Okta Identity Engine release notes (Production)

Version: 2026.05.0

May 2026

Generally Available

Workday entitlement management

Admins can now manage entitlements for Workday app instances on Okta. This feature allows for the discovery and governance of user-based security groups to enable automated access requests and certifications.

Report exports

You can now choose between CSV and GZIP export formats when generating the following reports:

  • Okta usage
  • Application usage
  • MFA usage

Add access request condition descriptions

You can now add descriptions to access request conditions for apps, collections, and Okta admin role bundles. These descriptions appear alongside the condition's name on the Access Requests tab, making it easier for you to understand the specific purpose of each condition. See Create an access request condition.

Sign-In Widget, versions 7.45.0, 7.45.1, 7.45.2

For details about these releases, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.

Managed connections renamed to resource connections

On the Okta for AI Agents pages and in System Log events, references to managed connections have been renamed to resource connections.

Slack resource server connector

You can now use the Slack resource server connector to create resource connections between Slack and an AI agent. See Configure resource server connectors.

Session retention after user password changes

When users change their password and select Sign me out of all other devices, Okta now retains their current session after their other active sessions are revoked.

System Log event for unconfigured identifiers

When JIT is enabled for Active Directory and a user authenticates with an unconfigured identifier, the event now appears in the System Log.

Okta for AI Agents

You can now register, secure, and govern AI agent identities directly within Okta. Register agents manually or import them directly from provider apps. Enforce least-privilege access, eliminate standing privileges, and use System Logs to trace every delegation hop across your agent workflows. AI agents become accountable members of your digital workforce, governed by the same identity standards as your human users.

System Log event for DirSync imports

When Active Directory agent compatibility is verified for DirSync-based imports, the event now appears in the System Log.

Updated default settings for Passkey (FIDO2 WebAuthn) authenticator

The configuration for WebAuthn authenticators defaults to preferred user verification for all orgs and defaults to passkeys for new orgs. These updates reduce manual configuration, ensure a seamless enrollment process, and provide a more reliable sign-in experience for users across various devices.

Skip counts for authenticator enrollment grace periods

This feature allows admins to define the number of times end users can skip enrollment in an authenticator during the grace period, and to customize the prompt that end users see during that period. See Authenticator enrollment policies.

Release controls for Okta Verify on Windows

With the new release controls feature, admins can configure whether to allow, pause, or restrict automatic updates to Okta Verify on Windows. This provides greater flexibility for meeting enterprise change management requirements and managing version rollouts across Windows endpoints. See Configure Okta Verify release controls.

Passkeys rebrand

The FIDO2 (WebAuthn) authenticator is being rebranded to Passkey (FIDO2 WebAuthn), and Okta is introducing enhanced administrative controls and a streamlined user experience. This update centralizes passkey management through a consolidated settings page, allows for customized authenticator naming, and introduces a dedicated Sign in with a passkey button within the Sign-In Widget. These enhancements simplify the authentication journey and provide users with a more intuitive sign-in process. See Configure the Passkeys (FIDO2 WebAuthn) authenticator.

Network zone residential proxy detection

This feature adds new zones associated with Enhanced Dynamic Network Zones beyond anonymous proxies and VPNs. Customers can use service categories such as ZSCALER_PROXY, PERIMETER_81, and more. See Supported IP service categories.

Early Access

Global Token Revocation for third-party and Org2Org IdPs

Okta now supports Global Token Revocation (GTR) for third-party and Org2Org identity providers (IdPs). This feature allows external IdPs to securely trigger Universal Logout, instantly revoking all user sessions and tokens across your entire app ecosystem. See Configure Universal Logout for supported apps.

Redirect federated users to IdPs for reauthentication

Reauthentication to an IdP helps Okta admins secure federated identities by redirecting federated users to their source SAML, OIDC, or Org2Org IdP when a policy requires them to reauthenticate. By forcing reauthentication at the source IdP, admins can close security gaps from long-lived sessions and remove the need to configure duplicate MFA enrollment in Okta. See Redirect federated users to IdPs for re-authentication.

Email auto-enrollment and recovery management

Administrators can control the automatic enrollment of email as an authenticator and configure email-based password recovery, unlock, and change where email is not an authenticator.

Managed app assurance for Android

The new Device Profile Restriction condition in device assurance policies ensures that Android users can only access protected apps from the same managed work profile where Okta Verify is installed. This prevents access from personal profiles, which reduces the risk of data leaks and improves security posture. See Add a device assurance policy.

Platform SSO password integration with Device-Bound SSO

The Platform SSO password authentication method now integrates with Device-Bound SSO. When a user signs in at the macOS sign-in window, Okta verifies the password factor and creates a device-bound session. Users can then access Okta-protected apps in their browser without additional password prompts. Documentation for this EA feature will be available after the release of Okta Verify app for macOS 9.63.

Secure Enclave key support for Platform SSO

Platform SSO now supports a Secure Enclave key-based authentication method that integrates with Device-Bound SSO. When a user authenticates at the macOS sign-in window with their password, the authentication unlocks a hardware-bound cryptographic key stored in the Secure Enclave. Okta uses the key to create a device-bound session that satisfies any authentication policy that requires Okta FastPass with user verification, without repeated MFA prompts. Documentation for this EA feature will be available after the release of Okta Verify app for macOS 9.63.

Detect and discover AI agents

Use the Security Access Monitor browser plugin and Okta Identity Security Posture Management (ISPM) to get visibility into any new OAuth grants to apps and the consequent shadow AI agent usage for your org. The plugin monitors managed browsers for any new OAuth grants to apps and AI agents. ISPM captures OAuth grant telemetry, analyzes the data, and provides you with the visibility you need to identify every third-party app that your users authorize. This helps you mitigate risks related to shadow OAuth grants and AI agents. After you configure the plugin, you can find all new OAuth grants across your org by going to the NHIs and AI agents > Browser OAuth Grants page in the ISPM console. See Discover and assess AI agents.

Fixes

  • After an AD Agent was deactivated, the agent's version was displayed in an incorrect format. (OKTA-1117122)

  • Some users couldn't sign in if the global session policy that applied to them was deleted. (OKTA-1131197)

  • After a user.session.context.change event, some global session and app sign-in policy rules configured with In any network zone defined in Okta failed to match during ITP policy re-evaluation. (OKTA-1151868)

  • The Sign-In Widget displayed an error after users completed a self-service password reset when the app authentication policy had the Keep Me Signed In prompt enabled. (OKTA-1152243)

  • AMR claim updates weren't applied to the Salesforce (Federated ID) app integration. (OKTA-1164030)

  • On the Administrator assignment by role page, the Preview role pane displayed "L10N_ERROR[okta.apps.clientCredentials.read.name.code]" instead of the View client credentials permission. (OKTA-1166616)

Okta Integration Network

  • Asset Integrity for Pipelines (OIDC) is now available. Learn more.

  • CJ Affiliate (OIDC) is now available. Learn more.

  • Conduit Security (OIDC) is now available. Learn more.

  • Form (OIDC) is now available. Learn more.

  • Harmony (SAML) is now available. Learn more.

  • Harmony (SCIM) is now available. Learn more.

  • Haystack (SCIM) is now available. Learn more.

  • JumpCloud (OIDC) is now available. See JumpCloud.

  • LinkedIn Sales Navigator (SCIM) is now available. Learn more.

  • Magnite Streamr (OIDC) is now available. Learn more.

  • Matik (SAML) is now available. Learn more.

  • Matik (SCIM) is now available. Learn more.

  • Syndio (OIDC) is now available. Learn more.

  • Tandem Health (OIDC) is now available. Learn more.

  • Ternary (OIDC) is now available. Learn more.

  • ThoughtSpot (OIDC) is now available. See Create ThoughtSpot OIDC integration.

  • TOPdesk Operator by FuseLogic (Entitlements Management) is now available. Learn more.

  • Truepic Vision (OIDC) is now available. Learn more.

  • WideField Security - Detect and Remediate (API integration) is now available. Learn more.

  • YipitData Agent (OIDC) is now available. Learn more.

  • Yunu (OIDC) is now available. Learn more.

  • Console (API Service) has a new icon and description.

  • Console (OIDC) has a new app description.

  • Sastrify has a new app name and a new configuration guide.

  • Software Analytics (OIDC) has a new app name (Antenna), icon, description, new Redirect URIs, and integration guide. Learn more.

  • Suger (OIDC) has a new Redirect URI.

  • Matik (Basic Auth) was updated.

  • Metlife MyBenefits (SWA) was updated.

  • TOPdesk Operator by FuseLogic (SCIM) was updated.

Version: 2026.04.0

April 2026

Generally Available

Policy Insights Dashboard

The Policy Insights Dashboard gives you a clear view of a policy's impact on your org. You can monitor trends in sign-ins, access denials, and authenticator enrollments, and also gain insight into the time users spend signing in and the prevalence of phishing-resistant authentications. The dashboard also tracks the frequency of rule matches and the percentage of successful sign-in attempts. See Use the Policy Insights Dashboard.

Search for IdPs in the Sign-In Widget

When there are more than 10 IdPs on the Sign-In Widget, it now displays a search field so users can easily find the IdP they're looking for.

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Android 13, 14, 15, 16 security patch 2026-01-05

Sign-In Widget, versions 7.44.1 and 7.44.0

For details about these releases, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.

Slack integration for Identity Governance

Okta for Government Moderate and Government High customers who use commercial Slack instances can now integrate Slack with their org to streamline access management in Access Requests and Access Certifications. Users can now submit and approve requests in Slack as well as receive Slack notifications for access requests and certification campaigns. Feature availability varies depending on whether the Unified requester experience feature is enabled. See Okta Identity Governance Limitations for Public Sector Service and Integrate Slack.

Custom admin permissions for inline and event hooks

The inline hook and event hook framework now supports read and write permissions for custom admin roles. This enhancement gives fine-grained access to manage inline and event hooks that previously required the super admin role. See Role permissions.

Provisioning for MuleSoft Anypoint Platform

Admins can now automate user lifecycle management for the MuleSoft Anypoint Platform app. This integration supports creating, updating, and deactivating users, and pushing groups as teams. See MuleSoft Anypoint Platform provisioning.

URL validation for custom identity verification (IDV)

Validation has been added to the URL fields in custom IDV configurations. This helps prevent Distributed Denial-of-Service (DDoS) attacks based on Server-Side Request Forgery (SSRF).

Increase to the maximum access duration limit

When you create or edit access request conditions, you can now set the Access duration field to a maximum of 365 days or 52 weeks.

Submit entitlement management integrations

Independent Software Vendors (ISVs) can now submit SCIM 2.0-based entitlement management integrations to the Okta Integration Network (OIN). This enhancement enables customers and IT admins to discover, manage, and assign fine-grained entitlements such as roles and permissions directly from Okta. By standardizing entitlement management, organizations can automate access assignments and streamline Identity Governance, ensuring users receive the right access and roles without manual intervention. For more information, see Submit an integration with the OIN Wizard.

Detection settings in session protection

Tailor ITP to your org's security priorities to gain control and balance security with a seamless user experience. With new detection settings, you can define which session context changes trigger policy reevaluations, helping you focus only on what truly matters. See Session protection.

New System Log objects for security.request.blocked events

The System Log now displays the following IpDetails objects for dynamic and enhanced dynamic zones:

  • Operator indicates whether the type is VPN or Proxy
  • Type includes values like VPN, Proxy, and Tor
  • IsAnonymous indicates if the proxy is anonymous

These objects move risk and behavior telemetry out of string-only keys in the debug context and into dedicated, structured fields in the security context event. This change improves risk visibility and eliminates the need for string parsing.

Maximum consecutive characters setting for passwords

You can now set a maximum number of consecutive repeating characters in passwords. This feature enhances security by allowing you to customize your password strength requirements.

Block words from being used in passwords

You can now use Okta Expression Language to block words from being used in passwords. This feature enhances security by allowing you to customize your password strength requirements.

Early Access

Okta for AI Agents is self-service EA

Orgs that are subscribed to Okta for AI Agents can now enable the product from the Features page. You can use Okta for AI Agents to register, secure, and govern AI agent identities directly within Okta. See Okta for AI Agents.

New System Log events for Cross App Access connections

The following events are fired when you create, delete, or update a Cross App Access connection:

  • app.cross_app_access.connection.create
  • app.cross_app_access.connection.delete
  • app.cross_app_access.connection.update

IBM Db2 LUW support for On-premises Connector for Generic Databases

The On-premises Connector for Generic Databases now supports IBM Db2 LUW. This enables admins to manage users and entitlements in IBM Db2 LUW environments. See On-premises Connector for Generic Databases.

Fixes

  • Data was missing from the policy.rule.update System Log event. (OKTA-888091)

  • Users couldn't complete authentication or proceed past the sign-in page when a policy rule required user verification but users hadn't yet enrolled in that factor type. (OKTA-914818)

  • Apps created from the On-premises Connector for Generic Databases incorrectly appeared on the End-User Dashboard. Clicking the app resulted in an invalid redirect because the connector doesn't support SSO. (OKTA-1076893)

  • When users tried to sign in with an unenrolled passkey, the Sign-In Widget (third generation) error page didn't display the Username and Keep me signed in fields. (OKTA-1093610)

  • An incorrect error message was displayed when a Bidirectional Group Management issue occurred. (OKTA-1104305)

  • Users received an error if they double-tapped Sign in with a Passkey in the Safari or Chrome browser on iOS. (OKTA-1107055)

  • The passkeys option was missing from some text strings in the Sign-In Widget. (OKTA-1108991)

  • The passkey icon wasn't displayed consistently on the Sign-In Widget when the Create passkeys setting was enabled. (OKTA-1109452)

  • In some orgs, when users authenticated with an OIDC IdP, Okta deleted their account and made them a new one with a different user ID. (OKTA-1112671)

  • When an admin deactivated a Group Push mapping rule, membership updates stopped for previously matched groups. (OKTA-1125151)

  • When a DirSync import failed with a permission error, the agent was operational but had the Disruption label in the Admin Console. (OKTA-1128087)

  • Some admins couldn't use the Send a test email feature with their custom email provider. (OKTA-1129589)

Okta Integration Network

  • Dokio now supports an additional custom attribute.

  • Reftab Discovery (API Service) now supports the Groups Read scope.

  • ZoomInfo (SCIM) was updated.

Weekly Updates

2026.04.1: Update 1 started deployment on April 13

Generally Available

Provisioning for Informatica Cloud

Provisioning is now available for the Informatica Cloud app integration. When you provision the app, you can enable security features like Entitlement Management. See Informatica Cloud.

Fixes

  • The AuthnRequestId field wasn't included in authorization code flow and device code flow token request events in the System Log. (OKTA-1082636)

  • When an admin created an LDAP integration in an Admin Console where French was the selected language, "LDAP Server(s)" was improperly translated. (OKTA-1106969)

  • Some event hooks failed to send live events because the target URL was incorrectly encoded. (OKTA-1111770)

  • The Add resource window displayed outdated icons. (OKTA-1125857)

  • Okta Verify out-of-band authentication enrollment failed when the Okta account management policy was evaluated. (OKTA-1142207)

  • In some orgs, users who hadn't finished activating their accounts saw a 500 Internal Server Error when they tried to sign in, instead of being prompted to complete their account activation. (OKTA-1145737)

Okta Integration Network

  • DynaMed Decisions (OIDC) is now available. Learn more.

  • Gearset (SAML) is now available. Learn more.

  • Groniva (OIDC) is now available. Learn more.

  • Kymata (OIDC) is now available. Learn more.

  • Liz Smart Office (OIDC) is now available. Learn more.

  • Raptor Technology (OIDC) is now available. Learn more.

  • Wordsmith AI (OIDC) is now available. Learn more.

  • Wordsmith AI (SCIM) is now available. Learn more.

  • Sastrify now supports Express Configuration.

  • Wirespeed (API) now supports the okta.users.read scope. Learn more.

  • Linktree (SWA) was updated.

2026.04.2: Update 2 started deployment on April 20

Generally Available

Closed App submission status for ISVs

ISVs can now hide draft app submissions by setting the status to Closed. This enhancement ensures that closed submissions no longer appear in the ISV org, providing a cleaner view of active app drafts.

Sign-In Widget, version 7.44.2

For details about this release, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Android 14, 15, 16 security patch 2026-04-01
  • iOS 26.4.1
  • macOS 26.4.1

See Okta Device Assurance: Supported OS levels.

Provisioning for OneLogin

Admins can now automate user lifecycle management for the OneLogin app. This integration uses OAuth-based authentication to support user provisioning, profile updates, and deactivation directly from Okta. See Create a OneLogin SCIM integration.

Provisioning for HashiCorp Cloud Platform

Provisioning is now available for the HashiCorp Cloud Platform app integration. When you provision the app, you can enable security features like Entitlement Management. See HashiCorp Cloud Platform.

Fixes

  • During profile mapping, the cache sometimes became stale and the updated profile mapping wasn't saved. (OKTA-1043935)

  • When an org with a large number of OUs configured an Okta group for AD provisioning, the OUs weren't properly displayed in the provision configuration form. (OKTA-1116250)

  • The Sign-In Widget displayed a generic error message instead of a descriptive error that helped users understand and resolve the issue. (OKTA-1116854)

  • Some admins saw a 403 error when they tried to load the Policy Insights Dashboard, even though they had the correct permissions. (OKTA-1124197)

  • Some users were able to authenticate despite browser restrictions configured in the device assurance policy. (OKTA-1135261)

  • When a user was assigned a SAML app through a group, they couldn't always access the app after signing in to Okta. (OKTA-1140346)

  • When users tried to access the End-User Settings URL without an active session, they were redirected to the End-User Dashboard after authenticating instead of the End-User Settings. (OKTA-1146531)

  • Some orgs with ITP enabled reported multiple instances of the same brute force attack detection and suspicious app access detection for a single user within a short timeframe. (OKTA-1150464)

  • During an AD password migration with JIT enabled, users who signed in using an unconfigured identifier were improperly handled. (OKTA-1150501)

Okta Integration Network

  • OneLogin (OIDC) is now available. See Create a OneLogin OIDC Integration.

  • Twilio (SAML) is now available. Learn more.

  • V7 Go (OIDC) is now available. Learn more.

  • Cisco Identity Intelligence - Read-Write Management API Service (API Service Integration) now supports okta.serviceAccounts.read and okta.networkZones.read.

  • Google Cloud Workforce Identity Federation (OIDC) now supports Group claims.

  • Google Cloud Workforce Identity Federation (SAML) now supports IdP Initiated Flow.

2026.04.3: Update 3 started deployment on May 5

Generally Available

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Windows 10 (10.0.17763.8644, 10.0.19044.7184, 10.0.19045.7184)
  • Windows 11 (10.0.22631.6936, 10.0.26100.8246, 10.0.26200.8246)

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Android 13, 14, 15, 16 security patch 2026-01-05

Okta On-Prem SCIM Server agent, version 1.8.0

Okta On-Prem SCIM Server agent 1.8.0 is available. This version of the agent introduces support for single-value entitlements in SCIM 2.0. Admins can now implement a cardinality policy using the Okta SCIM resource extension to restrict specific entitlements to a single value.

Fixes

  • When users were added to a group using a CSV file, a processing issue occurred during Group Push that resulted in missing users in the downstream org. (OKTA-1045473)

  • When an admin reset a user's Okta Verify authenticator, the resulting email notification was sent from the custom domain instead of the default domain. (OKTA-1129391)

  • When users who weren't enrolled in an IdP factor tried to access an app that required it after signing in through an external IdP, they saw an error instead of an enrollment prompt. (OKTA-1131671)

  • When configuring Okta Verify to use Face ID or Touch ID, FastPass wasn't available as an option for verification. (OKTA-1138211)

  • Some users encountered an error during Okta FastPass authentication and had to refresh the page to sign in successfully. (OKTA-1141248)

  • Inline hooks intermittently failed with a connection error before a response could be received. (OKTA-1030671)

  • In some orgs, admins couldn't add apps to their authentication policies. (OKTA-1141832)

  • Some admins saw an error message when they clicked Save on the General Settings page of their OIDC app. The System Log showed multiple duplicate successful update entries even though the app settings weren't saved. (OKTA-1161655)

Okta Integration Network

  • Augment Code (OIDC) is now available. Learn more.

  • Clarion by Cantina (API Service) is now available. Learn more.

  • Data Residency and AI Data Protection for Okta (API Service) is now available. Learn more.

  • FleetDM is now available. Learn more.

  • Fullcast (OIDC) is now available. Learn more.

  • License Logic (API Service) is now available. Learn more.

  • My Bright Horizons (OIDC) is now available. Learn more.

  • myMobilityHQ (OIDC) is now available. Learn more.

  • Quickture (OIDC) is now available. Learn more.

  • Scaleflex VXP (SAML) is now available. Learn more.

  • Sinch (SAML) is now available. Learn more.

  • Ysis (OIDC) is now available. Learn more.

  • Kpler now supports Express Configuration.

  • My Bright Horizons now supports Express Configuration.

  • myMobilityHQ now supports Express Configuration.

  • X (Twitter) (SWA) was updated.

Version: 2026.03.0

March 2026

Generally Available

Sign-In Widget, version 7.43.0

For details about this release, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.

Improved error handling for group membership searches

When an internal error is returned for a group membership search, the ordering and sorting direction options are removed and the search is performed again.

Admin Console recent search results

The spotlight search now displays the admin's recent search results. See Admin Console search.

Identity Threat Protection (ITP) page for eligible orgs

In eligible orgs, super admins can now access the Security > Identity Threat Protection page. The page provides information about how ITP works and helps super admins contact Okta to start a trial of the product. The page is also available from the Security Monitoring widget on the Administrator Dashboard. See Identity Threat Protection with Okta AI.

Yammer rebranded to Microsoft Viva

The Yammer integration in Microsoft Office 365 now displays the Microsoft Viva logo and directs users to the Microsoft Viva homepage. This update supports Viva Insights and Viva Connections in GCC environments.

Enhanced provisioning controls for Microsoft Office 365

Admins can now configure the Microsoft Office 365 integration to sync only user profile attributes, or to sync attributes, licenses, and roles. This setting helps prevent Okta from overwriting licenses and roles that are managed directly in Microsoft. See Provision users to Office 365.

Grace period for device assurance

Occasionally, users' devices might fall out of compliance with security policies due to temporary conditions such as missed software updates or unapproved network connections. Without a grace period, they would be immediately blocked from accessing critical resources, which disrupts productivity and causes frustration. The Grace period for device assurance feature allows you to define a temporary window during which non-compliant devices can still access resources. This gives users time to remediate issues without being locked out, balancing productivity with security standards. See Add a device assurance policy.

Dynamic OS version compliance for device assurance

You can configure OS version compliance by using device assurance. However, you have to manually update the policies every time a new OS version or patch is released. With Dynamic OS version compliance, Okta updates device assurance policies with the latest OS versions and patches, eliminating the need for manual updates. With this feature you can ensure OS version compliance in your org without tracking OS releases. See Add a device assurance policy.

Early Access

Improved DirSync-based imports

Optimize performance of AD DirSync-based imports by skipping unnecessary prechecks and downloading organizational units without using DirSync.

Self-Service for Enhanced Disaster Recovery

When unexpected infrastructure-related outages occur, orgs need an immediate and reliable way to maintain business continuity. Okta's Standard Disaster Recovery, implemented by Okta's operations teams, provides failover and failback with a recovery time objective of one hour.

Okta's Enhanced Disaster Recovery (Enhanced DR) gives admins the option to manage their org's recovery. This feature empowers admins by providing direct, self-service tools and APIs to manage, test, and automate the failover and restoration processes for their impacted orgs.

With Enhanced DR, admins gain active control to initiate a failover and restore for impacted orgs directly from the Okta Disaster Recovery Admin portal or through APIs. Additionally, teams can validate their system's resilience by safely testing these failover and restoration capabilities at their convenience. Finally, Enhanced DR enables orgs to automate failover processes by using real-time monitoring to invoke failover APIs, significantly minimizing downtime during an actual event. See Okta disaster recovery.

Fixes

  • You couldn't search for and select users with Provisioned, Active, Recovery, Password Expired, or Locked out status when assigning a step in an approval sequence and in request types. (OKTA-944822)

  • Group rules sometimes behaved unpredictably when multiple distinct transactions ran the rules on the same user at the same time. (OKTA-954076)

  • Some users couldn't upload valid YubiKey seed files. (OKTA-1078087)

  • Some users saw a Failed to fetch error message on the Sign-In Widget when they tried to reset their password using email. (OKTA-1083742)

  • In some orgs, users who authenticated on a shared device could be signed in as a previous user. (OKTA-1100263)

  • The passkeys option was missing from some text strings in the Sign-In Widget. (OKTA-1108991)

  • The Access Testing Tool incorrectly evaluated authentication policy rules for Android devices with Device Assurance. (OKTA-1111439)

  • When AD-sourced users attempted to sign in using an expired temporary password and self-service password change was disabled, an incorrect error message was displayed. (OKTA-1113434)

  • Bot detection events were logged for standard Admin/Management API calls when the Sign-In Widget wasn't involved. (OKTA-1113990)

  • Sometimes users on mobile devices saw a legacy authentication flow instead of the expected interface when they attempted to authenticate without Okta Verify installed. (OKTA-1115306)

  • In some preview orgs, admins didn't see the Security > Authentication Policies page. (OKTA-1119757)

  • Some orgs couldn't send email through their custom SMTP. (OKTA-1124146)

Okta Integration Network

  • Guardare (SAML) is now available. Learn more.

  • Valence Remediation (API) is now available. Learn more.

  • Cato Networks Provisioning now supports user imports and updates.

  • PerimeterX now supports SAML.

  • PerimeterX now supports SCIM.

  • Druva Data Security Cloud (API Service) now has the okta.clients.read scope.

  • Natoma has a new app icon.

  • Adobe Creative (SWA) was updated.

  • Adobe Fonts (SWA) was updated.

Weekly Updates

2026.03.1: Update 1 started deployment on March 16

Generally Available

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Android 14, 15, 16 security patch 2026-03-01
  • iOS 18.7.6
  • iOS 26.3.1
  • macOS 26.3.1

To view the latest OS support updates, see Okta Device Assurance: Supported OS levels.

Device assurance OS version update

Windows 11 (26H1) isn't a supported release under Device Assurance policies. This is a special release only for select new devices.

Fixes

  • An error occurred when an admin attempted to add a duplicate SWA integration. (OKTA-600590)

  • Authentication policy rules with user type conditions weren't evaluated when users initiated a Native to Web SSO flow using an interclient token. (OKTA-1103810)

  • When DirSync was enabled, AD incremental imports removed group description values in Okta. (OKTA-1108167)

  • When an admin integrated an app through the API, some of the custom SSO properties didn't populate on the integration page. (OKTA-1109692)

  • The Add Resource dialog couldn't load more users or groups if the search term included special characters. (OKTA-1114749)

  • When an admin pressed the Enter key to select a recent spotlight search result, the search field disappeared. (OKTA-1115374)

  • The Microsoft Teams app integration incorrectly redirected users to an outdated URL during the Secure Web Authentication (SWA) flow. (OKTA-1117744)

  • The mandatory SSO configuration check for testing information was incorrectly bypassed for all SSO submissions. (OKTA-1119127)

  • Workflows admins couldn't edit their admin email notifications. (OKTA-1119296)

  • When admins provisioned users, incremental synchronizations for permission sets failed. The connector pushed duplicate permission set assignments, which resulted in errors for sets already assigned to the user. (OKTA-1121168)

  • Admins could initiate temporary password resets for users sourced from Okta, Active Directory (AD), or LDAP, bypassing the password policy that disabled self-service password reset. (OKTA-1122913)

  • The Sign-In Widget didn't load the bot protection enforcement challenge required on some endpoints, leading to an incorrect user redirect to a 403 page. (OKTA-1125106)

Okta Integration Network

  • CyberProof Threat Exposure Management Platform (API integration) is now available. Learn more.

  • Google Cloud Workforce Identity Federation (SAML) is now available. Learn more.

  • Google Cloud Workforce Identity Federation (SCIM) is now available. Learn more.

  • Sensor Tower (SAML) is now available. Learn more.

  • YakChat (OIDC) is now available. Learn more.

  • Google Cloud Workforce Identity Federation (OIDC) has a new Redirect URI. Learn more.

  • JetBrains (SWA) was updated.

2026.03.2: Update 2 started deployment on March 23

Generally Available

Sign-In Widget, version 7.40.4

For details about this release, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Windows 10 (10.0.17763.8511, 10.0.19044.7058, 10.0.19045.7058)
  • Windows 11 (10.0.22631.6783, 10.0.26100.8037, 10.0.26200.8037)

See Okta Device Assurance: Supported OS levels.

Okta Provisioning agent, version 3.1.0

Okta Provisioning agent 3.1.0 is now available. This version introduces strict SCIM error validation to ensure standard compliance and resolves an issue that prevented the agent from starting. See Okta Provisioning agent and SDK version history.

Fixes

  • The Go to Profile Editor and Force Sync buttons weren't disabled for read-only admins. (OKTA-1031561)

  • Users couldn't press the escape key to close the navigation menu in My Settings. (OKTA-1047944)

  • OIDC-configured Org2Org apps appeared as eligible for SAML conversion on the Tasks page in the Admin Console. (OKTA-1053194)

  • Admins were prematurely signed out when using non-registered devices to access apps protected by Chrome Device Trust. (OKTA-1093201)

  • Okta Verify enrollment flows didn't work consistently with the Okta account management policy. (OKTA-1100648)

  • In orgs with SAML Okta Org2Org integrations, the Sign-In Widget sometimes displayed incorrect user information. (OKTA-1102232)

  • Screen readers couldn't detect duplicate error messages in the Sign-In Widget (third generation). (OKTA-1109288)

  • After an update, the Okta Provisioning Agent failed to start due to a permission error on the bundled Java binary. (OKTA-1110701)

  • SCIM OAuth2 token expiration dates set beyond January 19, 2038 were incorrectly stored. (OKTA-1111756)

  • During AD password migrations, some users who performed a password change were migrated with a stale password. (OKTA-1115797)

  • Some AD users' sessions weren't terminated after they changed their password and clicked Sign out from all other devices. (OKTA-1119410)

  • Brackets in OIN display names didn't appear on the app integration pages. (OKTA-1122916)

  • When user enumeration prevention was enabled, the self-service unlock flow wasn't triggered for users on known devices. (OKTA-1123124)

  • When a SCIM server returned a 404 Not Found error during an on-premises provisioning import, the agent interpreted the error as a completed import. This resulted in a partial import that deprovisioned some users. (OKTA-1123270)

  • On the Administrators > Admins tab, the info icon was missing for admins with more than 10 role assignments. (OKTA-1125121)
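The failure mode in OKTA-1123270 above (a 404 Not Found during an import read as a completed import, so a partial result drove deprovisioning) can be reproduced in miniature. This is an added illustration, not Okta Provisioning agent code: the toy SCIM server and the names `fake_scim_get`, `import_users` and `plan_deprovision` are hypothetical, and the lenient branch is an assumed way such a bug can arise.

```python
# Constructed illustration; not Okta Provisioning agent code.
class ImportFailed(Exception):
    """Raised when an import cannot be proven complete."""

# Constructed SCIM directory: five users, served in pages of two.
DIRECTORY = ["ana", "ben", "cho", "dee", "eli"]

def fake_scim_get(start_index, count, fail_at=None):
    """Mimic GET /Users?startIndex=..&count=.. (1-based); returns (status, body)."""
    if fail_at is not None and start_index >= fail_at:
        return 404, {"detail": "Not Found"}
    page = DIRECTORY[start_index - 1:start_index - 1 + count]
    return 200, {"totalResults": len(DIRECTORY), "startIndex": start_index,
                 "Resources": [{"userName": u} for u in page]}

def import_users(get, strict, count=2):
    """Page through the server. strict=False reproduces the failure mode."""
    seen, start, total = [], 1, None
    while total is None or len(seen) < total:
        status, body = get(start, count)
        if status != 200:
            if strict:
                raise ImportFailed(f"HTTP {status} at startIndex={start}")
            break  # lenient: the error is mistaken for "no more results"
        total = body["totalResults"]
        resources = body["Resources"]
        if not resources:
            break
        seen += [r["userName"] for r in resources]
        start += len(resources)
    # Strict mode also cross-checks the count the server advertised.
    if strict and len(seen) != total:
        raise ImportFailed(f"got {len(seen)} of {total} users")
    return seen

def plan_deprovision(known, get, strict):
    """Users known downstream but absent from the import get deprovisioned."""
    try:
        imported = set(import_users(get, strict))
    except ImportFailed:
        return []  # incomplete import: change nothing
    return sorted(set(known) - imported)
```

With a server that starts returning 404 at `startIndex=3`, the lenient importer plans to deprovision three valid users, while the strict importer aborts and plans no changes.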

Okta Integration Network

  • Brellium (OIDC) is now available. Learn more.

  • Brellium (SCIM) is now available. Learn more.

  • Doppel (OIDC) is now available. Learn more.

  • Draftwise (SAML) is now available. Learn more.

  • Guardare - EU (SAML) is now available. Learn more.

  • Portnox (OIDC) is now available. Learn more.

  • Doppel (OIDC) now supports Express Configuration.

  • Doppel (OIDC) now supports Universal Logout.

  • IdentiGuard (API Service) now has the okta.users.read and okta.factors.read scopes.

  • 6sense legacy (SAML) was updated.

  • Google Cloud Workforce Identity Federation was updated.

  • Jack Henry & Associates Client Portal (SWA) was updated.

  • Observe.AI (SCIM) was updated.

  • UPS (SWA) was updated.

  • ZoomInfo (SCIM) was updated.

2026.03.3: Update 3 started deployment on March 30

Generally Available

Provisioning for ThoughtSpot

Provisioning is now available for the ThoughtSpot app integration. When you provision the app, you can enable security features like Entitlement Management. See ThoughtSpot.

Jamf Pro User Enrollment provisioning

Admins can automate user lifecycle management and use OAuth-based authentication to support user provisioning, profile updates, and deactivation. This integration also supports importing users and pushing groups from Okta to Jamf Pro User Enrollment. See Jamf Pro User Enrollment.

Fixes

  • In the OIN Wizard, ISVs were unable to edit integrations after a published instance was generated. A repetitive instance generation loop prevented access to the editing interface and blocked configuration updates. (OKTA-1100298)

  • For Native to Web SSO, the issuer validation for SAML app intent links was too strict. (OKTA-1115767)

  • Admins couldn't edit the authenticator enrollment policy for custom one-time passcodes when the grace periods feature was enabled. (OKTA-1121225)

  • Some users saw an error message when they tried to sign out from the My Settings page. (OKTA-1126441)

  • Some report admins received a 403 error when loading the Authentication Activity report. (OKTA-1126512)

  • When users attempted to authenticate on Android devices, some password managers didn't allow them to register passkeys. (OKTA-1135513)

  • The Sign-In Widget didn't load the bot protection enforcement challenge required on some endpoints, leading to an incorrect user redirect to a 403 page. (OKTA-1136962)

  • Okta Verify out-of-band authentication enrollment failed when the Okta account management policy was evaluated. (OKTA-1142207)

Okta Integration Network

  • Archlet (OIDC) is now available. Learn more.

  • Archlet (Staging) (OIDC) is now available. Learn more.

  • Brevity (SCIM) is now available. Learn more.

  • Jamf Admin Access (OIDC) is now available. Learn more.

  • Parabol (SCIM) is now available. Learn more.

  • Tiled (SAML) is now available. Learn more.

  • Archlet (Staging) now supports Express Configuration.

  • Archlet (Staging) now supports Universal Logout.

  • Archlet now supports Express Configuration.

  • Jamf Admin Access now supports Express Configuration.

  • Jamf Admin Access now supports Universal Logout.

  • Tiled now supports SCIM.

  • Brevity has a new integration guide.

  • Fabrix Smart Action (API Service) now has the okta.apps.manage, okta.users.manage and okta.users.read scopes.

  • Parabol has a new logo, SAML Configuration Guide, and App description.

  • Udemy Business has a new optional App Instance Property and a new configuration guide. Learn more.

  • Campaigner (SWA) was updated.