admins may now allow their users to initiate account recovery scenarios with Google Authenticator, Email, Phone, or Okta Verify. Increasing the number of options available for recovery enhances the user experience. See Configure the Password authenticator.

Early Access Features

IdP permissions for custom admin roles

Admins can now leverage new Identity Provider management permissions when creating custom admin roles. These permissions allow more precise access control and reinforce the principle of least privilege. See About role permissions.

Redesigned admin role pages

The Create a role and Edit role pages for custom admin-role configuration now provide a simpler, more intuitive user experience. See Create a role.

Admin Console Japanese translation

When you set your display language to Japanese, the Admin Console is now translated. See Supported display languages.

IME support for international characters

Admins can now use an Input Method Editor (IME) to type international characters into the Admin Console.

Front-channel Single Logout

Front-channel Single Logout (SLO) allows a user to sign out of an SLO-participating app on their device and end their Okta session. Okta then automatically sends a sign-out request to all other participating apps that the user accessed during their session. See Configure Single Logout in app integrations.


  • OKTA-556787

    During step-up verification, multiple indistinguishable enrollments for the smart card authenticator were displayed. Now only one smart card authenticator enrollment is displayed.

  • OKTA-602939

    The Admin role assignments report email wasn’t translated.

  • OKTA-615453

    Some text strings were incorrect on the End-User Dashboard layout page.

  • OKTA-623542

    The link to the Access Policy Simulation help topic on the Features page was incorrect.


Application Updates

  • The Rybbon app integration has been rebranded as BHN Rewards.

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN:

  • Apono: For configuration information, see Okta SCIM.

SAML for the following Okta Verified applications

App Integration Fixes

The following SWA app was not working correctly and is now fixed:

  • BlueHost (OKTA-620224)

Weekly Updates