Okta Identity Engine release notes (Production)

Generally Available

Version: 2026.05.0

Workday entitlement management

Admins can now manage entitlements for Workday app instances on Okta. This feature allows for the discovery and governance of user-based security groups to enable automated access requests and certifications.

Report exports

You can now choose between CSV and GZIP export formats when generating the following reports:

  • Okta usage
  • Application usage
  • MFA usage

Add access request condition descriptions

You can now add descriptions to access request conditions for apps, collections, and Okta admin role bundles. These descriptions appear alongside the condition's name on the Access Requests tab, making it easier for you to understand the specific purpose of each condition. See Create access request conditions.

Sign-In Widget, versions 7.45.0, 7.45.1, 7.45.2

For details about these releases, see https://github.com/okta/okta-signin-widget/releases. For more information about the widget, see https://github.com/okta/okta-signin-widget?tab=readme-ov-file#okta-sign-in-widget.

Managed connections renamed to resource connections

On the Okta for AI Agents pages and System Log events, references to managed connections have been renamed to resource connections.

Slack resource server connector

You can now use the Slack resource server connector to create resource connections between Slack and an AI agent. See Configure resource server connectors.

Session retention after user password changes

When users change their password and select Sign me out of all other devices, Okta now retains their current session after their other active sessions are revoked.

System Log event for unconfigured identifiers

When JIT is enabled for Active Directory and a user authenticates with an unconfigured identifier, the event now appears in the System Log.

Dynamic attribute updates for Smart Card authentication

Smart Card authentication supports real-time attribute updates during Just-In-Time (JIT) provisioning. As a result, user profiles are kept up to date by synchronizing identity attributes directly from the PIV/CAC card at the time of authentication.

Okta for AI Agents

You can now register, secure, and govern AI agent identities directly within Okta. Register agents manually or import them directly from provider apps. Enforce least-privilege access, eliminate standing privileges, and use System Logs to trace every delegation hop across your agent workflows. AI agents become accountable members of your digital workforce, governed by the same identity standards as your human users.

CSV report of AD migration progress now available

You can now download a CSV report to view the password migration of specific users. This report provides a detailed breakdown of each user's migration status, such as whether their password was successfully migrated or if a specific error occurred. See Run a password migration.

System Log event for DirSync imports

When Active Directory agent compatibility is verified for DirSync-based imports, the event now appears in the System Log.

Updated default settings for Passkey (FIDO2 WebAuthn) authenticator

The configuration for WebAuthn authenticators defaults to preferred user verification for all orgs and defaults to passkeys for new orgs. These updates reduce manual configuration, ensure a seamless enrollment process, and provide a more reliable sign-in experience for users across various devices.

Skip counts for authenticator enrollment grace periods

Admins can now define the number of times end users can skip enrollment in an authenticator during the grace period, and customize the prompt that end users see during the grace period. See Authenticator enrollment policies.

Release controls for Okta Verify on Windows

With the new release controls feature, admins can configure whether to allow, pause, or restrict automatic updates to Okta Verify on Windows. This provides greater flexibility for meeting enterprise change management requirements and managing version rollouts across Windows endpoints. See Configure Okta Verify release controls.

Passkeys rebrand

The FIDO2 (WebAuthn) authenticator is being rebranded to Passkey (FIDO2 WebAuthn), and Okta is introducing enhanced administrative controls and a streamlined user experience. This update centralizes passkey management through a consolidated settings page, allows for customized authenticator naming, and introduces a dedicated Sign in with a passkey button within the Sign-In Widget. These enhancements simplify the authentication journey and give users a more intuitive sign-in process. See Configure the Passkeys (FIDO2 WebAuthn) authenticator.

User password migration from AD to Okta

Seamlessly migrate user passwords from AD to Okta without disrupting your users or operations. This establishes Okta as the source of truth for user passwords, enabling it to handle user authentication and eliminating the need for delegated authentication. See Password migration from AD to Okta.

Network zone residential proxy detection

This feature adds new zones associated with Enhanced Dynamic Network Zones beyond anonymous proxies and VPNs. Customers can use service categories such as ZSCALER_PROXY, PERIMETER_81, and more. See Supported IP service categories.

Early Access

Global Token Revocation for third-party and Org2Org IdPs

Okta now supports Global Token Revocation (GTR) for third-party and Org2Org identity providers (IdPs). This feature allows external IdPs to securely trigger Universal Logout, instantly revoking all user sessions and tokens across your entire app ecosystem. See Configure Universal Logout for supported apps.

Redirect federated users to IdPs for reauthentication

Reauthentication to an IdP helps Okta admins secure federated identities by redirecting federated users to their source SAML, OIDC, or Org2Org IdP when a policy requires them to reauthenticate. By forcing reauthentication at the source IdP, admins can close security gaps from long-lived sessions and remove the need to configure duplicate MFA enrollment in Okta. See Redirect federated users to IdPs for re-authentication.

Email auto-enrollment and recovery management

Admins can control the automatic enrollment of email as an authenticator and configure email-based password recovery, unlock, and change where email is not an authenticator. See Make email an optional authenticator.

Managed app assurance for Android

The new Device Profile Restriction condition in device assurance policies ensures that Android users can only access protected apps from the same managed work profile where Okta Verify is installed. This prevents access from personal profiles, which reduces the risk of data leaks and improves security posture. See Add a device assurance policy.

Platform SSO password integration with Device-Bound SSO

The Platform SSO password authentication method now integrates with Device-Bound SSO. When a user signs in at the macOS sign-in window, Okta verifies the password factor and creates a device-bound session. Users can then access Okta-protected apps in their browser without additional password prompts. See Platform SSO for macOS and Configure device configuration profiles for PSSO using a generic MDM.

Secure Enclave key support for Platform SSO

Platform SSO now supports a Secure Enclave key-based authentication method that integrates with Device-Bound SSO. When a user authenticates at the macOS sign-in window with their password, the authentication unlocks a hardware-bound cryptographic key stored in the Secure Enclave. Okta uses the key to create a device-bound session that satisfies any authentication policy that requires Okta FastPass with user verification, without repeated MFA prompts. See Platform SSO for macOS and Configure device configuration profiles for Secure Enclave using a generic MDM.

Detect and discover AI agents

Use the Security Access Monitor browser plugin and Okta Identity Security Posture Management (ISPM) to get visibility into any new OAuth grants to apps and the consequent shadow AI agent usage for your org. The plugin monitors managed browsers for any new OAuth grants to apps and AI agents. ISPM captures OAuth grant telemetry, analyzes the data, and provides you with the visibility you need to identify every third-party app that your users authorize. This helps you mitigate risks related to shadow OAuth grants and AI agents. After you configure the plugin, you can find all new OAuth grants across your org on the NHIs and AI agents > Browser OAuth Grants page in the ISPM console. See Discover and assess AI agents.

Fixes

  • After an AD Agent was deactivated, the agent's version was displayed in an incorrect format. (OKTA-1117122)

  • Customized error messages weren't displayed to new users when they clicked Forgot password. (OKTA-1118986)

  • Some users couldn't sign in if the global session policy that applied to them was deleted. (OKTA-1131197)

  • The Scan QR Code option appeared for users who required only the Use Security Key option. (OKTA-1145766)

  • After a user.session.context.change event, some global session and app sign-in policy rules configured with In any network zone defined in Okta failed to match during ITP policy re-evaluation. (OKTA-1151868)

  • The Sign-In Widget displayed an error after users completed a self-service password reset when the app authentication policy had the Keep Me Signed In prompt enabled. (OKTA-1152243)

  • AMR claim updates weren't applied to the Salesforce (Federated ID) app integration. (OKTA-1164030)

  • On the Administrator assignment by role page, the Preview role pane displayed "L10N_ERROR[okta.apps.clientCredentials.read.name.code]" instead of the View client credentials permission. (OKTA-1166616)

  • Manual remediation was required when reviewers revoked a user’s access to Active Directory-source groups in a campaign. (OKTA-1167090)

Okta Integration Network

  • TOPdesk Operator by FuseLogic (SCIM) was updated.

  • Magnite Streamr (OIDC) is now available. Learn more.

  • Matik (Basic Auth) was updated.

  • Console (OIDC) has a new app description.

  • Sastrufy has a new app name and a new configuration guide.

  • WideField Security - Detect and Remediate (API integration) is now available. Learn more.

  • Console (API Service) has a new icon and description.

  • Yunu (OIDC) is now available. Learn more.

  • YipitData Agent (OIDC) is now available. Learn more.

  • Software Analytics (OIDC) has a new app name (Antenna), icon, description, new Redirect URIs, and integration guide. Learn more.

  • Ternary (OIDC) is now available. Learn more.

  • Syndio (OIDC) is now available. Learn more.

  • Form (OIDC) is now available. Learn more.

  • Truepic Vision (OIDC) is now available. Learn more.

  • Tandem Health (OIDC) is now available. Learn more.

  • CJ Affiliate (OIDC) is now available. Learn more.

  • Asset Integrity for Pipelines (OIDC) is now available. Learn more.

  • Metlife MyBenefits (SWA) was updated.

  • Conduit Security (OIDC) is now available. Learn more.

  • Harmony (SCIM) is now available. Learn more.

  • Harmony (SAML) is now available. Learn more.

  • LinkedIn Sales Navigator (SCIM) is now available. Learn more.

  • Haystack (SCIM) is now available. Learn more.

  • Suger (OIDC) has a new Redirect URI.

  • ThoughtSpot (OIDC) is now available. See Create ThoughtSpot OIDC integration.

  • Matik (SCIM) is now available. Learn more.

  • Matik (SAML) is now available. Learn more.

  • JumpCloud (OIDC) is now available. See JumpCloud.

  • TOPdesk Operator by FuseLogic (Entitlements Management) is now available. Learn more.

2026.05.1: Update 1 started deployment on May 14

Fixes

  • When a refresh token failure or revocation event was logged in the System Log, an incomplete version of the refresh token hash appeared in the event's target.detailEntry. (OKTA-1145851)

  • The List all profile mappings API sometimes returned an error if the request didn't include the sourceId or targetId parameters. (OKTA-1153229)

  • In the Admin Console, status site links for some cells pointed to an incorrect status page. (OKTA-1158204)

  • The Manage Event Hooks permission didn't allow an admin or service app to create an event hook. (OKTA-1162004)

  • On the Recent Activity page in My Settings, screen reader announcements didn't match the static text for security events. (OKTA-1164456)

  • When an authentication error occurred, the Sign-In Widget displayed an SQL error message instead of a helpful one. (OKTA-1168939)

  • When an admin viewed the Preview pane for Custom Admin Roles, some labels for identity permissions were displayed incorrectly. (OKTA-1168945)

  • Admins with the Manage third-party MCP Servers permission couldn't edit their org's MCP servers. (OKTA-1173945)

Okta Integration Network

  • Augment Code (OIDC) was updated.

  • Harmony SASE (SAML) has a new icon, display name, and description. Learn more.

  • Redblock AI (SAML) is now available. Learn more.

  • Dokio (SCIM) has a new API and configuration guide.

  • Common Room (SCIM) now supports Group Push.

  • Rubrik Security Cloud now supports the following scopes:

    • okta.authorizationServers.manage
    • okta.authorizationServers.read
    • okta.idps.manage
    • okta.idps.read
    • okta.networkZones.manage
    • okta.networkZones.read

  • Check Point SASE (SCIM) has been updated with new regions.

  • Stripe has a new configuration guide. Learn more.

  • Stripe (SCIM) is now available. Learn more.

  • Butterfly Security (OIDC) is now available. Learn more.

  • Butterfly Security (SCIM) is now available. Learn more.

  • Wrike (SCIM) now supports Group Push.

  • Scribble Maps (SCIM) is now available. Learn more.

  • Scribble Maps (OIDC) is now available. Learn more.

  • Scribble Maps (SAML) is now available. Learn more.

  • Cimento AI (SCIM) is now available. Learn more.

  • Cimento AI (SAML) is now available. Learn more.