Okta Identity Engine release notes (Production)

Version: 2025.06.0

June 2025

Generally Available

Sign-In Widget, version 7.32.0

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Device assurance OS version updates

The following OS versions are now supported in device assurance policies:

  • Android 13, 14, and 15 security patch 2025-06-01
  • iOS 15.8.4
  • iOS 16.7.11
  • iOS 18.5
  • macOS Ventura 13.7.6
  • macOS Sonoma 14.7.6
  • macOS Sequoia 15.5
  • Windows 10 (10.0.17763.7314, 10.0.19044.5854, 10.0.19045.5854)
  • Windows 11 (10.0.22621.5335, 10.0.22631.5335, 10.0.26100.4061)

Personal apps excluded from apps count

On the Admin Dashboard, the Total apps count on the Apps widget now excludes personal apps. This provides a more accurate apps count for the org. See Monitor your apps.

Per-app SAML certificate expiry notifications

The Tasks page now displays certificate expiry notifications for individual SAML apps.

New help message for custom domains

Admins creating an Okta-managed custom domain now see a message encouraging them to add a CAA record.

App permissions no longer include agent permissions

Now when you assign the Manage applications permission to an admin, the Manage agents permission isn't automatically granted. For existing admin role assignments that include the Manage applications permission, the Manage agents permission is retained in the assignment. See Role permissions.

Okta Provisioning Agent now supports Group Push with SCIM 2.0

You can now use Group Push with on-premises apps by using Okta Provisioning Agent and SCIM 2.0. See Create SCIM connectors for on-premises provisioning.

New look and feel in the Partner Admin Portal app

The Partner Admin Portal app pages now have a new look and feel, including redesigned side and top navigation menus.

Define default values for custom user attributes

You can now define default values for custom attributes in a user profile. See Add custom attributes to an Okta user profile.

Domain restrictions on Realms

You can now limit users to a specific domain in Realms, which adds an extra layer of oversight for realm and partner admins and enforces boundaries between user populations. See Manage realms.

Authentication claims sharing between Okta orgs

Authentication claims sharing allows an admin to configure their Okta org to trust claims from third-party IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Add a SAML Identity Provider.

Improvements to Okta RADIUS

Okta RADIUS now supports Java version 17 and has a new 64-bit installer.

Create dynamic resource sets with conditions

Resource set conditions help you limit the scope of a role by excluding an admin's access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Resource set conditions.

Biometric user verification in authentication policies

You can now configure authentication policies to require biometric user verification (no passcode). With this feature you ensure that users confirm their biometrics when they authenticate with Okta FastPass or Okta Verify Push. See Biometric user verification in authentication policies.

Automatic renewal of Okta Certificate Authorities

Okta Certificate Authorities (CAs) used for management attestation expire every five years. Without proactive renewal, expired CAs lead to disruptions in authentication and hinder compliance requirements. To mitigate this risk, the Okta CA Renewal Service automatically renews CAs 1.5 years before expiration, ensuring uninterrupted authentication and compliance. By managing CA renewals proactively, this service prevents downtime, reduces manual intervention, and guarantees that management attestation remains seamless and uninterrupted. See Okta Certificate Authority Renewal and Activation Guide.

Manage Subscription button removed

The Manage Subscription button has been removed from the Settings page.

Admins prevented from deleting published app instances

When an app instance has the Published version status, admins can no longer delete it from their org.

Early Access

Send app context to external IdPs

You can now forward context about an app to an external identity provider (IdP) when a user attempts to access the app. When you enable the Application context checkbox for an IdP, the app name and unique instance ID are included in the SAML or OpenID Connect request sent to the external IdP. This enhancement allows external IdPs to make more informed, context-aware authentication decisions, supporting advanced security scenarios and Zero Trust environments. To enable this feature, go to Settings > Features in the Admin Console, locate Send Application Context to an External IdP, and enable it.

Enrollment grace periods

Today, when admins define an enrollment policy for a group, the entire group must enroll immediately, which can be disruptive to their day-to-day tasks.

With Enrollment Grace Periods, end users can defer enrollment in new authenticators until an admin-defined deadline when enrollment becomes mandatory. This allows end users to enroll at a time convenient to them and allows for more graceful enrollment before enforcing new authenticator types in authentication policies. See Authenticator enrollment policies.

RingCentral uses new default phone number logic

The RingCentral app integration's logic for detecting and populating phone numbers has been updated to work with both DirectNumber and IntegrationNumber entries.

Single Logout for IdPs is EA in Preview

The Single Logout (SLO) for IdPs feature boosts security for organizations using shared devices and external IdPs by automatically ending IdP sessions when a user signs out of any app. This feature also requires a fresh authentication for every new user, eliminating session hijacking risks on shared devices. SLO for IdP supports both SAML 2.0 and OIDC IdP connections, which provides robust session management for shared workstations in any environment. See Add a SAML Identity Provider.

Block words from being used in passwords

You can now use Okta Expression Language to block words from being used in passwords. This feature enhances security by allowing you to customize your password strength requirements.

Fixes

  • SDK strings that contained iOS were parsed as unknown operating systems. (OKTA-856044)

  • Some UI elements on the Personal information page in My Settings had the wrong background color. (OKTA-904266)

  • In orgs with an embedded Sign-In Widget and the Email Optional feature enabled, users weren't prompted for their email address during self-service unlock flows. (OKTA-917289)

  • The /idp/myaccount/sessions endpoint didn't accept access tokens granted by custom authorization servers. (OKTA-929488)

  • Some users were prompted by their service provider to authenticate with Okta Verify (OV) even though they had already authenticated using OV at their identity provider. (OKTA-937311)

  • On the Settings page, the Technical contact field displayed a "This field cannot be left blank" error even when there was text in the field. (OKTA-939469)

  • In the End-User Dashboard, if a user resized the browser to a mobile-sized view, the navigation menu opened and closed repeatedly. (OKTA-940213)

Okta Integration Network

  • Pluto Bioinformatics is now available (SAML). Learn more.
  • FORA is now available (OIDC). Learn more.
  • Teamplify is now available (OIDC). Learn more.
  • XOPS is now available (API Service Integration). Learn more.

Version: 2025.05.0

May 2025

Generally Available

App permissions no longer include agent permissions

Now when you assign the Manage applications permission to an admin, the Manage agents permission isn't automatically granted. For existing admin role assignments that include the Manage applications permission, the Manage agents permission is retained in the assignment. See Role permissions.

Realms per org limit expanded

You can now create up to five thousand realms per org. See Manage realms.

Microsoft Office 365 Single Sign-on integration supports SHA-256

The Office 365 SSO integration (WS-Fed Auto and Manual) now uses SHA-256 for signing the authentication token.

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 2.3.0 and Okta Provisioning agent SDK 2.2.0 are now available. These releases contain bug fixes and minor improvements. See Okta Provisioning agent and SDK version history.

Reasons added to System Log event

In the System Log, the Reasons field for user.risk.detect events now indicates if the detection was triggered by a DCO event.

Device assurance OS version updates

Device assurance policies now support the following OS versions:

  • Android 12, 13, 14, and 15 to security patch 2025-05-01
  • iOS 18.4.1
  • macOS Sequoia 15.4.1
  • Windows 10 (10.0.17763.7136, 10.0.19044.5737, 10.0.19045.5737)
  • Windows 11 (10.0.22621.5189, 10.0.22631.5189, 10.0.26100.3775)

Removal of device support for Windows 11 21H2

Okta Verify no longer supports devices that use Windows 11 21H2. See Supported platforms for Okta Verify.

Support for additional attributes in Office 365's Universal Sync

Office 365's Universal Sync now enables users to access Kerberos resources with Windows Hello for Business. See Supported user profile attributes for Office 365 provisioning.

Improved Documentation Search

The search functionality on help.okta.com has been updated with the following improvements:

  • Localized Japanese search: Supports localized searches in Japanese for all translated content.
  • Focused results: Searches take place directly in Okta help instead of rerouting users to the Okta Help Center.

These features are now available on help.okta.com to help users quickly locate relevant documentation for their specific needs.

Okta Active Directory agent, version 3.20.0

This release includes support for enhanced incremental imports from AD using DirSync. Incremental import with DirSync avoids full imports and offers delta imports from AD, which significantly improves performance. Configuration and opt-in are required within Okta after an agent update. This release also includes security enhancements and bug fixes. See Okta Active Directory agent version history.

New protected action

Creating API tokens is now a protected action. When you enable this feature in your org, admins are prompted for authentication when they create an API token, at an interval that you specify. This additional layer of security helps ensure that only authorized admins can perform key tasks in your org. See Protected actions in the Admin Console.

Universal Logout for Splunk Enterprise

Splunk Enterprise now supports Universal Logout. This enables admins to automatically sign users out of this app when Universal Logout is triggered. See Third-party apps that support Universal Logout.

Policy Recommendation Tool deprecated

The trial period of the Policy Recommendation Tool has ended and the product has been deprecated.

Updates to the advanced search filters

The operators dropdown menu in the Advanced search section on people, groups and group membership pages shows all options and grays out the options that aren't applicable.

Express Configuration for OIN apps

Express Configuration lets you quickly set up SSO for OIN apps in your org. During Express Configuration, Okta and the app exchange data that's necessary to automatically set up SSO. This reduces the need for manual configuration and minimizes the chance for errors. See Add an app with Express Configuration.

ADFS version 1.8.3

Bug fixes and security hardening.

Updated text for the Login.gov IdP

For the Login.gov IdP, the Type of Identity Verification label has been updated to Type of Service Level, and the list of possible service levels has been updated.

Entitlement claims

You can now enrich tokens with app entitlements to enable deeper integrations. After you configure this feature for your app integration, use the Okta Expression Language in Identity Engine to add entitlements at runtime as OIDC claims and SAML assertions. See Generate federated claims.

Early Access

Advanced device posture checks

Advanced posture checks provide extended device assurance to users. They empower admins to enforce compliance based on customized device attributes that extend beyond Okta's standard checks. Using osquery, this feature facilitates real-time security assessments across macOS devices. As a result, orgs gain enhanced visibility and control over their device fleet and ensure that only trusted devices can access sensitive resources. See Configure advanced posture checks for device assurance.

Enhanced device assurance with Android Device Trust

Android Device Trust integration for Device Assurance enhances Okta's capability to evaluate and enforce security measures on Android devices. It introduces additional security settings such as checks for Play Integrity status and Wi-Fi security. This integration strengthens device compliance while eliminating the need for Mobile Device Management (MDM), providing orgs with increased flexibility in securing their Android endpoints. See Integrate Okta with Android Device Trust.

Inline step-up flow for User Verification with Okta Verify

End users can now easily satisfy authentication policies that require higher User Verification (UV) levels, even if their current enrollment is insufficient. This feature proactively guides users through the necessary UV enablement steps. As a result, administrators can confidently implement stricter biometric UV policies to eliminate the risk of user lockouts and reduce support inquiries related to UV mismatches. See User experience according to Okta Verify user verification settings.

Breached Credentials Protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials detection.

This feature is following a slow rollout process beginning on May 15.

Okta as an external authentication method for Microsoft Entra ID

Use Okta multifactor authentication (MFA) to satisfy Microsoft Entra ID MFA requirements. This helps users avoid double authentication and provides a seamless experience across Okta and Microsoft 365 apps. See Configure Okta as an external authentication method for Microsoft Entra ID.

DirSync group imports for Active Directory

For Active Directory (AD) integrations, the Provisioning tab now provides an Enable imports with AD using DirSync checkbox. When you enable the checkbox, admins can perform incremental group imports using DirSync. See Configure Active Directory import and account settings.

Custom admin roles for ITP

Through this feature, customers can use granular ITP permissions and resources to create custom roles to right-size authorization for ITP configuration and monitoring. See Configure custom admin roles for ITP.

Fixes

  • Users were sent to the wrong help topic when they clicked Learn more in the Change Password section of the end-user Settings page. (OKTA-801189)

  • Admins who tried to create a stream with an inaccessible URL received an Internal Server Error (HTTP 500) instead of an API Validation Error (HTTP 400). (OKTA-827169)

  • Users who signed out of the End-User Settings version 2.0 page were redirected to their sign-in page instead of their custom sign-out page. (OKTA-878856)

  • When a custom admin role had the Generate device recovery PIN permission, admins with that role couldn't create a recovery PIN for a Desktop MFA client. (OKTA-881842)

  • When accessing an Okta org2org application on macOS devices, some users were unnecessarily prompted to enroll in the Okta Verify app. (OKTA-882059)

  • When doing incremental imports using Okta Provisioning agent, users whose profiles weren't modified were removed from groups in Okta. (OKTA-884952)

  • Admins and users couldn't reset the password for staged accounts with an unverified email status. (OKTA-885853)

  • The border for the table of Active Directory instances on the Delegated Authentication page was missing. (OKTA-893589)

  • When authenticating with SMS or Google Authenticator, some users saw an incorrect error message when they entered a space in the Enter code field of the Sign-In Widget (third generation). (OKTA-897996)

  • When admins enabled the Unified Look and Feel for Okta Admin Console feature, some user interface elements didn't render correctly on Default Policy pages. (OKTA-903370)

  • When users enrolled in Okta Verify, the core.user.factor.activate System Log event wasn't recorded. (OKTA-908444)

  • Some users were asked repeatedly to approve multiple Okta FastPass user verification prompts. (OKTA-909450)

  • Users were prompted for multifactor authentication twice when they signed in to a spoke org in an Okta Org2Org scenario even though the Trust claims from this identity provider option was selected for the hub org. (OKTA-912172)

  • Some users saw a login hint in the UserHome page URL for OIDC apps even though login hints were disabled. (OKTA-919432)

  • Super admins couldn't always access Workflows with the role-based access control (RBAC) feature enabled. (OKTA-920704)

  • When third-party IdP claims sharing was enabled, the redirect to the IdP happened during reauthentication even if the IdP didn't provide any AMR claims. (OKTA-922086)

  • PERIMETER81_VPN was incorrectly announced as a supported IP service category in enhanced dynamic zones. (OKTA-923426)

  • When a call to activate a downstream app user failed while activating a user, the user was stuck in an activating status. (OKTA-925217)

  • The user's profile dropdown menu label displayed the user's email address instead of their first name in the Secure Partner Portal app. (OKTA-925251)

  • If a third-party SAML IdP sent the session.amr SAML attribute without the attribute schema type, Okta rejected the response when the third-party claims sharing feature was enabled. (OKTA-925864)

  • Starting with version 136, Chrome no longer returned the thirdPartyBlockingEnabled signal, and users whose Device Assurance policies relied on the signal were denied access to their resources. (OKTA-927884)

Okta Integration Network

Weekly Updates

2025.5.1: Update 1 started deployment on May 19

Generally Available

On-Prem MFA agent, version 1.8.2

Version 1.8.2 of the On-Prem MFA agent is now available. This version includes security enhancements.

Sign-In Widget, version 7.31.1

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Sign-In Widget, version 7.31.0

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

New filter and columns for Access Certifications reports

You can use the Campaign ID filter in the Past campaign details and Past campaign summary reports. You can find a campaign's ID from System Log events or from the URL for the campaign details page. Additionally, the following columns are available for use in the Admin Console.

  • Past campaign details report:
    • User email
    • Reviewer email
    • Reviewer reassigned
  • Past campaign summary report:
    • Campaign resource count

Fixes

  • Some System Log entries showed the wrong user agent operating system version for risk scoring and new device detection events. (OKTA-792841)

  • Some Active Directory Single Sign-On (ADSSO) users were required to provide their username in the Sign-In Widget before they were routed to ADSSO. (OKTA-814881)

  • The Application Usage report didn't include successful RADIUS authentications. (OKTA-815504)

  • Some users didn't receive emails from Okta. (OKTA-826144)

  • When users edited an authorization server on the Security > API page, the value of the Type column on the Claims tab incorrectly wrapped to a second line. (OKTA-863707)

  • Some users weren't prompted for multifactor authentication after the Keep me signed in period expired. (OKTA-871178)

  • Admins didn't receive the correct notifications when they had both role and admin email notifications selected. (OKTA-876846)

  • Some ADSSO functionality didn't work as expected. (OKTA-880273)

  • When users edited an authorization server on the Security > API page, some user interface elements had the wrong background color. (OKTA-893509)

  • Some user interface elements on the API Token page had the wrong background color. (OKTA-893608)

  • Some users saw an extra line at the bottom of the Identity Providers page. (OKTA-893613)

  • Some user interface elements in the Access Testing Tool didn't render correctly when the Unified UI for the Admin App feature was enabled. (OKTA-904105)

  • Some user interface elements in the entity risk policy didn't render correctly when the Unified UI for the Admin App feature was enabled. (OKTA-904369)

  • Some user interface elements had incorrect spacing on the Okta API Scopes tab of app pages. (OKTA-905018)

  • Email notifications for the super admin role weren't applied consistently when all admin email notification settings were selected for the role. (OKTA-906587)

  • Agents in an error state were properly displayed on the Agent Monitors page for their respective directory integration but weren't displayed on the Admin Dashboard. (OKTA-910056)

  • Some users received an error message when they tried to sign in after their account was unlocked. (OKTA-913228)

  • Some users were prompted for multifactor authentication despite having previously selected Stay signed in. (OKTA-914076)

  • On the Add resource dialog, the Show more button didn't display all the resources that were already included in the resource set. (OKTA-921890)

  • Starting with version 136, Chrome no longer returned the thirdPartyBlockingEnabled signal, and users whose Device Assurance policies relied on the signal were denied access to their org. (OKTA-927884)

  • After signing in to Okta on a mobile device (either Android or iOS), opening the menu resulted in the screen flickering. (OKTA-933477)

  • Some users were unable to authenticate using Microsoft Entra ID External Authentication Methods. (OKTA-936300)

  • Updating an LDAP-sourced user profile sometimes resulted in an error. (OKTA-939330)

Okta Integration Network

  • Attribute Dashboard (OIDC) now supports IdP-initiated SSO flows.
  • DX (SAML) is now available. Learn more.
  • Embrace (SAML) is now available. Learn more.
  • Merkle (OIDC) is now available. Learn more.
  • SAP Concur by Aquera is now available. Learn more.
  • SAP S/4HANA by Aquera (SCIM) is now available. Learn more.

2025.5.2: Update 2 started deployment on May 27

Fixes

  • The online help link on the Brands page didn't link to the correct page. (OKTA-654709)

  • Some users saw an error message when editing the Embedded widget sign-in support settings on the Settings > Account page. (OKTA-881712)

  • LDAP agents were displayed as operational after registration, even if they hadn't successfully connected to Okta. (OKTA-886963)

  • Some users were prompted to enroll in additional authenticators after they enrolled in the FIDO2 (WebAuthn) authenticator. (OKTA-888797)

  • Some user interface elements in pages under the Customizations menu didn't render correctly when the Unified UI for the Admin App feature was enabled. (OKTA-893521)

  • The border on the Delegated Authentication page for LDAP used squared corners instead of rounded corners. (OKTA-893569)

  • When some users requested a new account activation email, an error message appeared after they clicked Request activation email. (OKTA-919395)

  • Some user interface elements on app pages weren't rendered correctly. (OKTA-932378)

  • Some pages didn't load correctly when the Unified look and feel for Okta Admin Console feature was enabled. (OKTA-938750)

Okta Integration Network

  • CyberDefenders (OIDC) is now available. Learn more.
  • Google Cloud Workforce Identity Federation (OIDC) is now available. Learn more.
  • Pro-Vigil (SAML) is now available. Learn more.

2025.5.3: Update 3 started deployment on June 2

Generally Available

RingCentral uses new default phone number logic

The RingCentral app integration's logic for detecting and populating phone numbers has been updated to work with both DirectNumber and IntegrationNumber entries.

Integrator Free Plan org now available

The Integrator Free Plan org is now available on the Sign up page of the developer documentation site. These orgs replace the previous Developer Editions Service orgs, which will start being deactivated on July 18th. See Changes Are Coming to the Okta Developer Edition Organizations. For information on the configurations for the Integrator Free Plan orgs, see Okta Integrator Free Plan org configurations.

Fixes

  • Users who successfully authenticated with AMR claims were still prompted to stay signed in. (OKTA-914125)

  • Users with '+' in their email address couldn't reset their passwords from email templates. (OKTA-914601)

  • When an admin changed a user attribute in Okta, the profile in Zendesk reverted back to the default language of the Zendesk account. (OKTA-916240)

  • In the System Log, 'policy.evaluate_sign_on' events with a DENY outcome displayed a 'PolicyRuleFactorMode'. (OKTA-922161)

  • Some users incorrectly received an Invalid Phone Number error when they enrolled an SMS factor. (OKTA-923373)

  • When an admin configured the Salesforce.com connector with the Customer Portal user type and then ran an import, no users were fetched. (OKTA-931016)

  • When using an Org2Org integration between a Classic hub org and an OIE spoke org, some users were prompted for MFA in the spoke org even though Trust claims from this identity provider was enabled and they had already authenticated in the hub org. (OKTA-931086)

  • After signing in to Okta on a mobile device (either Android or iOS), opening the menu resulted in the screen flickering. (OKTA-933477)

  • When users performed Org2Org SSO with an existing IdP session, FactorVerifiedByIdp was missing from the System Log entry. (OKTA-935626)

  • When third-party IdP claims sharing was enabled, some claims were missing from the System Log. (OKTA-936530)

  • Some UI elements rendered incorrectly on the Security Methods section of the Settings page on the End-User Dashboard. (OKTA-937390)

  • Some pages didn't load correctly when the Unified look and feel for Okta Admin Console feature was enabled. (OKTA-938750)

  • Updating an LDAP-sourced user profile sometimes resulted in an error. (OKTA-939330)

  • When the Enforce MFA for admin-only Identity Governance apps feature was enabled, the authentication policy settings were hidden from the Application pages. (OKTA-939580)

  • When third-party claims sharing was enabled, users couldn't sign in using their IdP because of an authentication loop. (OKTA-939862)

  • Search functionality didn't work in the AAGUID list table. (OKTA-940240)

Okta Integration Network

  • Conviva (SCIM) is now available. Learn more.
  • Paylocity (Demo)(SCIM & SAML) is now available. Learn more.
  • SELR.ai (OIDC) is now available. Learn more.
  • Wirespeed (API service) is now available. Learn more.

Version: 2025.04.0

April 2025

Generally Available

Secure Identity Integrations

Secure Identity Integrations (SII) provides additional depth for the 50+ most-used enterprise SaaS applications with the inclusion of SSO, SCIM, Apps with entitlement support, Third-party apps that support Universal Logout, Workflows, and Identity Security Posture Management (ISPM).

Sign-In Widget, version 7.30.0

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 2.2.1 and Okta Provisioning agent SDK 2.1.1 are now available. These releases contain bug fixes and minor improvements.

OIN test account information deleted after 30 days

Okta deletes your test account credentials 30 days after you publish your app in OIN Wizard. You must create a new test account and re-enter the required information before submitting the app.

Risk Provider and Risk Events APIs are deprecated

These APIs have been deprecated. Use the SSF Security Event Tokens API instead to receive security-related events and other data-subject signals. Use the SSF Receiver API for third-party security event providers.

MyAccount Management scopes

The MyAccount Management scopes have been updated to non-system scopes and are now configurable by admins. See Create API access scopes.

Phishing resistance enabled by default

The Phishing resistant option is now selected by default as a possession factor constraint in newly created authentication policy and Okta account management policy rules. This only applies to orgs with phishing-resistant authenticators enabled. See Add an authentication policy rule and Add a rule for authenticator enrollment.

Step-up authentication for updating policies

Okta prompts for step-up authentication when admins perform protected actions in the Admin Console, like updating sign-on policies. The changes are only allowed after the admin authenticates successfully. This feature enhances org security by allowing admins to require MFA before performing protected actions. See Protected actions in the Admin Console.

Okta Verified text removed from the OIN

In the OIN catalog, the Okta Verified disclaimer has been removed from the app integration pages.

Okta account management policy

The Okta account management policy helps admins easily build phishing resistance into actions such as account unlock, password recovery, authenticator enrollment, and profile setting changes. Using the familiar rule-based framework of an authentication policy, admins can now customize which phishing-resistant authenticators are required when users attempt these common self-service actions. All of the configurations in the authentication policies can now be applied for authenticator management. See Okta account management policy.

Desktop MFA Recovery for Okta Device Access

Desktop MFA Recovery is now available for Desktop MFA for macOS. It provides a way for admins to generate a time-limited device recovery PIN to unblock Desktop MFA users who lost their MFA authentication device. See Desktop MFA recovery.

Early Access

Manage Active Directory accounts in Okta Privileged Access

This feature allows management of Active Directory (AD) account passwords through Okta Privileged Access using the Okta AD Agent. Admins can set discovery rules for accounts in specific organizational units (OUs) and create policies for user access, ensuring passwords are rotated upon check-in or on a schedule. Users with access can view their assigned accounts and retrieve passwords. To enable this feature, contact Okta support. See Manage Active Directory accounts.

OAuth 2.0 provisioning for Org2Org with Auto-Rotation

Admins deploying multi-org architectures (for example, Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning with OAuth 2.0 scoped tokens has several advantages over API tokens, including finer-grained access, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Auto-Rotation for Org2Org app provisioning directly from the Admin Console.

See Integrate Okta Org2Org with Okta.

On-prem Connector for SAP Netweaver ABAP supports more attributes

Okta On-prem Connector now supports more user attributes, which enables better integration between Okta and SAP Netweaver ABAP.

Fixes

  • The Sign-In Widget (third generation) didn't display font sizes correctly. (OKTA-552923)

  • Custom app logos didn't appear on the app's page. (OKTA-655724)

  • This update applied general security fixes. (OKTA-690936)

  • The reported results of an import varied between what was displayed when the import finished, the import summary email, and the values displayed on the Import Monitoring page. (OKTA-739010)

  • Some users with profiles imported from Active Directory didn't receive the self-service unlock email and couldn't recover their accounts. (OKTA-843086)

  • Some admins couldn't delete an authenticator from orgs with many authentication policy rules. (OKTA-847583)

  • The MFA Factor column in the MFA Usage report displayed the name Windows Hello (Web Authentication) for the FIDO2 (WebAuthn) authenticator. (OKTA-848611)

  • Orgs that had registration inline hooks in Classic Engine couldn't deactivate them after upgrading to Identity Engine. (OKTA-855960)

  • The SettingsAPI menu appeared to some admins who didn't have permission to view it. (OKTA-856337)

  • Pagination controls and Show more on the Authentication policies page didn't work correctly. (OKTA-858605)

  • The risk level was LOW in some network-related user.session.context.change events. (OKTA-863401)

  • The Recent activity tab of the end-user Settings page didn't render tables correctly. (OKTA-874276)

  • The end-user Settings page didn't display text correctly when the window was resized. (OKTA-874292)

  • Screen readers couldn't read the names of languages in the Select language dropdown menu on the end-user Settings page. (OKTA-874318)

  • Admins couldn't add FIDO2 (WebAuthn) authenticators to authenticator groups. (OKTA-875920)

  • Admins using multiple user types sometimes encountered an internal error when attempting to update an app instance. (OKTA-880825)

  • The Import Monitoring page was viewable by admins who didn't have the necessary permissions. Accessing the page resulted in a 403 error. (OKTA-880835)

  • Sometimes a Null Pointer Exception error occurred when performing a group push to Google Workspace. (OKTA-886861)

  • The user.risk.detect event was incorrectly identified on the Entity Risk Policy page. (OKTA-887297)

  • When users signed in to the end-user Settings page and tried to authenticate with an identity verification vendor, the Back to Settings button was missing. This button was also missing from the error page if the user didn't satisfy the identity verification. (OKTA-894271)

  • LDAP agents failed to parse queries when group names had special characters. (OKTA-902231)

Okta Integration Network

  • AppVentory (API Service) is now available. Learn more.
  • Curricula (SAML) has a new integration guide.
  • Fabrix (API Service) is now available. Learn more.
  • GoSearch (SCIM) now supports Group Push.
  • OpenAI by Aquera (SCIM) is now available. Learn more.
  • Peaxy Lifecycle Intelligence (OIDC) is now available. Learn more.
  • Suger (OIDC) is now available. Learn more.
  • Suger (SCIM) is now available. Learn more.
  • Warp Employee Provisioning (API Service) is now available. Learn more.

Weekly Updates

2025.4.1: Update 1 started deployment on April 14

Generally Available

Sign-In Widget, version 7.30.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget.

New look and feel in Access Requests

The Access Requests console and Okta Access Requests web app now have a new look and feel, including redesigned side and top navigation menus and the addition of a gray background. Additionally, Dark mode is no longer available for Access Requests.

Device assurance OS version updates

The following OS versions are now supported in device assurance policies:

  • Android 12, 13, 14, 15 security patch 2025-04-01
  • iOS 16.7.11
  • iOS 18.4
  • macOS Ventura 13.7.5
  • macOS Sonoma 14.7.5
  • macOS Sequoia 15.4
  • Windows 10 (10.0.17763.7009, 10.0.19044.5608, 10.0.19045.5608)
  • Windows 11 (10.0.22621.5039, 10.0.22631.5039, 10.0.26100.3476)

Fixes

  • The Access Testing Tool didn't work if the device assurance policy included Chrome OS platform conditions. (OKTA-840977)

  • On the Sign-In Widget (third generation), an error sometimes occurred when a user with an Apple device attempted to sign in using Okta Verify. (OKTA-861910)

  • Error messages appeared in different places on the Sign-In Widget (third generation) depending on which authenticator the user chose. (OKTA-871675)

  • In Preview orgs, org admins couldn't edit IdP group assignments when a super admin group was included in the group list. (OKTA-880124)

  • The Edit role screen didn't always display the correct Workflow permissions. (OKTA-886964)

  • Users couldn't sign in to their org with a Smart Card when the org used authentication method chains and the Keep me signed in option was selected. (OKTA-887124)

  • Super admins saw an error when they attempted to reset a user's authenticators. (OKTA-890695)

  • The id_token_hint parameter was exposed in the System Log. (OKTA-890738)

  • When a user interacted with the Graph API in Azure Active Directory PowerShell, the activity was incorrectly logged in Office 365. (OKTA-896032)

  • Users couldn't sign in to the Office 365 GCC High OIN app if it was integrated with WS-Fed. (OKTA-899506)

  • On the Give access to Okta Support page, the Provide Support access for self-assigned cases section sometimes didn't display the correct cases. (OKTA-909308)

  • A JavaScript issue prevented users from accessing the Glory app. (OKTA-917414)

Okta Integration Network

  • Adroll by Aquera (SCIM) is now available. Learn more.
  • Hero (API Service) is now available. Learn more.
  • Hyperproof (SCIM) is now available. Learn more.
  • Microsoft Dynamics 365 BC by Aquera (SCIM) is now available. Learn more.
  • ZAMP (OIDC) has additional redirect URIs.

2025.4.2: Update 2 started deployment on April 21

Generally Available

Trust incidents and updates checkbox removed

On the Account page, the Admin email notifications section no longer has the Trust incidents and updates checkbox. Admins can subscribe to this communication type through https://status.okta.com.

Fixes

  • Some domains and realm types weren't recorded in the System Log. (OKTA-834681)

  • The Email Optional feature didn't work when self-service password resets were switched to the Okta account management policy. Email requirements from the legacy password policy were still being enforced. (OKTA-863721)

  • When users tried to sign in from outside of their permitted network zone, they saw a Contact your administrator link on the error page even though the admin disabled the link. (OKTA-874992)

  • The registration inline hook for progressive profiling returned the user's default time zone instead of the one in their profile. (OKTA-881008)

  • Super admins couldn't update the operator for profile attribute conditions on a custom admin role. (OKTA-884966)

  • Sometimes, Google Workspace licenses couldn't be edited. (OKTA-892397)

  • Desktop Multifactor Authentication (MFA) push notifications gave the wrong name for the computer's operating system. (OKTA-902839)

  • When the Unified look and feel for Okta Admin Console feature was enabled, the headings on the Downloads page were misaligned. (OKTA-904262)

  • Some text strings in the Move user to realm page weren't translated. (OKTA-909317)

  • When the Unified look and feel for Okta Admin Console feature was enabled, users' names didn't always render correctly. (OKTA-909497)

  • When some users selected the Unlock account option, they received the Self Service Unlock is not allowed at this time error message. (OKTA-913307)

  • In the Edit user attributes page of the Secure Partner Access Admin Portal, the base attributes couldn't be edited. (OKTA-914964)

  • Global session policy rules weren't honored as expected in certain scenarios. (OKTA-916343)

Okta Integration Network

  • Adroll by Aquera (SCIM) has a new description and display name.
  • Files.com by Aquera (SCIM) is now available. Learn more.
  • Global Relay Identity Sync has a new display name.
  • GoTo Meeting by Aquera (SCIM) is now available. Learn more.
  • GroWrk (SAML) is now available. Learn more.
  • Helpjuice by Aquera (SCIM) is now available. Learn more.
  • Island Management Console (SCIM) is now available. Learn more.
  • OK2Pay (SAML) is now available. Learn more.

2025.4.3: Update 3 started deployment on May 5

Generally Available

Sign-In Widget, version 7.30.2

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Sign-In Widget, version 7.30.3

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Fixes

  • Some users received a server error message when they tried to sign in to orgs that have Factor Sequencing enabled. (OKTA-792815)

  • On the Networks page, the Add Zone button was unexpectedly available when Admin Created was selected for some environments. (OKTA-850713)

  • Some app logos didn't appear for their respective app on the Authentication policies page. (OKTA-861734)

  • When a user was created and added to an app through group assignment, and the app had provisioning enabled, no application.user_membership.add event was logged. (OKTA-868825)

  • When an admin performed a protected action, they weren't prompted for authentication if they had recently signed in to Okta. (OKTA-889142)

  • After their accounts were suspended, users who correctly answered their security question were moved to an Active status in API calls. (OKTA-897292)

  • Users weren't able to validate MFA through FIDO2, Okta Verify Push, or TOTP authentication if the OrgUrl contained a trailing slash character or uppercase letters. (OKTA-897324)

  • On the End-User Dashboard, the side navigation panel didn't always reappear after a user resized their screen. (OKTA-900098)

  • When the Unified look and feel for Okta Admin Console feature was enabled, the headings on the Downloads page were misaligned. (OKTA-904262)

  • Reasons weren't displayed for some user.session.context.change System Log events when the risk level was MEDIUM. (OKTA-905183)

  • When the Unified look and feel for Okta Admin Console feature was enabled, admins couldn't edit a page or email template in full-screen mode in Customizations > Brands. (OKTA-905316)

  • Duplicate AD/LDAP app instances could be registered for a single domain. (OKTA-911468)

  • On the User profile page in the Secure Partner Access Admin Portal, the base user attributes couldn't be edited. (OKTA-914964)

  • When an admin edited role notifications for the Workflows Administrator role, they saw an unresponsive dialog. (OKTA-918276)

  • Users received a 400 Bad Request error during self-service registration in preview orgs with inline hooks. (OKTA-918774)

  • When an Okta Classic Engine org was involved in a multi-org Okta-to-Okta authentication flow, and Okta-to-Okta claims sharing was enabled, the OktaAuth (SAML) and okta_auth (OIDC) claims weren't processed correctly. (OKTA-918969)

  • Users were deactivated during imports where Super Admin privileges had been granted through group membership assignment. (OKTA-831811)

  • Admins couldn't obtain a recovery PIN for a registered device if the user associated with the device was deactivated, suspended, or pending activation. See Desktop MFA recovery. (OKTA-834144)

  • Users didn't receive the custom "access denied" message when they couldn't open an app due to a device security issue. (OKTA-848802)

  • Some users couldn't sign in on iOS devices because their Okta FastPass kept looping during authentication. (OKTA-888833)

  • Custom profile attribute fields on the End User Settings 2.0 page displayed Undefined text in the dropdown menu. (OKTA-891973)

  • Users were incorrectly prompted for multifactor authentication when they tried to sign in to locked accounts. (OKTA-892415)

  • Some admins with a custom role couldn't view client secrets for apps that they had permission to view. (OKTA-893511)

  • Admins sometimes received an error when they tried to change the sign-in and sign-out redirect URIs for OIDC app integrations. (OKTA-901862)

  • On the Admin Dashboard, the Tasks widget sometimes displayed incorrect provisioning tasks for the Okta ISV Portal App. (OKTA-902656)

  • Some colors and fonts were inconsistent across the Admin Console. (OKTA-904047)

  • When the Username attribute had no format restrictions applied to it, multiple identifiers could be associated with and gain access through the same account. (OKTA-910103)

  • Users were prompted for multifactor authentication twice when they signed in to a spoke org in an Okta Org2Org scenario even though the Trust claims from this identity provider option was selected for the hub org. (OKTA-912172)

  • Some users who had never used Okta FastPass were incorrectly asked to provide biometric verification when signing in. (OKTA-914699)

  • The System Log didn't record the name of the rule that applied to the authenticator that users were required to enroll in. (OKTA-914931)

  • When Okta-to-Okta claims sharing was enabled, federated users who were sourced from a third-party identity provider were incorrectly prompted to provide a password on their hub org. (OKTA-919385)

  • An error message appeared when admins tried to create an API Service app and assign it to an authentication policy. (OKTA-928343)

Okta Integration Network

  • Applixure (OIDC) is now available. Learn more.
  • Degreed by Aquera (SCIM) is now available. Learn more.
  • LinearB (SAML) is now available. Learn more.
  • LinearB (SCIM) is now available. Learn more.
  • myComply (SAML) is now available. Learn more.
  • Othership Workplace Scheduler (SAML) is now available. Learn more.
  • Othership Workplace Scheduler (SCIM) is now available. Learn more.
  • Pandadoc by Aquera (SCIM) is now available. Learn more.
  • Saleo (SCIM) is now available. Learn more.
  • Splunk-On-Call by Aquera (SCIM) is now available. Learn more.