Okta Identity Engine release notes (Production)

Version: 2025.08.0

August 2025

Generally Available

Device assurance OS version updates

The following OS versions are now supported in device assurance policies:

  • iOS (18.6)
  • macOS (13.7.7, 14.7.7, 15.6)

Sign-In Widget 7.34.0

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Okta On-Prem MFA agent version 1.8.5

This version includes security enhancements.

New password expiration message

The Breached Credentials Protection feature now displays a more intuitive error message to users whose passwords have expired.

Okta Provisioning agent, version 3.0.2

Okta Provisioning agent 3.0.2 is now available. This release of the Okta Provisioning agent uses OAuth 2.0 for authorization and OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to securely communicate with Okta. Agents are now registered through the OAuth 2.0 device registration flow and operate independently from the account used to register them. This release also uses UTC time as the default for meta.lastModified timestamps and includes security enhancements and bug fixes. See Okta Provisioning agent and SDK version history.

ITP detections for AMFA orgs

Adaptive MFA orgs now receive ITP session and entity (user) risk detections when they occur on directly assigned super admins. These detection events are actionable using Workflows. This feature aligns with the [Okta Secure Identity Commitment](https://www.okta.com/secure-identity-commitment). See Identity Threat Protection events in System Log. This feature is now available to FedRAMP Moderate customers.

Okta Active Directory agent, version 3.21.0

This release includes general enhancements, branding updates, and bug fixes. See Okta Active Directory agent version history.

Automate SCIM Integration for OIN Apps with Express Configuration

Express Configuration is a feature designed to automate the setup of SSO and SCIM for instances of OIN SaaS integrations by enterprise customers with minimal manual effort. It allows enterprise customers to securely configure OIDC and SCIM integrations without copying and pasting configuration values between Okta and Auth0-enabled apps. See Add an app with Express Configuration.

OAuth 2.0 provisioning for Org2Org with Autorotation

Admins deploying multi-org architectures (for example Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth 2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Autorotation for Org2Org app provisioning directly from the Admin Console.

See Integrate Okta Org2Org with Okta.

Define default values for custom user attributes

Admins can now define default values for custom attributes in a user profile. If you set a custom attribute to be unique, then the default value is automatically set to null (as opposed to an empty string). See Add custom attributes to an Okta user profile.

Updates for groups in the Partner Admin portal

The Partner Admin portal now displays up to 20 groups per page instead of 10. Additionally, if the search query contains at least three characters and the contains search feature is turned on, the system uses the contains search instead of the starts with search in the groups list.

Expanded use of user.getGroups() function in Okta Expression Language

Admins can now use the user.getGroups() function across all features that support Expression Language. See Group functions for more information.

Auto-confirm for CSV imports

When Identity Governance is enabled and admins use CSV Import with entitlements, auto-confirm is enabled on exact email matches.

Identity Governance user entitlements import limit increased

The maximum number of user entitlements that can be imported from CSV has been increased to 25,000. See Import user entitlements from CSV.

New System Log event for ID verification events

The new user.identity_verification.start System Log event is triggered when an identity verification flow begins. It includes a reference ID for relevant events in the identity verification process, and indicates which operation led to the start of this process. See Add an identity verification vendor as an identity provider.

License grouping UI improvement

Microsoft O365 licenses are now grouped under Primary Licenses in the assignment tab for users and groups. Licenses are displayed as collapsed dropdown menus with only primary license name visible. Expanding the dropdown menu displays all sub-licenses under it.

Track MFA abandonment in the System Log

You can now monitor abandoned MFA attempts in the System Log using the user.authentication.auth_via_mfa event. The event now has two additional statuses for the event outcome:

  • UNANSWERED: MFA prompt was abandoned, but the user eventually signed in using another authenticator.
  • ABANDONED: MFA prompt was abandoned and the user couldn't sign in.

See Track MFA abandonment in the System Log.
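The two new outcome statuses are most useful when you aggregate them per user rather than read them one event at a time. The following is an added example (not Okta's code and not from these release notes) that parses a handful of constructed System Log events, counts outcomes of user.authentication.auth_via_mfa per user, and lists users whose prompts were repeatedly abandoned without a later sign-in. The outer field names follow the Okta System Log shape; placing UNANSWERED and ABANDONED in outcome.result is an assumption, as are the sample users, IPs and timestamps.

```python
import json
from collections import Counter, defaultdict

MFA_EVENT = "user.authentication.auth_via_mfa"
ABANDONMENT_STATUSES = {"UNANSWERED", "ABANDONED"}

# Constructed sample events in JSON Lines form (not real org data). The location of
# the new statuses in outcome.result is an assumption for this example.
SAMPLE_LOG = """
{"eventType": "user.authentication.auth_via_mfa", "published": "2025-08-18T09:00:01Z", "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.10"}}
{"eventType": "user.authentication.auth_via_mfa", "published": "2025-08-18T09:05:12Z", "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "UNANSWERED"}, "client": {"ipAddress": "203.0.113.10"}}
{"eventType": "user.authentication.auth_via_mfa", "published": "2025-08-18T09:07:44Z", "actor": {"alternateId": "bob@example.com"}, "outcome": {"result": "ABANDONED"}, "client": {"ipAddress": "198.51.100.7"}}
{"eventType": "user.authentication.auth_via_mfa", "published": "2025-08-18T09:08:30Z", "actor": {"alternateId": "bob@example.com"}, "outcome": {"result": "ABANDONED"}, "client": {"ipAddress": "198.51.100.7"}}
{"eventType": "user.authentication.auth_via_mfa", "published": "2025-08-18T09:09:02Z", "actor": {"alternateId": "bob@example.com"}, "outcome": {"result": "ABANDONED"}, "client": {"ipAddress": "198.51.100.8"}}
{"eventType": "user.authentication.auth_via_mfa", "published": "2025-08-18T09:15:00Z", "actor": {"alternateId": "carol@example.com"}, "outcome": {"result": "ABANDONED"}, "client": {"ipAddress": "192.0.2.55"}}
{"eventType": "user.session.start", "published": "2025-08-18T09:16:00Z", "actor": {"alternateId": "carol@example.com"}, "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "192.0.2.55"}}
"""


def parse_log(raw):
    """Parse JSON Lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def abandonment_summary(events):
    """Count outcome.result values per user, looking only at MFA events."""
    summary = defaultdict(Counter)
    for ev in events:
        if ev.get("eventType") != MFA_EVENT:
            continue
        user = ev.get("actor", {}).get("alternateId", "unknown")
        summary[user][ev.get("outcome", {}).get("result", "UNKNOWN")] += 1
    return summary


def abandonment_rate(summary, user):
    """Fraction of a user's MFA prompts that ended UNANSWERED or ABANDONED."""
    counts = summary.get(user)
    if not counts:
        return 0.0
    total = sum(counts.values())
    abandoned = sum(counts[s] for s in ABANDONMENT_STATUSES)
    return abandoned / total


def users_to_triage(summary, min_abandoned=2):
    """Users with at least min_abandoned ABANDONED outcomes: prompts that were dropped
    and never followed by a sign-in. UNANSWERED is excluded because the user did
    sign in with another authenticator, which is usually benign."""
    return sorted(u for u, c in summary.items() if c["ABANDONED"] >= min_abandoned)


def source_ips(events, user):
    """Distinct client IPs that produced MFA prompts for a user, to aid triage."""
    return sorted({ev["client"]["ipAddress"] for ev in events
                   if ev.get("eventType") == MFA_EVENT
                   and ev.get("actor", {}).get("alternateId") == user})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    summary = abandonment_summary(evs)
    for u in users_to_triage(summary):
        print(u, dict(summary[u]), f"rate={abandonment_rate(summary, u):.2f}", source_ips(evs, u))
```

The threshold and the choice to count only ABANDONED are tuning decisions: a single abandoned prompt is routine, while several in a row for one account, especially from more than one client IP, is worth a look by whoever owns MFA operations.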

New custom attributes for profile sync provisioning

Profile sync provisioning now supports several custom attributes for Office 365. See Supported user profile attributes for Office 365 provisioning.

Custom profile attributes for OIDC apps

Admins can now add custom profile attributes to OIDC apps in JSON format. See Configure profile attributes for OIDC apps.

Universal Logout in the OIN Wizard

Universal Logout (UL) in the Okta Integration Network Wizard allows you to build, test, and submit UL functionality to the Okta Integration Network (OIN). It lets you terminate users' sessions and revoke their tokens for supported OIN apps, as well as for generic OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) apps.

Granular configuration for Keep Me Signed In

Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. See Keep me signed in. The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands management API. See Configure Keep me signed in (KMSI) and Brands API.

Web app integrations now mandate the use of the Authorization Code flow

To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See Build a Single Sign-On (SSO) integration.
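The difference between the two flows is visible in the app's configured response and grant types, so it can be checked mechanically. Below is an added example (not Okta's code and not from these release notes) that audits a web app's OAuth settings for Implicit-flow residue, and then builds a correct Authorization Code request. It goes slightly beyond the note by adding a PKCE code challenge (RFC 7636), which is the usual companion of the Authorization Code flow. The config dict shape, the issuer URL, client ID and redirect URI are all constructed placeholders, not an exact Okta API payload.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Response types that return tokens directly from the authorize endpoint, i.e. the
# Implicit flow: tokens travel in the browser URL fragment instead of a back-channel
# token request.
IMPLICIT_RESPONSE_TYPES = {"token", "id_token"}


def audit_web_app_grants(app):
    """Return findings for a web app config dict with `response_types` and
    `grant_types` lists (constructed shape mirroring the admin-visible settings)."""
    findings = []
    response_types = set(app.get("response_types", []))
    grant_types = set(app.get("grant_types", []))
    if response_types & IMPLICIT_RESPONSE_TYPES or "implicit" in grant_types:
        findings.append("implicit flow enabled: tokens would be exposed in the URL fragment")
    if "code" not in response_types or "authorization_code" not in grant_types:
        findings.append("authorization code flow not enabled")
    return findings


def pkce_pair():
    """Generate a PKCE code verifier and its S256 challenge (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def verify_pkce(verifier, challenge):
    """Recompute the S256 challenge from a verifier (what the token endpoint does)."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode() == challenge


def build_authorize_url(issuer, client_id, redirect_uri, scopes, state, code_challenge):
    """Authorization Code request: response_type=code plus state and a PKCE challenge.
    Path layout follows an Okta custom authorization server; issuer is a placeholder."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def uses_authorization_code(url):
    """True when the request asks for a code (not tokens) and carries a PKCE challenge."""
    query = parse_qs(urlparse(url).query)
    return query.get("response_type") == ["code"] and "code_challenge" in query


# Constructed configs: the legacy Implicit-flow shape beside the corrected one.
LEGACY_APP = {"response_types": ["token", "id_token"], "grant_types": ["implicit"]}
CORRECTED_APP = {"response_types": ["code"], "grant_types": ["authorization_code", "refresh_token"]}

if __name__ == "__main__":
    print("legacy:", audit_web_app_grants(LEGACY_APP))
    print("corrected:", audit_web_app_grants(CORRECTED_APP))
    verifier, challenge = pkce_pair()
    url = build_authorize_url("https://example.okta.com/oauth2/default", "0oa-placeholder-client",
                              "https://app.example.com/callback", ["openid", "profile"],
                              secrets.token_urlsafe(16), challenge)
    print(url)
```

Running the audit across an org's web apps before the deadline-style change described above lets you find integrations that still request `token` or `id_token` at the authorize endpoint and migrate them deliberately rather than discovering the breakage in production.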

Early Access

Export Okta Identity Governance reports in PDF format

You can now export Okta Identity Governance reports to PDF. When exporting, you can also select specific columns to include in the report.

Passkeys from Android devices

Okta now accepts passkeys that are generated by Android devices. Okta associates these passkeys with trusted web domains to enable users to authenticate with them. This expands the number of device types that Okta supports for passkey use. See Configure the FIDO2 (WebAuthn) authenticator.

Custom FIDO2 AAGUID

Customers can add non-FIDO Metadata Service (MDS) security keys and other authenticators and have more granular control over them. This extends FIDO2 (WebAuthn) authenticator support to a wider range of security keys and other authenticators, which gives customers greater flexibility and control over the security in their environment.

Provisioning for Oracle Human Capital Management

Provisioning is now available for the Oracle Human Capital Management app integration. When you provision the app, you can enable security features like Entitlement Management, Privileged Access, and more. See Oracle Human Capital Management.

Temporary Access Code authenticator

The Temporary Access Code (TAC) authenticator allows admins to generate temporary codes that let users authenticate in onboarding, account recovery, and other temporary access scenarios. This authenticator enhances security in these scenarios by granting users access to their orgs without having to use their usual authenticators. See Configure the temporary access code authenticator.

Associated domains

Associated domains let you build a trust relationship among your app, the referring domain, the user's credentials that are associated with that domain, and your brand in Okta. This feature makes it easier to adopt phishing-resistant authenticators, like passkeys in the FIDO2 (WebAuthn) authenticator. See Configure associated domains.

System Log event for Identity Assertion Authorization Grant (ID-JAG) issuance

The app.oauth2.token.grant.id_jag event is generated when an app completes an OAuth 2.0 token exchange to get an Identity Assertion Authorization Grant (ID-JAG) JWT.

Unified claims generation for custom apps

Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.

Governance delegates

Super admins and users can assign another user as a delegate to complete governance tasks for them. Governance tasks include access certification campaign review items and access request approvals, questions, and other tasks. After a delegate is specified, all future governance tasks (access request approvals and access certification reviews) are assigned to the delegate instead of the original approver or reviewer. This helps ensure that governance processes don't stall when approvers are unavailable or tasks need to be rerouted to a different stakeholder for a long period. It also reduces the time spent in reassigning requests and reviews manually. See Governance delegates.

Multiple active IdP signing certificates

Okta now supports multiple active signing certificates for a single SAML identity provider (IdP), enabling seamless certificate rotation with zero downtime. Admins can upload up to two certificates per IdP connection. This improvement eliminates the need for tightly coordinated swaps with IdP partners and reduces the risk of authentication failures due to expired certificates. The feature is available for both the Admin Console and the IdP Certificates API.

Device signal collection policy

With the new device signal collection policy, admins can override Okta default behavior and specify how Okta must collect device data, which is then used to evaluate authentication policies. See Create device signal collection rules.

JSON Web Encryption of OIDC ID Tokens

You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.

App Switcher for Okta first-party apps

The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.

Device Logout

Device Logout allows admins to sign users out of devices that are protected by Desktop MFA. Admins can perform device sign out from the user's risk profile. If your org has Identity Threat Protection with Okta AI, you can configure an entity risk policy to automatically trigger a sign-out action. If a user is deactivated or suspended, Okta automatically signs the user out from all devices that are protected with Desktop MFA. See Sign users out of devices.

Cross App Access

Admins can now manage third-party app data sharing with the new Cross App Access feature in the Okta Admin Console. This feature moves complex consent processes away from end-users, enhancing security and streamlining the experience. Once configured, end users can access their data from other SaaS apps without navigating OAuth consent flows. See Configure Cross App Access.

Fixes

  • When an admin performed an incremental import using the Okta Provisioning agent, the last.modified timestamp was in the local time zone rather than the expected UTC. (OKTA-908307)

  • Admins couldn't always reactivate an app, even when there were active instances of that same app. (OKTA-944775)

  • After a reviewer approved or revoked a review item, the value for the campaignItemRemediationStatus System Log event incorrectly displayed NONE. (OKTA-950851)

  • When conditions were removed from a groups resource, admins who were assigned the resource set couldn't add groups. (OKTA-961708)

  • When enrolling in Okta, users in orgs with specific Access Control settings were shown incorrect authenticators. (OKTA-963136)

  • When a user selected the Remind me later option in an org that allowed grace periods and then accessed an app, an error sometimes appeared. (OKTA-964324)

  • When users accessed an app after signing in to Classic Engine, their session was overridden if they subsequently accessed an app after signing in to Identity Engine. (OKTA-968179)

  • In the Partner Admin Portal, some pages took longer than expected to load or refresh. (OKTA-976067)

  • On the Edit role page, the Role description field displayed the Role name value. (OKTA-984100)

  • In orgs with the Breached Credentials Protection feature enabled, the wrong password expiration date was displayed to some users. (OKTA-984104)

  • When an admin assigned a group to an app, the resulting System Log event was incomplete. (OKTA-985709)

  • When accessing the Edit User Attributes page for a given user in the Partner Admin Portal, the screen didn't show the form when an enum array property was in the user schema, but not present in the user profile. (OKTA-986528)

Weekly Updates

2025.8.1: Update 1 started deployment on August 18

Generally Available

Device assurance OS version updates

The following OS versions are now supported in device assurance policies:

  • Android 13, 14, 15, 16 security patch 2025-08-01

Export Okta Identity Governance reports in PDF format

You can now export Okta Identity Governance reports to PDF. When exporting, you can also select specific columns to include in the report.

Early Access

Desktop MFA recovery for Windows

This release enhances the Desktop MFA feature on Windows to include an admin-assisted recovery path. If a user is locked out of their Windows device, an admin can now issue a time-based recovery PIN. This grants the user temporary access to their computer without needing their primary MFA device, enabling them to resolve their authenticator issue and sign in successfully. See Enable Desktop MFA recovery for Windows.

Fixes

  • Sometimes admins could assign themselves as approvers for their own access requests.

  • When an admin edited a resource set, the event didn't appear in the Admin changes section on the Administrators page. (OKTA-817804)

  • Admins couldn't publish customized sign-in and error pages, and some users saw default sign-in and error pages instead of previously published customized ones. (OKTA-838267)

  • An error was intermittently returned when attempting to add a new sign-in redirect URI to an existing OIDC app. (OKTA-892769)

  • Notification emails for AD and LDAP agent upgrades included sections for updated agents when none existed. (OKTA-958346)

  • Okta didn't migrate customer-provided certificates to Okta-managed ones. (OKTA-959003)

  • Custom admins with privileges for customizing domains didn't see the Edit menu item on the Domains tab of a brand page. (OKTA-974191)

  • Some users couldn't reset their passwords when they were enrolled in more than two authenticators, and User Enumeration Prevention for Recovery and an Okta account management policy were enabled in their org. (OKTA-981374)

  • The App sign-in tile was smaller than the other tiles on the Authentication policies page. (OKTA-987744)

  • In the Partner Admin Portal, the enum array fields on the Edit User Attributes page failed to load initial values from the user's profile. (OKTA-988096)

  • When LDAP instances were either deactivated or reactivated, the associated LDAP agents remained in their current state. (OKTA-990260)

  • The LDAP interface app showed an Okta IP address instead of the requester's original IP address, leading to authentication failure. (OKTA-991371)

  • In the Partner Admin Portal, the side navigation text loaded before the main content of the page. This caused a visual issue where the text appeared to leak before a user was fully authenticated. (OKTA-991510)

  • Some users who enabled the Early Access feature Unified claims generation for Okta-protected SAML and OIDC custom app integrations saw an error when they tried to add custom claims to an app integration. (OKTA-997102)

  • An error message appeared to super admins when they tried to configure the custom OTP authenticator, and the authenticator didn't appear on the Authenticators page. (OKTA-997916)

Okta Integration Network

  • Prowler (Prowler SaaS) has a new display name.

  • Ethos has a new Redirect URI.

  • Prowler Cloud (SAML) is now available. Learn more.

  • 1VALET was updated.

  • Adobe Enterprise (SWA) was updated.

  • Adobe (SWA) was updated.

  • Apple store for Business (SWA) was updated.

  • Paycor (SWA) was updated.

  • National Car Rental (SWA) was updated.

  • Marriott Hotels (SWA) was updated.

  • Desana has a new icon.

  • Console updated with a new redirect URI and icon (OIDC). Learn more.

  • FORA was updated.

  • Approveit (SAML) is now available. Learn more.

  • Bing Webmaster (SWA) was updated.

  • Reward Builder is now available. Learn more.

  • Staircase AI (SCIM) now supports the EU region.

2025.8.2: Update 2 started deployment on August 25

Fixes

  • When an app was deleted, group push rules weren't deleted and would sometimes trigger erroneous System Log entries. This fix will be slowly made available to all orgs. (OKTA-881642)

  • This update includes security enhancements. (OKTA-945597)

  • When a group push failed due to a rate limit being exceeded, a System Log event was logged and marked with success instead of an error. (OKTA-952427)

  • In authenticator enrollment policies, an auto-populate pop-up containing a phone number appeared when admins tried to select a due date for the phone authenticator's grace period. (OKTA-963746)

  • Some users saw an error when submitting their username to sign in. (OKTA-963933)

  • App groups weren't fully deleted after a successful DELETE API call and could still be found by their ID. This fix will be slowly made available to all orgs. (OKTA-972614)

  • In orgs that didn't have Multifactor Authentication (MFA) or Adaptive MFA enabled, the Require user interaction option in authentication policy rules remained selected after admins cleared it. (OKTA-972708)

  • Custom admins with privileges for customizing domains didn't see the Edit menu item on the Domains tab of a brand page. (OKTA-974191)

  • Some custom admin roles had different permissions for authentication policies and device signal collection policies and couldn't access them. (OKTA-982043)

  • When an admin triggered a password reset for a user who was concurrently also being provisioned in AD or LDAP, the user's status was discarded. This fix will be slowly made available to all orgs. (OKTA-982286)

  • The PolicyRuleChangeDetails System Log event didn't track UI schema events. (OKTA-984139)

  • Okta admins with custom admin roles couldn't unsuspend users due to the missing Activate button. (OKTA-986984)

  • When multiple signing certificates were configured for an IdP, and the certificates were invalid, the System Log didn't display information about which certificate failed to validate. (OKTA-987881)

  • Some user-provided passwords that didn't meet the configured strength requirements were accepted by Okta. (OKTA-988423)

  • On the People page in the Admin Console, the Suspended status was incorrectly categorized as Inactive. (OKTA-990078)

  • Some users saw an error when trying to sign in from an external IdP. (OKTA-993126)

  • The Set up button for the password authenticator was displayed on the End-User Settings 2.0 page, even though a password couldn't be enrolled. (OKTA-997943)

  • Okta couldn't send emails from orgs with custom SMTP server configurations. (OKTA-1003170)

Okta Integration Network

  • Exaforce has a new app icon.

  • DMARCwise (SAML) is now available. Learn more.

  • WMSPanel (OIDC) is now available. Learn more.

  • Giftsenda (SAML) is now available. Learn more.

Version: 2025.07.0

July 2025

Generally Available

Sign-In Widget, version 7.33.0

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Release notes available in Japanese

Release notes for Okta Identity Engine are now translated to Japanese for each release. These translations are published within a week of the English publication.

Okta Provisioning agent, version 2.3.1

This release contains security enhancements. See Okta Provisioning agent and SDK version history.

Enhanced security for End User Settings

End User Settings version 2.0 now performs policy evaluations before granting new access tokens.

Okta Hyperdrive agent, version 1.5.1

This version includes security enhancements.

Automatic certificate enrollment for certificate-based authentication in WS-Fed SSO

Automatic certificate enrollment is now supported for certificate-based authentication in WS-Fed SSO requests. Users can authenticate with smart/PIV cards without setting up smartcards, allowing seamless access to their Windows devices and Office 365 apps.

Claims sharing enhancement

Claims sharing between Identity Engine orgs now supports the inclusion of authentication policy and global session policy rules that include authentication method chains. This enhancement gives admins greater flexibility when designing authentication for org-to-org scenarios. See Add a SAML Identity Provider.

Okta LDAP agent, version 5.24.0

This version of the agent includes the following:

  • Configuration files are now encrypted
  • Local LDAP agent configuration files are monitored for unexpected changes
  • install.log created to help debug installation issues
  • Security enhancements

Enhancement for advanced posture checks

Admins can now configure advanced posture checks to appear as a checkbox or textbox in device assurance policies.

Google Workspace improvements

The following changes have been made to improve the performance of the Google Workspace app integration:

  • More robust group-related error handling
  • Eliminated duplicate group creation upon import when Import Groups is disabled

Okta MFA Credential Provider for Windows

This release includes bug fixes and security enhancements.

New label for admin-initiated security methods

The My Settings > Security methods page now displays an Enrolled by admin label on admin-initiated security methods.

Name matching for identity verification

Admins can now map attributes for both preferred and legal first and last names when sending verification claims to an identity verification (IDV) vendor. This improves the accuracy of verification and gives the admin control over which attributes are sent to the vendor.

Conditions for create user permission

You can now add conditions to the Create user permission for custom admin roles. This enables you to granularly control which user attributes admins can set values for during user creation. See Permission conditions.

Bypass ASN binding with the Default Exempt IP Zone

The ASN binding feature associates admins with the IP address that they signed in from. If the IP changes during a session, the admin is signed out of Okta, and an event appears in the System Log. To bypass IP and ASN binding, you can add the client IP to the Default Exempt IP Zone. See IP exempt zone.
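The decision described here (bound IP, exempt zone bypass, sign-out on change) is small enough to model end to end. The following is an added example (not Okta's code and not from these release notes) that binds an admin session to the sign-in IP and its ASN, evaluates later requests against that binding, and lets addresses in a constructed exempt zone bypass it. Two assumptions are labelled in the code: the IP-to-ASN table is a constructed stand-in for a real IP-intelligence source, and the `mode` switch (strict IP binding versus allowing changes within the same ASN) is the example's own generalization of the note. The System Log event that Okta emits on sign-out is not named on this page, so the example returns a plain reason string instead of an event type.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the Default Exempt IP Zone (documentation ranges only).
DEFAULT_EXEMPT_IP_ZONE = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:1::/48")]

# Constructed IP-to-ASN table (private-use ASNs). A real deployment would consult an
# IP-intelligence source; this is only here so the example runs offline.
ASN_TABLE = {"198.51.100.0/24": 64500, "192.0.2.0/24": 64501, "203.0.113.0/24": 64502}


def lookup_asn(ip: str) -> Optional[int]:
    """Longest-prefix lookup is unnecessary for the non-overlapping constructed table."""
    addr = ipaddress.ip_address(ip)
    for cidr, asn in ASN_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return asn
    return None


def in_exempt_zone(ip: str, zone=DEFAULT_EXEMPT_IP_ZONE) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in zone)


@dataclass
class AdminSession:
    admin: str
    bound_ip: str
    bound_asn: Optional[int]


def start_session(admin: str, ip: str) -> AdminSession:
    """Bind the session to the IP the admin signed in from and to that IP's ASN."""
    return AdminSession(admin=admin, bound_ip=ip, bound_asn=lookup_asn(ip))


def evaluate_request(session: AdminSession, request_ip: str, mode: str = "ip",
                     zone=DEFAULT_EXEMPT_IP_ZONE) -> Tuple[str, str]:
    """Return ("allow" | "terminate", reason).

    mode="ip":  any change from the bound IP ends the session (the behaviour the note
                describes).
    mode="asn": a change is tolerated as long as the new IP maps to the bound ASN
                (assumed generalization, not stated on the page).
    Exempt-zone addresses bypass the check in either mode."""
    if in_exempt_zone(request_ip, zone):
        return "allow", "client IP is in the exempt zone; binding bypassed"
    if request_ip == session.bound_ip:
        return "allow", "client IP matches the bound IP"
    if mode == "asn" and session.bound_asn is not None and lookup_asn(request_ip) == session.bound_asn:
        return "allow", "client IP changed but stays within the bound ASN"
    return "terminate", f"admin {session.admin} signed out: IP changed from {session.bound_ip} to {request_ip}"


if __name__ == "__main__":
    s = start_session("admin@example.com", "198.51.100.10")
    for ip in ("198.51.100.10", "198.51.100.11", "192.0.2.20", "203.0.113.5"):
        print(ip, evaluate_request(s, ip), evaluate_request(s, ip, mode="asn"))
```

The exempt zone is the escape hatch the note describes, so keep it narrow: every address added to it is an address for which the session binding no longer protects the admin.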

New identity verification provider added

Okta now supports using Incode and CLEAR Verified as identity providers. This increases the number of identity verification vendors (IDVs) you can use to verify the identity of your users when they onboard or reset their account. See Add an identity verification vendor as an identity provider.

New validation rule for user profile attributes in OIN Wizard

The OIN Wizard now requires the use of valid user profile properties when referencing attribute values in EL expressions. The system rejects any invalid user EL expressions and attributes that aren't included in the allowlist. See Define attribute statements.

Secure Partner Access for external partners

Secure Partner Access provides a secure way for external business partners to access your org's resources. It streamlines your partner management tasks, reduces IT workload, and simplifies the process of configuring your org's security requirements. See Manage Secure Partner Access.

Certificate-based authentication for Office 365

Okta Identity Engine now supports certificate-based authentication for WS-Fed SSO requests. Users can authenticate using smart/PIV cards to seamlessly access their Windows devices and Office 365 apps.

Manage Subscription button removed

The Manage Subscription button has been removed from the Settings page.

New look and feel in the Admin Console

The Admin Console now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

New look and feel in the End-User Dashboard

The End-User Dashboard now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

Restrict access to the Admin Console

By default, users and groups with assigned admin roles have access to the Admin Console app. With this feature, super admins can choose to manually assign the app to delegated admins instead. This is recommended for orgs with admins who don't need access, like business partners, third-party admins, or admins who only use the Okta API. See Configure administrator settings.

Early Access

Network restrictions for OIDC token endpoints is EA in Preview

You can now apply network restrictions to OIDC token endpoints to enhance token security. See Create OpenID Connect app integrations.

Okta Integration IdP type is EA in Preview

The Okta Integration IdP allows you to use an Okta org as an external IdP, simplifying configuration and providing secure defaults. See Add an Okta Integration Identity Provider.

Universal Directory map toggle

The new Universal Directory (UD) map toggle enables admins to link a user's email address to their identifier. This allows admins to enable the self-service registration feature. See General Security.

OAMP protection for password expiry flows

This feature improves the security posture of customer orgs by protecting the password expiry flow with the Okta account management policy. Password expiry flows now require the assurance defined in an org's Okta account management policy. See Enable password expiry.

Enforce MFA for Identity Governance admin apps

The Enforce MFA for Identity Governance admin apps feature is no longer available as a self-service Early Access feature. Admins must contact Okta Support to enable or disable this feature. See Enable MFA for the Admin Console.

OU moves for LDAP-provisioned users

When an admin configures Okta to LDAP provisioning settings, they can now move users to a different Organizational Unit (OU) by changing their group assignments. See Configure Okta to LDAP provisioning settings.

Okta Hyperspace agent, version 1.5.1

This version includes security enhancements.

System Log event for monitoring LDAP Agent config file changes

A system.agent.ldap.config_change_detected event is generated when an LDAP agent detects changes to its configuration file.

On-prem Connector for Oracle EBS

On-prem Connector for Oracle EBS connects Oracle EBS on-premises apps with Okta Identity Governance. It helps admins discover, view, and manage Oracle EBS entitlements directly in Okta. This integration enhances security, saves time, streamlines entitlement management, and eliminates the need for custom integrations. See On-prem Connector for Oracle EBS and Supported entitlements by On-prem Connector.

Integrate Okta with Device Posture Provider

The Device Posture Provider feature enhances Zero Trust security by integrating external device compliance signals into the Okta policy engine. Previously, Okta couldn't leverage signals from third-party or custom tools to enforce access policies. Now, by accepting SAML/OIDC assertions from external compliance services, admins can incorporate custom compliance attributes into device assurance policies. This enables organizations to utilize their existing device trust signals within Okta, and foster a more flexible and secure posture without the need for extra agents or redundant tooling. See Integrate Okta with Device Posture Provider.

Provisioning for Oracle Human Capital Management

Provisioning is now available for the Oracle Human Capital Management app integration. When you provision the app, you can enable security features like Entitlement Management, Privileged Access, and more. See Oracle Human Capital Management.

Fixes

  • The Grace period for device assurance feature didn't apply to Chrome Device Trust users. (OKTA-817660)

  • Group push errors were displayed for app instances that didn't have provisioning enabled. (OKTA-924631)

  • Client location, IP address, and user agent weren't visible for security.breached_credential.detected events in System Log. (OKTA-934324)

  • In orgs with user enumeration prevention enabled, users who locked out their account saw an incorrect warning in the Sign-In Widget. (OKTA-939242)

  • When any of the When a user is reactivated in the app options were enabled for an app integration, the first attempt to re-login using ADSSO by disconnected AD users failed. (OKTA-939542)

  • Additional roles couldn't be added to the base Role attribute for SmartRecruiters app integrations. (OKTA-944146)

  • Users on devices with small viewports were unable to sign out. (OKTA-958188)

  • Editing a previously blank default value of an attribute in the Profile Editor failed if the Attribute length was set. (OKTA-958747)

  • Some users who were logged out of Okta by the breached credentials protection feature had custom attribute values deleted from their user profile. (OKTA-964312)

Okta Integration Network

  • Cockroach Labs (SCIM) is now available. Learn more.
  • Grace (OIDC) is now available. Learn more.
  • Hive (SCIM) is now available. Learn more.
  • Optmyzr (OIDC) is now available. Learn more.
  • Planfix (SCIM) is now available. Learn more.
  • Planfix (SAML) is now available. Learn more.
  • Splunk Add-on for Okta Identity Cloud (API integration) is now available. Learn more.

Weekly Updates

2025.7.1: Update 1 started deployment on July 14

Generally Available

Sign-In Widget, version 7.33.1

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Fixes

  • Some users had to authenticate with their passwords twice when signing in to Okta to access a bookmark app in orgs where Okta Verify Push was required as the second authenticator. (OKTA-817382)

  • In some OIE preview orgs with routing rules, users who clicked the embedded URL of an app were incorrectly sent to the IdP, even though they weren't assigned to that app. (OKTA-827133)

  • Users were deactivated during imports where Super Admin privileges had been granted through group membership assignment. (OKTA-831811)

  • Some users with custom admin roles were unable to use the authorization server token preview. (OKTA-847900)

  • Users weren't able to validate MFA through FIDO2, Okta Verify Push, or TOTP authentication if the OrgUrl contained a trailing slash character or uppercase letters. (OKTA-897324)

  • The multiple identifiers feature didn't process case sensitivity correctly when evaluating identifier attributes. (OKTA-899235)

  • Users were unable to enroll in Okta Verify on their mobile device when signing in to an org using the Okta Org2Org app. (OKTA-926590)

  • Some users saw an error when they tried to load the list of apps mapped to a policy. (OKTA-934678)

  • The create user form didn't clearly indicate whether an admin can view or edit the files, which caused confusion during user creation. (OKTA-953319)

  • When the /login/agentlessDsso test login flow was used with a null state token, a null pointer exception occurred. (OKTA-958088)

  • The Networks page became unresponsive when admins clicked the Show more option. (OKTA-958764)

  • Users were unable to create a new schema property using a previously used name due to an incomplete cleanup process of deleted schema properties. (OKTA-963030)

  • A blank page was displayed after an Okta user was successfully converted to a service account. (OKTA-969178)

  • The create user form didn't clearly indicate whether an admin can view or edit the files, which caused confusion during user creation. (OKTA-971861)

Okta Integration Network

  • NVIDIA Identity Federation (SCIM & SAML) is now available. Learn more.
  • Zoho Directory (API Integration) is now available. Learn more.

2025.7.2: Update 2 started deployment on July 21

Generally Available

Sign-In Widget 7.33.2

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Fixes

  • Authentication policies timed out if they included a lot of app instances. (OKTA-886236)

  • The System Log displayed an inaccurate risk level for Entity Risk Policy Action Cleared User Risk detections. (OKTA-944114)

  • Some users saw an error when they tried to access the End User Settings version 2.0. (OKTA-944786)

  • When the Direct Authentication feature was enabled, admins with a custom role couldn't create OIDC apps. (OKTA-970705)

  • The options to add WebAuthn and set permission conditions weren't available on the Partner Admin Portal. (OKTA-971778)

  • The create user form didn't clearly indicate whether an admin can view or edit the files, which caused confusion during user creation. (OKTA-971861)

  • Provisioning new users without a password to on-premises SAP instances failed, even when Sync Password was disabled. (OKTA-973324)

  • The create user form didn't clearly indicate whether an admin can view or edit files, which caused confusion during user creation. (OKTA-977736)

  • This release includes security enhancements. (OKTA-984152)

Okta Integration Network

  • CaterCow (OIDC) is now available. Learn more.

  • Cato Portal has a new Redirect URI. Learn more.

  • DevRev (SAML) is now available. Learn more.

  • DevRev (SCIM) is now available. Learn more.

  • Fastly has a new configuration guide. Learn more.

  • Fastly (SCIM) is now available. Learn more.

  • Hexnode (API service) is now available. Learn more.

  • ImmuniWeb (OIDC) is now available. Learn more.

  • Observe.ai (Provisioning)(SCIM) is now available. Learn more.

  • SmartCompany is now OneHR.

  • Sociabble (OIDC) is now available. Learn more.

  • Sociabble (SAML) is now available. Learn more.

2025.7.3: Update 3 started deployment on August 4

Generally Available

Device assurance OS version updates

The following OS versions are now supported in device assurance policies:

  • Windows 10 (10.0.17763.7558, 10.0.19044.6093, 10.0.19045.6093)
  • Windows 11 (10.0.22621.5624, 10.0.22631.5624, 10.0.26100.4652)

Sign-In Widget, version 7.33.3

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Fixes

  • When signing in to Okta, AD-sourced users were prompted that their password would expire, even with a password policy set to never expire. (OKTA-931026)

  • Read-only admins couldn't view event hooks. (OKTA-935143)

  • Admins couldn't identify when user enumeration settings were changed or who changed them. (OKTA-945576)

  • When users tried to sign in to the End-User Dashboard and an error occurred, the custom error page wasn't displayed. (OKTA-963685)

  • When an admin with a custom role was deactivated and then immediately reactivated, they temporarily retained their former privileges and could access the Admin Console. (OKTA-968997)

  • Users with case-insensitive usernames didn't match to existing strict case-sensitive users. (OKTA-969228)

  • Provisioning new users without a password to on-premises SAP instances failed, even when Sync Password was disabled. (OKTA-973324)

  • Admins couldn't create a user under a passwordless enrollment policy without setting a password. (OKTA-976891)

  • The create user form didn't clearly indicate whether an admin can view or edit files, which caused confusion during user creation. (OKTA-977736)

  • When users clicked outside of the Sign-in Widget (third generation), error messages disappeared even though the errors weren't resolved. (OKTA-888819)

  • The Stay signed in option for the post-authentication Keep me signed in feature didn't work in orgs with embedded Sign-In Widgets. (OKTA-921958)

  • Customers couldn't upgrade to Identity Engine when their Classic Engine org used a custom domain, didn't have a custom sign-in page, and used version 5.10 or earlier of the Sign-In Widget. (OKTA-961939)

  • Users appeared twice in the results of the User App Access report. (OKTA-963812)

  • Some users encountered an error during self-service registration if they entered a value that already existed in the directory. (OKTA-965382)

  • When an admin managed Active Directory users and groups in Okta, the events didn't always appear in the System Log. (OKTA-976990)

  • Some Active Directory users saw a password expiration notice after the breached credentials protection feature had already expired their passwords. (OKTA-979447)

  • When admins cleared a user's sessions and selected Also include logout enabled apps and Okta API tokens, factors remembered by Keep me signed in for that user weren't cleared. (OKTA-979580)

  • The default value of a custom property reset whenever it was edited. (OKTA-983015)

  • Some users saw an error when they tried to assign groups in the JIT Settings of their social login identity provider. (OKTA-983565)

  • After signing in to an Office 365 app and redirecting back to Okta, some AD-sourced users remained in a DEACTIVATING state. (OKTA-986550)

Version: 2025.06.0

June 2025

Generally Available

Sign-In Widget, version 7.32.0

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Device assurance OS version updates

The following OS versions are now supported in device assurance policies:

  • Android 13, 14, 15 security patch 2025-06-01
  • iOS 15.8.4
  • iOS 16.7.11
  • iOS 18.5
  • macOS Ventura 13.7.6
  • macOS Sonoma 14.7.6
  • macOS Sequoia 15.5
  • Windows 10 (10.0.17763.7314, 10.0.19044.5854, 10.0.19045.5854)
  • Windows 11 (10.0.22621.5335, 10.0.22631.5335, 10.0.26100.4061)

Personal apps excluded from apps count

On the Admin Dashboard, the Total apps count on the Apps widget now excludes personal apps. This provides a more accurate apps count for the org. See Monitor your apps.

Per-app SAML certificate expiry notifications

The Tasks page now displays certificate expiry notifications for individual SAML apps.

New help message for custom domains

Admins creating an Okta-managed custom domain now see a message encouraging them to add a CAA record.

App permissions no longer include agent permissions

Now when you assign the Manage applications permission to an admin, the Manage agents permission isn't automatically granted. For existing admin role assignments that include the Manage applications permission, the Manage agents permission is retained in the assignment. See Role permissions.

Okta Provisioning Agent now supports Group Push with SCIM 2.0

You can now use Group Push with on-premises apps by using Okta Provisioning Agent and SCIM 2.0. See Create SCIM connectors for on-premises provisioning.

New look and feel in the Partner Admin Portal app

The Partner Admin Portal app pages now have a new look and feel, including redesigned side and top navigation menus.

Define default values for custom user attributes

You can now define default values for custom attributes in a user profile. See Add custom attributes to an Okta user profile.

Domain restrictions on Realms

You can now limit users to a specific domain in Realms, which adds an extra layer of oversight for realm and partner admins and enforces boundaries between user populations. See Manage realms.

Authentication claims sharing between Okta orgs

Authentication claims sharing allows an admin to configure their Okta org to trust claims from third-party IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Add a SAML Identity Provider.

Improvements to Okta RADIUS

Okta RADIUS now supports Java version 17 and has a new 64-bit installer.

Create dynamic resource sets with conditions

Resource set conditions help you limit the scope of a role by excluding an admin's access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Resource set conditions.

Biometric user verification in authentication policies

You can now configure authentication policies to require biometric user verification (no passcode). With this feature you ensure that users confirm their biometrics when they authenticate with Okta FastPass or Okta Verify Push. See Biometric user verification in app sign-in policies.

Automatic renewal of Okta Certificate Authorities

Okta Certificate Authorities (CAs) used for management attestation expire every five years. Without proactive renewal, expired CAs lead to disruptions in authentication and hinder compliance requirements. To mitigate this risk, the Okta CA Renewal Service automatically renews CAs 1.5 years before expiration, ensuring uninterrupted authentication and compliance. By managing CA renewals proactively, this service prevents downtime, reduces manual intervention, and keeps management attestation working without interruption. See Okta Certificate Authority Renewal and Activation Guide.

Manage Subscription button removed

The Manage Subscription button has been removed from the Settings page.

Admins prevented from deleting published app instances

When an app instance has the Published version status, admins can no longer delete it from their org.

Shared signal transmitters

Okta uses CAEP to send security-related events and other data-subject signals to third-party security vendors. To enable the transmission of signals from Okta, create an SSF stream using the SSF Transmitter API. Then, configure the third-party receiver to accept signals sent as Security Event Tokens (SETs) from Okta. See Configure a shared signal transmitter.
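The receiver side of the exchange described above, as an added example that is not Okta's code or documentation: a Security Event Token (SET, RFC 8417) is a JWT whose header carries typ "secevent+jwt" and whose payload carries an "events" claim keyed by event-type URI, such as the CAEP session-revoked URI used here. The issuer, audience, shared key and token contents are constructed for the demo; the HS256 signature is an assumption made to keep the example standard-library only, and a production receiver instead verifies the transmitter's asymmetric signature against its published keys.

```python
"""Added example (not Okta's code): receiver-side validation of a SET.
Everything below (issuer, audience, key, token) is constructed for the demo."""
from __future__ import annotations
import base64, hashlib, hmac, json, time

EXPECTED_ISS = "https://example.okta.com"          # assumed transmitter issuer
EXPECTED_AUD = "https://receiver.example.net/ssf"  # assumed receiver audience
# CAEP event-type URI for a revoked session (defined by the OpenID CAEP spec).
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_set(claims: dict, key: bytes) -> str:
    """Build a compact-serialised SET (HS256, demo only) so the receiver has input."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class SetReceiver:
    """Validates incoming SETs: signature, typ, iss, aud, iat, jti replay, events."""

    def __init__(self, key: bytes, issuer=EXPECTED_ISS, audience=EXPECTED_AUD, skew=300):
        self.key, self.issuer, self.audience, self.skew = key, issuer, audience, skew
        self.seen_jti: set[str] = set()  # replay cache; persist this in real deployments

    def accept(self, token: str, now: float | None = None) -> dict:
        """Return the claims of a valid SET, or raise ValueError naming the failure."""
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed JWS")
        h_b64, p_b64, s_b64 = parts
        header = json.loads(_b64url_decode(h_b64))
        if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
            raise ValueError("unexpected typ or alg")  # never trust alg from the token alone
        expected = hmac.new(self.key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(p_b64))
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("wrong audience")
        if not isinstance(claims.get("iat"), int) or claims["iat"] > now + self.skew:
            raise ValueError("missing or future iat")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        events = claims.get("events")
        if not isinstance(events, dict) or not events:
            raise ValueError("no events claim")
        self.seen_jti.add(jti)
        return claims


def rejects(receiver: SetReceiver, token: str, now: float) -> bool:
    """True if the receiver refuses the token (used to exercise failure paths)."""
    try:
        receiver.accept(token, now)
        return False
    except ValueError:
        return True


# Constructed sample: a session-revoked event for one subject.
DEMO_KEY = b"constructed-demo-secret"
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "iat": 1750000000, "jti": "demo-jti-1",
    "sub_id": {"format": "email", "email": "user@example.com"},
    "events": {SESSION_REVOKED: {"event_timestamp": 1750000000}},
}

if __name__ == "__main__":
    receiver = SetReceiver(DEMO_KEY)
    claims = receiver.accept(mint_set(SAMPLE_CLAIMS, DEMO_KEY), now=1750000100)
    print("accepted events:", list(claims["events"]))
```

After accept() returns, the caller dispatches on the event-type URIs in the events claim (for session-revoked, terminate the subject's local sessions). Rejected tokens should be logged with the failure reason, since a burst of bad signatures or replayed jti values against a receiver endpoint is itself worth detecting.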

Early Access

Send app context to external IdPs

You can now forward context about an app to an external identity provider (IdP) when a user attempts to access the app. When you enable the Application context checkbox for an IdP, the app name and unique instance ID are included in the SAML or OpenID Connect request sent to the external IdP. This enhancement allows external IdPs to make more informed, context-aware authentication decisions, supporting advanced security scenarios and Zero Trust environments. To enable this feature, go to Settings > Features in the Admin Console, locate Send Application Context to an External IdP, and enable it.

Enrollment grace periods

Today, when admins define an enrollment policy for a group, the entire group must enroll immediately, which can be disruptive to their day-to-day tasks.

With Enrollment Grace Periods, end users can defer enrollment in new authenticators until an admin-defined deadline when enrollment becomes mandatory. This allows end users to enroll at a time convenient to them and allows for more graceful enrollment before enforcing new authenticator types in authentication policies. See Authenticator enrollment policies.

RingCentral uses new default phone number logic

The RingCentral app integration's logic for detecting and populating phone numbers has been updated to work with both DirectNumber and IntegrationNumber entries.

Single Logout for IdPs is EA in Preview

The Single Logout (SLO) for IdPs feature boosts security for organizations using shared devices and external IdPs by automatically ending IdP sessions when a user signs out of any app. This feature also requires a fresh authentication for every new user, eliminating session hijacking risks on shared devices. SLO for IdP supports both SAML 2.0 and OIDC IdP connections, which provides robust session management for shared workstations in any environment. See Add a SAML Identity Provider.

Block words from being used in passwords

You can now use Okta Expression Language to block words from being used in passwords. This feature enhances security by allowing you to customize your password strength requirements.

Fixes

  • SDK strings that contained iOS were parsed as unknown operating systems. (OKTA-856044)

  • Some UI elements on the Personal information page in My Settings had the wrong background color. (OKTA-904266)

  • In orgs with an embedded Sign-In Widget and the Email Optional feature enabled, users weren't prompted for their email address during self-service unlock flows. (OKTA-917289)

  • The /idp/myaccount/sessions endpoint didn't accept access tokens granted by custom authorization servers. (OKTA-929488)

  • Some users were prompted by their service provider to authenticate with Okta Verify (OV) even though they had already authenticated using OV at their identity provider. (OKTA-937311)

  • On the Settings page, the Technical contact field displayed a "This field cannot be left blank" error even when there was text in the field. (OKTA-939469)

  • In the End-User Dashboard, if a user resized the browser to a mobile-sized view, the navigation menu opened and closed repeatedly. (OKTA-940213)

Okta Integration Network

  • Pluto Bioinformatics is now available (SAML). Learn more.
  • FORA is now available (OIDC). Learn more.
  • Teamplify is now available (OIDC). Learn more.
  • XOPS is now available (API Service Integration). Learn more.

Weekly Updates

2025.6.1: Update 1 started deployment on June 23

Generally Available

Frame-ancestors rollout for Content Security Policy

Okta is rolling out the frame-ancestors directive of the Content Security Policy (CSP) for the /auth/services/devicefingerprint and /API/v1/internal/device/nonce endpoints. To prevent blocking access to these endpoints from embedded frames, add any embedder origin as a trusted origin. See Trusted Origins for iFrame embedding.

In addition, Okta is rolling out the use of a nonce with the script-src directive of the CSP for the /auth/services/devicefingerprint endpoint. To prevent blocking inline scripts that you may have injected on the page returned by this endpoint, allowlist your inline script to account for the nonce addition to script-src.
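A pre-rollout check for both directives above, as an added example that is not Okta's code: it parses a Content-Security-Policy header, decides whether a given embedder origin is matched by frame-ancestors (the case the trusted-origin advice addresses), and flags inline script tags on the returned page that lack the nonce announced in script-src. The header value, HTML and embedder origin are constructed samples, not captured from an Okta endpoint.

```python
"""Added example (not Okta's code): CSP frame-ancestors and script-src nonce checks.
The sample header, HTML and origins below are constructed for the demo."""
from __future__ import annotations
import re
from urllib.parse import urlparse


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def origin_allowed(origin: str, sources: list[str]) -> bool:
    """True if `origin` is matched by a frame-ancestors source list.
    Supports 'none', '*', and host sources with optional scheme, a leading
    '*.' wildcard and an optional port; keyword sources such as 'self' name the
    responding origin, not the embedder, so they are skipped here."""
    if not sources or "'none'" in sources:
        return False
    o = urlparse(origin)
    o_port = o.port or (443 if o.scheme == "https" else 80)
    for src in sources:
        if src == "*":
            return True
        if src.startswith("'"):
            continue
        scheme, _, hostport = src.rpartition("://")
        if scheme and scheme.lower() != o.scheme:
            continue
        host, _, port = hostport.partition(":")
        host = host.lower()
        default_port = 443 if (scheme or o.scheme).lower() == "https" else 80
        if port == "":
            if o_port != default_port:  # no port in source: only the default port matches
                continue
        elif port != "*" and int(port) != o_port:
            continue
        if host.startswith("*."):
            # *.example.com matches sub.example.com but not example.com itself
            if not (o.hostname.endswith(host[1:]) and o.hostname != host[2:]):
                continue
        elif o.hostname != host:
            continue
        return True
    return False


def script_nonce(policy: dict[str, list[str]]) -> str | None:
    """Return the nonce value announced in script-src, if any."""
    for src in policy.get("script-src", []):
        m = re.fullmatch(r"'nonce-([A-Za-z0-9+/=_-]+)'", src)
        if m:
            return m.group(1)
    return None


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)


def unnonced_inline_scripts(html: str, nonce: str) -> list[str]:
    """Opening tags of inline <script> elements that do not carry `nonce`.
    Scripts with src= are skipped: only injected inline scripts are checked."""
    pattern = re.compile(r'\bnonce\s*=\s*["\']?' + re.escape(nonce) + r'["\']?', re.IGNORECASE)
    bad = []
    for m in SCRIPT_TAG.finditer(html):
        attrs = m.group(1)
        if re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
            continue
        if not pattern.search(attrs):
            bad.append(m.group(0))
    return bad


# Constructed samples: one allowed embedder, one nonced and one injected script.
SAMPLE_CSP = ("default-src 'self'; frame-ancestors 'self' https://*.example.com; "
              "script-src 'self' 'nonce-c29tZXJhbmRvbQ=='")
SAMPLE_HTML = ('<html><body><script nonce="c29tZXJhbmRvbQ==">ok()</script>'
               '<script>injected()</script><script src="/app.js"></script></body></html>')


def audit(csp: str = SAMPLE_CSP, html: str = SAMPLE_HTML,
          embedder: str = "https://portal.example.com") -> dict:
    """Summarise whether the embedder may frame the page and which inline scripts break."""
    policy = parse_csp(csp)
    nonce = script_nonce(policy)
    return {
        "embedder_allowed": origin_allowed(embedder, policy.get("frame-ancestors", [])),
        "nonce": nonce,
        "unnonced_inline": unnonced_inline_scripts(html, nonce) if nonce else [],
    }


if __name__ == "__main__":
    print(audit())
```

Run audit() against the real header and body your embedding page receives; an embedder that is not allowed needs to be registered as a trusted origin before the rollout reaches the org, and any tag listed under unnonced_inline will be blocked once the nonce is enforced. Because the nonce changes per response, the fix is to read it from the served script-src and apply it when injecting, not to hard-code a value.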

New On-Prem MFA agent version

Version 1.8.3 of the On-Prem MFA agent is now available. This version includes security enhancements.

Fixes

  • The request.userAgent.contains("XXX") expression was supported only in authentication policies for Office 365 apps. (OKTA-827195)

  • Users were sometimes prompted for additional security methods from authentication method chain steps even though they weren't needed to satisfy assurance requirements. (OKTA-869644)

  • App logos could be added or updated using any SVG format. (OKTA-876028)

  • After the Okta Active Directory or LDAP agent was successfully updated, the corresponding email notification reported that zero agents were running the new version. (OKTA-876968)

  • Customization fields in email templates were populated with unencoded information. (OKTA-922766)

  • The Proxy IP Usage report returned unknown values for Proxy Type. (OKTA-930091)

  • Chromebook users were prompted to enroll Okta Verify on their device even though it wasn't supported. (OKTA-937063)

  • SAML attribute statements were incorrectly hidden on some users' custom SAML app pages. (OKTA-939543)

  • Users with existing sessions were prompted to authenticate with a password even though Trust claims from this identity provider was enabled on their IdP. (OKTA-947997)

  • The table on the HealthInsight page was misaligned. (OKTA-948682)

  • When the Governance for admin roles feature was enabled, admins could create custom roles with the same name as a standard role. (OKTA-950114)

  • Custom authenticator logos weren't displayed on the Security methods page. (OKTA-950902)

  • When some AD or LDAP imports failed, the warning "Incorrect result size: expected 1, actual 2" was displayed in the job UI, but no System Log message was written. (OKTA-638810)

  • When admins changed the prompt for authentication frequency to 1825 days (five years) in authentication policy rules, the option changed to When an Okta global session doesn't exist. (OKTA-920782)

  • During a full import with AD DirSync, appuser.CN was cleared, which resulted in any attributes mapped from appuser.CN to the Okta user profile being cleared. (OKTA-944122)

  • When an admin opened a video from the Getting Started page, the close button wasn't visible. (OKTA-946268)

  • Editing a previously blank default value of an attribute in the Profile Editor failed if the Attribute length was set. (OKTA-958747)

  • This version includes security enhancements. (OKTA-963287)

Okta Integration Network

  • Complyfirst.co (OIDC) is now available. Learn more.
  • Duo Security SCIM Provisioning (SCIM) is now available. Learn more.
  • Genea Access Control (SAML) is now available. Learn more.
  • Genea Access Control (OIDC) is now available. Learn more.
  • Snapshot AI (OIDC) is now available. Learn more.

2025.6.2: Update 2 started deployment on June 30

Generally Available

Sign-In Widget, version 7.32.2

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Fixes

  • When a user's session expired and they tried to reauthenticate through the Sign-In Widget (second generation), an error sometimes appeared. (OKTA-805758)

  • Inline enrollment didn't trigger when the user clicked Sign in with Okta FastPass. (OKTA-864326)

  • The Report a Security Issue section appeared on the Sign-In Help page even though the End User Help Form setting was disabled. (OKTA-898824)

  • When an admin retried a failed Office365 provisioning task, the Immutable ID value was cleared. (OKTA-913410)

  • Certificate authorities for Okta Device Access didn't appear in the Admin Console after the user who created them was deleted. (OKTA-928246)

  • Android users couldn't authenticate using Okta FastPass after they clicked Edit Profile on the end-user settings page. (OKTA-939020)

  • Some users received an error when they tried to enroll in an authenticator. (OKTA-941710)

Okta Integration Network