Okta Identity Engine release notes (Production)
Generally Available
Version: 2026.06.0
- Search, filtering, and configurable views for AI agents
Admins can now use enhanced filtering, search, and configuration capabilities on the AI agents, AI agent providers, and Import Monitoring > AI agent import pages.
- Realm ID included in System Log user activity events
The System Log now includes the Realm ID attribute for user activity events, such as authentication, MFA, and app access. This allows admins to filter and categorize user activity by division in downstream security tools without manual logic replication.
- Configurable connection lifetime for OIDC-enabled LDAP Interface
The LDAP Interface now includes a configurable setting for the maximum connection lifetime when using the OpenID Connect (OIDC) flow. This allows admins to define connection validity for up to 90 days and decouples connection expiry from the global session policy.
- Sign-In Widget, version 7.46.0
For details about this release, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.
- Import AI agents from DataRobot
You can now import and manage AI agents built in DataRobot Agent Workforce Platform directly through DataRobot. See AI agent imports.
- Suspicious login details added to entity risk detection
In Suspicious Login From An IP Flagged By FastPass detections, the reason field now populates the external_session_id of the suspicious login.
- Salesforce provisioning support for PKCE
The Salesforce app integration now supports Proof Key for Code Exchange (PKCE) for OAuth 2.0 flows. This update ensures uninterrupted user provisioning and requires admins to update their Salesforce configuration to maintain service continuity.
- Improved network zone error messages
The error message that appears when admins try to delete a network zone that's referenced by multiple policies or rules is now easier to read.
- Secure SaaS and Okta Service Accounts
Manage and secure passwords for SaaS app service accounts and Okta service accounts with Okta Privileged Access. You can now assign new Service Accounts permissions to custom roles to delegate service account management duties to non-super admins. See Manage service accounts and Role permissions.
- New System Log fields for matched network zones
Okta now includes richer network zone match information in System Log events. When a request is blocked by a network zone (security.request.blocked) or evaluated against a sign-on policy (policy.evaluate_sign_on), the System Log now surfaces the names and IDs of all matched network zones, across IP zones, Dynamic Network Zones (DNZ), and Enhanced Dynamic Network Zones (EDNZ), through new ZoneIdMatch and ZoneNameMatch fields. Up to 10 matched zones are reported per event.
These new fields provide more granular and structured network zone context than the existing Client.Zone field. This gives admins and security teams precise, actionable detail for blocked requests and policy evaluations, making SIEM investigations and audit reviews significantly easier. See Troubleshoot network zone issues using System Log.
- Bring your own telephony credentials
Bring Your Own Telephony (BYOT) is now available, allowing admins to use an existing Twilio or Telesign account to deliver MFA SMS and voice messages. This release adds Twilio Verify Fraud Guard support to improve fraud detection. It also introduces a deactivation guardrail that prevents admins from disabling their last active custom telephony provider while the phone authenticator is active. See Configure telephony providers through the Admin Console.
- SHA-256 digest algorithm support
Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.
- Navigation label update for integration agents
The Agents label in the Admin Console has been renamed to Integration agents to provide a more intuitive experience. A dismissible link to the AI Agents page is also available on the Integration agents page to improve navigation.
- Improved request details layout
The request details page now features an optimized layout for small screens to improve readability.
- Seamless ISV experience for SCIM
Okta now provides a seamless ISV experience to optimize the [Okta Integration Network (OIN)] submission experience for SCIM integrations. This new experience enables independent software vendors (ISVs) to build and manually test their SCIM integration metadata before submission to the OIN. This reduces the time needed for the OIN team to review and validate that the SCIM integration functions as intended, which shortens the time to publish in the OIN. This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See [Publish an OIN integration overview] and [Submit an integration with the OIN Wizard] guide.
Links: 1. https://www.okta.com/integrations/ 2. https://developer.okta.com/docs/guides/submit-app-overview/ 3. https://developer.okta.com/docs/guides/submit-oin-app/scim/main/
Early Access
- SAP SuccessFactors OAuth 2.0 with SAML Assertion
The SAP SuccessFactors app integration now supports OAuth 2.0 with SAML Assertion for enhanced API security. To ensure your provisioning and sync processes continue without interruption, you must migrate to this new authentication method before the SAP Basic Authentication deletion deadline on November 20, 2026. See Configure OAuth 2.0 with SAML for SAP SuccessFactors.
- New System Log events for privileged access database integrations
Two new System Log events, pam.integration.create and pam.integration.delete, are now available for Okta Privileged Access database management. This enhancement allows admins to track when database integrations are created or deleted. See System Log.
Fixes
- The Send me an email button on the email verification screen of the Sign-In Widget (third generation) was truncated for Ukrainian translations. (OKTA-1016906)
- App integrations didn't populate user credentials for subdomains that used the /auth/v3/signin endpoint, preventing users from signing in to the app. (OKTA-1074055)
- In orgs that use a custom domain, users were redirected to a non-custom domain after they signed out of the My Settings page. (OKTA-1139970)
- The show/hide password icon on the Sign-In Widget (third-generation) was missing alt text. (OKTA-1156653)
- Attempts to deactivate and delete a device failed and returned a 404 Not Found: Resource not found error. (OKTA-1160266)
- The help link image on the Sign-In Widget (third generation) was missing alt text. (OKTA-1164533)
- The "OR" separator on the Sign-In Widget (third generation) couldn't be read by screen readers. (OKTA-1164534)
- Okta Expression Language expressions with array attributes didn't always behave as expected. (OKTA-1166566)
- Sign-in attempts originating from the IP exempt zone or trusted proxies were incorrectly evaluated as high risk with the reason "Anonymizing Proxy." (OKTA-1168827)
- After a multibrand-enabled org upgraded to Okta Identity Engine, custom brand redirect settings weren't migrated and the end user was incorrectly directed to the End-User Dashboard. (OKTA-1174572)
- The application.lifecycle.update System Log event didn't populate the changeDetails field when admins updated Active Directory app settings. (OKTA-1178325)
- RADIUS app sign-in policy rules were missing the Linux platform condition. (OKTA-1184034)
Okta Integration Network
- Iden (API Service) has a new scope.
- Fleetclear (OIDC) is now available. Learn more.
- Dell PowerProtect Backup Services (API Service) is now available. Learn more.
- Kirin (SAML) is now available. Learn more.
2026.06.1: Update 1 started deployment on June 15
- Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 13, 14, 15, 16 security patch 2026-01-05
- Spec-compliant client ID claims for AI agent tokens
Okta Expression Language profiles now include the app.clientId property during user claim evaluations for AI agent OAuth 2.0 clients. This allows developers to generate spec-compliant tokens during AI agent flows.
- OAuth secure token exchange for Salesforce requests
Okta for AI Agents now uses the OAuth 2.0 secure token exchange flow when it sends requests to the Salesforce app integration, resource server, or MCP server.
- Event hooks for AI agent APIs
The AI agent APIs are now event hook-eligible, enabling Workflows to be triggered based on events. See Event hooks.
- Provisioning for Rapid7 InsightAppSec
Provisioning is now available for the Rapid7 InsightAppSec app integration. When you provision the app, you can enable security features like Entitlement Management. See Rapid7 InsightAppSec.
Fixes
- Some UI labels and descriptions on the AI agents screens were inconsistent. (OKTA-1119360)
- For a specific Active Directory integration, scheduled and manual incremental imports failed intermittently in Preview environments. This issue occurred after admins resumed a previously halted import block. (OKTA-1135003)
- During Group Push operations, Okta unexpectedly provisioned a non-Active Directory user into a target Active Directory group. (OKTA-1147204)
- During an Okta Verify enrollment, a broken mobile setup link was incorrectly displayed. (OKTA-1158811)
- After a successful YubiKey inline enrollment, the interface displayed a blank page, forcing users to manually close the page to proceed with authentication. (OKTA-1163272)
- When admins edited a custom admin role that included delegated flow Workflows permissions, Okta incorrectly prompted them to repeat step-up authentication. This issue blocked the changes and displayed a protected-action message. (OKTA-1169760)
- During Group Push operations, updates sometimes failed with an error message when the system processed group memberships. This issue caused synchronization to fail intermittently for specific push groups. (OKTA-1181698)
- Group Push operations to Jamf Pro sometimes failed. (OKTA-1183535)
- IP addresses weren't populated in the user.risk.detect System Log event when a breached credential was detected. (OKTA-1184255)
- Some users saw a Bad Request error when they tried to sign in with Okta FastPass. (OKTA-1185557)
- For some orgs using Okta for AI Agents, the OAuth 2.0 authorization flow failed when downstream identity provider client IDs contained a plus character. (OKTA-1191356)
Okta Integration Network
- CodeSignal (SAML) is now available. Learn more.
- CodeSignal (SCIM) is now available. Learn more.
- Dell Power Protect Backup Services powered by Druva has the okta.deviceAssurance.manage and okta.behaviors.manage scopes.
- Kirin (SAML) is now available. Learn more.
- Mabyduck (OIDC) is now available. Learn more.
- Mabyduck now supports Universal Logout.
- Ocozzio Marketing Center (SAML) is now available. Learn more.
- Ocozzio Marketing Center (SCIM) is now available. Learn more.
- Risotto (SAML) is now available. Learn more.
- StackAdapt (SCIM) is now available. Learn more.
- X (Twitter) (SWA) was updated.