Okta Release Notes

Version: 2025.10.0

October 2025

Generally Available

• Okta Active Directory Password Sync agent, version 1.7.0
• This version of the agent includes security enhancements.
• New look and feel for delegated flows
• On the Delegated flows page, the buttons, modals, and input fields have been redesigned for a better user experience. See Delegated flows.
• Euskara (Basque) language translations for end users
• In the End-User Dashboard, users can now set the display language to Euskara (Basque). When they select a language, the end-user experience, including when a user signs in, is translated accordingly. See Supported display languages.
• New VPN service for enhanced dynamic zones
• The SURF_EASY_VPN is now supported as an individual VPN service category in enhanced dynamic zones. See Supported IP service categories.
• Error message update
• The error message text that appears when activating a group rule that has an invalid expression has been updated to include the reason for the failure, making it easier to troubleshoot.
• Create user permission conditions
• You can now add conditions to the Create user permission for custom admin roles, applicable to both realm-enabled orgs and those without realms. See Permission conditions.
• User status in Okta Expression Language
• You can now reference User Status in the Okta expression language. Group Rules can leverage user statuses to drive group membership.
• SharePoint On-Premises integration supports SHA-256
• SharePoint integrations (WS-Fed) now use SHA-256 for signing the authentication token.
• Group Push Linking for Microsoft Office 365
• The Group Push feature in the Microsoft Office 365 integration has been enhanced to link existing Okta groups with existing Entra groups.
• This change establishes Okta as the single source of truth for group membership. Once linked, the membership changes made in Okta are pushed automatically, ensuring consistency and seamless access control.
• Supporting additional attributes in O365's Universal Sync provisioning
• To enable seamless access to Kerberos resources through Windows Hello for Business and to help you manage data based on geographies, Okta now supports four additional attributes in O365's Universal Sync provisioning.
  • onPremisesSamAccountName
  • onPremisesDomainName
  • onPremisesUserPrincipalName
  • PreferredDataLocation
• Okta Integration IdP type
• The Okta Integration IdP allows you to use an Okta org as an external IdP, simplifying configuration and providing secure defaults. See Add an Okta Integration Identity Provider.
• Behavior Detections for new ASN
• The error message text that appears when activating a group rule that has an invalid expression has been updated to include the reason for the failure, making it easier to troubleshoot.

Early Access

Fixes

• Sometimes, inactive apps that had provisioning enabled sent deprovisioning calls to downstream apps. (OKTA-930436)
• Sometimes, users who were assigned an app were unable to view or access the app on their End-User Dashboard. (OKTA-985663)
• SAML assertions were encrypted if they included the oktaAuthPayload parameter even though encryption wasn't enabled on the app. (OKTA-998820)
• In some orgs with the Unified claims generation for Okta-protected SAML and OIDC custom app integrations early access feature enabled, users were unable to use the dropdown menus in the Attribute Statements > Show legacy configuration section of the app page. (OKTA-1010898)
• In orgs with Japanese translations, untranslated text appeared on the Active Directory Policy page. (OKTA-1029000)

Okta Integration Network

• Paychex Online was updated.
• Ravenna is now available (API Service Integration). Learn more.
• zkipster was updated.

Doc Updates

Okta Aerial documentation

Documentation for Okta Aerial has been added to Okta Documentation with the following updates:

• Aerial card added to the home page.
• Aerial option added to Documentation dropdown list.
• Aerial release notes added to Release notes dropdown list.
• Okta Aerial allows you to manage multiple Okta orgs from a single, centralized account. The Aerial account lives outside of your other orgs and can manage any Production or Preview org that's linked to the Aerial account. Each Aerial account has a dedicated Aerial org where you can invite Aerial admins who can request and be granted access to connected orgs in your environment. See Okta Aerial.

Original source Report a problem

Version: 2025.09.0

September 2025

Generally Available

• Office 365 License and Roles Management now supports sync entitlements Sync entitlements are now supported for the Office 365 License and Roles Management provisioning type in orgs with Identity Governance enabled.
• Improved user experience for Access Requests The access request details page has been improved to provide more visibility on tasks assigned approvers and answers submitted by requesters. If you integrated Slack or Teams with Access Requests, similar changes have been made to the access request message that approvers receive. Additionally, the email notification sender's name and address have been changed. The sender's name is Okta Access Requests and the email address is [email protected].
• New versions of Okta Provisioning agent and SDK Okta Provisioning agent 3.0.3 and Okta Provisioning agent SDK 2.4.0 are now available. These releases contain bug fixes and minor improvements.
• Nonce rollout for Content Security Policy Okta is rolling out nonces for the style-src directive of the Content Security Policy for every endpoint that returns html content. This is a two stage process: first, the nonce is added to the Content-Security-Policy-Report-Only header style-src directive; later, after any unsafe inline instances are identified and fixed, the nonce is added to the Content-Security-Policy header style-src directive. This update will be gradually applied to all endpoints. These updates will be applied to Okta domains and custom domain pages that aren't customizable by admins (for example, sign-in pages, and error pages on custom domains). See Customize an error page.
• Export Admin Console reports in GZIP format You can now export most Admin Console reports in GZIP format, in addition to the existing CSV format. GZIP exports have a higher row limit (30 million) and a smaller file size.
• Breached Credentials Protection Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection. This feature is following a slow rollout process.
• IWA agent, version 1.18.0 This version of the agent contains security enhancements. See Okta SSO IWA Web App version history.
• Assigning/revoking an admin role is a protected action Now when an admin assigns or revokes an admin role from a user, they're prompted for additional authentication. See Protected actions in the Admin Console.
• Admin Console Realm updates The hint text for the Realm dropdown on the Add User form has been updated to provide clearer instructions.
• Secure Identity Integrations filters in the OIN catalog The Browse App Integration Catalog page now provides three new Secure Identity Integrations checkboxes: Secure Identity Integrations - Fundamental, Secure Identity Integrations - Advanced, and Secure Identity Integrations - Strategic. When you select one, the OIN catalog displays only the apps with that specific functionality.
• LDAP Interface OIDC app LDAP Interface now has an app sign-in policy that only enforces password. This only applies to Okta orgs without a prior LDAP interface setup. For orgs with an existing LDAP interface setup, global session policies still control LDAP Interface authentication policies. See Set up and manage the LDAP Interface. The session length for OpenID Connect (OIDC) connections is now limited to one hour. After the session expires, a new BIND operation is required to continue performing SEARCH queries on the same connection. You may need to update existing scripts to account for this enforced session length.
• Map unknown platform to desktop Okta now maps unrecognized platform conditions to Other desktop. Previously, unrecognized platform conditions matched correctly only when all six platform conditions (iOS, Android, Other mobile, Windows, macOS, and Other desktop) were selected in the app sign-on policy.
• Child Domain Authentication for Office 365 WS-Federation Office 365 WS-Federation automatic configuration now supports child domain authentication. See Federate multiple Office 365 domains in a single app instance.
• App Switcher for Okta first-party apps The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.

Early Access

• Anything-as-a-Source for groups and group memberships Anything-as-a-Source (XaaS) capabilities allow customers to use a custom identity source with Okta. With XaaS, customers can connect custom HR apps or custom databases to source users into Okta's Universal Directory. This release offers XaaS capabilities with groups and group memberships, allowing customers to start sourcing groups with XaaS. Okta now enables creating and updating users, creating and updating groups, and managing group memberships into Okta's Universal Directory from any identity source using XaaS APIs. See Anything-as-a-Source.
• Fixes
  • When a user signed in to a custom domain and then clicked Admin in the App Switcher, they were sometimes presented with the wrong sign-in flow. (OKTA-1014174)

Okta Integration Network

• AmexGBT Egencia has a new app name, icon, and SAML Integration guide. Learn more.
• ZAMP (OIDC) has two new redirect URIs. Learn more.
• Harmony (API Service Integration) is now available. Learn more.
• Shift Security (API Service Integration) is now available. Learn more.
• Teem Finance (OIDC) is now available. Learn more.
• Island (Universal Logout) is now available. Learn more.
• CloudEagle (API Service Integration) was updated.
• Bruin was updated.
• EventNeat (OIDC) is now available. Learn more.
• AdvancedMD was updated.
• Nuclei (OIDC) is now available. Learn more.
• FloQast (SCIM) is now available.
• Astrix Security Monitoring (API Service Integration) is now available.
• Scrut Automation (OIDC) has a new Redirect URI.
• Canva (SWA) was updated.
• eSignon (SAML) is now available. Learn more.
• eSignon (SCIM) is now available.
• AmexGBT Egencia (SCIM) is now available.

Weekly Updates

• 2025.9.1: Update 1 started deployment on September 29

  Generally Available

  • Enhanced protection for Google group imports A safeguard has been added to prevent accidental data loss during group imports from Google. When a large volume of group deletions is detected, the import is stopped to protect against importing bad data.
  • Removed delegate self-approval for Access Requests Delegates can no longer approve requests made on their behalf, ensuring proper separation of duties.
  • Okta Provisioning agent SDK, version 3.0.3 This release contains security enhancements and support for JDK 17. See Okta Provisioning agent and SDK version history.
  • New functionality filters in the OIN The Browse App Integration Catalog page now provides Cross App Access and Privileged Access Management functionality filters. The new filters help admins quickly find Cross App Access- and Privileged Access Management-enabled apps in the OIN.

  Fixes

  • If an admin had a browser extension that used the postMessage API, they sometimes saw an error when they performed a protected action. (OKTA-1001437)
  • When a user signed in to a custom domain and then clicked Admin in the App Switcher, they were sometimes presented with the wrong sign-in flow. (OKTA-1014174)
  • Identity Engine upgrade emails weren't translated into the org's display language. (OKTA-1016747)

  Okta Integration Network

  • MIND (API Service Integration) is now available. Learn more.
  • Frame Security Platform Connector (API Service Integration) is now available. Learn more.
  • Fabrix Smart Actions (API Service Integration) is now available. Learn more.
• 2025.9.2: Update 2 started deployment on October 6

  Okta Provisioning agent SDK, version 3.0.3

  This release contains security enhancements and support for JDK 17. See Okta Provisioning agent and SDK version history.

  Certificate revocation list is deprecated

  The Cache CRL for configuration option has been removed. Okta now manages the certificate revocation list cache for you.

  Fixes

  • Sometimes resetting a user name for an app user failed. (OKTA-963368)
  • Some SAML apps with password synchronization enabled didn't appear on the End-User Dashboard. (OKTA-968243)
  • Group push errors sometimes appeared for apps that had provisioning disabled. (OKTA-983336)
  • Okta admins with custom admin roles couldn't confirm the assignment for an imported user. (OKTA-988692)
  • The Profile Editor Users page didn't render correctly for some users. (OKTA-990194)
  • The System Log entry for Email Domains update operations was missing the change details for username and the domain display name. (OKTA-997246)
  • During AD and LDAP imports, group membership processing missed some updates. (OKTA-1007037)
  • Admins couldn't assign people or groups to PagerDuty when Identity Governance was enabled. (OKTA-1007080)
  • When DirSync was enabled, users located in containers had their common name (CN) changed to an invalid value. (OKTA-1007911)
  • When a user signed in to a custom domain and then clicked Admin in the App Switcher, they were sometimes presented with the wrong sign-in flow. (OKTA-1014174)
  • When Governance Engine was enabled for Zoho Mail + Actions, importing users failed. (OKTA-1015810)
  • The If no match is found option for non-JIT provisioning, account-linking OIDC IdPs was incorrectly labeled as Redirect to Okta sign-in page. (OKTA-961757)
  • Users with custom admin roles saw a Create Token button on the Security API page, even though they didn't have the required permissions. (OKTA-976743)
  • When an error was encountered during a group push event, the system incorrectly reported that the failed operation would be automatically retried. (OKTA-1017493)
  • In the Profile Editor, the checkbox for an enum property with a default value was displayed as unselected after a page refresh, even when the property's default value had been chosen. (OKTA-1020672)
  • Some users incorrectly received an "Invalid Phone Number" error when they enrolled a phone authenticator. (OKTA-1024021) Okta Integration Network
  • Employment hero was updated.
  • Notion was updated.
  • Briefly AI has updated the ACS, Audience URLs, and Attribute Statements.
  • Verizon MDM is now available {API Service Integration}. Learn more.

Original source Report a problem

Version: 2025.09.0

September 2025

Generally Available

Office 365 License and Roles Management now supports sync entitlements Sync entitlements are now supported for the Office 365 License and Roles Management provisioning type in orgs with Identity Governance enabled.

Improved user experience for Access Requests The access request details page has been improved to provide more visibility on tasks assigned approvers and answers submitted by requesters. If you integrated Slack or Teams with Access Requests, similar changes have been made to the access request message that approvers receive. Additionally, the email notification sender's name and address have been changed. The sender's name is Okta Access Requests and the email address is [email protected].

New versions of Okta Provisioning agent and SDK Okta Provisioning agent 3.0.3 and Okta Provisioning agent SDK 2.4.0 are now available. These releases contain bug fixes and minor improvements.

Nonce rollout for Content Security Policy Okta is rolling out nonces for the style-src directive of the Content Security Policy for every endpoint that returns html content. This is a two stage process: first, the nonce is added to the Content-Security-Policy-Report-Only header style-src directive; later, after any unsafe inline instances are identified and fixed, the nonce is added to the Content-Security-Policy header style-src directive. This update will be gradually applied to all endpoints. These updates will be applied to Okta domains and custom domain pages that aren't customizable by admins (for example, sign-in pages, and error pages on custom domains). See Customize an error page.

Export Admin Console reports in GZIP format You can now export most Admin Console reports in GZIP format, in addition to the existing CSV format. GZIP exports have a higher row limit (30 million) and a smaller file size.

Breached Credentials Protection Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection. This feature is following a slow rollout process.

IWA agent, version 1.18.0 This version of the agent contains security enhancements. See Okta SSO IWA Web App version history.

Assigning/revoking an admin role is a protected action Now when an admin assigns or revokes an admin role from a user, they're prompted for additional authentication. See Protected actions in the Admin Console.

Admin Console Realm updates The hint text for the Realm dropdown on the Add User form has been updated to provide clearer instructions.

Secure Identity Integrations filters in the OIN catalog The Browse App Integration Catalog page now provides three new Secure Identity Integrations checkboxes: Secure Identity Integrations - Fundamental, Secure Identity Integrations - Advanced, and Secure Identity Integrations - Strategic. When you select one, the OIN catalog displays only the apps with that specific functionality.

LDAP Interface OIDC app LDAP Interface now has an app sign-in policy that only enforces password. This only applies to Okta orgs without a prior LDAP interface setup. For orgs with an existing LDAP interface setup, global session policies still control LDAP Interface authentication policies. See Set up and manage the LDAP Interface. The session length for OpenID Connect (OIDC) connections is now limited to one hour. After the session expires, a new BIND operation is required to continue performing SEARCH queries on the same connection. You may need to update existing scripts to account for this enforced session length.

Map unknown platform to desktop Okta now maps unrecognized platform conditions to Other desktop. Previously, unrecognized platform conditions matched correctly only when all six platform conditions (iOS, Android, Other mobile, Windows, macOS, and Other desktop) were selected in the app sign-on policy.

Child Domain Authentication for Office 365 WS-Federation Office 365 WS-Federation automatic configuration now supports child domain authentication. See Federate multiple Office 365 domains in a single app instance.

App Switcher for Okta first-party apps The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.

Early Access

Anything-as-a-Source for groups and group memberships Anything-as-a-Source (XaaS) capabilities allow customers to use a custom identity source with Okta. With XaaS, customers can connect custom HR apps or custom databases to source users into Okta's Universal Directory. This release offers XaaS capabilities with groups and group memberships, allowing customers to start sourcing groups with XaaS. Okta now enables creating and updating users, creating and updating groups, and managing group memberships into Okta's Universal Directory from any identity source using XaaS APIs. See Anything-as-a-Source.

Fixes

• When a user signed in to a custom domain and then clicked Admin in the App Switcher, they were sometimes presented with the wrong sign-in flow. (OKTA-1014174)

Okta Integration Network

• AmexGBT Egencia has a new app name, icon, and SAML Integration guide. Learn more.
• ZAMP (OIDC) has two new redirect URIs. Learn more.
• Harmony (API Service Integration) is now available. Learn more.
• Shift Security (API Service Integration) is now available. Learn more.
• Teem Finance (OIDC) is now available. Learn more.
• Island (Universal Logout) is now available. Learn more.
• CloudEagle (API Service Integration) was updated.
• Bruin was updated.
• EventNeat (OIDC) is now available. Learn more.
• AdvancedMD was updated.
• Nuclei (OIDC) is now available. Learn more.
• FloQast (SCIM) is now available.
• Astrix Security Monitoring (API Service Integration) is now available.
• Scrut Automation (OIDC) has a new Redirect URI.
• Canva (SWA) was updated.
• eSignon (SAML) is now available. Learn more.
• eSignon (SCIM) is now available.
• AmexGBT Egencia (SCIM) is now available.

Original source Report a problem

Sign-In Widget 7.34.0

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Okta On-Prem MFA agent version 1.8.5

This version includes security enhancements.

New password expiration message

The Breached Credentials Protection feature now displays a more intuitive error message to users whose passwords have expired.

Okta Provisioning agent, version 3.0.2

Okta Provisioning agent 3.0.2 is now available. This release of the Okta Provisioning agent uses OAuth 2.0 for authorization and OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to securely communicate with Okta. Agents are now registered through the OAuth 2.0 device registration flow and operate independently from the account used to register them. This release also uses UTC time as the default for meta.lastModified timestamps and includes security enhancements and bug fixes. See Okta Provisioning agent and SDK version history.

Okta Active Directory agent, version 3.21.0

This release includes general enhancements, branding updates, and bug fixes. See Okta Active Directory agent version history.

OAuth 2.0 provisioning for Org2Org with Autorotation

Admins deploying multi-org architectures (for example Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Autorotation for Org2Org app provisioning directly from the Admin Console. See Integrate Okta Org2Org with Okta.

Define default values for custom user attributes

Admins can now define default values for custom attributes in a user profile. If you set a custom attribute to be unique, then the default value is automatically set to null (as opposed to an empty string). See Add custom attributes to an Okta user profile.

Expanded use of user.getGroups() function in Okta Expression Language

Admins can now use the user.getGroups() function across all features that support Expression Language. See Group functions for more information.

Auto-confirm for CSV imports

When Identity Governance is enabled and admins use CSV Import with entitlements, auto-confirm is enabled on exact email matches.

Identity Governance user entitlements import limit increased

The maximum number of user entitlements that can be imported from CSV has been increased to 25,000. See Import user entitlements from CSV.

License grouping UI improvement

Microsoft O365 licenses are now grouped under Primary Licenses in the assignment tab for users and groups. Licenses are displayed as collapsed dropdown menus with only primary license name visible. Expanding the dropdown menu displays all sub-licenses under it.

New custom attributes for profile sync provisioning

Profile sync provisioning now supports several custom attributes for Office 365. See Supported user profile attributes for Office 365 provisioning.

Custom profile attributes for OIDC apps

Admins can now add custom profile attributes to OIDC apps in JSON format. See Configure profile attributes for OIDC apps.

Web app integrations now mandate the use of the Authorization Code flow

To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See Build a Single Sign-On (SSO) integration.

Provisioning for Oracle Human Capital Management

Provisioning is now available for the Oracle Human Capital Management app integration. When you provision the app, you can enable security features like Entitlement Management, Privileged Access, and more. See Oracle Human Capital Management.

Unified claims generation for custom apps

Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.

Governance delegates

Super admins and users can assign another user as a delegate to complete governance tasks for them. Governance tasks include access certification campaign review items and access request approvals, questions, and other tasks. After a delegate is specified, all future governance tasks (access request approvals and access certification reviews) are assigned to the delegate instead of the original approver or reviewer. This helps ensure that governance processes don't stall when approvers are unavailable or tasks need to be rerouted to a different stakeholder for a long period. It also reduces the time spent in reassigning requests and reviews manually. See Governance delegates.

Multiple active IdP signing certificates

Okta now supports multiple active signing certificates for a single SAML identity provider (IdP), enabling seamless certificate rotation with zero downtime. Admins can upload up to two certificates per IdP connection. This improvement eliminates the need for tightly coordinated swaps with IdP partners and reduces the risk of authentication failures due to expired certificates. The feature is available for both the Admin Console and the IdP Certificates API.

JSON Web Encryption of OIDC ID Tokens

You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.

App Switcher for Okta first-party apps

The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.

Original source Report a problem