Okta Identity Engine release notes (Production)

Version: 2025.05.0

May 2025

Generally Available

App permissions no longer include agent permissions

Now when you assign the Manage applications permission to an admin, the Manage agents permission isn't automatically granted. For existing admin role assignments that include the Manage applications permission, the Manage agents permission is retained in the assignment. See Role permissions.

Microsoft Office 365 Single Sign-on integration supports SHA-256

The Office 365 SSO integration (WS-Fed Auto and Manual) now uses SHA-256 for signing the authentication token.

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 2.3.0 and Okta Provisioning agent SDK 2.2.0 are now available. These releases contain bug fixes and minor improvements. See Okta Provisioning agent and SDK version history.

Reasons added to System Log event

In the System Log, the Reasons field for user.risk.detect events now indicates if the detection was triggered by a DCO event.

Device assurance OS version updates

Device assurance policies now support the following OS versions

  • Android 12, 13, 14, and 15 to security patch 2025-05-01
  • iOS 18.4.1
  • macOS Sequoia 15.4.1
  • Windows 10 (10.0.17763.7136, 10.0.19044.5737, 10.0.19045.5737)
  • Windows 11 (10.0.22621.5189, 10.0.22631.5189, 10.0.26100.3775)

Removal of device support for Windows 11 21H2

Okta Verify no longer supports devices that use Windows 11 21H2. See Supported platforms for Okta Verify.

Support for additional attributes in Office 365's Universal Sync

Office 365's Universal Sync now enables users to access Kerberos resources with Windows Hello for Business. See Supported user profile attributes for Office 365 provisioning

Improved Documentation Search

The search functionality on Okta help has been updated with the following improvements:

  • Localized Japanese search: Supports localized searches in Japanese for all translated content.
  • Focused results: Searches take place directly in Okta help instead of rerouting users to the Okta Help Center.

These features are now available on Okta help to help users quickly locate relevant documentation for their specific needs.

Okta Active Directory agent, version 3.20.0

This release includes support for enhanced incremental imports from AD using DirSync. Incremental import with DirSync avoids full imports and offers delta imports with AD that significantly improves performance. Configuration and opt-in is required within Okta after an agent update. This release also includes security enhancements and bug fixes. See Okta Active Directory agent version history

New protected action

Creating API tokens is now a protected action. When you enable this feature in your org, admins are prompted for authentication when they perform create an API token, at an interval that you specify. This additional layer of security helps ensure that only authorized admins can perform key tasks in your org. See Protected actions in the Admin Console.

Universal Logout for Splunk Enterprise

Splunk Enterprise now supports Universal Logout. This enables admins to automatically sign users out of this app when Universal Logout is triggered. See Third-party apps that support Universal Logout.

Policy Recommendation Tool deprecated

The trial period of the Policy Recommendation Tool has ended and the product has been deprecated.

Authentication claims sharing between Okta orgs

Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Add a SAML Identity Provider.

Updates to the advanced search filters

The operators dropdown menu in the Advanced search section on people, groups and group membership pages shows all options and grays out the options that aren't applicable.

Express Configuration for OIN apps

Express Configuration lets you quickly set up SSO for OIN apps in your org. During Express Configuration, Okta and the app exchange data that's necessary to automatically set up SSO. This reduces the need for manual configuration and minimizes the chance for errors. See Add an app with Express Configuration.

ADFS version 1.8.3

Bug fixes and security hardening.

Updated text for the Login.gov IdP

For the Login.gov IdP, the Type of Identity Verification label has been updated to Type of Service Level, and the list of possible service levels has been updated.

Entitlement claims

You can now enrich tokens with app entitlements that produce deeper integrations. After you configure this feature for your app integration, use the Okta Expression Language in Identity Engine to add entitlements at runtime as OIDC claims and SAML assertions. See Generate federated claims.

Authentication claims sharing between Okta orgs

Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Add a SAML Identity Provider.

Early Access

Advanced device posture checks

Advanced posture checks provide extended device assurance to users. It empowers admins to enforce compliance based on customized device attributes that extend beyond Okta's standard checks. Using osquery, this feature facilitates real-time security assessments across macOS devices. As a result, orgs gain enhanced visibility and control over their device fleet and ensure that only trusted devices can access sensitive resources. See Configure advanced posture checks for device assurance.

Enhanced device assurance with Android Device Trust

Android Device Trust integration for Device Assurance enhances Okta's capability to evaluate and enforce security measures on Android devices. It introduces additional security settings such as checks for Play Integrity status and Wi-Fi security. This integration strengthens device compliance while eliminating the need for Mobile Device Management (MDM), providing orgs with increased flexibility in securing their Android endpoints. See Integrate Okta with Android Device Trust.

Inline step-up flow for User Verification with Okta Verify

End users can now easily satisfy authentication policies that require higher User Verification (UV) levels, even if their current enrollment is insufficient. This feature proactively guides users through the necessary UV enablement steps. As a result, administrators can confidently implement stricter biometric UV policies to eliminate the risk of user lockouts and reduce support inquiries related to UV mismatches. See User experience according to Okta Verify user verification settings.

Breached Credentials Protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials detection.

This feature is following a slow rollout process beginning on May 15.

Okta as an external authentication method for Microsoft Entra ID

Use Okta multifactor authentication (MFA) to satisfy Microsoft Entra ID MFA requirements. This helps users avoid double authentication and provides a seamless experience across Okta and Microsoft 365 apps. See Configure Okta as an external authentication method for Microsoft Entra ID .

DirSync group imports for Active Directory

For Active Directory (AD) integrations, the Provisioning tab now provides an Enable imports with AD using DirSync checkbox. When you enable the checkbox, admins can perform incremental group imports using DirSync. See Configure Active Directory import and account settings.

Custom admin roles for ITP

Through this feature, customers can use granular ITP permissions and resources to create custom roles to right-size authorization for ITP configuration and monitoring. See Configure custom admin roles for ITP.

Fixes

  • Users were sent to the wrong help topic when they clicked Learn more in the Change Password section of the end-user Settings page. (OKTA-801189)

  • Admins who tried to create a stream with an inaccessible URL received an Internal Server Error (HTTP 500) instead of an API Validation Error (HTTP 400). (OKTA-827169)

  • Users who signed out of the End-User Settings version 2.0 page were redirected to their sign-in page instead of their custom sign-out page. (OKTA-878856)

  • When a custom admin role had the Generate device recovery PIN permission, admins with that role couldn't create a recovery PIN for a Desktop MFA client. (OKTA-881842)

  • When accessing an Okta org2org application on macOS devices, some users were unnecessarily prompted to enroll in the Okta Verify app. (OKTA-882059)

  • When doing incremental imports using Okta Provisioning agent, users whose profiles weren't modified were removed from groups in Okta. (OKTA-884952)

  • Admins and users couldn't reset the password for staged accounts with an unverified email status. (OKTA-885853)

  • The border for the table of Active Directory instances on the Delegated Authentication page was missing. (OKTA-893589)

  • When authenticating with SMS or Google Authenticator, some users saw an incorrect error message when they entered a space in the Enter code field of the Sign-In Widget (third generation). (OKTA-897996)

  • When admins enabled the Unified Look and Feel for Okta Admin Console feature, some user interface elements didn't render correctly on Default Policy pages. (OKTA-903370)

  • When users enrolled in Okta Verify, the core.user.factor.activate System Log event wasn't recorded. (OKTA-908444)

  • Some users were asked repeatedly to approve multiple Okta FastPass user verification prompts. (OKTA-909450)

  • Users were prompted for multifactor authentication twice when they signed in to a spoke org in an Okta Org2Org scenario even though the Trust claims from this identity provider option was selected for the hub org. (OKTA-912172)

  • Some users saw a login hint in the UserHome page URL for OIDC apps even though login hints were disabled. (OKTA-919432)

  • Super admins couldn't always access Workflows with the role-based access control (RBAC) feature enable. (OKTA-920704)

  • When third-party IdP claims sharing was enabled, the redirect to the IdP happened during reauthentication even if IdP didn't provide any AMR claims. (OKTA-922086)

  • PERIMETER81_VPN was incorrectly announced as a supported IP service category in enhanced dynamic zones. (OKTA-923426)

  • When a call to activate a downstream app user failed while activating a user, the user was stuck in an activating status. (OKTA-925217)

  • The user's profile dropdown menu label displayed the user's email address instead of their first name in the Secure Partner Portal app. (OKTA-925251)

  • If a third-party SAML IdP sent the session.amr SAML attribute without the attribute schema type, Okta rejected the response when the third-party claims sharing feature was enabled. (OKTA-925864)

  • Starting with version 136, Chrome no longer returned the thirdPartyBlockingEnabled signal, and users whose Device Assurance policies relied on the signal were denied access to their resources. (OKTA-927884)

Okta Integration Network

Version: 2025.04.0

April 2025

Generally Available

Secure Identity Integrations

Secure Identity Integrations (SII) provides additional depth for the 50+ most-used enterprise SaaS applications with the inclusion of SSO, SCIM, Apps with entitlement support, Third-party apps that support Universal Logout, Workflows, and Identity Security Posture Management (ISPM).

Sign-In Widget, version 7.30.0

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 2.2.1 and Okta Provisioning agent SDK 2.1.1 are now available. These releases contain bug fixes and minor improvements.

OIN test account information deleted after 30 days

Okta deletes your test account credentials 30 days after you publish your app in OIN Wizard. You must create a new test account and re-enter the required information before submitting the app.

Risk Provider and Risk Events APIs are deprecated

These APIs have been deprecated. Use the SSF Security Event Tokens API instead to receive security-related events and other data-subject signals. Use the SSF Receiver API for third-party security event providers.

MyAccount Management scopes

The MyAccount Management scopes have been updated to non-system scopes and are now configurable by admins. See Create API access scopes .

Phishing resistance enabled by default

The Phishing resistant option is now selected by default as a possession factor constraint in newly created authentication policy and Okta account management policy rules. This only applies to orgs with phishing-resistant authenticators enabled. See Add an authentication policy rule and Add a rule for authenticator enrollment.

Step-up authentication for updating policies

Okta prompts for step-up authentication when admins perform protected actions in the Admin Console, like updating sign-on policies. The changes are only allowed after the admin authenticates successfully. This feature enhances org security by allowing admins to require MFA before performing protected actions. See Protected actions in the Admin Console.

Okta Verified text removed from the OIN

In the OIN catalog, the Okta Verified disclaimer has been removed from the app integration pages.

Okta account management policy

The Okta account management policy helps admins easily build phishing resistance into actions such as account unlock, password recovery, authenticator enrollment, and profile setting changes. Using the familiar rule-based framework of an authentication policy, admins can now customize which phishing-resistant authenticators are required when users attempt these common self-service actions. All of the configurations in the authentication policies can now be applied for authenticator management. See Okta account management policy.

Desktop MFA Recovery for Okta Device Access

Desktop MFA Recovery is now available for Desktop MFA for macOS. It provides a way for admins to generate a time-limited device recovery PIN to unblock Desktop MFA users who lost their MFA authentication device. See Desktop MFA recovery .

Early Access

Manage Active Directory accounts in Okta Privileged Access

This feature allows management of Active Directory (AD) account passwords through Okta Privileged Access using the Okta AD Agent. Admins can set discovery rules for accounts in specific organizational units (OUs) and create policies for user access, ensuring passwords are rotated upon check-in or on a schedule. Users with access can view their assigned accounts and retrieve passwords. To enable this feature, contact Okta support. See Manage Active Directory accounts

OAuth 2.0 provisioning for Org2Org with Auto-Rotation

Admins deploying multi-org architectures (for example Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Auto-Rotation for Org2Org app provisioning directly from the Admin Console.

See Integrate Okta Org2Org with Okta.

On-prem Connector for SAP Netweaver ABAP supports more attributes

Okta On-prem Connector now supports more user attributes, which enables better integration between Okta and SAP Netweaver ABAP.

Fixes

  • The Sign-In Widget (third generation) didn't display font sizes correctly. (OKTA-552923)

  • Custom app logos didn't appear on the app's page. (OKTA-655724)

  • This update applied general security fixes. (OKTA-690936)

  • The reported results of an import varied between what was displayed when the import finished, the import summary email, and the values displayed on the Import Monitoring page. (OKTA-739010)

  • Some users with profiles imported from Active Directory didn't receive the self-service unlock email and couldn't recover their accounts. (OKTA-843086)

  • Some admins couldn't delete an authenticator from orgs with many authentication policy rules. (OKTA-847583)

  • The MFA Factor column in the MFA Usage report displayed the name Windows Hello (Web Authentication) for the FIDO2 (WebAuthn) authenticator.

    (OKTA-848611)

  • Orgs that had registration inline hooks in Classic Engine couldn't deactivate them after upgrading to Identity Engine. (OKTA-855960)

  • The SettingsAPI menu appeared to some admins who didn't have permission to view it. (OKTA-856337)

  • Pagination controls and Show more on the Authentication policies page didn't work correctly. (OKTA-858605)

  • The risk level was LOW in some network related user.session.context.change events. (OKTA-863401)

  • The Recent activity tab of the end-user Settings page didn't render tables correctly. (OKTA-874276)

  • The end-user Settings page didn't display text correctly when the window was resized. (OKTA-874292)

  • Screen readers couldn't read the names of languages in the Select language dropdown menu on the end-user Settings page. (OKTA-874318)

  • Admins couldn't add FIDO2 (WebAuthn) authenticators to authenticator groups. (OKTA-875920)

  • Admins using multiple user types sometimes encountered an internal error when attempting to update an app instance. (OKTA-880825)

  • The Import Monitoring page was viewable by admins who didn't have the necessary permissions. Accessing the page resulted in a 403 error. (OKTA-880835)

  • Sometimes a Null Pointer Exception error occurred when performing a group push to Google Workspace. (OKTA-886861)

  • The user.risk.detect event was incorrectly identified on the Entity Risk Policy page. (OKTA-887297)

  • When users signed in to the end-user Settings page and tried to authenticate with an identity verification vendor, the Back to Settings button was missing. This button was also missing from the error page if the user didn't satisfy the identity verification. (OKTA-894271)

  • LDAP agents failed to parse queries when group names had special characters. (OKTA-902231)

Okta Integration Network

  • AppVentory (API Service) is now available. Learn more.
  • Curricula (SAML) has a new integration guide.
  • Fabrix (API Service) is now available. Learn more.
  • GoSearch (SCIM) now supports Group Push.
  • OpenAI by Aquera (SCIM) is now available. Learn more.
  • Peaxy Lifecycle Intelligence (OIDC) is now available. Learn more.
  • Suger (OIDC) is now available. Learn more.
  • Suger (SCIM) is now available. Learn more.
  • Warp Employee Provisioning (API Service) is now available. Learn more.

Weekly Updates

2025.4.1: Update 1 started deployment on April 14

Generally Available

Sign-In Widget, version 7.30.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget.

New look and feel in Access Requests

The Access Requests console and Okta Access Requests web app now have a new look and feel, including redesigned side and top navigation menus and the addition of a gray background. Additionally, Dark mode is no longer available for Access Requests.

Device assurance OS version updates

The following OS versions are now supported in device assurance policies:

  • Android 12, 13, 14, 15 security patch 2025-04-01
  • iOS 16.7.11
  • iOS 18.4
  • macOS Ventura 13.7.5
  • macOS Sonoma 14.7.5
  • macOS Sequoia 15.4
  • Windows 10 (10.0.17763.7009, 10.0.19044.5608, 10.0.19045.5608)
  • Windows 11 (10.0.22621.5039, 10.0.22631.5039, 10.0.26100.3476)

Fixes

  • The Access Testing Tool didn't work if the device assurance policy included Chrome OS platform conditions. (OKTA-840977)

  • On the Sign-In Widget (third generation), an error sometimes occurred when a user with an Apple device attempted to sign in using Okta Verify. (OKTA-861910)

  • Error messages appeared in different places on the Sign-In Widget (third generation) depending on which authenticator the user chose. (OKTA-871675)

  • In Preview orgs, org admins couldn't edit IdP group assignments when a super admin group was included in the group list. (OKTA-880124)

  • The Edit role screen didn't always display the correct Workflow permissions. (OKTA-886964)

  • Users couldn't sign in to their org with a Smart Card when the org used authentication method chains and the Keep me signed in option was selected. (OKTA-887124)

  • Super admins saw an error when they attempted to reset a user's authenticators. (OKTA-890695)

  • The id_token_hint parameter was exposed in the System Log. (OKTA-890738)

  • When a user interacted with the Graph API in Azure Active Directory PowerShell, the activity was incorrectly logged in Office 365. (OKTA-896032)

  • Users couldn't sign in to the Office 365 GCC High OIN app if it was integrated with WS-Fed. (OKTA-899506)

  • On the Give access to Okta Support page, the Provide Support access for self-assigned cases section sometimes didn't display the correct cases. (OKTA-909308)

  • A JavaScript issue prevented users from accessing the Glory app. (OKTA-917414)

Okta Integration Network

  • Adroll by Aquera (SCIM) is now available. Learn more.
  • Hero (API Service) is now available. Learn more.
  • Hyperproof (SCIM) is now available. Learn more.
  • Microsoft Dynamics 365 BC by Aquera (SCIM) is now available. Learn more.
  • ZAMP (OIDC) has additional redirect URIs.

2025.4.2: Update 2 started deployment on April 21

Generally Available

Trust incidents and updates checkbox removed

On the Account page, the Admin email notifications section no longer has the Trust incidents and updates checkbox. Admins can subscribe to this communication type through https://status.okta.com.

Fixes

  • Some domains and realm types weren't recorded in the System Log. (OKTA-834681)

  • The Email Optional feature didn't work when self-service password resets were switched to the Okta account management policy. Email requirements from the legacy password policy were still being enforced. (OKTA-863721)

  • When users tried to sign in from outside of their permitted network zone, they saw a Contact your administrator link on the error page even though the admin disabled the link. (OKTA-874992)

  • The registration inline hook for progressive profiling returned the user's default time zone instead of the one in their profile. (OKTA-881008)

  • Super admins couldn't update the operator for profile attribute conditions on a custom admin role. (OKTA-884966)

  • Sometimes, Google Workspace licenses couldn't be edited. (OKTA-892397)

  • Desktop Multifactor Authentication (MFA) push notifications gave the wrong name for the computer's operating system. (OKTA-902839)

  • When the Unified look and feel for Okta Admin Console feature was enabled, the headings on the Downloads page were misaligned. (OKTA-904262)

  • Some text strings in the Move user to realm page weren't translated. (OKTA-909317)

  • When the Unified look and feel for Okta Admin Console feature was enabled, users' names didn't always render correctly. (OKTA-909497)

  • When some users selected the Unlock account option, they received the Self Service Unlock is not allowed at this time error message. (OKTA-913307)

  • In the Edit user attributes page of the Secure Partner Access Admin Portal, the base attributes couldn't be edited. (OKTA-914964)

  • Global session policy rules weren't honored as expected in certain scenarios. (OKTA-916343)

Okta Integration Network

  • Adroll by Aquera (SCIM) has a new description and display name.
  • Files.com by Aquera (SCIM) is now available. Learn more.
  • Global Relay Identity Sync has a new display name.
  • GoTo Meeting by Aquera (SCIM) is now available. Learn more.
  • GroWrk (SAML) is now available. Learn more.
  • Helpjuice by Aquera (SCIM) is now available. Learn more.
  • Island Management Console (SCIM) is now available. Learn more.
  • OK2Pay (SAML) is now available. Learn more.

2025.4.3: Update 3 started deployment on May 5

Generally Available

Trust incidents and updates checkbox removed

On the Account page, the Admin email notifications section no longer has the Trust incidents and updates checkbox. Admins can subscribe to this communication type through https://status.okta.com.

Fixes

  • Some domains and realm types weren't recorded in the System Log. (OKTA-834681)

  • The Email Optional feature didn't work when self-service password resets were switched to the Okta account management policy. Email requirements from the legacy password policy were still being enforced. (OKTA-863721)

  • When users tried to sign in from outside of their permitted network zone, they saw a Contact your administrator link on the error page even though the admin disabled the link. (OKTA-874992)

  • The registration inline hook for progressive profiling returned the user's default time zone instead of the one in their profile. (OKTA-881008)

  • Super admins couldn't update the operator for profile attribute conditions on a custom admin role. (OKTA-884966)

  • Sometimes, Google Workspace licenses couldn't be edited. (OKTA-892397)

  • Desktop Multifactor Authentication (MFA) push notifications gave the wrong name for the computer's operating system. (OKTA-902839)

  • When the Unified look and feel for Okta Admin Console feature was enabled, the headings on the Downloads page were misaligned. (OKTA-904262)

  • Some text strings in the Move user to realm page weren't translated. (OKTA-909317)

  • When the Unified look and feel for Okta Admin Console feature was enabled, users' names didn't always render correctly. (OKTA-909497)

  • When some users selected the Unlock account option, they received the Self Service Unlock is not allowed at this time error message. (OKTA-913307)

  • In the Edit user attributes page of the Secure Partner Access Admin Portal, the base attributes couldn't be edited. (OKTA-914964)

  • Global session policy rules weren't honored as expected in certain scenarios. (OKTA-916343)

Okta Integration Network

  • Adroll by Aquera (SCIM) has a new description and display name.
  • Files.com by Aquera (SCIM) is now available. Learn more.
  • Global Relay Identity Sync has a new display name.
  • GoTo Meeting by Aquera (SCIM) is now available. Learn more.
  • GroWrk (SAML) is now available. Learn more.
  • Helpjuice by Aquera (SCIM) is now available. Learn more.
  • Island Management Console (SCIM) is now available. Learn more.
  • OK2Pay (SAML) is now available. Learn more.

Version: 2025.03.0

March 2025

Generally Available

Sign-In Widget, version 7.28.3 and 7.29.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta MFA Credential Provider for Windows, version 1.4.3

This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows version history.

Okta LDAP agent, version 5.23.0

This version of the agent includes security enhancements.

Discover inactive users and review admin access

You can now use preconfigured campaigns to discover inactive users who are assigned to apps and review their admin access. Preconfigured campaigns are a set of ready-to-use campaigns where Okta presets some default settings. See Access Certifications for admin roles.

Update to Access Certification reports availability

The Past Campaign Details and Past Campaign Summary reports are now available for campaigns that govern admin roles even if you're not subscribed to Okta Identity Governance.

Updated Japanese translations

The Admin Dashboard, Administrator pages, and Admin Console search now provide updated Japanese translations.

Improved group search functionality

You can now search for groups whose names or descriptions contain specified text. This makes it easier to find a group when you don't recall its exact name.

Improved user search functionality

You can now search for users whose names, email addresses, or usernames contain specified text, making it easier to do user lookups and add users to groups.

Identity Security Posture Management functionality in the OIN catalog

The Okta Integration Network page now provides Identity Security Posture Management functionality. When you select it, the OIN catalog displays only the apps with Identity Security Posture Management functionality.

New default reauthentication frequency for new authentication policy rules

The default reauthentication frequency has been changed to one hour for the Prompt for password authentication and Prompt for all other factors of authentication options on the authentication policy rule page. This applies by default to new rules with Time since last sign in selected. See Add an authentication policy rule.

Realms for Workforce

Realms allow you to unlock greater flexibility in managing and delegating the management of your distinct user populations within a single Okta org. See Manage realms.

ITP detections for AMFA orgs

All Adaptive MFA orgs now benefit from ITP detections on sessions and entity users when these are detected on directly assigned super admins. These detection events are actionable using Workflows. This feature aligns with the Okta Secure Identity Commitment. See Risk scoring.

Granular account linking for certain identity providers is GA

When admins link users from SAML and OIDC identity providers, they can now exclude specific users and admins. This improves security by allowing admins to configure granular access control scenarios. See Add a SAML Identity Provider.

OIDC identity providers now support group sync

OpenID Connect identity providers (IdPs) now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to. See Generic OpenID Connect.

Global token revocation for wizard SAML and OIDC apps

Universal Logout clears sessions and tokens for wizard SAML and OIDC apps. This enhancement extends Universal Logout functionality to more types of apps and provides greater flexibility to admins.

Entitlement management for Microsoft Office 365

The Microsoft Office 365 app now supports entitlement management. See Apps with entitlement support

Early Access

Custom remediation for device assurance

You can now display custom remediation instructions to users when authentication fails due to unsuccessful device posture checks with Okta Verify or Chrome Device Trust. See Configure custom remediation instructions for device assurance.

Entitlement support for disconnected apps

Disconnected apps are apps that aren't LCM integrated within Okta. This feature allows you to use CSV files to import users and entitlements into Okta from disconnected apps. This enables consistent governance and compliance across all apps, including those not fully integrated with Okta. See Import user entitlements from CSV.

New look and feel in the Admin Console

The Admin Console now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

New identity verification providers added

Okta now supports using Incode and CLEAR Verified as identity providers. This increases the number of identity verification vendors (IDVs) you can use to verify the identity of your users when they onboard or reset their account. See Add an identity verification vendor as an identity provider.

Bypass ASN binding with the Default Exempt IP Zone

The ASN binding feature associates admins with the IP address that they signed in from. If the IP changes during a session, the admin is signed out of Okta, and an event appears in the System Log. To bypass IP and ASN binding, you can add the client IP to the Default Exempt IP Zone. See IP exempt zone.

App Switcher for Okta first-party apps

The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.

New look and feel in the End-User Dashboard

The End-User Dashboard now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

New attributes in Universal Sync

The following attributes are now supported in Universal Sync: AuthOrig, DLMemRejectPerms, DLMemSubmitPerms, and UnauthOrig.

Okta-to-Okta claims sharing enhancement

Okta-to-Okta claims sharing now supports the use of the smart card authenticator and Active Directory for Single Sign-On. This removes the need for users to authenticate with a service provider when they've already authenticated to an Okta org. See Add a SAML Identity Provider.

Verify an SSF Stream

Okta SSF Transmitter now supports the verification endpoint to enable receivers to request verification events and validate the end-to-end delivery between the transmitter and receiver. The SSF Transmitter verification events claim structure is also now compliant with the OpenID Shared Signals Framework ID3 spec.

Fixes

  • When provisioning and Import Groups were enabled for the O365 GCC High app, the Groups page didn't display the group icon. (OKTA-283826)

  • Some certificates with trailing characters were uploaded successfully despite their invalid format. (OKTA-486406)

  • The consent buttons for the Office 365 and Office 365 GCC High apps didn't render correctly. (OKTA-488281)

  • The Microsoft Office 365 Government - GCC High app integration didn't have the correct metadata tags. (OKTA-509443)

  • A realm assignment didn't work as expected when using expressions based on attribute type. (OKTA-728487)

  • Users weren't automatically confirmed when the inline hook updated conflicting appuser values during import. (OKTA-792372)

  • The Add rule page for an authentication policy sometimes displayed the wrong factor types in the preview. (OKTA-849411)

  • An invalid authentication error sometimes occurred when an admin assigned users to the ShareFile app. (OKTA-850064)

  • Emails intended for an unverified primary or secondary email were dropped when the Audience setting for the template was Admin only. (OKTA-852156)

  • When the Send all admin emails as BCC notification setting was selected, all email recipients were sent to the To field instead of the BCC field for protected actions. (OKTA-856627)

  • Users who selected the Send me an email option from a locked account notification didn't receive the requested email. (OKTA-858751)

  • Some users couldn't complete account recovery using Okta Verify with push. (OKTA-870580)

  • Unknown users received an internal server error when they tried to recover their passwords. (OKTA-873911)

  • Some pages in the End-User Dashboard had a typo in the footer. (OKTA-877065)

  • The Entitlement SAML Assertions and OIDC Claims feature wasn't available in the Settings Features menu for some customers. (OKTA-880967)

  • An error occurred in the Okta Provisioning Agent when trying to import users from on-premises apps through CSV files. (OKTA-880996)

  • Access requests for admin role bundles weren't processed properly. (OKTA-892613)

Okta Integration Network

  • Better Stack (SCIM) is now available. Learn more.
  • Employment Hero by Aquera (SCIM) is now available. Learn more.
  • Harriet (OIDC) is now available. Learn more.
  • Harriet (SCIM) is now available. Learn more.
  • HYCU R-Cloud (OIDC) is now available. Learn more.
  • Kyriba By Aquera (SCIM) is now available. Learn more.
  • MySQL by Aquera (SCIM) is now available. Learn more.
  • ZAMP (SCIM) is now available. Learn more.
  • Zoom (SAML) has updated endpoints.

Weekly Updates

2025.3.1: Update 1 started deployment on March 17

Generally Available

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Android 12, 13, 14, 15 security patch 2025-03-01
  • iOS 18.3.1
  • macOS Ventura 13.7.4
  • macOS Sonoma 14.7.4
  • macOS Sequoia 15.3.1
  • Windows 10 (10.0.17763.6893, 10.0.19044.5487, 10.0.19045.5487)
  • Windows 11 (10.0.22621.4890, 10.0.22631.4890, 10.0.26100.3194)

Sign-in Widget 7.18 for Same-Device Enrollment

If you use the Same-Device Enrollment feature in your org, the Sign-In Widget version must be 7.18 or later.

Fixes

  • createdBy and lastUpdatedBy custom attributes couldn't be used in group rules. (OKTA-566492)

  • Some issues occurred during the creation of Devices Assurance settings. (OKTA-603807)

  • Some Android users couldn't authenticate with Duo Verify when enrolling in Okta Verify. (OKTA-791813)

  • Custom admins who were limited to viewing only application group members received incomplete results when using the List All Users API without a search or filter. (OKTA-801592)

  • In some orgs, unnecessary writebacks were made to Workday when a sync was performed from Okta. (OKTA-817160)

  • Users who were excluded from a group rule were displayed incorrectly in the Admin Console. (OKTA-838039)

  • The System Log displayed two usernames in the user.authentication.auth_via_social event when a user signed in to Okta with an identity provider in the same browser as a user who was already signed in. (OKTA-842179)

  • Users authenticating to Microsoft Office 365 on macOS were matched to a rule with a Modern Authentication condition only when using the Edge browser. (OKTA-847605)

  • Admins who were assigned the super admin role through group assignments couldn't run password hash exports or view the reports. (OKTA-851991)

  • The MFA enrollment by user report displayed inaccurate figures for the security question authenticator. (OKTA-858427)

  • Okta sometimes timed out earlier than expected when admins configured authentication policies. (OKTA-867807)

  • The page title didn't appear correctly on the browser tab for the Recent activity and My Settings pages. (OKTA-874289)

  • Using device conditions in an authentication policy sometimes caused the post auth session policy evaluation to fail and generate a policy.auth_reevaluate.fail event. (OKTA-876114)

  • Admins didn't receive the correct notifications when they had both role and admin email notifications selected. (OKTA-876846)

  • The Back to sign in button didn't work on the Sign-In Widget (third generation) version 7.26.1 or later. (OKTA-877241)

  • Okta admins assigned to non-visible apps were taken to the End-User Dashboard instead of the Admin Console when signing in. (OKTA-882675)

  • When the Unified look and feel for Okta Admin Console feature was enabled, the Settings and Features pages didn't render correctly in the Safari browser. (OKTA-884821)

  • Admins couldn't create or edit third-party identity providers in orgs with Okta-to-Okta claims sharing enabled. (OKTA-893483)

Okta Integration Network

  • Better Stack (SAML) has a new integration guide.
  • Bundle by freee (SCIM) is now available. Learn more.
  • Chargebee (SAML) has a new integration guide.
  • Chargebee (SCIM) is now available. Learn more.
  • Lobbipad (SCIM) has updated help text.
  • Marfeel (OIDC) is now available. Learn more.
  • Oracle Cloud Applications by Aquera (SCIM) is now available. Learn more.

2025.3.2: Update 2 started deployment on March 24

Generally Available

Sign-In Widget, version 7.29.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Accessibility enhancements for screen readers

UI elements on the end-user Settings page have been enhanced to work with screen readers. See User settings.

Fixes

  • createdBy and lastUpdatedBy custom attributes couldn't be used in group rules. (OKTA-566492)

  • Workday imports sometimes failed when the number of parameters sent in a query exceeded the maximum. (OKTA-819984)

  • Authentication was interrupted or prevented in legacy embedded browsers due to a DNS issue. (OKTA-845120)

  • Changes to the manager attribute in Workday were only reflected in Okta after a full import. (OKTA-846352)

  • The View Client Credentials permission didn't appear when the App settings for custom admin roles feature was enabled. (OKTA-851994)

  • AWS account federation with SWA was incompatible with the new AWS sign in page. (OKTA-856995)

  • When the Enable Sync Account Information setting was disabled for a custom domain, login.okta.com still loaded iframes. (OKTA-865098)

  • In Dynamic Zones, some IPs were classified incorrectly as anonymous proxies because of a misconfiguration by a third-party provider. (OKTA-867976)

  • On the Admin Dashboard, some post auth session labels weren't updated to session protection. (OKTA-886337)

  • Admins couldn't increase the global session policy maximum idle time if they set it to a longer duration than the previously saved maximum session time. (OKTA-891348)

Okta Integration Network

  • Attribute Dashboard (OIDC) is now available. Learn more.
  • Balsamiq (SAML) has a new app name, icon, and integration guide.
  • bob (SCIM, SAML) now supports sandbox environments.
  • Drata (OIDC) has a new icon.
  • Mighty ID (OIDC) is now available. Learn more.
  • Salesloft (SAML) is now available. Learn more.
  • Salesloft (SCIM) is now available. Learn more.

2025.3.3: Update 3 started deployment on March 31

Generally Available

Advanced search using conditioned profile attributes

If you have an admin role with permission conditions to access certain user profile attributes, you can now search for those users with those attributes. Note that the advanced search doesn't support the OR operator. See Permission conditions.

Fixes

  • The wrong data appeared in the debug data field of the policy.rule.update System Log event. (OKTA-846160)

  • Users received the wrong error message when they tried to authenticate with biometric methods. (OKTA-846488)

  • Risk information was missing from some device context-triggered user.session.context.change events. (OKTA-880859)

  • If the Okta account management policy was used for self-service unlock and a user only had one factor available, that factor was auto-selected when they started the process. (OKTA-884244)

  • If the Okta account management policy required Identity Verification for all actions, users received a 500 internal server error when they tried to edit their profile settings. (OKTA-888155)

  • When the Passkeys Autofill feature was enabled in the hub org of an Org-to-Org configuration, and there was only one identity provider configured, users weren't automatically redirected to non-hub orgs when they signed in. (OKTA-888882)

  • Sometimes, Google Workspace licenses couldn't be edited. (OKTA-892397)

  • The user.identity_verification System Log event displayed an incorrect assurance level for completed identity verifications. (OKTA-893343)

  • Admins couldn't create or edit third-party identity providers in orgs with Okta-to-Okta claims sharing enabled. (OKTA-893483)

  • Admins whose role had permission conditions couldn't search for users by first or last name. (OKTA-894392)

  • Some text was misaligned on the Password PolicyAdd rule page. (OKTA-897943)

Okta Integration Network

  • Akitra (OIDC) is now available. Learn more.
  • AppsFlyer By Aquera (SCIM) is now available. Learn more.
  • Braintree (SAML) is now available. Learn more.
  • Braintree (SCIM) is now available. Learn more.
  • ContentHubGPT (SAML) is now available. Learn more.
  • HRBrain (SAML) is now available. Learn more.
  • HRBrain (SCIM) is now available. Learn more.
  • Speeda Business Insights (OIDC) is now available. Learn more.
  • Speeda Startup Insights (OIDC) is now available. Learn more.