Okta Identity Engine release notes (Production)
Generally Available
Version: 2026.05.0
- Workday entitlement management
Admins can now manage entitlements for Workday app instances on Okta. This feature allows for the discovery and governance of user-based security groups to enable automated access requests and certifications.
- Report exports
You can now choose between CSV and GZIP export formats when generating the following reports:
  - Okta usage
  - Application usage
  - MFA usage
- Add access request condition descriptions
You can now add descriptions to access request conditions for apps, collections, and Okta admin role bundles. These descriptions appear alongside the condition's name on the Access Requests tab, making it easier for you to understand the specific purpose of each condition. See Create access request conditions.
- Sign-In Widget, versions 7.45.0, 7.45.1, 7.45.2
For details about these releases, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.
- Managed connections renamed to resource connections
On the Okta for AI Agents pages and System Log events, references to managed connections have been renamed to resource connections.
- Slack resource server connector
You can now use the Slack resource server connector to create resource connections between Slack and an AI agent. See Configure resource server connectors.
- Session retention after user password changes
When users change their password and select Sign me out of all other devices, Okta now retains their current session after their other active sessions are revoked.
- System Log event for unconfigured identifiers
When JIT is enabled for Active Directory and a user authenticates with an unconfigured identifier, the event now appears in the System Log.
- Dynamic attribute updates for Smart Card authentication
Smart Card authentication supports real-time attribute updates during Just-In-Time (JIT) provisioning. As a result, user profiles are kept up to date by synchronizing identity attributes directly from the PIV/CAC card at the time of authentication.
- Okta for AI Agents
You can now register, secure, and govern AI agent identities directly within Okta. Register agents manually or import them directly from provider apps. Enforce least-privilege access, eliminate standing privileges, and use System Logs to trace every delegation hop across your agent workflows. AI agents become accountable members of your digital workforce, governed by the same identity standards as your human users.
- CSV report of AD migration progress now available
You can now download a CSV report to view the password migration of specific users. This report provides a detailed breakdown of each user's migration status, such as whether their password was successfully migrated or if a specific error occurred. See Run a password migration.
- System Log event for DirSync imports
When Active Directory agent compatibility is verified for DirSync-based imports, the event now appears in the System Log.
- Updated default settings for Passkey (FIDO2 WebAuthn) authenticator
The configuration for WebAuthn authenticators defaults to preferred user verification for all orgs and defaults to passkeys for new orgs. These updates reduce manual configuration, ensure a seamless enrollment process, and provide a more reliable sign-in experience for users across various devices.
- Skip counts for authenticator enrollment grace periods
This feature allows admins to define the number of times end users can skip enrollment in an authenticator, and to customize the prompt that end users see during the grace period. See Authenticator enrollment policies.
- Release controls for Okta Verify on Windows
With the new release controls feature, admins can configure whether to allow, pause, or restrict automatic updates to Okta Verify on Windows. This provides greater flexibility for meeting enterprise change management requirements and managing version rollouts across Windows endpoints. See Configure Okta Verify release controls.
- Passkeys rebrand
The FIDO2 (WebAuthn) authenticator is being rebranded to Passkey (FIDO2 WebAuthn), and Okta is introducing enhanced administrative controls and a streamlined user experience. This update centralizes passkey management through a consolidated settings page, allows for customized authenticator naming, and introduces a dedicated Sign in with a passkey button within the Sign-In Widget. These enhancements simplify the authentication journey and give users a more intuitive sign-in process. See Configure the Passkeys (FIDO2 WebAuthn) authenticator.
- User password migration from AD to Okta
Seamlessly migrate user passwords from AD to Okta without disrupting your users or operations. This establishes Okta as the source of truth for user passwords, enabling it to handle user authentication and eliminating the need for delegated authentication. See Password migration from AD to Okta.
- Network zone residential proxy detection
This feature adds new zones associated with Enhanced Dynamic Network Zones beyond anonymous proxies and VPNs. Customers can use service categories such as ZSCALER_PROXY, PERIMETER_81, and more. See Supported IP service categories.
Early Access
- Global Token Revocation for third-party and Org2Org IdPs
Okta now supports Global Token Revocation (GTR) for third-party and Org2Org identity providers (IdPs). This feature allows external IdPs to securely trigger Universal Logout, instantly revoking all user sessions and tokens across your entire app ecosystem. See Configure Universal Logout for supported apps.
- Redirect federated users to IdPs for reauthentication
Reauthentication to an IdP helps Okta admins secure federated identities by redirecting federated users to their source SAML, OIDC, or Org2Org IdP when a policy requires them to reauthenticate. By forcing reauthentication at the source IdP, admins can close security gaps from long-lived sessions and remove the need to configure duplicate MFA enrollment in Okta. See Redirect federated users to IdPs for re-authentication.
- Email auto-enrollment and recovery management
Admins can control the automatic enrollment of email as an authenticator and configure email-based password recovery, unlock, and change where email is not an authenticator. See Make email an optional authenticator.
- Managed app assurance for Android
The new Device Profile Restriction condition in device assurance policies ensures that Android users can only access protected apps from the same managed work profile where Okta Verify is installed. This prevents access from personal profiles, which reduces the risk of data leaks and improves security posture. See Add a device assurance policy.
- Platform SSO password integration with Device-Bound SSO
The Platform SSO password authentication method now integrates with Device-Bound SSO. When a user signs in at the macOS sign-in window, Okta verifies the password factor and creates a device-bound session. Users can then access Okta-protected apps in their browser without additional password prompts. See Platform SSO for macOS and Configure device configuration profiles for PSSO using a generic MDM.
- Secure Enclave key support for Platform SSO
Platform SSO now supports a Secure Enclave key-based authentication method that integrates with Device-Bound SSO. When a user authenticates at the macOS sign-in window with their password, the authentication unlocks a hardware-bound cryptographic key stored in the Secure Enclave. Okta uses the key to create a device-bound session that satisfies any authentication policy that requires Okta FastPass with user verification, without repeated MFA prompts. See Platform SSO for macOS and Configure device configuration profiles for Secure Enclave using a generic MDM.
- Detect and discover AI agents
Use the Security Access Monitor browser plugin and Okta Identity Security Posture Management (ISPM) to get visibility into any new OAuth grants to apps and the consequent shadow AI agent usage for your org. The plugin monitors managed browsers for any new OAuth grants to apps and AI agents. ISPM captures OAuth grant telemetry, analyzes the data, and provides you with the visibility you need to identify every third-party app that your users authorize. This helps you mitigate risks related to shadow OAuth grants and AI agents. After you configure the plugin, you can find all new OAuth grants across your org by going to page in the ISPM console. See Discover and assess AI agents.
Fixes
- After deactivating an AD Agent, an incorrect format of the version for the agent was displayed. (OKTA-1117122)
- Customized error messages weren't displayed to new users when they clicked Forgot password. (OKTA-1118986)
- Some users couldn't sign in if the global session policy that applied to them was deleted. (OKTA-1131197)
- The Scan QR Code option appeared for users who required only the Use Security Key option. (OKTA-1145766)
- After a user.session.context.change event, some global session and app sign-in policy rules configured with In any network zone defined in Okta failed to match during ITP policy re-evaluation. (OKTA-1151868)
- The Sign-In Widget displayed an error after users completed a self-service password reset when the app authentication policy had the Keep Me Signed In prompt enabled. (OKTA-1152243)
- AMR claim updates weren't applied to the Salesforce (Federated ID) app integration. (OKTA-1164030)
- On the Administrator assignment by role page, the Preview role pane displayed "L10N_ERROR[okta.apps.clientCredentials.read.name.code]" instead of the View client credentials permission. (OKTA-1166616)
- Manual remediation was required when reviewers revoked a user’s access to Active Directory-source groups in a campaign. (OKTA-1167090)
Okta Integration Network
- Asset Integrity for Pipelines (OIDC) is now available. Learn more.
- CJ Affiliate (OIDC) is now available. Learn more.
- Conduit Security (OIDC) is now available. Learn more.
- Form (OIDC) is now available. Learn more.
- Harmony (SAML) is now available. Learn more.
- Harmony (SCIM) is now available. Learn more.
- Haystack (SCIM) is now available. Learn more.
- JumpCloud (OIDC) is now available. See JumpCloud.
- LinkedIn Sales Navigator (SCIM) is now available. Learn more.
- Magnite Streamr (OIDC) is now available. Learn more.
- Matik (SAML) is now available. Learn more.
- Matik (SCIM) is now available. Learn more.
- Syndio (OIDC) is now available. Learn more.
- Tandem Health (OIDC) is now available. Learn more.
- Ternary (OIDC) is now available. Learn more.
- ThoughtSpot (OIDC) is now available. See Create ThoughtSpot OIDC integration.
- TOPdesk Operator by FuseLogic (Entitlements Management) is now available. Learn more.
- Truepic Vision (OIDC) is now available. Learn more.
- WideField Security - Detect and Remediate (API integration) is now available. Learn more.
- YipitData Agent (OIDC) is now available. Learn more.
- Yunu (OIDC) is now available. Learn more.
- Console (API Service) has a new icon and description.
- Console (OIDC) has a new app description.
- Sastrufy has a new app name and a new configuration guide.
- Software Analytics (OIDC) has a new app name (Antenna), icon, description, new Redirect URIs, and integration guide. Learn more.
- Suger (OIDC) has a new Redirect URI.
- Matik (Basic Auth) was updated.
- Metlife MyBenefits (SWA) was updated.
- TOPdesk Operator by FuseLogic (SCIM) was updated.
2026.05.1: Update 1 started deployment on May 18
Fixes
- When a refresh token failure or revocation event was logged in the System Log, an incomplete version of the refresh token hash appeared in the event's target.detailEntry. (OKTA-1145851)
- The List all profile mappings API sometimes returned an error if the request didn't include the sourceId or targetID parameters. (OKTA-1153229)
- In the Admin Console, status site links for some cells pointed to an incorrect status page. (OKTA-1158204)
- The Manage Event Hooks permission didn't allow an admin or service app to create an event hook. (OKTA-1162004)
- On the Recent Activity page in My Settings, screen reader announcements didn't match the static text for security events. (OKTA-1164456)
- When an authentication error occurred, the Sign-In Widget displayed an SQL error message instead of a helpful one. (OKTA-1168939)
- When an admin viewed the Preview pane for Custom Admin Roles, some labels for identity permissions were displayed incorrectly. (OKTA-1168945)
- Admins with the Manage third-party MCP Servers permission couldn't edit their org's MCP servers. (OKTA-1173945)
Okta Integration Network
- Butterfly Security (OIDC) is now available. Learn more.
- Butterfly Security (SCIM) is now available. Learn more.
- Cimento AI (SAML) is now available. Learn more.
- Cimento AI (SCIM) is now available. Learn more.
- Redblock AI (SAML) is now available. Learn more.
- Scribble Maps (OIDC) is now available. Learn more.
- Scribble Maps (SAML) is now available. Learn more.
- Scribble Maps (SCIM) is now available. Learn more.
- Stripe (SCIM) is now available. Learn more.
- Common Room (SCIM) now supports Group Push.
- Rubrik Security Cloud now supports the following scopes:
  - okta.authorizationServers.manage
  - okta.authorizationServers.read
  - okta.idps.manage
  - okta.idps.read
  - okta.networkZones.manage
  - okta.networkZones.read
- Wrike (SCIM) now supports Group Push.
- Check Point SASE (SCIM) has been updated with new regions.
- Dokio (SCIM) has a new API and configuration guide.
- Harmony SASE (SAML) has a new icon, display name, and description. Learn more.
- Stripe has a new configuration guide. Learn more.
- Augment Code (OIDC) was updated.
2026.05.2: Update 2 started deployment on May 26
- Sign-In Widget, version 7.45.3
For details about this release, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.
- Device assurance OS version update
The following OS versions are now supported in Device Assurance policies:
  - Android 14 (2026-05-01)
  - Android 15 (2026-05-01)
  - Android 16 (2026-05-01)
  - iOS 18.7.9
  - iOS 26.5
  - macOS Sonoma 14.8.7
  - macOS Sequoia 15.7.7
  - macOS Tahoe 26.5
  - Windows 10 builds (10.0.17763.8755, 10.0.19044.7291, 10.0.19045.7291)
  - Windows 11 builds (10.0.22621.7079, 10.0.22631.8457, 10.0.26100.8457)
- Provisioning for Axway Amplify
Provisioning is now available for the Axway Amplify app integration. When you provision the app, you can enable security features like Entitlement Management. See Axway Amplify.
Fixes
- Admins with read-only permissions could see action buttons for pre-enrolled authenticators. (OKTA-983779)
- Read-only admins could refresh app groups for apps that support Group Push. (OKTA-1114983)
- The System Log displayed duplicate Push user deactivation to external application events for SAML apps with SCIM provisioning. (OKTA-1124966)
- Some deactivated users retained the Deactivating status and couldn't be modified in the Admin Console or through the API. (OKTA-1138239)
- When a user was assigned a SAML app through a group, they couldn't always access the app after signing in to Okta. (OKTA-1140346)
- The email attribute for a new primary email address was updated before the email verification process was complete. (OKTA-1147280)
- The Sign-In Widget displayed an error after users completed a self-service password reset when the app authentication policy had the Keep Me Signed In prompt enabled. (OKTA-1152243)
- Admins couldn't always use device assurance policies in sign-in policies unless they enabled Okta FastPass as an authenticator. (OKTA-1153165)
- The AI Agents page didn't provide a link to the ISPM console. (OKTA-1174497)
- When group rule evaluations failed, the System Log displayed exception messages and SQL queries. (OKTA-1177889)
Okta Integration Network
- Butterfly Security (API Service) is now available. Learn more.
- Gatekeeper (SCIM) is now available. Learn more.
- Icite (API Service) now has the okta.roles.read scope.
2026.05.3: Update 3 started deployment on June 2
- Realm ID included in System Log user activity events
The System Log now includes the Realm ID attribute for user activity events, such as authentication, MFA, and app access. This allows admins to filter and categorize user activity by division in downstream security tools without manual logic replication.
Fixes
- The Add agent, Update agent, Deactivate agent, and Manage auto-update buttons remained active for read-only admins in the Admin Console. Although the server blocked any changes, the Admin Console didn't visually indicate that these actions were restricted. (OKTA-1031559)
- In orgs with app sign-in policies that used an authentication method chain, users couldn't set up email as an optional authenticator during their account onboarding. This occurred even though email was an allowed optional authenticator. (OKTA-1102579)
- The Import results dashboard for the Okta Provisioning agent displayed inconsistent totals for a SCIM app. The sum of individual record categories didn't match the overall total of audited records. (OKTA-1135158)
- When an admin viewed a user profile, the device management status for shared devices displayed incorrectly. (OKTA-1148888)
- All access certification campaign notification emails were in English even when a different Locale was specified on the user's profile page in the Admin Console. (OKTA-1170541)
- Group Rules weren't always evaluated after a user's profile was updated. (OKTA-1171950)
- In some orgs, admins were prompted to authenticate twice when they tried to sign in to the Admin Console. (OKTA-1175980)
Okta Integration Network
- Factor Labs (SAML) is now available. Learn more.
- Requirement Yogi (OIDC) is now available. Learn more.
- ReReady (OIDC) is now available. Learn more.
- SYEN Comply for Okta (API Service) is now available. Learn more.
- Teleport (SAML) is now available. Learn more.
- Teleport (SCIM) is now available. Learn more.
- Cisco Webex has a new icon.
- Clozd (OIDC) has a new redirect URI.
- KnowBe4 (SAML) has an updated app logo.
- KnowBe4 (SCIM) has an updated app logo.
- Lucid (SAML) has an updated title in App Links.
- SCIM 2.0 Test App (Basic Auth) has an updated app logo.
- Tenable Cloud Security (SAML) has a configurable ACS and Audience URL.
- Zscaler (SCIM) has additional attributes.
- Tenable Cloud Security JIT (SAML) has a configurable ACS and Audience URL.
- Aetna Health Insurance (SWA) was updated.
- Samsara (SWA) was updated.
- Scalefusion OneIdP (SCIM) was updated.